diff --git a/assets/argo/argo-cd-5.51.4.tgz b/assets/argo/argo-cd-5.51.4.tgz
index e3d3e9e54..9f84a23fe 100644
Binary files a/assets/argo/argo-cd-5.51.4.tgz and b/assets/argo/argo-cd-5.51.4.tgz differ
diff --git a/assets/argo/argo-cd-5.52.1.tgz b/assets/argo/argo-cd-5.52.1.tgz
new file mode 100644
index 000000000..fdcdbed4e
Binary files /dev/null and b/assets/argo/argo-cd-5.52.1.tgz differ
diff --git a/assets/bitnami/airflow-16.1.11.tgz b/assets/bitnami/airflow-16.1.11.tgz
new file mode 100644
index 000000000..b9b94f1a1
Binary files /dev/null and b/assets/bitnami/airflow-16.1.11.tgz differ
diff --git a/assets/bitnami/cassandra-10.6.9.tgz b/assets/bitnami/cassandra-10.6.9.tgz
new file mode 100644
index 000000000..501cdb07d
Binary files /dev/null and b/assets/bitnami/cassandra-10.6.9.tgz differ
diff --git a/assets/bitnami/kafka-26.6.3.tgz b/assets/bitnami/kafka-26.6.3.tgz
new file mode 100644
index 000000000..f063e23c0
Binary files /dev/null and b/assets/bitnami/kafka-26.6.3.tgz differ
diff --git a/assets/bitnami/mariadb-15.0.1.tgz b/assets/bitnami/mariadb-15.0.1.tgz
new file mode 100644
index 000000000..6cefebbc8
Binary files /dev/null and b/assets/bitnami/mariadb-15.0.1.tgz differ
diff --git a/assets/bitnami/mysql-9.16.1.tgz b/assets/bitnami/mysql-9.16.1.tgz
new file mode 100644
index 000000000..a7d70183b
Binary files /dev/null and b/assets/bitnami/mysql-9.16.1.tgz differ
diff --git a/assets/bitnami/postgresql-13.2.29.tgz b/assets/bitnami/postgresql-13.2.29.tgz
new file mode 100644
index 000000000..510d12777
Binary files /dev/null and b/assets/bitnami/postgresql-13.2.29.tgz differ
diff --git a/assets/bitnami/redis-18.6.3.tgz b/assets/bitnami/redis-18.6.3.tgz
new file mode 100644
index 000000000..ea0668502
Binary files /dev/null and b/assets/bitnami/redis-18.6.3.tgz differ
diff --git a/assets/bitnami/spark-8.1.8.tgz b/assets/bitnami/spark-8.1.8.tgz
new file mode 100644
index 000000000..1d03d6824
Binary files /dev/null and b/assets/bitnami/spark-8.1.8.tgz differ
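Review bot: `assets/argo/argo-cd-5.51.4.tgz` is modified in place (blob `e3d3e9e54` to `9f84a23fe`) rather than added, so a chart version that was already published now has different bytes; the same pattern appears later in this diff for `gluu-5.0.23.tgz`, `cost-analyzer-1.107.1.tgz` and `linkerd-control-plane-1.16.6.tgz`. A consumer who pinned or cached the archive digest will see a mismatch and cannot tell a routine repackaging from tampering using the diff alone. The commit message should say why these archives were regenerated, and the digest recorded for them in the repository index (not visible in this part of the diff) should be confirmed to change in the same commit.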
diff --git a/assets/bitnami/tomcat-10.11.11.tgz b/assets/bitnami/tomcat-10.11.11.tgz
new file mode 100644
index 000000000..78ba2db09
Binary files /dev/null and b/assets/bitnami/tomcat-10.11.11.tgz differ
diff --git a/assets/bitnami/wordpress-19.0.5.tgz b/assets/bitnami/wordpress-19.0.5.tgz
new file mode 100644
index 000000000..45ad103bb
Binary files /dev/null and b/assets/bitnami/wordpress-19.0.5.tgz differ
diff --git a/assets/bitnami/zookeeper-12.4.4.tgz b/assets/bitnami/zookeeper-12.4.4.tgz
new file mode 100644
index 000000000..7779ebdab
Binary files /dev/null and b/assets/bitnami/zookeeper-12.4.4.tgz differ
diff --git a/assets/cert-manager/cert-manager-v1.13.3.tgz b/assets/cert-manager/cert-manager-v1.13.3.tgz
new file mode 100644
index 000000000..92e54e61c
Binary files /dev/null and b/assets/cert-manager/cert-manager-v1.13.3.tgz differ
diff --git a/assets/clastix/kamaji-0.14.0.tgz b/assets/clastix/kamaji-0.14.0.tgz
new file mode 100644
index 000000000..e78a20a63
Binary files /dev/null and b/assets/clastix/kamaji-0.14.0.tgz differ
diff --git a/assets/cockroach-labs/cockroachdb-11.2.3.tgz b/assets/cockroach-labs/cockroachdb-11.2.3.tgz
new file mode 100644
index 000000000..4eb0c89a3
Binary files /dev/null and b/assets/cockroach-labs/cockroachdb-11.2.3.tgz differ
diff --git a/assets/confluent/confluent-for-kubernetes-0.824.40.tgz b/assets/confluent/confluent-for-kubernetes-0.824.40.tgz
new file mode 100644
index 000000000..5a8f24d47
Binary files /dev/null and b/assets/confluent/confluent-for-kubernetes-0.824.40.tgz differ
diff --git a/assets/crowdstrike/falcon-sensor-1.24.1.tgz b/assets/crowdstrike/falcon-sensor-1.24.1.tgz
new file mode 100644
index 000000000..8f9fd9ed0
Binary files /dev/null and b/assets/crowdstrike/falcon-sensor-1.24.1.tgz differ
diff --git a/assets/datadog/datadog-3.50.5.tgz b/assets/datadog/datadog-3.50.5.tgz
new file mode 100644
index 000000000..b6efe4260
Binary files /dev/null and b/assets/datadog/datadog-3.50.5.tgz differ
diff --git a/assets/datadog/datadog-operator-1.4.1.tgz b/assets/datadog/datadog-operator-1.4.1.tgz
new file mode 100644
index 000000000..1905f6245
Binary files /dev/null and b/assets/datadog/datadog-operator-1.4.1.tgz differ
diff --git a/assets/dell/csi-isilon-2.9.0.tgz b/assets/dell/csi-isilon-2.9.0.tgz
new file mode 100644
index 000000000..38b3536b0
Binary files /dev/null and b/assets/dell/csi-isilon-2.9.0.tgz differ
diff --git a/assets/dell/csi-powermax-2.9.0.tgz b/assets/dell/csi-powermax-2.9.0.tgz
new file mode 100644
index 000000000..fc5b7bac0
Binary files /dev/null and b/assets/dell/csi-powermax-2.9.0.tgz differ
diff --git a/assets/dell/csi-powerstore-2.9.0.tgz b/assets/dell/csi-powerstore-2.9.0.tgz
new file mode 100644
index 000000000..80a041270
Binary files /dev/null and b/assets/dell/csi-powerstore-2.9.0.tgz differ
diff --git a/assets/dell/csi-unity-2.9.0.tgz b/assets/dell/csi-unity-2.9.0.tgz
new file mode 100644
index 000000000..565f503e1
Binary files /dev/null and b/assets/dell/csi-unity-2.9.0.tgz differ
diff --git a/assets/dell/csi-vxflexos-2.9.0.tgz b/assets/dell/csi-vxflexos-2.9.0.tgz
new file mode 100644
index 000000000..c0f6e6424
Binary files /dev/null and b/assets/dell/csi-vxflexos-2.9.0.tgz differ
diff --git a/assets/digitalis/vals-operator-0.7.8.tgz b/assets/digitalis/vals-operator-0.7.8.tgz
new file mode 100644
index 000000000..0dc393514
Binary files /dev/null and b/assets/digitalis/vals-operator-0.7.8.tgz differ
diff --git a/assets/dynatrace/dynatrace-operator-0.15.0.tgz b/assets/dynatrace/dynatrace-operator-0.15.0.tgz
new file mode 100644
index 000000000..c3c88a656
Binary files /dev/null and b/assets/dynatrace/dynatrace-operator-0.15.0.tgz differ
diff --git a/assets/external-secrets/external-secrets-0.9.11.tgz b/assets/external-secrets/external-secrets-0.9.11.tgz
new file mode 100644
index 000000000..10026d7a0
Binary files /dev/null and b/assets/external-secrets/external-secrets-0.9.11.tgz differ
diff --git a/assets/f5/nginx-ingress-1.1.0.tgz b/assets/f5/nginx-ingress-1.1.0.tgz
new file mode 100644
index 000000000..eab2faef5
Binary files /dev/null and b/assets/f5/nginx-ingress-1.1.0.tgz differ
diff --git a/assets/fairwinds/polaris-5.17.0.tgz b/assets/fairwinds/polaris-5.17.0.tgz
new file mode 100644
index 000000000..cc5cb267c
Binary files /dev/null and b/assets/fairwinds/polaris-5.17.0.tgz differ
diff --git a/assets/gluu/gluu-5.0.23.tgz b/assets/gluu/gluu-5.0.23.tgz
index 432333599..91449d853 100644
Binary files a/assets/gluu/gluu-5.0.23.tgz and b/assets/gluu/gluu-5.0.23.tgz differ
diff --git a/assets/gluu/gluu-5.0.24.tgz b/assets/gluu/gluu-5.0.24.tgz
new file mode 100644
index 000000000..1319558e7
Binary files /dev/null and b/assets/gluu/gluu-5.0.24.tgz differ
diff --git a/assets/haproxy/haproxy-1.35.5.tgz b/assets/haproxy/haproxy-1.35.5.tgz
new file mode 100644
index 000000000..6b7ef8eca
Binary files /dev/null and b/assets/haproxy/haproxy-1.35.5.tgz differ
diff --git a/assets/harbor/harbor-1.14.0.tgz b/assets/harbor/harbor-1.14.0.tgz
new file mode 100644
index 000000000..7091f51d1
Binary files /dev/null and b/assets/harbor/harbor-1.14.0.tgz differ
diff --git a/assets/hashicorp/consul-1.3.1.tgz b/assets/hashicorp/consul-1.3.1.tgz
new file mode 100644
index 000000000..ee80d269c
Binary files /dev/null and b/assets/hashicorp/consul-1.3.1.tgz differ
diff --git a/assets/instana/instana-agent-1.2.66.tgz b/assets/instana/instana-agent-1.2.66.tgz
new file mode 100644
index 000000000..bfbc15f55
Binary files /dev/null and b/assets/instana/instana-agent-1.2.66.tgz differ
diff --git a/assets/intel/intel-device-plugins-operator-0.29.0.tgz b/assets/intel/intel-device-plugins-operator-0.29.0.tgz
new file mode 100644
index 000000000..9a7046ba6
Binary files /dev/null and b/assets/intel/intel-device-plugins-operator-0.29.0.tgz differ
diff --git a/assets/intel/intel-device-plugins-qat-0.29.0.tgz b/assets/intel/intel-device-plugins-qat-0.29.0.tgz
new file mode 100644
index 000000000..6d51af289
Binary files /dev/null and b/assets/intel/intel-device-plugins-qat-0.29.0.tgz differ
diff --git a/assets/intel/intel-device-plugins-sgx-0.29.0.tgz b/assets/intel/intel-device-plugins-sgx-0.29.0.tgz
new file mode 100644
index 000000000..bc7812345
Binary files /dev/null and b/assets/intel/intel-device-plugins-sgx-0.29.0.tgz differ
diff --git a/assets/jenkins/jenkins-4.11.2.tgz b/assets/jenkins/jenkins-4.11.2.tgz
new file mode 100644
index 000000000..ef6cdab2e
Binary files /dev/null and b/assets/jenkins/jenkins-4.11.2.tgz differ
diff --git a/assets/jfrog/artifactory-ha-107.71.11.tgz b/assets/jfrog/artifactory-ha-107.71.11.tgz
new file mode 100644
index 000000000..043e10671
Binary files /dev/null and b/assets/jfrog/artifactory-ha-107.71.11.tgz differ
diff --git a/assets/jfrog/artifactory-jcr-107.71.11.tgz b/assets/jfrog/artifactory-jcr-107.71.11.tgz
new file mode 100644
index 000000000..0fc260c79
Binary files /dev/null and b/assets/jfrog/artifactory-jcr-107.71.11.tgz differ
diff --git a/assets/kong/kong-2.33.3.tgz b/assets/kong/kong-2.33.3.tgz
new file mode 100644
index 000000000..afb4b004a
Binary files /dev/null and b/assets/kong/kong-2.33.3.tgz differ
diff --git a/assets/kubecost/cost-analyzer-1.107.1.tgz b/assets/kubecost/cost-analyzer-1.107.1.tgz
index 9dd167d8c..fba4b9e71 100644
Binary files a/assets/kubecost/cost-analyzer-1.107.1.tgz and b/assets/kubecost/cost-analyzer-1.107.1.tgz differ
diff --git a/assets/kubecost/cost-analyzer-1.108.1.tgz b/assets/kubecost/cost-analyzer-1.108.1.tgz
new file mode 100644
index 000000000..9cb7cd486
Binary files /dev/null and b/assets/kubecost/cost-analyzer-1.108.1.tgz differ
diff --git a/assets/kuma/kuma-2.5.1.tgz b/assets/kuma/kuma-2.5.1.tgz
new file mode 100644
index 000000000..9e3a28eb2
Binary files /dev/null and b/assets/kuma/kuma-2.5.1.tgz differ
diff --git a/assets/linkerd/linkerd-control-plane-1.16.6.tgz b/assets/linkerd/linkerd-control-plane-1.16.6.tgz
index caf53b1a5..ba7146f33 100644
Binary files a/assets/linkerd/linkerd-control-plane-1.16.6.tgz and b/assets/linkerd/linkerd-control-plane-1.16.6.tgz differ
diff --git a/assets/linkerd/linkerd-control-plane-1.16.9.tgz b/assets/linkerd/linkerd-control-plane-1.16.9.tgz
new file mode 100644
index 000000000..beb24782f
Binary files /dev/null and b/assets/linkerd/linkerd-control-plane-1.16.9.tgz differ
diff --git a/assets/mongodb/community-operator-0.9.0.tgz b/assets/mongodb/community-operator-0.9.0.tgz
new file mode 100644
index 000000000..5280e2c23
Binary files /dev/null and b/assets/mongodb/community-operator-0.9.0.tgz differ
diff --git a/assets/nats/nats-1.1.6.tgz b/assets/nats/nats-1.1.6.tgz
new file mode 100644
index 000000000..60e417994
Binary files /dev/null and b/assets/nats/nats-1.1.6.tgz differ
diff --git a/assets/new-relic/nri-bundle-5.0.58.tgz b/assets/new-relic/nri-bundle-5.0.58.tgz
new file mode 100644
index 000000000..6542be79e
Binary files /dev/null and b/assets/new-relic/nri-bundle-5.0.58.tgz differ
diff --git a/assets/nutanix/nutanix-csi-snapshot-6.3.2.tgz b/assets/nutanix/nutanix-csi-snapshot-6.3.2.tgz
new file mode 100644
index 000000000..3c1b739f0
Binary files /dev/null and b/assets/nutanix/nutanix-csi-snapshot-6.3.2.tgz differ
diff --git a/assets/nutanix/nutanix-csi-storage-2.6.6.tgz b/assets/nutanix/nutanix-csi-storage-2.6.6.tgz
new file mode 100644
index 000000000..ad0867dab
Binary files /dev/null and b/assets/nutanix/nutanix-csi-storage-2.6.6.tgz differ
diff --git a/assets/openebs/openebs-3.10.0.tgz b/assets/openebs/openebs-3.10.0.tgz
new file mode 100644
index 000000000..a0dca2fc3
Binary files /dev/null and b/assets/openebs/openebs-3.10.0.tgz differ
diff --git a/assets/percona/psmdb-db-1.15.1.tgz b/assets/percona/psmdb-db-1.15.1.tgz
new file mode 100644
index 000000000..91378c1f7
Binary files /dev/null and b/assets/percona/psmdb-db-1.15.1.tgz differ
diff --git a/assets/percona/pxc-db-1.13.4.tgz b/assets/percona/pxc-db-1.13.4.tgz
new file mode 100644
index 000000000..4c94c55ec
Binary files /dev/null and b/assets/percona/pxc-db-1.13.4.tgz differ
diff --git a/assets/redpanda/redpanda-5.7.7.tgz b/assets/redpanda/redpanda-5.7.7.tgz
new file mode 100644
index 000000000..81f316cbd
Binary files /dev/null and b/assets/redpanda/redpanda-5.7.7.tgz differ
diff --git a/assets/speedscale/speedscale-operator-2.0.2.tgz b/assets/speedscale/speedscale-operator-2.0.2.tgz
new file mode 100644
index 000000000..010d3b4fd
Binary files /dev/null and b/assets/speedscale/speedscale-operator-2.0.2.tgz differ
diff --git a/assets/stackstate/stackstate-k8s-agent-1.0.66.tgz b/assets/stackstate/stackstate-k8s-agent-1.0.66.tgz
new file mode 100644
index 000000000..c8b9cf6a0
Binary files /dev/null and b/assets/stackstate/stackstate-k8s-agent-1.0.66.tgz differ
diff --git a/assets/sysdig/sysdig-1.16.24.tgz b/assets/sysdig/sysdig-1.16.24.tgz
new file mode 100644
index 000000000..4feeee7b3
Binary files /dev/null and b/assets/sysdig/sysdig-1.16.24.tgz differ
diff --git a/assets/traefik/traefik-26.0.0.tgz b/assets/traefik/traefik-26.0.0.tgz
new file mode 100644
index 000000000..f564e6ba3
Binary files /dev/null and b/assets/traefik/traefik-26.0.0.tgz differ
diff --git a/assets/trilio/k8s-triliovault-operator-4.0.0.tgz b/assets/trilio/k8s-triliovault-operator-4.0.0.tgz
new file mode 100644
index 000000000..729975920
Binary files /dev/null and b/assets/trilio/k8s-triliovault-operator-4.0.0.tgz differ
diff --git a/assets/weka/csi-wekafsplugin-2.3.2.tgz b/assets/weka/csi-wekafsplugin-2.3.2.tgz
new file mode 100644
index 000000000..720172826
Binary files /dev/null and b/assets/weka/csi-wekafsplugin-2.3.2.tgz differ
diff --git a/assets/yugabyte/yugabyte-2.18.5.tgz b/assets/yugabyte/yugabyte-2.18.5.tgz new file mode 100644 index 000000000..b80c24f65 Binary files /dev/null and b/assets/yugabyte/yugabyte-2.18.5.tgz differ diff --git a/assets/yugabyte/yugaware-2.18.5.tgz b/assets/yugabyte/yugaware-2.18.5.tgz new file mode 100644 index 000000000..298a70b5c Binary files /dev/null and b/assets/yugabyte/yugaware-2.18.5.tgz differ diff --git a/charts/argo/argo-cd/Chart.yaml b/charts/argo/argo-cd/Chart.yaml index af662ce46..455261a5b 100644 --- a/charts/argo/argo-cd/Chart.yaml +++ b/charts/argo/argo-cd/Chart.yaml @@ -1,7 +1,7 @@ annotations: artifacthub.io/changes: | - kind: changed - description: Upgrade Argo CD to v2.9.2 + description: DRY cleanup of ServiceAccounts artifacthub.io/signKey: | fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 url: https://argoproj.github.io/argo-helm/pgp_keys.asc @@ -11,7 +11,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.23.0-0' catalog.cattle.io/release-name: argo-cd apiVersion: v2 -appVersion: v2.9.2 +appVersion: v2.9.3 dependencies: - condition: redis-ha.enabled name: redis-ha @@ -33,4 +33,4 @@ name: argo-cd sources: - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd - https://github.com/argoproj/argo-cd -version: 5.51.4 +version: 5.52.1 diff --git a/charts/argo/argo-cd/README.md b/charts/argo/argo-cd/README.md index 7b79080ec..919149b51 100644 --- a/charts/argo/argo-cd/README.md +++ b/charts/argo/argo-cd/README.md 
@@ -105,6 +105,10 @@ For full list of changes please check ArtifactHub [changelog]. Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version. +### 5.52.0 +Because [Argo CD Extensions] is now deprecated and no further changes will be made, we switched to [Argo CD Extension Installer], adding an Argo CD Extension Installer to init-container in the Argo CD API server. +If you used old mechanism, please move to new mechanism. For more details, please refer `.Values.server.extensions` in values.yaml. + ### 5.35.0 This version supports Kubernetes version `>=1.23.0-0`. The current supported version of Kubernetes is v1.24 or later and we align with the Amazon EKS calendar, because many AWS users follow a conservative approach. 
@@ -115,14 +119,22 @@ The manifests are now using [`tini` as entrypoint][tini], instead of `entrypoint This means that the deployment manifests have to be updated after upgrading to Argo CD v2.7, and before upgrading to Argo CD v2.8 later. In case the manifests are updated before moving to Argo CD v2.8, the containers will not be able to start. +### 5.26.0 + +This version adds support for Config Management Plugins using the sidecar model and configured in a ConfigMap named `argocd-cmp-cm`. +Users will need to migrate from the previous `argocd-cm` ConfigMap method to using the sidecar method before Argo CD v2.8. See the [Argo CD CMP migration guide](https://argo-cd.readthedocs.io/en/stable/operator-manual/config-management-plugins/#migrating-from-argocd-cm-plugins) for more specifics. + +To migrate your plugins, you can now set the `configs.cmp.create` to `true` and move your plugins from `configs.cm` to `configs.cmp.plugins`. +You will also need to configure the sidecar containers under `repoServer.extraContainers` and ensure you are mounting any custom volumes you need from `repoServer.volumes` into here also. + ### 5.24.0 -This versions adds additional global parameters for scheduling (`nodeSelector`, `tolerations`, `topologySpreadConstraints`). +This version adds additional global parameters for scheduling (`nodeSelector`, `tolerations`, `topologySpreadConstraints`). Default `global.affinity` rules can be disabled when `none` value is used for the preset. ### 5.22.0 -This versions adds `global.affinity` options that are used as a presets. Override on component level works as before and replaces the default preset completely. +This version adds `global.affinity` options that are used as a presets. Override on component level works as before and replaces the default preset completely. ### 5.19.0 
@@ -710,10 +722,11 @@ NAME: my-release | server.env | list | `[]` | Environment variables to pass to Argo CD server | | server.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to Argo CD server | | server.extensions.containerSecurityContext | object | See [values.yaml] | Server UI extensions container-level security context | -| server.extensions.enabled | bool | `false` | Enable support for Argo UI extensions | +| server.extensions.enabled | bool | `false` | Enable support for Argo CD extensions | +| server.extensions.extensionList | list | `[]` (See [values.yaml]) | Extensions for Argo CD | | server.extensions.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for extensions | -| server.extensions.image.repository | string | `"ghcr.io/argoproj-labs/argocd-extensions"` | Repository to use for extensions image | -| server.extensions.image.tag | string | `"v0.2.1"` | Tag to use for extensions image | +| server.extensions.image.repository | string | `"quay.io/argoprojlabs/argocd-extension-installer"` | Repository to use for extension installer image | +| server.extensions.image.tag | string | `"v0.0.1"` | Tag to use for extension installer image | | server.extensions.resources | object | `{}` | Resource limits and requests for the argocd-extensions container | | server.extraArgs | list | `[]` | Additional command line arguments to pass to Argo CD server | | server.extraContainers | list | `[]` | Additional containers to be added to the server pod | 
@@ -1255,3 +1268,5 @@ Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/ [EKS EoL]: https://endoflife.date/amazon-eks [Kubernetes Compatibility Matrix]: https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/#supported-versions [Applications in any namespace]: https://argo-cd.readthedocs.io/en/stable/operator-manual/app-any-namespace/#applications-in-any-namespace +[Argo CD Extensions]: https://github.com/argoproj-labs/argocd-extensions?tab=readme-ov-file#deprecation-notice +[Argo CD Extension Installer]: https://github.com/argoproj-labs/argocd-extension-installer diff --git a/charts/argo/argo-cd/templates/_helpers.tpl b/charts/argo/argo-cd/templates/_helpers.tpl index b5d62a6ab..97ba5c259 100644 --- a/charts/argo/argo-cd/templates/_helpers.tpl +++ b/charts/argo/argo-cd/templates/_helpers.tpl @@ -11,7 +11,7 @@ to 63 chars and it includes 10 chars of hash and a separating '-'. {{/* Create the name of the controller service account to use */}} -{{- define "argo-cd.controllerServiceAccountName" -}} +{{- define "argo-cd.controller.serviceAccountName" -}} {{- if .Values.controller.serviceAccount.create -}} {{ default (include "argo-cd.controller.fullname" .) .Values.controller.serviceAccount.name }} {{- else -}} @@ -40,7 +40,7 @@ Create Dex server endpoint {{/* Create the name of the dex service account to use */}} -{{- define "argo-cd.dexServiceAccountName" -}} +{{- define "argo-cd.dex.serviceAccountName" -}} {{- if .Values.dex.serviceAccount.create -}} {{ default (include "argo-cd.dex.fullname" .) .Values.dex.serviceAccount.name }} {{- else -}} @@ -78,7 +78,7 @@ Return Redis server endpoint {{/* Create the name of the redis service account to use */}} -{{- define "argo-cd.redisServiceAccountName" -}} +{{- define "argo-cd.redis.serviceAccountName" -}} {{- if .Values.redis.serviceAccount.create -}} {{ default (include "argo-cd.redis.fullname" .) .Values.redis.serviceAccount.name }} {{- else -}} 
@@ -96,7 +96,7 @@ Create argocd server name and version as used by the chart label. {{/* Create the name of the Argo CD server service account to use */}} -{{- define "argo-cd.serverServiceAccountName" -}} +{{- define "argo-cd.server.serviceAccountName" -}} {{- if .Values.server.serviceAccount.create -}} {{ default (include "argo-cd.server.fullname" .) .Values.server.serviceAccount.name }} {{- else -}} @@ -114,7 +114,7 @@ Create argocd repo-server name and version as used by the chart label. {{/* Create the name of the repo-server service account to use */}} -{{- define "argo-cd.repoServerServiceAccountName" -}} +{{- define "argo-cd.repoServer.serviceAccountName" -}} {{- if .Values.repoServer.serviceAccount.create -}} {{ default (include "argo-cd.repoServer.fullname" .) .Values.repoServer.serviceAccount.name }} {{- else -}} @@ -132,7 +132,7 @@ Create argocd application set name and version as used by the chart label. {{/* Create the name of the application set service account to use */}} -{{- define "argo-cd.applicationSetServiceAccountName" -}} +{{- define "argo-cd.applicationSet.serviceAccountName" -}} {{- if .Values.applicationSet.serviceAccount.create -}} {{ default (include "argo-cd.applicationSet.fullname" .) .Values.applicationSet.serviceAccount.name }} {{- else -}} @@ -150,7 +150,7 @@ Create argocd notifications name and version as used by the chart label. {{/* Create the name of the notifications service account to use */}} -{{- define "argo-cd.notificationsServiceAccountName" -}} +{{- define "argo-cd.notifications.serviceAccountName" -}} {{- if .Values.notifications.serviceAccount.create -}} {{ default (include "argo-cd.notifications.fullname" .) .Values.notifications.serviceAccount.name }} {{- else -}} diff --git a/charts/argo/argo-cd/templates/aggregate-roles.yaml b/charts/argo/argo-cd/templates/aggregate-roles.yaml index b38939224..ba93d5484 100644 --- a/charts/argo/argo-cd/templates/aggregate-roles.yaml 
+++ b/charts/argo/argo-cd/templates/aggregate-roles.yaml @@ -14,9 +14,6 @@ rules: {{- if .Values.applicationSet.enabled }} - applicationsets {{- end }} - {{- if .Values.server.extensions.enabled }} - - argocdextensions - {{- end }} - appprojects verbs: - get @@ -39,9 +36,6 @@ rules: {{- if .Values.applicationSet.enabled }} - applicationsets {{- end }} - {{- if .Values.server.extensions.enabled }} - - argocdextensions - {{- end }} - appprojects verbs: - create @@ -69,9 +63,6 @@ rules: {{- if .Values.applicationSet.enabled }} - applicationsets {{- end }} - {{- if .Values.server.extensions.enabled }} - - argocdextensions - {{- end }} - appprojects verbs: - create diff --git a/charts/argo/argo-cd/templates/argocd-application-controller/clusterrolebinding.yaml b/charts/argo/argo-cd/templates/argocd-application-controller/clusterrolebinding.yaml index 39ee80a67..9ebe80ad1 100644 --- a/charts/argo/argo-cd/templates/argocd-application-controller/clusterrolebinding.yaml +++ b/charts/argo/argo-cd/templates/argocd-application-controller/clusterrolebinding.yaml @@ -12,6 +12,6 @@ roleRef: name: {{ include "argo-cd.controller.fullname" . }} subjects: - kind: ServiceAccount - name: {{ include "argo-cd.controllerServiceAccountName" . }} + name: {{ include "argo-cd.controller.serviceAccountName" . }} namespace: {{ .Release.Namespace }} {{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-application-controller/rolebinding.yaml b/charts/argo/argo-cd/templates/argocd-application-controller/rolebinding.yaml index 5f07f1090..9a87f7711 100644 --- a/charts/argo/argo-cd/templates/argocd-application-controller/rolebinding.yaml +++ b/charts/argo/argo-cd/templates/argocd-application-controller/rolebinding.yaml 
@@ -1,15 +1,15 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "argo-cd.controller.fullname" . }} + name: {{ include "argo-cd.controller.fullname" . }} namespace: {{ .Release.Namespace | quote }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "argo-cd.controller.fullname" . }} + name: {{ include "argo-cd.controller.fullname" . }} subjects: - kind: ServiceAccount - name: {{ template "argo-cd.controllerServiceAccountName" . }} - namespace: {{ .Release.Namespace }} \ No newline at end of file + name: {{ include "argo-cd.controller.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} diff --git a/charts/argo/argo-cd/templates/argocd-application-controller/serviceaccount.yaml b/charts/argo/argo-cd/templates/argocd-application-controller/serviceaccount.yaml index fe56d3767..1b9619d6f 100644 --- a/charts/argo/argo-cd/templates/argocd-application-controller/serviceaccount.yaml +++ b/charts/argo/argo-cd/templates/argocd-application-controller/serviceaccount.yaml 
@@ -3,17 +3,17 @@ apiVersion: v1 kind: ServiceAccount automountServiceAccountToken: {{ .Values.controller.serviceAccount.automountServiceAccountToken }} metadata: - name: {{ template "argo-cd.controllerServiceAccountName" . }} + name: {{ include "argo-cd.controller.serviceAccountName" . }} namespace: {{ .Release.Namespace | quote }} -{{- if .Values.controller.serviceAccount.annotations }} + {{- with .Values.controller.serviceAccount.annotations }} annotations: - {{- range $key, $value := .Values.controller.serviceAccount.annotations }} + {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} -{{- end }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} - {{- range $key, $value := .Values.controller.serviceAccount.labels }} - {{ $key }}: {{ $value | quote }} - {{- end }} + {{- with .Values.controller.serviceAccount.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-application-controller/statefulset.yaml b/charts/argo/argo-cd/templates/argocd-application-controller/statefulset.yaml index 31bce2993..6d1d3e2f2 100644 --- a/charts/argo/argo-cd/templates/argocd-application-controller/statefulset.yaml +++ b/charts/argo/argo-cd/templates/argocd-application-controller/statefulset.yaml @@ -55,7 +55,7 @@ spec: {{- if .Values.controller.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} {{- end }} - serviceAccountName: {{ include "argo-cd.controllerServiceAccountName" . }} + serviceAccountName: {{ include "argo-cd.controller.serviceAccountName" . }} containers: - args: - /usr/local/bin/argocd-application-controller diff --git a/charts/argo/argo-cd/templates/argocd-applicationset/deployment.yaml b/charts/argo/argo-cd/templates/argocd-applicationset/deployment.yaml index b704650ae..655e8f196 100644 
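Review bot: The new `labels` block in the controller `serviceaccount.yaml` renders `.Values.controller.serviceAccount.labels` with `toYaml`, which keeps whatever type the value has in values.yaml, whereas the removed loop piped every value through `quote`. A label given as a boolean or number (for example `enabled: true`, a constructed sample) would now render unquoted, and since Kubernetes label values must be strings the ServiceAccount would presumably be rejected at install time. Keeping the form the annotations block still uses, `{{- range $key, $value := . }}` with `{{ $key }}: {{ $value | quote }}`, avoids that and keeps the two blocks consistent. The same change appears in the applicationSet and notifications `serviceaccount.yaml` hunks later in this diff.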
--- a/charts/argo/argo-cd/templates/argocd-applicationset/deployment.yaml +++ b/charts/argo/argo-cd/templates/argocd-applicationset/deployment.yaml @@ -55,7 +55,7 @@ spec: {{- if .Values.applicationSet.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.applicationSet.terminationGracePeriodSeconds }} {{- end }} - serviceAccountName: {{ include "argo-cd.applicationSetServiceAccountName" . }} + serviceAccountName: {{ include "argo-cd.applicationSet.serviceAccountName" . }} containers: - name: {{ .Values.applicationSet.name }} image: {{ default .Values.global.image.repository .Values.applicationSet.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.applicationSet.image.tag }} diff --git a/charts/argo/argo-cd/templates/argocd-applicationset/rolebinding.yaml b/charts/argo/argo-cd/templates/argocd-applicationset/rolebinding.yaml index 8a70526c6..a012f1ed1 100644 --- a/charts/argo/argo-cd/templates/argocd-applicationset/rolebinding.yaml +++ b/charts/argo/argo-cd/templates/argocd-applicationset/rolebinding.yaml @@ -2,16 +2,16 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "argo-cd.applicationSet.fullname" . }} + name: {{ include "argo-cd.applicationSet.fullname" . }} namespace: {{ .Release.Namespace | quote }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "argo-cd.applicationSet.fullname" . }} + name: {{ include "argo-cd.applicationSet.fullname" . }} subjects: - kind: ServiceAccount - name: {{ template "argo-cd.applicationSetServiceAccountName" . }} + name: {{ include "argo-cd.applicationSet.serviceAccountName" . }} namespace: {{ .Release.Namespace }} {{- end }} 
diff --git a/charts/argo/argo-cd/templates/argocd-applicationset/serviceaccount.yaml b/charts/argo/argo-cd/templates/argocd-applicationset/serviceaccount.yaml index a196626eb..7c0cf0176 100644 --- a/charts/argo/argo-cd/templates/argocd-applicationset/serviceaccount.yaml +++ b/charts/argo/argo-cd/templates/argocd-applicationset/serviceaccount.yaml @@ -3,17 +3,17 @@ apiVersion: v1 kind: ServiceAccount automountServiceAccountToken: {{ .Values.applicationSet.serviceAccount.automountServiceAccountToken }} metadata: - name: {{ template "argo-cd.applicationSetServiceAccountName" . }} + name: {{ include "argo-cd.applicationSet.serviceAccountName" . }} namespace: {{ .Release.Namespace | quote }} -{{- if .Values.applicationSet.serviceAccount.annotations }} + {{- with .Values.applicationSet.serviceAccount.annotations }} annotations: - {{- range $key, $value := .Values.applicationSet.serviceAccount.annotations }} + {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} -{{- end }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }} - {{- range $key, $value := .Values.applicationSet.serviceAccount.labels }} - {{ $key }}: {{ $value | quote }} - {{- end }} + {{- with .Values.applicationSet.serviceAccount.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-notifications/clusterrolebinding.yaml b/charts/argo/argo-cd/templates/argocd-notifications/clusterrolebinding.yaml index 3dba71a2f..cfdba38a9 100644 --- a/charts/argo/argo-cd/templates/argocd-notifications/clusterrolebinding.yaml +++ b/charts/argo/argo-cd/templates/argocd-notifications/clusterrolebinding.yaml 
@@ -11,6 +11,6 @@ roleRef: name: {{ include "argo-cd.notifications.fullname" . }} subjects: - kind: ServiceAccount - name: {{ include "argo-cd.notificationsServiceAccountName" . }} + name: {{ include "argo-cd.notifications.serviceAccountName" . }} namespace: {{ .Release.Namespace }} {{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-notifications/deployment.yaml b/charts/argo/argo-cd/templates/argocd-notifications/deployment.yaml index edee786a4..2ed9f1e8e 100644 --- a/charts/argo/argo-cd/templates/argocd-notifications/deployment.yaml +++ b/charts/argo/argo-cd/templates/argocd-notifications/deployment.yaml @@ -54,7 +54,7 @@ spec: {{- if .Values.notifications.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.notifications.terminationGracePeriodSeconds }} {{- end }} - serviceAccountName: {{ include "argo-cd.notificationsServiceAccountName" . }} + serviceAccountName: {{ include "argo-cd.notifications.serviceAccountName" . }} containers: - name: {{ .Values.notifications.name }} image: {{ default .Values.global.image.repository .Values.notifications.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.notifications.image.tag }} diff --git a/charts/argo/argo-cd/templates/argocd-notifications/rolebinding.yaml b/charts/argo/argo-cd/templates/argocd-notifications/rolebinding.yaml index 7bc6e1d12..323241905 100644 --- a/charts/argo/argo-cd/templates/argocd-notifications/rolebinding.yaml +++ b/charts/argo/argo-cd/templates/argocd-notifications/rolebinding.yaml 
@@ -2,16 +2,16 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "argo-cd.notifications.fullname" . }} + name: {{ include "argo-cd.notifications.fullname" . }} namespace: {{ .Release.Namespace | quote }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "argo-cd.notifications.fullname" . }} + name: {{ include "argo-cd.notifications.fullname" . }} subjects: - kind: ServiceAccount - name: {{ template "argo-cd.notificationsServiceAccountName" . }} + name: {{ include "argo-cd.notifications.serviceAccountName" . }} namespace: {{ .Release.Namespace }} {{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-notifications/serviceaccount.yaml b/charts/argo/argo-cd/templates/argocd-notifications/serviceaccount.yaml index aa8242420..8f58ff8d1 100644 --- a/charts/argo/argo-cd/templates/argocd-notifications/serviceaccount.yaml +++ b/charts/argo/argo-cd/templates/argocd-notifications/serviceaccount.yaml 
@@ -3,17 +3,17 @@ apiVersion: v1 kind: ServiceAccount automountServiceAccountToken: {{ .Values.notifications.serviceAccount.automountServiceAccountToken }} metadata: - name: {{ template "argo-cd.notificationsServiceAccountName" . }} + name: {{ include "argo-cd.notifications.serviceAccountName" . }} namespace: {{ .Release.Namespace | quote }} -{{- if .Values.notifications.serviceAccount.annotations }} + {{- with .Values.notifications.serviceAccount.annotations }} annotations: - {{- range $key, $value := .Values.notifications.serviceAccount.annotations }} + {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} -{{- end }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }} - {{- range $key, $value := .Values.notifications.serviceAccount.labels }} - {{ $key }}: {{ $value | quote }} - {{- end }} + {{- with .Values.notifications.serviceAccount.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml b/charts/argo/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml index c3e21edbc..ba156d241 100644 --- a/charts/argo/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml +++ b/charts/argo/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml @@ -12,6 +12,6 @@ roleRef: name: {{ include "argo-cd.repoServer.fullname" . }} subjects: - kind: ServiceAccount - name: {{ include "argo-cd.repoServerServiceAccountName" . }} + name: {{ include "argo-cd.repoServer.serviceAccountName" . }} namespace: {{ .Release.Namespace }} {{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-repo-server/deployment.yaml b/charts/argo/argo-cd/templates/argocd-repo-server/deployment.yaml index 90941428e..a9565a2e5 100644 --- a/charts/argo/argo-cd/templates/argocd-repo-server/deployment.yaml 
+++ b/charts/argo/argo-cd/templates/argocd-repo-server/deployment.yaml @@ -65,7 +65,7 @@ spec: {{- if .Values.repoServer.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.repoServer.terminationGracePeriodSeconds }} {{- end }} - serviceAccountName: {{ include "argo-cd.repoServerServiceAccountName" . }} + serviceAccountName: {{ include "argo-cd.repoServer.serviceAccountName" . }} containers: - name: {{ .Values.repoServer.name }} image: {{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag }} diff --git a/charts/argo/argo-cd/templates/argocd-repo-server/rolebinding.yaml b/charts/argo/argo-cd/templates/argocd-repo-server/rolebinding.yaml index 8834b7789..ea4baded7 100644 --- a/charts/argo/argo-cd/templates/argocd-repo-server/rolebinding.yaml +++ b/charts/argo/argo-cd/templates/argocd-repo-server/rolebinding.yaml @@ -2,16 +2,16 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "argo-cd.repoServer.fullname" . }} + name: {{ include "argo-cd.repoServer.fullname" . }} namespace: {{ .Release.Namespace | quote }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "argo-cd.repoServer.fullname" . }} + name: {{ include "argo-cd.repoServer.fullname" . }} subjects: - kind: ServiceAccount - name: {{ template "argo-cd.repoServerServiceAccountName" . }} + name: {{ include "argo-cd.repoServer.serviceAccountName" . }} namespace: {{ .Release.Namespace }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-repo-server/serviceaccount.yaml b/charts/argo/argo-cd/templates/argocd-repo-server/serviceaccount.yaml index 7b26928fa..945483fa3 100644 --- a/charts/argo/argo-cd/templates/argocd-repo-server/serviceaccount.yaml 
+++ b/charts/argo/argo-cd/templates/argocd-repo-server/serviceaccount.yaml @@ -3,17 +3,17 @@ apiVersion: v1 kind: ServiceAccount automountServiceAccountToken: {{ .Values.repoServer.serviceAccount.automountServiceAccountToken }} metadata: - name: {{ template "argo-cd.repoServerServiceAccountName" . }} + name: {{ include "argo-cd.repoServer.serviceAccountName" . }} namespace: {{ .Release.Namespace | quote }} -{{- if .Values.repoServer.serviceAccount.annotations }} + {{- with .Values.repoServer.serviceAccount.annotations }} annotations: - {{- range $key, $value := .Values.repoServer.serviceAccount.annotations }} + {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} -{{- end }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }} - {{- range $key, $value := .Values.repoServer.serviceAccount.labels }} - {{ $key }}: {{ $value | quote }} - {{- end }} + {{- range $key, $value := .Values.repoServer.serviceAccount.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-server/clusterrolebinding.yaml b/charts/argo/argo-cd/templates/argocd-server/clusterrolebinding.yaml index 72e4d4504..27fd13d6d 100644 --- a/charts/argo/argo-cd/templates/argocd-server/clusterrolebinding.yaml +++ b/charts/argo/argo-cd/templates/argocd-server/clusterrolebinding.yaml @@ -12,6 +12,6 @@ roleRef: name: {{ include "argo-cd.server.fullname" . }} subjects: - kind: ServiceAccount - name: {{ include "argo-cd.serverServiceAccountName" . }} + name: {{ include "argo-cd.server.serviceAccountName" . }} namespace: {{ .Release.Namespace }} {{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-server/deployment.yaml b/charts/argo/argo-cd/templates/argocd-server/deployment.yaml index 983121a98..a09b56565 100644 --- a/charts/argo/argo-cd/templates/argocd-server/deployment.yaml 
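Review bot: The labels block keeps `range $key, $value := .Values.repoServer.serviceAccount.labels` but replaces its body with `toYaml . | nindent 4`; inside `range` the dot is the current element, so each iteration emits only the label's value and the key is lost, which leaves a malformed `labels:` map as soon as a custom label is set. The applicationSet and notifications service accounts in this commit use `with` for the same block, and this one should match: `{{- with .Values.repoServer.serviceAccount.labels }}`. The argocd-server serviceaccount.yaml hunk repeats the same `range` plus `toYaml .` combination. A `helm template` check with a non-empty `serviceAccount.labels` would catch both.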
+++ b/charts/argo/argo-cd/templates/argocd-server/deployment.yaml @@ -56,7 +56,7 @@ spec: {{- if .Values.server.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} {{- end }} - serviceAccountName: {{ include "argo-cd.serverServiceAccountName" . }} + serviceAccountName: {{ include "argo-cd.server.serviceAccountName" . }} containers: - name: {{ .Values.server.name }} image: {{ default .Values.global.image.repository .Values.server.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.server.image.tag }} @@ -357,13 +357,22 @@ spec: lifecycle: {{- toYaml . | nindent 10 }} {{- end }} + {{- with .Values.server.extraContainers }} + {{- tpl (toYaml .) $ | nindent 6 }} + {{- end }} + {{- if or .Values.server.initContainers (and .Values.server.extensions.enabled .Values.server.extensions.extensionList) }} + initContainers: + {{- with .Values.server.initContainers }} + {{- tpl (toYaml .) $ | nindent 6 }} + {{- end }} {{- if .Values.server.extensions.enabled }} - - name: argocd-extensions - image: {{ .Values.server.extensions.image.repository }}:{{ .Values.server.extensions.image.tag }} - imagePullPolicy: {{ .Values.server.extensions.image.imagePullPolicy }} + {{- range .Values.server.extensions.extensionList }} + - name: {{ .name }} + image: {{ $.Values.server.extensions.image.repository }}:{{ $.Values.server.extensions.image.tag }} + imagePullPolicy: {{ default $.Values.global.image.imagePullPolicy $.Values.server.extensions.image.imagePullPolicy }} resources: - {{- toYaml .Values.server.extensions.resources | nindent 10 }} - {{- with .Values.server.extensions.containerSecurityContext }} + {{- toYaml $.Values.server.extensions.resources | nindent 10 }} + {{- with $.Values.server.extensions.containerSecurityContext }} securityContext: {{- toYaml . | nindent 10 }} {{- end }} 
@@ -372,13 +381,10 @@ spec: mountPath: /tmp/extensions/ - name: tmp mountPath: /tmp + env: + {{- toYaml .env | nindent 10 }} {{- end }} - {{- with .Values.server.extraContainers }} - {{- tpl (toYaml .) $ | nindent 6 }} {{- end }} - {{- with .Values.server.initContainers }} - initContainers: - {{- tpl (toYaml .) $ | nindent 6 }} {{- end }} {{- with include "argo-cd.affinity" (dict "context" . "component" .Values.server) }} affinity: diff --git a/charts/argo/argo-cd/templates/argocd-server/role.yaml b/charts/argo/argo-cd/templates/argocd-server/role.yaml index 6bfe32a49..adc6f0142 100644 --- a/charts/argo/argo-cd/templates/argocd-server/role.yaml +++ b/charts/argo/argo-cd/templates/argocd-server/role.yaml @@ -27,9 +27,6 @@ rules: - applicationsets {{- end }} - appprojects - {{- if .Values.server.extensions.enabled }} - - argocdextensions - {{- end }} verbs: - create - get diff --git a/charts/argo/argo-cd/templates/argocd-server/rolebinding.yaml b/charts/argo/argo-cd/templates/argocd-server/rolebinding.yaml index 93b1fa948..61276d603 100644 --- a/charts/argo/argo-cd/templates/argocd-server/rolebinding.yaml +++ b/charts/argo/argo-cd/templates/argocd-server/rolebinding.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "argo-cd.server.fullname" . }} + name: {{ include "argo-cd.server.fullname" . }} namespace: {{ .Release.Namespace | quote }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} @@ -11,5 +11,5 @@ roleRef: name: {{ template "argo-cd.server.fullname" . }} subjects: - kind: ServiceAccount - name: {{ template "argo-cd.serverServiceAccountName" . }} - namespace: {{ .Release.Namespace }} \ No newline at end of file + name: {{ include "argo-cd.server.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} 
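Review bot: `env:` is emitted for every `extensionList` entry whether or not the entry defines `env`, so an entry that only has a `name` renders `env:` followed by `null` and produces an init container with no download settings. Wrapping the two added lines in `{{- with .env }}` … `{{- end }}` and using `toYaml . | nindent 10` inside it would omit the key when it is unset. The container block these lines belong to starts in the preceding hunk, where `- name: {{ .name }}` is rendered without a `required` check, so an entry without a name would only fail at apply time.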
diff --git a/charts/argo/argo-cd/templates/argocd-server/serviceaccount.yaml b/charts/argo/argo-cd/templates/argocd-server/serviceaccount.yaml index 5d03aaf60..12f571fde 100644 --- a/charts/argo/argo-cd/templates/argocd-server/serviceaccount.yaml +++ b/charts/argo/argo-cd/templates/argocd-server/serviceaccount.yaml @@ -3,17 +3,17 @@ apiVersion: v1 kind: ServiceAccount automountServiceAccountToken: {{ .Values.server.serviceAccount.automountServiceAccountToken }} metadata: - name: {{ template "argo-cd.serverServiceAccountName" . }} + name: {{ include "argo-cd.server.serviceAccountName" . }} namespace: {{ .Release.Namespace | quote }} -{{- if .Values.server.serviceAccount.annotations }} + {{- with .Values.server.serviceAccount.annotations }} annotations: - {{- range $key, $value := .Values.server.serviceAccount.annotations }} + {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} -{{- end }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} - {{- range $key, $value := .Values.server.serviceAccount.labels }} - {{ $key }}: {{ $value | quote }} - {{- end }} + {{- range $key, $value := .Values.server.serviceAccount.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} diff --git a/charts/argo/argo-cd/templates/crds/crd-extension.yaml b/charts/argo/argo-cd/templates/crds/crd-extension.yaml deleted file mode 100644 index 30fbce70b..000000000 --- a/charts/argo/argo-cd/templates/crds/crd-extension.yaml +++ /dev/null 
@@ -1,107 +0,0 @@ -{{- if and .Values.crds.install .Values.server.extensions.enabled }} -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - {{- if .Values.crds.keep }} - "helm.sh/resource-policy": keep - {{- end }} - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - controller-gen.kubebuilder.io/version: v0.4.1 - labels: - app.kubernetes.io/name: argocdextensions.argoproj.io - app.kubernetes.io/part-of: argocd - {{- with .Values.crds.additionalLabels }} - {{- toYaml . | nindent 4}} - {{- end }} - name: argocdextensions.argoproj.io -spec: - group: argoproj.io - names: - kind: ArgoCDExtension - listKind: ArgoCDExtensionList - plural: argocdextensions - singular: argocdextension - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ArgoCDExtension is the Schema for the argocdextensions API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ArgoCDExtensionSpec defines the desired state of ArgoCDExtension - properties: - sources: - description: Sources specifies where the extension should come from - items: - description: ExtensionSource specifies where the extension should - be sourced from - properties: - git: - description: Git is specified if the extension should be sourced - from a git repository - properties: - revision: - description: Revision specifies the revision of the Repository - to fetch - type: string - url: - description: URL specifies the Git repository URL to fetch - type: string - type: object - web: - description: Web is specified if the extension should be sourced - from a web file - properties: - url: - description: URK specifies the remote file URL - type: string - type: object - type: object - type: array - required: - - sources - type: object - status: - description: ArgoCDExtensionStatus defines the observed state of ArgoCDExtension - properties: - conditions: - items: - properties: - message: - description: Message contains human-readable message indicating - details about condition - type: string - status: - description: Boolean status describing if the condition is currently - true - type: string - type: - description: Type is an ArgoCDExtension condition type - type: string - required: - - message - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true -{{- end }} diff --git a/charts/argo/argo-cd/templates/dex/deployment.yaml b/charts/argo/argo-cd/templates/dex/deployment.yaml index 9f782c8d6..c8e2c9293 100644 --- a/charts/argo/argo-cd/templates/dex/deployment.yaml +++ b/charts/argo/argo-cd/templates/dex/deployment.yaml 
@@ -58,7 +58,7 @@ spec: {{- if .Values.dex.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.dex.terminationGracePeriodSeconds }} {{- end }} - serviceAccountName: {{ template "argo-cd.dexServiceAccountName" . }} + serviceAccountName: {{ template "argo-cd.dex.serviceAccountName" . }} containers: - name: {{ .Values.dex.name }} image: {{ .Values.dex.image.repository }}:{{ .Values.dex.image.tag }} diff --git a/charts/argo/argo-cd/templates/dex/rolebinding.yaml b/charts/argo/argo-cd/templates/dex/rolebinding.yaml index 08da15442..30b92c06e 100644 --- a/charts/argo/argo-cd/templates/dex/rolebinding.yaml +++ b/charts/argo/argo-cd/templates/dex/rolebinding.yaml @@ -2,16 +2,16 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "argo-cd.dex.fullname" . }} + name: {{ include "argo-cd.dex.fullname" . }} namespace: {{ .Release.Namespace | quote }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.dex.name "name" .Values.dex.name) | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "argo-cd.dex.fullname" . }} + name: {{ include "argo-cd.dex.fullname" . }} subjects: - kind: ServiceAccount - name: {{ template "argo-cd.dexServiceAccountName" . }} + name: {{ include "argo-cd.dex.serviceAccountName" . }} namespace: {{ .Release.Namespace }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/argo/argo-cd/templates/dex/serviceaccount.yaml b/charts/argo/argo-cd/templates/dex/serviceaccount.yaml index 65abd57cd..66bf30768 100644 --- a/charts/argo/argo-cd/templates/dex/serviceaccount.yaml +++ b/charts/argo/argo-cd/templates/dex/serviceaccount.yaml 
@@ -3,14 +3,14 @@ apiVersion: v1 kind: ServiceAccount automountServiceAccountToken: {{ .Values.dex.serviceAccount.automountServiceAccountToken }} metadata: - name: {{ template "argo-cd.dexServiceAccountName" . }} + name: {{ include "argo-cd.dex.serviceAccountName" . }} namespace: {{ .Release.Namespace | quote }} -{{- if .Values.dex.serviceAccount.annotations }} + {{- with .Values.dex.serviceAccount.annotations }} annotations: - {{- range $key, $value := .Values.dex.serviceAccount.annotations }} + {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} -{{- end }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.dex.name "name" .Values.dex.name) | nindent 4 }} {{- end }} diff --git a/charts/argo/argo-cd/templates/redis/deployment.yaml b/charts/argo/argo-cd/templates/redis/deployment.yaml index 3f272d027..b3182245f 100644 --- a/charts/argo/argo-cd/templates/redis/deployment.yaml +++ b/charts/argo/argo-cd/templates/redis/deployment.yaml @@ -51,7 +51,7 @@ spec: {{- if .Values.redis.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.redis.terminationGracePeriodSeconds }} {{- end }} - serviceAccountName: {{ include "argo-cd.redisServiceAccountName" . }} + serviceAccountName: {{ include "argo-cd.redis.serviceAccountName" . }} containers: - name: {{ .Values.redis.name }} image: {{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }} diff --git a/charts/argo/argo-cd/templates/redis/serviceaccount.yaml b/charts/argo/argo-cd/templates/redis/serviceaccount.yaml index 503fb4347..f45ece132 100644 --- a/charts/argo/argo-cd/templates/redis/serviceaccount.yaml +++ b/charts/argo/argo-cd/templates/redis/serviceaccount.yaml 
@@ -3,14 +3,14 @@ apiVersion: v1 kind: ServiceAccount automountServiceAccountToken: {{ .Values.redis.serviceAccount.automountServiceAccountToken }} metadata: - name: {{ template "argo-cd.redisServiceAccountName" . }} + name: {{ include "argo-cd.redis.serviceAccountName" . }} namespace: {{ .Release.Namespace | quote }} -{{- if .Values.redis.serviceAccount.annotations }} + {{- with .Values.redis.serviceAccount.annotations }} annotations: - {{- range $key, $value := .Values.redis.serviceAccount.annotations }} + {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} -{{- end }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }} {{- end }} diff --git a/charts/argo/argo-cd/values.yaml b/charts/argo/argo-cd/values.yaml index c4480e6ce..bc93065ee 100644 --- a/charts/argo/argo-cd/values.yaml +++ b/charts/argo/argo-cd/values.yaml 
@@ -1574,29 +1574,41 @@ server: # -- Specify postStart and preStop lifecycle hooks for your argo-cd-server container lifecycle: {} - ## Argo UI extensions + ## Argo CD extensions ## This function in tech preview stage, do expect instability or breaking changes in newer versions. - ## Ref: https://github.com/argoproj-labs/argocd-extensions + ## Ref: https://github.com/argoproj-labs/argocd-extension-installer extensions: - # -- Enable support for Argo UI extensions + # -- Enable support for Argo CD extensions enabled: false - ## Argo UI extensions image + ## Argo CD extension installer image image: - # -- Repository to use for extensions image - repository: "ghcr.io/argoproj-labs/argocd-extensions" - # -- Tag to use for extensions image - tag: "v0.2.1" + # -- Repository to use for extension installer image + repository: "quay.io/argoprojlabs/argocd-extension-installer" + # -- Tag to use for extension installer image + tag: "v0.0.1" # -- Image pull policy for extensions # @default -- `""` (defaults to global.image.imagePullPolicy) imagePullPolicy: "" + # -- Extensions for Argo CD + # @default -- `[]` (See [values.yaml]) + ## Ref: https://github.com/argoproj-labs/argocd-extension-metrics#install-ui-extension + extensionList: [] + # - name: extension-metrics + # env: + # - name: EXTENSION_URL + # value: https://github.com/argoproj-labs/argocd-extension-metrics/releases/download/v1.0.0/extension.tar.gz + # - name: EXTENSION_CHECKSUM_URL + # value: https://github.com/argoproj-labs/argocd-extension-metrics/releases/download/v1.0.0/extension_checksums.txt + # -- Server UI extensions container-level security context # @default -- See [values.yaml] containerSecurityContext: runAsNonRoot: true readOnlyRootFilesystem: true allowPrivilegeEscalation: false + runAsUser: 1000 seccompProfile: type: RuntimeDefault capabilities: diff --git a/charts/bitnami/airflow/Chart.lock b/charts/bitnami/airflow/Chart.lock index fde5ef124..6d3a801e7 100644 --- a/charts/bitnami/airflow/Chart.lock 
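Review bot: The new `extensionList` example has the server pod download and unpack a remote archive at start-up, and the comments do not say what protects that download. In the example the checksum file is served from the same release path as the archive, so it catches a corrupted transfer but not a replaced release asset, and the installer image is referenced by the tag `v0.0.1` rather than by digest. I would add a comment above `extensionList`, for example `## The installer fetches and unpacks EXTENSION_URL into the server's extensions volume at pod start; always set EXTENSION_CHECKSUM_URL and point both URLs at a fixed release.`, and a line next to `tag` recommending a digest-pinned reference where immutability matters. The block is already marked tech preview, which makes the trust assumption worth stating.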
+++ b/charts/bitnami/airflow/Chart.lock @@ -1,12 +1,12 @@ dependencies: - name: redis repository: oci://registry-1.docker.io/bitnamicharts - version: 18.4.0 + version: 18.6.1 - name: postgresql repository: oci://registry-1.docker.io/bitnamicharts - version: 13.2.16 + version: 13.2.27 - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.13.3 -digest: sha256:00986f0bf8292bfaead2714784652230c1e6b9a36e39b2f0a55cf9e3883f050c -generated: "2023-11-24T19:10:36.648780489Z" + version: 2.14.1 +digest: sha256:bef0f24c8d9770d8e345aa48d54af3e778dce58c14f2219899cd8ad5a4e15b9c +generated: "2024-01-03T11:43:19.465902594Z" diff --git a/charts/bitnami/airflow/Chart.yaml b/charts/bitnami/airflow/Chart.yaml index c26776d89..8e1e386b4 100644 --- a/charts/bitnami/airflow/Chart.yaml +++ b/charts/bitnami/airflow/Chart.yaml @@ -6,20 +6,20 @@ annotations: category: WorkFlow images: | - name: airflow-exporter - image: docker.io/bitnami/airflow-exporter:0.20220314.0-debian-11-r440 + image: docker.io/bitnami/airflow-exporter:0.20220314.0-debian-11-r441 - name: airflow-scheduler - image: docker.io/bitnami/airflow-scheduler:2.7.3-debian-11-r2 + image: docker.io/bitnami/airflow-scheduler:2.8.0-debian-11-r1 - name: airflow-worker - image: docker.io/bitnami/airflow-worker:2.7.3-debian-11-r2 + image: docker.io/bitnami/airflow-worker:2.8.0-debian-11-r1 - name: airflow - image: docker.io/bitnami/airflow:2.7.3-debian-11-r2 + image: docker.io/bitnami/airflow:2.8.0-debian-11-r1 - name: git - image: docker.io/bitnami/git:2.43.0-debian-11-r0 + image: docker.io/bitnami/git:2.43.0-debian-11-r5 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r91 + image: docker.io/bitnami/os-shell:11-debian-11-r93 licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.7.3 +appVersion: 2.8.0 dependencies: - condition: redis.enabled name: redis 
@@ -50,4 +50,4 @@ maintainers: name: airflow sources: - https://github.com/bitnami/charts/tree/main/bitnami/airflow -version: 16.1.6 +version: 16.1.11 diff --git a/charts/bitnami/airflow/README.md b/charts/bitnami/airflow/README.md index 20d1fc104..e555f8e99 100644 --- a/charts/bitnami/airflow/README.md +++ b/charts/bitnami/airflow/README.md @@ -405,9 +405,9 @@ The command removes all the Kubernetes components associated with the chart and | Name | Description | Value | | --------------------------------------------- | ---------------------------------------------------------------------- | ------- | -| `serviceAccount.create` | Enable creation of ServiceAccount for Airflow pods | `false` | +| `serviceAccount.create` | Enable creation of ServiceAccount for Airflow pods | `true` | | `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` | +| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` | | `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | | `rbac.create` | Create Role and RoleBinding | `false` | | `rbac.rules` | Custom RBAC rules to set | `[]` | @@ -523,7 +523,7 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/airfl ## Configuration and installation details -### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) +### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. 
@@ -717,7 +717,7 @@ Refer to the [chart documentation for more information about how to upgrade from ## License -Copyright © 2023 VMware, Inc. +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/charts/bitnami/airflow/charts/common/Chart.yaml b/charts/bitnami/airflow/charts/common/Chart.yaml index 40cd22d77..9a6aa881f 100644 --- a/charts/bitnami/airflow/charts/common/Chart.yaml +++ b/charts/bitnami/airflow/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.13.3 +appVersion: 2.14.1 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.13.3 +version: 2.14.1 diff --git a/charts/bitnami/airflow/charts/common/README.md b/charts/bitnami/airflow/charts/common/README.md index 80da4cc2f..a76fa46a2 100644 --- a/charts/bitnami/airflow/charts/common/README.md +++ b/charts/bitnami/airflow/charts/common/README.md @@ -24,14 +24,14 @@ data: myvalue: "Hello World" ``` +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. + ## Introduction This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. -Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - ## Prerequisites - Kubernetes 1.23+ 
diff --git a/charts/bitnami/airflow/charts/common/templates/_secrets.tpl b/charts/bitnami/airflow/charts/common/templates/_secrets.tpl index a193c46b6..84dbe3803 100644 --- a/charts/bitnami/airflow/charts/common/templates/_secrets.tpl +++ b/charts/bitnami/airflow/charts/common/templates/_secrets.tpl @@ -78,6 +78,8 @@ Params: - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - context - Context - Required - Parent context. - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. The order in which this function returns a secret password: 1. Already existing 'Secret' resource (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) @@ -91,7 +93,6 @@ The order in which this function returns a secret password: {{- $password := "" }} {{- $subchart := "" }} -{{- $failOnNew := default true .failOnNew }} {{- $chartName := default "" .chartName }} {{- $passwordLength := default 10 .length }} {{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} 
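Review bot: The new `skipB64enc` parameter line reads "no the secret will not be base64 encrypted"; apart from the stray "no", base64 is an encoding and not encryption, and the wording can leave a chart author believing the default output is protected. Suggested text: `- skipB64enc - Boolean - Optional - Default to false. If set to true, the secret will not be base64 encoded.` One more line would help, saying that the cleartext result is intended for fields that expect the raw value (such as a Secret's `stringData`) and should not be rendered into a ConfigMap or an annotation. The same comment is added in the copy under charts/postgresql/charts/common.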
@@ -99,12 +100,14 @@ The order in which this function returns a secret password: {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} {{- if $secretData }} {{- if hasKey $secretData .key }} - {{- $password = index $secretData .key | quote }} - {{- else if $failOnNew }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} {{- end -}} {{- else if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString | b64enc | quote }} + {{- $password = $providedPasswordValue | toString }} {{- else }} {{- if .context.Values.enabled }} @@ -120,12 +123,19 @@ The order in which this function returns a secret password: {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} {{- $password = randAscii $passwordLength }} {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} {{- else }} - {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- $password = randAlphaNum $passwordLength }} {{- end }} {{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} +{{- end -}} +{{- if .skipQuote -}} {{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} {{- end -}} {{/* diff --git a/charts/bitnami/airflow/charts/postgresql/Chart.lock b/charts/bitnami/airflow/charts/postgresql/Chart.lock index 35f80ca85..5f5e5abcf 100644 --- a/charts/bitnami/airflow/charts/postgresql/Chart.lock +++ b/charts/bitnami/airflow/charts/postgresql/Chart.lock 
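Review bot: When the Secret already exists but lacks `.key`, `failOnNew` is false and no value is provided, none of the branches in the first hunk assigns `$password`, so it keeps its initial `""` and the helper returns an empty password (encoded and quoted) instead of generating one. The generation code sits in the outer `else` and is not reached in that case. A final branch such as `{{- else }}` followed by `{{- $password = randAlphaNum $passwordLength }}` would close the gap, or the helper could `fail` there; which is right depends on callers that are not visible here. The helper's definition starts above this hunk.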
@@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.13.3 -digest: sha256:9a971689db0c66ea95ac2e911c05014c2b96c6077c991131ff84f2982f88fb83 -generated: "2023-11-03T20:45:06.276989379Z" + version: 2.14.1 +digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3 +generated: "2023-12-20T20:39:13.141839286Z" diff --git a/charts/bitnami/airflow/charts/postgresql/Chart.yaml b/charts/bitnami/airflow/charts/postgresql/Chart.yaml index 517901609..27462200b 100644 --- a/charts/bitnami/airflow/charts/postgresql/Chart.yaml +++ b/charts/bitnami/airflow/charts/postgresql/Chart.yaml @@ -2,11 +2,11 @@ annotations: category: Database images: | - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r91 + image: docker.io/bitnami/os-shell:11-debian-11-r93 - name: postgres-exporter - image: docker.io/bitnami/postgres-exporter:0.15.0-debian-11-r2 + image: docker.io/bitnami/postgres-exporter:0.15.0-debian-11-r4 - name: postgresql - image: docker.io/bitnami/postgresql:16.1.0-debian-11-r9 + image: docker.io/bitnami/postgresql:16.1.0-debian-11-r18 licenses: Apache-2.0 apiVersion: v2 appVersion: 16.1.0 @@ -34,4 +34,4 @@ maintainers: name: postgresql sources: - https://github.com/bitnami/charts/tree/main/bitnami/postgresql -version: 13.2.16 +version: 13.2.27 diff --git a/charts/bitnami/airflow/charts/postgresql/charts/common/Chart.yaml b/charts/bitnami/airflow/charts/postgresql/charts/common/Chart.yaml index 40cd22d77..9a6aa881f 100644 --- a/charts/bitnami/airflow/charts/postgresql/charts/common/Chart.yaml +++ b/charts/bitnami/airflow/charts/postgresql/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.13.3 +appVersion: 2.14.1 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com 
@@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.13.3 +version: 2.14.1 diff --git a/charts/bitnami/airflow/charts/postgresql/charts/common/README.md b/charts/bitnami/airflow/charts/postgresql/charts/common/README.md index 80da4cc2f..a76fa46a2 100644 --- a/charts/bitnami/airflow/charts/postgresql/charts/common/README.md +++ b/charts/bitnami/airflow/charts/postgresql/charts/common/README.md @@ -24,14 +24,14 @@ data: myvalue: "Hello World" ``` +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. + ## Introduction This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. -Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - ## Prerequisites - Kubernetes 1.23+ diff --git a/charts/bitnami/airflow/charts/postgresql/charts/common/templates/_secrets.tpl b/charts/bitnami/airflow/charts/postgresql/charts/common/templates/_secrets.tpl index a193c46b6..84dbe3803 100644 --- a/charts/bitnami/airflow/charts/postgresql/charts/common/templates/_secrets.tpl +++ b/charts/bitnami/airflow/charts/postgresql/charts/common/templates/_secrets.tpl 
@@ -78,6 +78,8 @@ Params: - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - context - Context - Required - Parent context. - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. The order in which this function returns a secret password: 1. Already existing 'Secret' resource (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) @@ -91,7 +93,6 @@ The order in which this function returns a secret password: {{- $password := "" }} {{- $subchart := "" }} -{{- $failOnNew := default true .failOnNew }} {{- $chartName := default "" .chartName }} {{- $passwordLength := default 10 .length }} {{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} 
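Review bot: The new `skipB64enc` parameter line describes base64 as encryption and carries a stray "no" ("no the secret will not be base64 encrypted"). Base64 is an encoding and gives no confidentiality, so calling it encryption in the helper's docs invites treating the rendered value as protected. Suggested wording: `- skipB64enc - Boolean - Optional - Default to false. If set to true, the secret will not be base64 encoded.` The same comment line appears in the redis sub-chart copy of `_secrets.tpl` further down.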
@@ -99,12 +100,14 @@ The order in which this function returns a secret password: {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} {{- if $secretData }} {{- if hasKey $secretData .key }} - {{- $password = index $secretData .key | quote }} - {{- else if $failOnNew }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} {{- end -}} {{- else if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString | b64enc | quote }} + {{- $password = $providedPasswordValue | toString }} {{- else }} {{- if .context.Values.enabled }} @@ -120,12 +123,19 @@ The order in which this function returns a secret password: {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} {{- $password = randAscii $passwordLength }} {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} {{- else }} - {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- $password = randAlphaNum $passwordLength }} {{- end }} {{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} +{{- end -}} +{{- if .skipQuote -}} {{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} {{- end -}} {{/* diff --git a/charts/bitnami/airflow/charts/postgresql/templates/_helpers.tpl b/charts/bitnami/airflow/charts/postgresql/templates/_helpers.tpl index 2c5c7f9f2..0ab9fd037 100644 --- a/charts/bitnami/airflow/charts/postgresql/templates/_helpers.tpl +++ b/charts/bitnami/airflow/charts/postgresql/templates/_helpers.tpl 
@@ -66,7 +66,7 @@ Return the proper image name (for the init container volume-permissions image) Return the proper Docker Image Registry Secret Names */}} {{- define "postgresql.v1.imagePullSecrets" -}} -{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "global" .Values.global) }} +{{ include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "context" $) }} {{- end -}} {{/* diff --git a/charts/bitnami/airflow/charts/postgresql/templates/primary/statefulset.yaml b/charts/bitnami/airflow/charts/postgresql/templates/primary/statefulset.yaml index 9735ed5ec..cb9374d6b 100644 --- a/charts/bitnami/airflow/charts/postgresql/templates/primary/statefulset.yaml +++ b/charts/bitnami/airflow/charts/postgresql/templates/primary/statefulset.yaml @@ -509,15 +509,16 @@ spec: {{- $database := required "In order to enable metrics you need to specify a database (.Values.auth.database or .Values.global.postgresql.auth.database)" (include "postgresql.v1.database" .) }} - name: DATA_SOURCE_URI value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.v1.service.port" .)) $database }} + {{- $pwdKey := ternary (include "postgresql.v1.adminPasswordKey" .) (include "postgresql.v1.userPasswordKey" .) (or (eq $customUser "postgres") (empty $customUser)) }} {{- if .Values.auth.usePasswordFiles }} - name: DATA_SOURCE_PASS_FILE - value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.userPasswordKey" .) }} + value: {{ printf "/opt/bitnami/postgresql/secrets/%s" $pwdKey }} {{- else }} - name: DATA_SOURCE_PASS valueFrom: secretKeyRef: name: {{ include "postgresql.v1.secretName" . }} - key: {{ include "postgresql.v1.userPasswordKey" . }} + key: {{ $pwdKey }} {{- end }} - name: DATA_SOURCE_USER value: {{ default "postgres" $customUser | quote }} 
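Review bot: In the `statefulset.yaml` hunk, the `$pwdKey` ternary and the `DATA_SOURCE_USER` default a few lines below encode the same rule (empty or `postgres` means the admin account) in two places, so a later edit to one can silently pair the exporter with the wrong credential. A short comment on the ternary would help, e.g. `{{- /* keep in sync with DATA_SOURCE_USER: empty or "postgres" selects the admin key */}}`. The rule also hands the metrics sidecar the superuser password whenever no custom user is set; if the chart is meant to support a restricted monitoring role, that default deserves a mention in the values docs. With `auth.usePasswordFiles`, confirm that the admin key file is actually present under `/opt/bitnami/postgresql/secrets/` in the metrics container, since the mount is outside this hunk. `$customUser` is also defined outside the hunk, so its source is not checked here.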
diff --git a/charts/bitnami/airflow/charts/postgresql/values.yaml b/charts/bitnami/airflow/charts/postgresql/values.yaml index 921ffca27..aa62e4237 100644 --- a/charts/bitnami/airflow/charts/postgresql/values.yaml +++ b/charts/bitnami/airflow/charts/postgresql/values.yaml @@ -98,7 +98,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/postgresql - tag: 16.1.0-debian-11-r9 + tag: 16.1.0-debian-11-r18 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1300,7 +1300,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r91 + tag: 11-debian-11-r93 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1401,7 +1401,7 @@ metrics: image: registry: docker.io repository: bitnami/postgres-exporter - tag: 0.15.0-debian-11-r2 + tag: 0.15.0-debian-11-r4 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/bitnami/airflow/charts/redis/Chart.lock b/charts/bitnami/airflow/charts/redis/Chart.lock index 694a2da76..01190b829 100644 --- a/charts/bitnami/airflow/charts/redis/Chart.lock +++ b/charts/bitnami/airflow/charts/redis/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.13.3 -digest: sha256:9a971689db0c66ea95ac2e911c05014c2b96c6077c991131ff84f2982f88fb83 -generated: "2023-10-19T12:32:36.790999138Z" + version: 2.14.1 +digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3 +generated: "2023-12-19T19:11:00.40217662Z" diff --git a/charts/bitnami/airflow/charts/redis/Chart.yaml b/charts/bitnami/airflow/charts/redis/Chart.yaml index 0aa1bc3cf..8d1b456d7 100644 --- a/charts/bitnami/airflow/charts/redis/Chart.yaml +++ b/charts/bitnami/airflow/charts/redis/Chart.yaml 
@@ -2,13 +2,13 @@ annotations: category: Database images: | - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r91 + image: docker.io/bitnami/os-shell:11-debian-11-r92 - name: redis-exporter - image: docker.io/bitnami/redis-exporter:1.55.0-debian-11-r2 + image: docker.io/bitnami/redis-exporter:1.55.0-debian-11-r3 - name: redis-sentinel - image: docker.io/bitnami/redis-sentinel:7.2.3-debian-11-r1 + image: docker.io/bitnami/redis-sentinel:7.2.3-debian-11-r2 - name: redis - image: docker.io/bitnami/redis:7.2.3-debian-11-r1 + image: docker.io/bitnami/redis:7.2.3-debian-11-r2 licenses: Apache-2.0 apiVersion: v2 appVersion: 7.2.3 @@ -33,4 +33,4 @@ maintainers: name: redis sources: - https://github.com/bitnami/charts/tree/main/bitnami/redis -version: 18.4.0 +version: 18.6.1 diff --git a/charts/bitnami/airflow/charts/redis/README.md b/charts/bitnami/airflow/charts/redis/README.md index 6305aaf82..fb9f29bae 100644 --- a/charts/bitnami/airflow/charts/redis/README.md +++ b/charts/bitnami/airflow/charts/redis/README.md @@ -11,10 +11,10 @@ Disclaimer: Redis is a registered trademark of Redis Ltd. Any rights therein are ## TL;DR ```console -helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/redis +helm install my-release oci://registry-1.docker.io/bitnamicharts/redis ``` -> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +Looking to use Redisreg; in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. ## Introduction 
@@ -37,8 +37,6 @@ The main features of each chart are the following: | Single write point (single master) | Multiple write points (multiple masters) | | ![Redis® Topology](img/redis-topology.png) | ![Redis® Cluster Topology](img/redis-cluster-topology.png) | -Looking to use Redisreg; in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - ## Prerequisites - Kubernetes 1.23+ @@ -87,6 +85,7 @@ The command removes all the Kubernetes components associated with the chart and | `kubeVersion` | Override Kubernetes version | `""` | | `nameOverride` | String to partially override common.names.fullname | `""` | | `fullnameOverride` | String to fully override common.names.fullname | `""` | +| `namespaceOverride` | String to fully override common.names.namespace | `""` | | `commonLabels` | Labels to add to all deployed objects | `{}` | | `commonAnnotations` | Annotations to add to all deployed objects | `{}` | | `secretAnnotations` | Annotations to add to secret | `{}` | @@ -222,6 +221,7 @@ The command removes all the Kubernetes components associated with the chart and | `master.service.internalTrafficPolicy` | Redis® master service internal traffic policy (requires Kubernetes v1.22 or greater to be usable) | `Cluster` | | `master.service.clusterIP` | Redis® master service Cluster IP | `""` | | `master.service.loadBalancerIP` | Redis® master service Load Balancer IP | `""` | +| `master.service.loadBalancerClass` | master service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | | `master.service.loadBalancerSourceRanges` | Redis® master service Load Balancer sources | `[]` | | `master.service.externalIPs` | Redis® master service External IPs | `[]` | | `master.service.annotations` | Additional custom annotations for Redis® master service | `{}` | 
@@ -335,6 +335,7 @@ The command removes all the Kubernetes components associated with the chart and | `replica.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | | `replica.service.clusterIP` | Redis® replicas service Cluster IP | `""` | | `replica.service.loadBalancerIP` | Redis® replicas service Load Balancer IP | `""` | +| `replica.service.loadBalancerClass` | replicas service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | | `replica.service.loadBalancerSourceRanges` | Redis® replicas service Load Balancer sources | `[]` | | `replica.service.annotations` | Additional custom annotations for Redis® replicas service | `{}` | | `replica.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | @@ -437,6 +438,7 @@ The command removes all the Kubernetes components associated with the chart and | `sentinel.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | | `sentinel.service.clusterIP` | Redis® Sentinel service Cluster IP | `""` | | `sentinel.service.loadBalancerIP` | Redis® Sentinel service Load Balancer IP | `""` | +| `sentinel.service.loadBalancerClass` | sentinel service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | | `sentinel.service.loadBalancerSourceRanges` | Redis® Sentinel service Load Balancer sources | `[]` | | `sentinel.service.annotations` | Additional custom annotations for Redis® Sentinel service | `{}` | | `sentinel.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | 
@@ -532,6 +534,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.service.externalTrafficPolicy` | Redis® exporter service external traffic policy | `Cluster` | | `metrics.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | | `metrics.service.loadBalancerIP` | Redis® exporter service Load Balancer IP | `""` | +| `metrics.service.loadBalancerClass` | exporter service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | | `metrics.service.loadBalancerSourceRanges` | Redis® exporter service Load Balancer sources | `[]` | | `metrics.service.annotations` | Additional custom annotations for Redis® exporter service | `{}` | | `metrics.service.clusterIP` | Redis® exporter service Cluster IP | `""` | @@ -616,7 +619,7 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/redis ``` > Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. -> **Tip**: You can use the default [values.yaml](values.yaml) +> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/redis/values.yaml) ## Configuration and installation details 
@@ -864,7 +867,7 @@ The Redis® sentinel exporter was removed in this version because the upstrea - `sentinel.metrics.*` parameters are deprecated in favor of `metrics.sentinel.*` ones. - New parameters to add custom command, environment variables, sidecars, init containers, etc. were added. - Chart labels were adapted to follow the [Helm charts standard labels](https://helm.sh/docs/chart_best_practices/labels/#standard-labels). -- values.yaml metadata was adapted to follow the format supported by [Readme Generator for Helm](https://github.com/bitnami-labs/readme-generator-for-helm). +- values.yaml metadata was adapted to follow the format supported by [Readme Generator for Helm](https://github.com/bitnami/readme-generator-for-helm). Consequences: diff --git a/charts/bitnami/airflow/charts/redis/charts/common/Chart.yaml b/charts/bitnami/airflow/charts/redis/charts/common/Chart.yaml index 40cd22d77..9a6aa881f 100644 --- a/charts/bitnami/airflow/charts/redis/charts/common/Chart.yaml +++ b/charts/bitnami/airflow/charts/redis/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.13.3 +appVersion: 2.14.1 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.13.3 +version: 2.14.1 diff --git a/charts/bitnami/airflow/charts/redis/charts/common/README.md b/charts/bitnami/airflow/charts/redis/charts/common/README.md index 80da4cc2f..a76fa46a2 100644 --- a/charts/bitnami/airflow/charts/redis/charts/common/README.md +++ b/charts/bitnami/airflow/charts/redis/charts/common/README.md 
@@ -24,14 +24,14 @@ data: myvalue: "Hello World" ``` +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. + ## Introduction This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. -Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - ## Prerequisites - Kubernetes 1.23+ diff --git a/charts/bitnami/airflow/charts/redis/charts/common/templates/_secrets.tpl b/charts/bitnami/airflow/charts/redis/charts/common/templates/_secrets.tpl index a193c46b6..84dbe3803 100644 --- a/charts/bitnami/airflow/charts/redis/charts/common/templates/_secrets.tpl +++ b/charts/bitnami/airflow/charts/redis/charts/common/templates/_secrets.tpl @@ -78,6 +78,8 @@ Params: - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - context - Context - Required - Parent context. - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. The order in which this function returns a secret password: 1. Already existing 'Secret' resource (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) 
@@ -91,7 +93,6 @@ The order in which this function returns a secret password: {{- $password := "" }} {{- $subchart := "" }} -{{- $failOnNew := default true .failOnNew }} {{- $chartName := default "" .chartName }} {{- $passwordLength := default 10 .length }} {{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} @@ -99,12 +100,14 @@ The order in which this function returns a secret password: {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} {{- if $secretData }} {{- if hasKey $secretData .key }} - {{- $password = index $secretData .key | quote }} - {{- else if $failOnNew }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} {{- end -}} {{- else if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString | b64enc | quote }} + {{- $password = $providedPasswordValue | toString }} {{- else }} {{- if .context.Values.enabled }} 
@@ -120,12 +123,19 @@ The order in which this function returns a secret password: {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} {{- $password = randAscii $passwordLength }} {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} {{- else }} - {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- $password = randAlphaNum $passwordLength }} {{- end }} {{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} +{{- end -}} +{{- if .skipQuote -}} {{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} {{- end -}} {{/* diff --git a/charts/bitnami/airflow/charts/redis/templates/NOTES.txt b/charts/bitnami/airflow/charts/redis/templates/NOTES.txt index 2623ade3a..cc191dee6 100644 --- a/charts/bitnami/airflow/charts/redis/templates/NOTES.txt +++ b/charts/bitnami/airflow/charts/redis/templates/NOTES.txt @@ -12,11 +12,11 @@ The chart has been deployed in diagnostic mode. All probes have been disabled an Get the list of pods by executing: - kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} + kubectl get pods --namespace {{ include "common.names.namespace" . }} -l app.kubernetes.io/instance={{ .Release.Name }} Access the pod you want to debug by executing - kubectl exec --namespace {{ .Release.Namespace }} -ti -- bash + kubectl exec --namespace {{ include "common.names.namespace" . }} -ti -- bash In order to replicate the container startup scripts execute this command: 
@@ -58,7 +58,7 @@ For Redis Sentinel: Redis® can be accessed via port {{ .Values.sentinel.service.ports.redis }} on the following DNS name from within your cluster: - {{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} for read only operations + {{ template "common.names.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }} for read only operations For read/write operations, first access the Redis® Sentinel cluster, which is available in port {{ .Values.sentinel.service.ports.sentinel }} using the same domain name above. @@ -66,15 +66,15 @@ For read/write operations, first access the Redis® Sentinel cluster, which i Redis® can be accessed on the following DNS names from within your cluster: - {{ printf "%s-master.%s.svc.%s" (include "common.names.fullname" .) .Release.Namespace .Values.clusterDomain }} for read/write operations (port {{ .Values.master.service.ports.redis }}) - {{ printf "%s-replicas.%s.svc.%s" (include "common.names.fullname" .) .Release.Namespace .Values.clusterDomain }} for read-only operations (port {{ .Values.replica.service.ports.redis }}) + {{ printf "%s-master.%s.svc.%s" (include "common.names.fullname" .) (include "common.names.namespace" . ) .Values.clusterDomain }} for read/write operations (port {{ .Values.master.service.ports.redis }}) + {{ printf "%s-replicas.%s.svc.%s" (include "common.names.fullname" .) (include "common.names.namespace" . ) .Values.clusterDomain }} for read-only operations (port {{ .Values.replica.service.ports.redis }}) {{- end }} {{- else }} Redis® can be accessed via port {{ .Values.master.service.ports.redis }} on the following DNS name from within your cluster: - {{ template "common.names.fullname" . }}-master.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + {{ template "common.names.fullname" . }}-master.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }} {{- end }} 
@@ -82,7 +82,7 @@ Redis® can be accessed via port {{ .Values.master.service.ports.redis }} on To get your password run: - export REDIS_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "redis.secretName" . }} -o jsonpath="{.data.redis-password}" | base64 -d) + export REDIS_PASSWORD=$(kubectl get secret --namespace {{ include "common.names.namespace" . }} {{ template "redis.secretName" . }} -o jsonpath="{.data.redis-password}" | base64 -d) {{- end }} @@ -90,15 +90,15 @@ To connect to your Redis® server: 1. Run a Redis® pod that you can use as a client: - kubectl run --namespace {{ .Release.Namespace }} redis-client --restart='Never' {{ if .Values.auth.enabled }} --env REDIS_PASSWORD=$REDIS_PASSWORD {{ end }} --image {{ template "redis.image" . }} --command -- sleep infinity + kubectl run --namespace {{ include "common.names.namespace" . }} redis-client --restart='Never' {{ if .Values.auth.enabled }} --env REDIS_PASSWORD=$REDIS_PASSWORD {{ end }} --image {{ template "redis.image" . }} --command -- sleep infinity {{- if .Values.tls.enabled }} Copy your TLS certificates to the pod: - kubectl cp --namespace {{ .Release.Namespace }} /path/to/client.cert redis-client:/tmp/client.cert - kubectl cp --namespace {{ .Release.Namespace }} /path/to/client.key redis-client:/tmp/client.key - kubectl cp --namespace {{ .Release.Namespace }} /path/to/CA.cert redis-client:/tmp/CA.cert + kubectl cp --namespace {{ include "common.names.namespace" . }} /path/to/client.cert redis-client:/tmp/client.cert + kubectl cp --namespace {{ include "common.names.namespace" . }} /path/to/client.key redis-client:/tmp/client.key + kubectl cp --namespace {{ include "common.names.namespace" . }} /path/to/CA.cert redis-client:/tmp/CA.cert {{- end }} 
@@ -106,7 +106,7 @@ To connect to your Redis® server: kubectl exec --tty -i redis-client \ {{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}--labels="{{ template "common.names.fullname" . }}-client=true" \{{- end }} - --namespace {{ .Release.Namespace }} -- bash + --namespace {{ include "common.names.namespace" . }} -- bash 2. Connect using the Redis® CLI: 
@@ -133,42 +133,42 @@ To connect to your database from outside the cluster execute the following comma {{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled }} {{- if contains "NodePort" .Values.sentinel.service.type }} - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "common.names.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "common.names.fullname" . }}) {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $NODE_IP -p $NODE_PORT {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} {{- else if contains "LoadBalancer" .Values.sentinel.service.type }} NOTE: It may take a few minutes for the LoadBalancer IP to be available. - Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "common.names.fullname" . }}' + Watch the status with: 'kubectl get svc --namespace {{ include "common.names.namespace" . }} -w {{ template "common.names.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") + export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.names.namespace" . }} {{ template "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . 
}}{{ end }}" }}") {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $SERVICE_IP -p {{ .Values.sentinel.service.ports.redis }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} {{- else if contains "ClusterIP" .Values.sentinel.service.type }} - kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "common.names.fullname" . }} {{ .Values.sentinel.service.ports.redis }}:{{ .Values.sentinel.service.ports.redis }} & + kubectl port-forward --namespace {{ include "common.names.namespace" . }} svc/{{ template "common.names.fullname" . }} {{ .Values.sentinel.service.ports.redis }}:{{ .Values.sentinel.service.ports.redis }} & {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h 127.0.0.1 -p {{ .Values.sentinel.service.ports.redis }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} {{- end }} {{- else }} {{- if contains "NodePort" .Values.master.service.type }} - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ printf "%s-master" (include "common.names.fullname" .) }}) + export NODE_IP=$(kubectl get nodes --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ printf "%s-master" (include "common.names.fullname" .) 
}}) {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $NODE_IP -p $NODE_PORT {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} {{- else if contains "LoadBalancer" .Values.master.service.type }} NOTE: It may take a few minutes for the LoadBalancer IP to be available. - Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "common.names.fullname" . }}' + Watch the status with: 'kubectl get svc --namespace {{ include "common.names.namespace" . }} -w {{ template "common.names.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ printf "%s-master" (include "common.names.fullname" .) }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") + export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.names.namespace" . }} {{ printf "%s-master" (include "common.names.fullname" .) }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $SERVICE_IP -p {{ .Values.master.service.ports.redis }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} {{- else if contains "ClusterIP" .Values.master.service.type }} - kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ printf "%s-master" (include "common.names.fullname" .) }} {{ .Values.master.service.ports.redis }}:{{ .Values.master.service.ports.redis }} & + kubectl port-forward --namespace {{ include "common.names.namespace" . }} svc/{{ printf "%s-master" (include "common.names.fullname" .) 
}} {{ .Values.master.service.ports.redis }}:{{ .Values.master.service.ports.redis }} & {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h 127.0.0.1 -p {{ .Values.master.service.ports.redis }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} {{- end }} diff --git a/charts/bitnami/airflow/charts/redis/templates/_helpers.tpl b/charts/bitnami/airflow/charts/redis/templates/_helpers.tpl index a554418b6..9eb017f19 100644 --- a/charts/bitnami/airflow/charts/redis/templates/_helpers.tpl +++ b/charts/bitnami/airflow/charts/redis/templates/_helpers.tpl @@ -240,7 +240,7 @@ Return Redis® password {{- else if not (empty .Values.auth.password) -}} {{- .Values.auth.password -}} {{- else -}} - {{- include "getValueFromSecret" (dict "Namespace" .Release.Namespace "Name" (include "redis.secretName" .) "Length" 10 "Key" (include "redis.secretPasswordKey" .)) -}} + {{- include "getValueFromSecret" (dict "Namespace" (include "common.names.namespace" .) "Name" (include "redis.secretName" .) "Length" 10 "Key" (include "redis.secretPasswordKey" .)) -}} {{- end -}} {{- end -}} {{- end }} diff --git a/charts/bitnami/airflow/charts/redis/templates/configmap.yaml b/charts/bitnami/airflow/charts/redis/templates/configmap.yaml index c616599c8..6c370a2aa 100644 --- a/charts/bitnami/airflow/charts/redis/templates/configmap.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/configmap.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ printf "%s-configuration" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} 
@@ -48,7 +48,7 @@ data: sentinel.conf: |- dir "/tmp" port {{ .Values.sentinel.containerPorts.sentinel }} - sentinel monitor {{ .Values.sentinel.masterSet }} {{ template "common.names.fullname" . }}-node-0.{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} {{ .Values.sentinel.service.ports.redis }} {{ .Values.sentinel.quorum }} + sentinel monitor {{ .Values.sentinel.masterSet }} {{ template "common.names.fullname" . }}-node-0.{{ template "common.names.fullname" . }}-headless.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }} {{ .Values.sentinel.service.ports.redis }} {{ .Values.sentinel.quorum }} sentinel down-after-milliseconds {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.downAfterMilliseconds }} sentinel failover-timeout {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.failoverTimeout }} sentinel parallel-syncs {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.parallelSyncs }} diff --git a/charts/bitnami/airflow/charts/redis/templates/headless-svc.yaml b/charts/bitnami/airflow/charts/redis/templates/headless-svc.yaml index bd6121dee..e69329f82 100644 --- a/charts/bitnami/airflow/charts/redis/templates/headless-svc.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/headless-svc.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: Service metadata: name: {{ printf "%s-headless" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} annotations: {{- if or .Values.sentinel.service.headless.annotations .Values.commonAnnotations }} diff --git a/charts/bitnami/airflow/charts/redis/templates/health-configmap.yaml b/charts/bitnami/airflow/charts/redis/templates/health-configmap.yaml index 95ade5c41..5d15b0639 100644 
--- a/charts/bitnami/airflow/charts/redis/templates/health-configmap.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/health-configmap.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ printf "%s-health" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/charts/bitnami/airflow/charts/redis/templates/master/application.yaml b/charts/bitnami/airflow/charts/redis/templates/master/application.yaml index 8fdaec125..2da5bd5fc 100644 --- a/charts/bitnami/airflow/charts/redis/templates/master/application.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/master/application.yaml @@ -9,7 +9,7 @@ apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} kind: {{ .Values.master.kind }} metadata: name: {{ printf "%s-master" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: master {{- if .Values.commonAnnotations }} diff --git a/charts/bitnami/airflow/charts/redis/templates/master/psp.yaml b/charts/bitnami/airflow/charts/redis/templates/master/psp.yaml index 368a2193b..5a47afbf7 100644 --- a/charts/bitnami/airflow/charts/redis/templates/master/psp.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/master/psp.yaml 
@@ -8,7 +8,7 @@ apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: {{ printf "%s-master" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/charts/bitnami/airflow/charts/redis/templates/master/pvc.yaml b/charts/bitnami/airflow/charts/redis/templates/master/pvc.yaml index 5c60d0694..019f60d14 100644 --- a/charts/bitnami/airflow/charts/redis/templates/master/pvc.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/master/pvc.yaml @@ -8,7 +8,7 @@ kind: PersistentVolumeClaim apiVersion: v1 metadata: name: {{ printf "redis-data-%s-master" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.master.persistence.labels .Values.commonLabels ) "context" . ) }} labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} app.kubernetes.io/component: master diff --git a/charts/bitnami/airflow/charts/redis/templates/master/service.yaml b/charts/bitnami/airflow/charts/redis/templates/master/service.yaml index 804f7b6e2..ba744dbce 100644 --- a/charts/bitnami/airflow/charts/redis/templates/master/service.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/master/service.yaml 
@@ -8,7 +8,7 @@ apiVersion: v1 kind: Service metadata: name: {{ printf "%s-master" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: master {{- if or .Values.master.service.annotations .Values.commonAnnotations }} @@ -26,6 +26,9 @@ spec: {{- if and (eq .Values.master.service.type "LoadBalancer") (not (empty .Values.master.service.loadBalancerIP)) }} loadBalancerIP: {{ .Values.master.service.loadBalancerIP }} {{- end }} + {{- if and (eq .Values.master.service.type "LoadBalancer") .Values.master.service.loadBalancerClass }} + loadBalancerClass: {{ .Values.master.service.loadBalancerClass }} + {{- end }} {{- if and (eq .Values.master.service.type "LoadBalancer") (not (empty .Values.master.service.loadBalancerSourceRanges)) }} loadBalancerSourceRanges: {{ toYaml .Values.master.service.loadBalancerSourceRanges | nindent 4 }} {{- end }} diff --git a/charts/bitnami/airflow/charts/redis/templates/master/serviceaccount.yaml b/charts/bitnami/airflow/charts/redis/templates/master/serviceaccount.yaml index bb6c42aee..4ba3052fe 100644 --- a/charts/bitnami/airflow/charts/redis/templates/master/serviceaccount.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/master/serviceaccount.yaml 
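Review bot: The added `loadBalancerClass` value in the `@@ -26,6 +26,9` hunk is rendered unquoted, so whatever the user supplies in values is emitted as raw YAML. Piping it through `quote` keeps it a plain string regardless of content: `loadBalancerClass: {{ .Values.master.service.loadBalancerClass | quote }}`. The same applies to the parallel additions in metrics-svc.yaml, replicas/service.yaml and sentinel/service.yaml. In this file the new guard tests bare truthiness while the neighbouring `loadBalancerIP` and `loadBalancerSourceRanges` guards use `not (empty ...)`; matching them would keep the block uniform.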
@@ -9,7 +9,7 @@ kind: ServiceAccount automountServiceAccountToken: {{ .Values.master.serviceAccount.automountServiceAccountToken }} metadata: name: {{ template "redis.masterServiceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.master.serviceAccount.annotations .Values.commonAnnotations }} {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.master.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} diff --git a/charts/bitnami/airflow/charts/redis/templates/metrics-svc.yaml b/charts/bitnami/airflow/charts/redis/templates/metrics-svc.yaml index 7d1d683dc..5e24b6d35 100644 --- a/charts/bitnami/airflow/charts/redis/templates/metrics-svc.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/metrics-svc.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: Service metadata: name: {{ printf "%s-metrics" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: metrics {{- if or .Values.metrics.service.annotations .Values.commonAnnotations }} 
@@ -26,6 +26,9 @@ spec: {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }} loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }} {{- end }} + {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerClass }} + loadBalancerClass: {{ .Values.metrics.service.loadBalancerClass }} + {{- end }} {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerSourceRanges }} loadBalancerSourceRanges: {{- toYaml .Values.metrics.service.loadBalancerSourceRanges | nindent 4 }} {{- end }} diff --git a/charts/bitnami/airflow/charts/redis/templates/networkpolicy.yaml b/charts/bitnami/airflow/charts/redis/templates/networkpolicy.yaml index bd8594e36..84f5ada5d 100644 --- a/charts/bitnami/airflow/charts/redis/templates/networkpolicy.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/networkpolicy.yaml @@ -8,7 +8,7 @@ kind: NetworkPolicy apiVersion: {{ template "networkPolicy.apiVersion" . }} metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/charts/bitnami/airflow/charts/redis/templates/pdb.yaml b/charts/bitnami/airflow/charts/redis/templates/pdb.yaml index 3306a8ce6..d2ca15d9d 100644 --- a/charts/bitnami/airflow/charts/redis/templates/pdb.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/pdb.yaml 
@@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} kind: PodDisruptionBudget metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/charts/bitnami/airflow/charts/redis/templates/podmonitor.yaml b/charts/bitnami/airflow/charts/redis/templates/podmonitor.yaml index a7c8bd942..55bcd51ad 100644 --- a/charts/bitnami/airflow/charts/redis/templates/podmonitor.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/podmonitor.yaml @@ -8,7 +8,7 @@ apiVersion: monitoring.coreos.com/v1 kind: PodMonitor metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ default .Release.Namespace .Values.metrics.podMonitor.namespace | quote }} + namespace: {{ default (include "common.names.namespace" .) .Values.metrics.podMonitor.namespace | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.metrics.podMonitor.additionalLabels }} {{- include "common.tplvalues.render" (dict "value" .Values.metrics.podMonitor.additionalLabels "context" $) | nindent 4 }} @@ -45,7 +45,7 @@ spec: {{- end }} namespaceSelector: matchNames: - - {{ .Release.Namespace }} + - {{ include "common.names.namespace" . | quote }} selector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} app.kubernetes.io/component: metrics diff --git a/charts/bitnami/airflow/charts/redis/templates/prometheusrule.yaml b/charts/bitnami/airflow/charts/redis/templates/prometheusrule.yaml index 73c89e652..3406918b3 100644 
--- a/charts/bitnami/airflow/charts/redis/templates/prometheusrule.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/prometheusrule.yaml @@ -8,7 +8,7 @@ apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ default .Release.Namespace .Values.metrics.prometheusRule.namespace | quote }} + namespace: {{ default (include "common.names.namespace" .) .Values.metrics.prometheusRule.namespace | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.metrics.prometheusRule.additionalLabels }} {{- include "common.tplvalues.render" (dict "value" .Values.metrics.prometheusRule.additionalLabels "context" $) | nindent 4 }} diff --git a/charts/bitnami/airflow/charts/redis/templates/replicas/application.yaml b/charts/bitnami/airflow/charts/redis/templates/replicas/application.yaml index 821bf8d1a..67d83c8ba 100644 --- a/charts/bitnami/airflow/charts/redis/templates/replicas/application.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/replicas/application.yaml @@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} kind: {{ .Values.replica.kind }} metadata: name: {{ printf "%s-replicas" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: replica {{- if .Values.commonAnnotations }} 
@@ -136,9 +136,9 @@ spec: {{- if .Values.replica.externalMaster.enabled }} value: {{ .Values.replica.externalMaster.host | quote }} {{- else if and (eq (int64 .Values.master.count) 1) (eq .Values.master.kind "StatefulSet") }} - value: {{ template "common.names.fullname" . }}-master-0.{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + value: {{ template "common.names.fullname" . }}-master-0.{{ template "common.names.fullname" . }}-headless.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }} {{- else }} - value: {{ template "common.names.fullname" . }}-master.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + value: {{ template "common.names.fullname" . }}-master.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }} {{- end }} - name: REDIS_MASTER_PORT_NUMBER {{- if .Values.replica.externalMaster.enabled }} diff --git a/charts/bitnami/airflow/charts/redis/templates/replicas/hpa.yaml b/charts/bitnami/airflow/charts/redis/templates/replicas/hpa.yaml index 37ecc8310..da69290a7 100644 --- a/charts/bitnami/airflow/charts/redis/templates/replicas/hpa.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/replicas/hpa.yaml @@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) kind: HorizontalPodAutoscaler metadata: name: {{ printf "%s-replicas" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: replica {{- if .Values.commonAnnotations }} diff --git a/charts/bitnami/airflow/charts/redis/templates/replicas/service.yaml b/charts/bitnami/airflow/charts/redis/templates/replicas/service.yaml index 415771b64..b54b85a17 100644 
--- a/charts/bitnami/airflow/charts/redis/templates/replicas/service.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/replicas/service.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: Service metadata: name: {{ printf "%s-replicas" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: replica {{- if or .Values.replica.service.annotations .Values.commonAnnotations }} @@ -26,6 +26,9 @@ spec: {{- if and (eq .Values.replica.service.type "LoadBalancer") (not (empty .Values.replica.service.loadBalancerIP)) }} loadBalancerIP: {{ .Values.replica.service.loadBalancerIP }} {{- end }} + {{- if and (eq .Values.replica.service.type "LoadBalancer") .Values.replica.service.loadBalancerClass }} + loadBalancerClass: {{ .Values.replica.service.loadBalancerClass }} + {{- end }} {{- if and (eq .Values.replica.service.type "LoadBalancer") (not (empty .Values.replica.service.loadBalancerSourceRanges)) }} loadBalancerSourceRanges: {{ toYaml .Values.replica.service.loadBalancerSourceRanges | nindent 4 }} {{- end }} diff --git a/charts/bitnami/airflow/charts/redis/templates/replicas/serviceaccount.yaml b/charts/bitnami/airflow/charts/redis/templates/replicas/serviceaccount.yaml index 616e8bc87..ec5d66641 100644 --- a/charts/bitnami/airflow/charts/redis/templates/replicas/serviceaccount.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/replicas/serviceaccount.yaml 
@@ -9,7 +9,7 @@ kind: ServiceAccount automountServiceAccountToken: {{ .Values.replica.serviceAccount.automountServiceAccountToken }} metadata: name: {{ template "redis.replicaServiceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.replica.serviceAccount.annotations .Values.commonAnnotations }} {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.replica.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} diff --git a/charts/bitnami/airflow/charts/redis/templates/role.yaml b/charts/bitnami/airflow/charts/redis/templates/role.yaml index be042294b..5bab3b7cc 100644 --- a/charts/bitnami/airflow/charts/redis/templates/role.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/role.yaml @@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} kind: Role metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/charts/bitnami/airflow/charts/redis/templates/rolebinding.yaml b/charts/bitnami/airflow/charts/redis/templates/rolebinding.yaml index 7a1043e1a..81c68f329 100644 --- a/charts/bitnami/airflow/charts/redis/templates/rolebinding.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/rolebinding.yaml 
@@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} kind: RoleBinding metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/charts/bitnami/airflow/charts/redis/templates/scripts-configmap.yaml b/charts/bitnami/airflow/charts/redis/templates/scripts-configmap.yaml index 9e81f8a23..f785faf34 100644 --- a/charts/bitnami/airflow/charts/redis/templates/scripts-configmap.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/scripts-configmap.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ printf "%s-scripts" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} @@ -48,7 +48,7 @@ data: {{- if .Values.useExternalDNS.enabled }} full_hostname="${hostname}.{{- include "redis.externalDNS.suffix" . }}" {{- else if eq .Values.sentinel.service.type "NodePort" }} - full_hostname="${hostname}.{{- .Release.Namespace }}" + full_hostname="${hostname}.{{- include "common.names.namespace" . }}" {{- else }} full_hostname="${hostname}.${HEADLESS_SERVICE}" {{- end }} 
@@ -71,12 +71,12 @@ data: REDISPORT=$(get_port "$HOSTNAME" "REDIS") - HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" if [ -n "$REDIS_EXTERNAL_MASTER_HOST" ]; then REDIS_SERVICE="$REDIS_EXTERNAL_MASTER_HOST" else - REDIS_SERVICE="{{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + REDIS_SERVICE="{{ template "common.names.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" fi SENTINEL_SERVICE_PORT=$(get_port "{{ include "common.names.fullname" . }}" "SENTINEL") @@ -251,8 +251,8 @@ data: . /opt/bitnami/scripts/libvalidations.sh . /opt/bitnami/scripts/libfile.sh - HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" - REDIS_SERVICE="{{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" + REDIS_SERVICE="{{ template "common.names.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" get_port() { hostname="$1" @@ -281,7 +281,7 @@ data: {{- if .Values.useExternalDNS.enabled }} full_hostname="${hostname}.{{- include "redis.externalDNS.suffix" . }}" {{- else if eq .Values.sentinel.service.type "NodePort" }} - full_hostname="${hostname}.{{- .Release.Namespace }}" + full_hostname="${hostname}.{{- include "common.names.namespace" . }}" {{- else }} full_hostname="${hostname}.${HEADLESS_SERVICE}" {{- end }} 
@@ -450,7 +450,7 @@ data: . /opt/bitnami/scripts/libvalidations.sh . /opt/bitnami/scripts/libos.sh - HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" get_full_hostname() { hostname="$1" @@ -458,7 +458,7 @@ data: {{- if .Values.useExternalDNS.enabled }} full_hostname="${hostname}.{{- include "redis.externalDNS.suffix" . }}" {{- else if eq .Values.sentinel.service.type "NodePort" }} - full_hostname="${hostname}.{{- .Release.Namespace }}" + full_hostname="${hostname}.{{- include "common.names.namespace" . }}" {{- else }} full_hostname="${hostname}.${HEADLESS_SERVICE}" {{- end }} @@ -492,7 +492,7 @@ data: [[ "$REDIS_MASTER_HOST" != "$(get_full_hostname $HOSTNAME)" ]] } - REDIS_SERVICE="{{ include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + REDIS_SERVICE="{{ include "common.names.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" {{ if .Values.auth.sentinel -}} # redis-cli automatically consumes credentials from the REDISCLI_AUTH variable @@ -530,7 +530,7 @@ data: [[ "$REDIS_ROLE" == "master" ]] } - HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{- include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" get_full_hostname() { hostname="$1" 
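Review bot: The `HEADLESS_SERVICE` assignment in the `@@ -530,7` hunk is written `-headless.{{- include "common.names.namespace" . }}`, with a left-trim marker that the other `HEADLESS_SERVICE` lines changed in this file do not have. No whitespace precedes the action, so the rendered string should be the same, but the stray `{{-` reads as deliberate and is easy to copy to a place where trimming does change the output. I would write it like its siblings: `-headless.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}`.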
@@ -538,7 +538,7 @@ data: {{- if .Values.useExternalDNS.enabled }} full_hostname="${hostname}.{{- include "redis.externalDNS.suffix" . }}" {{- else if eq .Values.sentinel.service.type "NodePort" }} - full_hostname="${hostname}.{{- .Release.Namespace }}" + full_hostname="${hostname}.{{- include "common.names.namespace" . }}" {{- else }} full_hostname="${hostname}.${HEADLESS_SERVICE}" {{- end }} @@ -572,7 +572,7 @@ data: [[ "$REDIS_MASTER_HOST" != "$(get_full_hostname $HOSTNAME)" ]] } - REDIS_SERVICE="{{ include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + REDIS_SERVICE="{{ include "common.names.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" # redis-cli automatically consumes credentials from the REDISCLI_AUTH variable [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" @@ -676,7 +676,7 @@ data: {{- if .Values.useExternalDNS.enabled }} full_hostname="${hostname}.{{- include "redis.externalDNS.suffix" . }}" {{- else if eq .Values.sentinel.service.type "NodePort" }} - full_hostname="${hostname}.{{- .Release.Namespace }}" + full_hostname="${hostname}.{{- include "common.names.namespace" . }}" {{- else }} full_hostname="${hostname}.${HEADLESS_SERVICE}" {{- end }} @@ -698,7 +698,7 @@ data: } REDISPORT=$(get_port "$HOSTNAME" "REDIS") - HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" diff --git a/charts/bitnami/airflow/charts/redis/templates/secret-svcbind.yaml b/charts/bitnami/airflow/charts/redis/templates/secret-svcbind.yaml index a1bfbe054..de74913e1 100644 
--- a/charts/bitnami/airflow/charts/redis/templates/secret-svcbind.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/secret-svcbind.yaml @@ -17,7 +17,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ include "common.names.fullname" . }}-svcbind - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/charts/bitnami/airflow/charts/redis/templates/secret.yaml b/charts/bitnami/airflow/charts/redis/templates/secret.yaml index 1838c7d4b..003a2768c 100644 --- a/charts/bitnami/airflow/charts/redis/templates/secret.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/secret.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.secretAnnotations .Values.commonAnnotations }} annotations: diff --git a/charts/bitnami/airflow/charts/redis/templates/sentinel/hpa.yaml b/charts/bitnami/airflow/charts/redis/templates/sentinel/hpa.yaml index 80859c00c..f8bd35617 100644 --- a/charts/bitnami/airflow/charts/redis/templates/sentinel/hpa.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/sentinel/hpa.yaml 
@@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) kind: HorizontalPodAutoscaler metadata: name: {{ printf "%s-node" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: replica {{- if .Values.commonAnnotations }} diff --git a/charts/bitnami/airflow/charts/redis/templates/sentinel/node-services.yaml b/charts/bitnami/airflow/charts/redis/templates/sentinel/node-services.yaml index 721185bcb..35860bcc6 100644 --- a/charts/bitnami/airflow/charts/redis/templates/sentinel/node-services.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/sentinel/node-services.yaml @@ -7,7 +7,7 @@ SPDX-License-Identifier: APACHE-2.0 {{- range $i := until (int .Values.replica.replicaCount) }} -{{ $portsmap := (lookup "v1" "ConfigMap" $.Release.Namespace (printf "%s-%s" ( include "common.names.fullname" $ ) "ports-configmap")).data }} +{{ $portsmap := (lookup "v1" "ConfigMap" (include "common.names.namespace" .) (printf "%s-%s" ( include "common.names.fullname" $ ) "ports-configmap")).data }} {{ $sentinelport := 0}} {{ $redisport := 0}} @@ -20,7 +20,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "common.names.fullname" $ }}-node-{{ $i }} - namespace: {{ $.Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: node {{- if or $.Values.commonAnnotations $.Values.sentinel.service.annotations }} diff --git a/charts/bitnami/airflow/charts/redis/templates/sentinel/ports-configmap.yaml b/charts/bitnami/airflow/charts/redis/templates/sentinel/ports-configmap.yaml index 1c0771a41..3efed7433 100644 
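Review bot: In sentinel/node-services.yaml the new `lookup` line sits inside `range $i := until (int .Values.replica.replicaCount)`, where `.` is the loop integer rather than the chart's root context, so `include "common.names.namespace" .` hands the helper a number. The removed line used `$.Release.Namespace` and the adjacent `common.names.fullname` call passes `$`, so the helper should receive `$` as well: `(lookup "v1" "ConfigMap" (include "common.names.namespace" $) ...)`. The `namespace:` line in the `@@ -20,7` hunk of the same file has the same problem and should read `namespace: {{ include "common.names.namespace" $ | quote }}`. As written the template presumably fails to render whenever these per-node services are generated, assuming the helper reads `.Values` or `.Release` from its argument. The `range` block closes outside the hunk.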
--- a/charts/bitnami/airflow/charts/redis/templates/sentinel/ports-configmap.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/sentinel/ports-configmap.yaml @@ -71,14 +71,14 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "common.names.fullname" . }}-ports-configmap - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} data: -{{ $portsmap := (lookup "v1" "ConfigMap" $.Release.Namespace (printf "%s-%s" ( include "common.names.fullname" . ) "ports-configmap")).data }} +{{ $portsmap := (lookup "v1" "ConfigMap" (include "common.names.namespace" .) (printf "%s-%s" ( include "common.names.fullname" . ) "ports-configmap")).data }} {{- if $portsmap }} {{- /* configmap already exists, do not install again */ -}} {{- range $name, $value := $portsmap }} diff --git a/charts/bitnami/airflow/charts/redis/templates/sentinel/service.yaml b/charts/bitnami/airflow/charts/redis/templates/sentinel/service.yaml index 18126f4ef..f80e6442a 100644 --- a/charts/bitnami/airflow/charts/redis/templates/sentinel/service.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/sentinel/service.yaml 
@@ -5,7 +5,7 @@ SPDX-License-Identifier: APACHE-2.0 {{- if or .Release.IsUpgrade (ne .Values.sentinel.service.type "NodePort") .Values.sentinel.service.nodePorts.redis -}} {{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled }} -{{ $portsmap := (lookup "v1" "ConfigMap" $.Release.Namespace (printf "%s-%s" ( include "common.names.fullname" . ) "ports-configmap")).data }} +{{ $portsmap := (lookup "v1" "ConfigMap" (include "common.names.namespace" .) (printf "%s-%s" ( include "common.names.fullname" . ) "ports-configmap")).data }} {{ $sentinelport := 0}} {{ $redisport := 0}} @@ -19,7 +19,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: node {{- if or .Values.sentinel.service.annotations .Values.commonAnnotations }} @@ -34,6 +34,9 @@ spec: {{- if and (eq .Values.sentinel.service.type "LoadBalancer") (not (empty .Values.sentinel.service.loadBalancerIP)) }} loadBalancerIP: {{ .Values.sentinel.service.loadBalancerIP }} {{- end }} + {{- if and (eq .Values.sentinel.service.type "LoadBalancer") .Values.sentinel.service.loadBalancerClass }} + loadBalancerClass: {{ .Values.sentinel.service.loadBalancerClass }} + {{- end }} {{- if and (eq .Values.sentinel.service.type "LoadBalancer") (not (empty .Values.sentinel.service.loadBalancerSourceRanges)) }} loadBalancerSourceRanges: {{ toYaml .Values.sentinel.service.loadBalancerSourceRanges | nindent 4 }} {{- end }} diff --git a/charts/bitnami/airflow/charts/redis/templates/sentinel/statefulset.yaml b/charts/bitnami/airflow/charts/redis/templates/sentinel/statefulset.yaml index 55d0e90e0..5b28f8c4e 100644 --- a/charts/bitnami/airflow/charts/redis/templates/sentinel/statefulset.yaml 
+++ b/charts/bitnami/airflow/charts/redis/templates/sentinel/statefulset.yaml @@ -9,7 +9,7 @@ apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} kind: StatefulSet metadata: name: {{ printf "%s-node" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: node {{- if or .Values.commonAnnotations .Values.sentinel.annotations }} diff --git a/charts/bitnami/airflow/charts/redis/templates/serviceaccount.yaml b/charts/bitnami/airflow/charts/redis/templates/serviceaccount.yaml index 4306b3e85..95432dd37 100644 --- a/charts/bitnami/airflow/charts/redis/templates/serviceaccount.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/serviceaccount.yaml @@ -9,7 +9,7 @@ kind: ServiceAccount automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} metadata: name: {{ template "redis.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.commonAnnotations .Values.serviceAccount.annotations }} {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} diff --git a/charts/bitnami/airflow/charts/redis/templates/servicemonitor.yaml b/charts/bitnami/airflow/charts/redis/templates/servicemonitor.yaml index ee925afc5..8641ea12a 100644 --- a/charts/bitnami/airflow/charts/redis/templates/servicemonitor.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/servicemonitor.yaml 
@@ -8,7 +8,7 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }} + namespace: {{ default (include "common.names.namespace" .) .Values.metrics.serviceMonitor.namespace | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.metrics.serviceMonitor.additionalLabels }} {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.additionalLabels "context" $) | nindent 4 }} @@ -45,7 +45,7 @@ spec: {{- end }} namespaceSelector: matchNames: - - {{ .Release.Namespace }} + - {{ include "common.names.namespace" . | quote }} selector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} app.kubernetes.io/component: metrics diff --git a/charts/bitnami/airflow/charts/redis/templates/tls-secret.yaml b/charts/bitnami/airflow/charts/redis/templates/tls-secret.yaml index b1f7153e1..8498394fe 100644 --- a/charts/bitnami/airflow/charts/redis/templates/tls-secret.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/tls-secret.yaml @@ -6,7 +6,7 @@ SPDX-License-Identifier: APACHE-2.0 {{- if (include "redis.createTlsSecret" .) }} {{- $secretName := printf "%s-crt" (include "common.names.fullname" .) }} {{- $ca := genCA "redis-ca" 365 }} -{{- $releaseNamespace := .Release.Namespace }} +{{- $releaseNamespace := (include "common.names.namespace" .) }} {{- $clusterDomain := .Values.clusterDomain }} {{- $fullname := include "common.names.fullname" . }} {{- $serviceName := include "common.names.fullname" . }} 
@@ -18,7 +18,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ $secretName }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/charts/bitnami/airflow/charts/redis/values.yaml b/charts/bitnami/airflow/charts/redis/values.yaml index f2d53313b..e37fce962 100644 --- a/charts/bitnami/airflow/charts/redis/values.yaml +++ b/charts/bitnami/airflow/charts/redis/values.yaml @@ -35,6 +35,9 @@ nameOverride: "" ## @param fullnameOverride String to fully override common.names.fullname ## fullnameOverride: "" +## @param namespaceOverride String to fully override common.names.namespace +## +namespaceOverride: "" ## @param commonLabels Labels to add to all deployed objects ## commonLabels: {} @@ -91,7 +94,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/redis - tag: 7.2.3-debian-11-r1 + tag: 7.2.3-debian-11-r2 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -532,6 +535,10 @@ master: ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer ## loadBalancerIP: "" + ## @param master.service.loadBalancerClass master service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerClass: "" ## @param master.service.loadBalancerSourceRanges Redis® master service Load Balancer sources ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service ## e.g. 
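Review bot: The new `namespaceOverride` value in `charts/bitnami/airflow/charts/redis/values.yaml` (hunk `@@ -35,6 +35,9 @@`) is documented only as overriding `common.names.namespace`, which does not tell an operator that the Secret, ServiceAccount, Service, ConfigMap and StatefulSet templates switched to that helper in this commit will then be created outside the release namespace. That matters when reviewing values files, and for admission or RBAC policy that assumes a release writes only to its own namespace. I would extend the comment with two lines such as `## When set, objects rendered with common.names.namespace (including Secrets and the ServiceAccount) are created in this namespace instead of the release namespace.` and `## The namespace must already exist and the installing identity needs write access to it.`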
@@ -979,6 +986,10 @@ replica: ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer ## loadBalancerIP: "" + ## @param replica.service.loadBalancerClass replicas service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerClass: "" ## @param replica.service.loadBalancerSourceRanges Redis® replicas service Load Balancer sources ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service ## e.g. @@ -1060,7 +1071,7 @@ sentinel: image: registry: docker.io repository: bitnami/redis-sentinel - tag: 7.2.3-debian-11-r1 + tag: 7.2.3-debian-11-r2 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1327,6 +1338,10 @@ sentinel: ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer ## loadBalancerIP: "" + ## @param sentinel.service.loadBalancerClass sentinel service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerClass: "" ## @param sentinel.service.loadBalancerSourceRanges Redis® Sentinel service Load Balancer sources ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service ## e.g. @@ -1539,7 +1554,7 @@ metrics: image: registry: docker.io repository: bitnami/redis-exporter - tag: 1.55.0-debian-11-r2 + tag: 1.55.0-debian-11-r3 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -1688,6 +1703,10 @@ metrics: ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer ## loadBalancerIP: "" + ## @param metrics.service.loadBalancerClass exporter service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerClass: "" ## @param metrics.service.loadBalancerSourceRanges Redis® exporter service Load Balancer sources ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service ## e.g. @@ -1851,7 +1870,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r91 + tag: 11-debian-11-r92 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1899,7 +1918,7 @@ sysctl: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r91 + tag: 11-debian-11-r92 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/bitnami/airflow/values.yaml b/charts/bitnami/airflow/values.yaml index b6c0d6c2b..82fc2bcf3 100644 --- a/charts/bitnami/airflow/values.yaml +++ b/charts/bitnami/airflow/values.yaml @@ -121,7 +121,7 @@ dags: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r91 + tag: 11-debian-11-r93 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -188,11 +188,11 @@ web: image: registry: docker.io repository: bitnami/airflow - tag: 2.7.3-debian-11-r2 + tag: 2.8.0-debian-11-r1 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -291,7 +291,7 @@ web: ## customStartupProbe: {} ## Airflow web resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param web.resources.limits The resources limits for the Airflow web containers ## @param web.resources.requests The requested resources for the Airflow web containers ## @@ -363,7 +363,7 @@ web: ## values: [] ## @param web.nodeSelector Node labels for Airflow web pods assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param web.podAffinityPreset Pod affinity preset. Ignored if `web.affinity` is set. Allowed values: `soft` or `hard`. @@ -456,11 +456,11 @@ scheduler: image: registry: docker.io repository: bitnami/airflow-scheduler - tag: 2.7.3-debian-11-r2 + tag: 2.8.0-debian-11-r1 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -505,7 +505,7 @@ scheduler: ## customStartupProbe: {} ## Airflow scheduler resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param scheduler.resources.limits The resources limits for the Airflow scheduler containers ## @param scheduler.resources.requests The requested resources for the Airflow scheduler containers ## @@ -577,7 +577,7 @@ scheduler: ## values: [] ## @param scheduler.nodeSelector Node labels for Airflow scheduler pods assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param scheduler.podAffinityPreset Pod affinity preset. Ignored if `scheduler.affinity` is set. Allowed values: `soft` or `hard`. @@ -670,11 +670,11 @@ worker: image: registry: docker.io repository: bitnami/airflow-worker - tag: 2.7.3-debian-11-r2 + tag: 2.8.0-debian-11-r1 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -767,7 +767,7 @@ worker: ## customStartupProbe: {} ## Airflow worker resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param worker.resources.limits The resources limits for the Airflow worker containers ## @param worker.resources.requests The requested resources for the Airflow worker containers ## 
@@ -839,7 +839,7 @@ worker: ## values: [] ## @param worker.nodeSelector Node labels for Airflow worker pods assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param worker.podAffinityPreset Pod affinity preset. Ignored if `worker.affinity` is set. Allowed values: `soft` or `hard`. @@ -953,11 +953,11 @@ git: image: registry: docker.io repository: bitnami/git - tag: 2.43.0-debian-11-r0 + tag: 2.43.0-debian-11-r5 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1028,7 +1028,7 @@ git: extraEnvVarsCM: "" extraEnvVarsSecret: "" ## Clone init container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## resources: {} ## Properties for the Sync sidecar container @@ -1050,7 +1050,7 @@ git: extraEnvVarsCM: "" extraEnvVarsSecret: "" ## Sync sidecar container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## resources: {} @@ -1118,7 +1118,7 @@ service: http: "" ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/user-guide/services/ + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ ## sessionAffinity: None ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity 
@@ -1155,7 +1155,7 @@ service: extraPorts: [] ## Airflow ingress parameters -## ref: https://kubernetes.io/docs/user-guide/ingress/ +## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ ## ingress: ## @param ingress.enabled Enable ingress record generation for Airflow @@ -1267,7 +1267,7 @@ ingress: serviceAccount: ## @param serviceAccount.create Enable creation of ServiceAccount for Airflow pods ## - create: false + create: true ## @param serviceAccount.name The name of the ServiceAccount to use. ## If not set and create is true, a name is generated using the common.names.fullname template ## @@ -1275,7 +1275,7 @@ serviceAccount: ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created ## Can be set to false if pods using this serviceAccount do not need to use K8s API ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount ## annotations: {} @@ -1316,7 +1316,7 @@ metrics: image: registry: docker.io repository: bitnami/airflow-exporter - tag: 0.20220314.0-debian-11-r440 + tag: 0.20220314.0-debian-11-r441 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1341,7 +1341,7 @@ metrics: containerPorts: http: 9112 ## Airflow exporter resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param metrics.resources.limits The resources limits for the container ## @param metrics.resources.requests The requested resources for the container ## 
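Review bot: Switching `serviceAccount.automountServiceAccountToken` to `false` (with `serviceAccount.create` now `true`) in the airflow `values.yaml` hunks `@@ -1267,7 +1267,7 @@` and `@@ -1275,7 +1275,7 @@` changes behaviour on upgrade for any deployment that relied on the mounted token, while the surrounding comment still reads as if `false` were an opt-in. Not mounting the token by default is the safer setting, but nothing visible here shows the pod templates setting `automountServiceAccountToken` themselves, so workloads that call the Kubernetes API would presumably lose their credentials unless the operator overrides the value. I would reword the comment to match the new default, e.g. `## Defaults to false; set to true only if pods using this serviceAccount need to call the K8s API`. The same default flip appears in the cassandra `values.yaml` hunk `@@ -472,7 +472,7 @@`, where the comment gives no guidance on when the token is needed.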
@@ -1430,7 +1430,7 @@ metrics: ## affinity: {} ## @param metrics.nodeSelector Node labels for pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param metrics.tolerations Tolerations for pod assignment @@ -1454,7 +1454,7 @@ metrics: clusterIP: "" ## @param metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/user-guide/services/ + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ ## sessionAffinity: None ## @param metrics.service.annotations [object] Annotations for the Airflow exporter service diff --git a/charts/bitnami/cassandra/Chart.yaml b/charts/bitnami/cassandra/Chart.yaml index 7864f711d..6234b1ca7 100644 --- a/charts/bitnami/cassandra/Chart.yaml +++ b/charts/bitnami/cassandra/Chart.yaml @@ -8,9 +8,9 @@ annotations: - name: cassandra-exporter image: docker.io/bitnami/cassandra-exporter:2.3.8-debian-11-r431 - name: cassandra - image: docker.io/bitnami/cassandra:4.1.3-debian-11-r76 + image: docker.io/bitnami/cassandra:4.1.3-debian-11-r78 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r91 + image: docker.io/bitnami/os-shell:11-debian-11-r92 licenses: Apache-2.0 apiVersion: v2 appVersion: 4.1.3 @@ -35,4 +35,4 @@ maintainers: name: cassandra sources: - https://github.com/bitnami/charts/tree/main/bitnami/cassandra -version: 10.6.6 +version: 10.6.9 diff --git a/charts/bitnami/cassandra/README.md b/charts/bitnami/cassandra/README.md index 46f6a8805..435fc9523 100644 --- a/charts/bitnami/cassandra/README.md +++ b/charts/bitnami/cassandra/README.md 
@@ -188,12 +188,12 @@ The command removes all the Kubernetes components associated with the chart and ### RBAC parameters -| Name | Description | Value | -| --------------------------------------------- | ---------------------------------------------------------- | ------ | -| `serviceAccount.create` | Enable the creation of a ServiceAccount for Cassandra pods | `true` | -| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `serviceAccount.annotations` | Annotations for Cassandra Service Account | `{}` | -| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a service account. | `true` | +| Name | Description | Value | +| --------------------------------------------- | ---------------------------------------------------------- | ------- | +| `serviceAccount.create` | Enable the creation of a ServiceAccount for Cassandra pods | `true` | +| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | +| `serviceAccount.annotations` | Annotations for Cassandra Service Account | `{}` | +| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a service account. | `false` | ### Traffic Exposure Parameters @@ -319,7 +319,7 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/cassa ## Configuration and installation details -### [Rolling vs Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) +### [Rolling vs Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. 
@@ -463,7 +463,7 @@ This release make it possible to specify custom initialization scripts in both c ## License -Copyright © 2023 VMware, Inc. +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/charts/bitnami/cassandra/values.yaml b/charts/bitnami/cassandra/values.yaml index 40f8b70d6..e5a024f23 100644 --- a/charts/bitnami/cassandra/values.yaml +++ b/charts/bitnami/cassandra/values.yaml @@ -76,11 +76,11 @@ diagnosticMode: image: registry: docker.io repository: bitnami/cassandra - tag: 4.1.3-debian-11-r76 + tag: 4.1.3-debian-11-r78 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -264,7 +264,7 @@ nodeAffinityPreset: ## affinity: {} ## @param nodeSelector Node labels for pod assignment -## ref: https://kubernetes.io/docs/user-guide/node-selection/ +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param tolerations Tolerations for pod assignment @@ -307,7 +307,7 @@ containerSecurityContext: type: "RuntimeDefault" readOnlyRootFilesystem: false ## Cassandra pods' resource requests and limits -## ref: https://kubernetes.io/docs/user-guide/compute-resources/ +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## Minimum memory for development is 4GB and 2 CPU cores ## Minimum memory for production is 8GB and 4 CPU cores ## ref: http://docs.datastax.com/en/archived/cassandra/2.0/cassandra/architecture/architecturePlanningHardware_c.html 
@@ -472,7 +472,7 @@ serviceAccount: annotations: {} ## @param serviceAccount.automountServiceAccountToken Automount API credentials for a service account. ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## @section Traffic Exposure Parameters ## @@ -561,7 +561,7 @@ networkPolicy: ## ## Enable persistence using Persistent Volume Claims -## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ +## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param persistence.enabled Enable Cassandra data persistence using PVC, use a Persistent Volume Claim, If false, use emptyDir @@ -628,7 +628,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r91 + tag: 11-debian-11-r92 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -640,7 +640,7 @@ volumePermissions: ## pullSecrets: [] ## Init container' resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following @@ -708,7 +708,7 @@ metrics: ## pullSecrets: [] ## Cassandra Prometheus exporter resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following 
diff --git a/charts/bitnami/kafka/Chart.lock b/charts/bitnami/kafka/Chart.lock index c91e7ab30..aa7516883 100644 --- a/charts/bitnami/kafka/Chart.lock +++ b/charts/bitnami/kafka/Chart.lock @@ -1,9 +1,9 @@ dependencies: - name: zookeeper repository: oci://registry-1.docker.io/bitnamicharts - version: 12.3.2 + version: 12.4.0 - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.13.3 -digest: sha256:36a6404578c8c05d0ca2d3bedefafbb22c339ba65472742fdeb35166e61650ca -generated: "2023-11-21T18:15:15.544843963Z" + version: 2.14.1 +digest: sha256:436dc8df38da8dfade2782e499dfea25d0dd1ed683bb42c8cc9f6b97f3ea66fe +generated: "2023-12-22T14:05:20.981818545Z" diff --git a/charts/bitnami/kafka/Chart.yaml b/charts/bitnami/kafka/Chart.yaml index 110ab3672..f9a5a90e5 100644 --- a/charts/bitnami/kafka/Chart.yaml +++ b/charts/bitnami/kafka/Chart.yaml @@ -6,18 +6,18 @@ annotations: category: Infrastructure images: | - name: jmx-exporter - image: docker.io/bitnami/jmx-exporter:0.20.0-debian-11-r1 + image: docker.io/bitnami/jmx-exporter:0.20.0-debian-11-r2 - name: kafka-exporter - image: docker.io/bitnami/kafka-exporter:1.7.0-debian-11-r133 + image: docker.io/bitnami/kafka-exporter:1.7.0-debian-11-r134 - name: kafka - image: docker.io/bitnami/kafka:3.6.0-debian-11-r2 + image: docker.io/bitnami/kafka:3.6.1-debian-11-r0 - name: kubectl - image: docker.io/bitnami/kubectl:1.28.4-debian-11-r0 + image: docker.io/bitnami/kubectl:1.29.0-debian-11-r0 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r91 + image: docker.io/bitnami/os-shell:11-debian-11-r92 licenses: Apache-2.0 apiVersion: v2 -appVersion: 3.6.0 +appVersion: 3.6.1 dependencies: - condition: zookeeper.enabled name: zookeeper @@ -45,4 +45,4 @@ maintainers: name: kafka sources: - https://github.com/bitnami/charts/tree/main/bitnami/kafka -version: 26.4.3 +version: 26.6.3 diff --git a/charts/bitnami/kafka/README.md b/charts/bitnami/kafka/README.md index 2bfdd22e8..5bb0d503b 100644 
--- a/charts/bitnami/kafka/README.md +++ b/charts/bitnami/kafka/README.md @@ -181,6 +181,8 @@ The command removes all the Kubernetes components associated with the chart and | `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Kafka container(s) | `[]` | | `sidecars` | Add additional sidecar containers to the Kafka pod(s) | `[]` | | `initContainers` | Add additional Add init containers to the Kafka pod(s) | `[]` | +| `dnsPolicy` | Specifies the DNS policy for the zookeeper pods | `""` | +| `dnsConfig` | allows users more control on the DNS settings for a Pod. Required if `dnsPolicy` is set to `None` | `{}` | ### Controller-eligible statefulset parameters 
@@ -387,72 +389,79 @@ The command removes all the Kubernetes components associated with the chart and ### Traffic Exposure parameters -| Name | Description | Value | -| ------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | -| `service.type` | Kubernetes Service type | `ClusterIP` | -| `service.ports.client` | Kafka svc port for client connections | `9092` | -| `service.ports.controller` | Kafka svc port for controller connections. It is used if "kraft.enabled: true" | `9093` | -| `service.ports.interbroker` | Kafka svc port for inter-broker connections | `9094` | -| `service.ports.external` | Kafka svc port for external connections | `9095` | -| `service.extraPorts` | Extra ports to expose in the Kafka service (normally used with the `sidecar` value) | `[]` | -| `service.nodePorts.client` | Node port for the Kafka client connections | `""` | -| `service.nodePorts.external` | Node port for the Kafka external connections | `""` | -| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | -| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `service.clusterIP` | Kafka service Cluster IP | `""` | -| `service.loadBalancerIP` | Kafka service Load Balancer IP | `""` | -| `service.loadBalancerSourceRanges` | Kafka service Load Balancer sources | `[]` | -| `service.externalTrafficPolicy` | Kafka service external traffic policy | `Cluster` | -| `service.annotations` | Additional custom annotations for Kafka service | `{}` | -| `service.headless.controller.annotations` | Annotations for the controller-eligible headless service. | `{}` | -| `service.headless.controller.labels` | Labels for the controller-eligible headless service. 
| `{}` | -| `service.headless.broker.annotations` | Annotations for the broker-only headless service. | `{}` | -| `service.headless.broker.labels` | Labels for the broker-only headless service. | `{}` | -| `externalAccess.enabled` | Enable Kubernetes external cluster access to Kafka brokers | `false` | -| `externalAccess.autoDiscovery.enabled` | Enable using an init container to auto-detect external IPs/ports by querying the K8s API | `false` | -| `externalAccess.autoDiscovery.image.registry` | Init container auto-discovery image registry | `REGISTRY_NAME` | -| `externalAccess.autoDiscovery.image.repository` | Init container auto-discovery image repository | `REPOSITORY_NAME/kubectl` | -| `externalAccess.autoDiscovery.image.digest` | Kubectl image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `externalAccess.autoDiscovery.image.pullPolicy` | Init container auto-discovery image pull policy | `IfNotPresent` | -| `externalAccess.autoDiscovery.image.pullSecrets` | Init container auto-discovery image pull secrets | `[]` | -| `externalAccess.autoDiscovery.resources.limits` | The resources limits for the auto-discovery init container | `{}` | -| `externalAccess.autoDiscovery.resources.requests` | The requested resources for the auto-discovery init container | `{}` | -| `externalAccess.controller.forceExpose` | If set to true, force exposing controller-eligible nodes although they are configured as controller-only nodes | `false` | -| `externalAccess.controller.service.type` | Kubernetes Service type for external access. It can be NodePort, LoadBalancer or ClusterIP | `LoadBalancer` | -| `externalAccess.controller.service.ports.external` | Kafka port used for external access when service type is LoadBalancer | `9094` | -| `externalAccess.controller.service.loadBalancerIPs` | Array of load balancer IPs for each Kafka broker. 
Length must be the same as replicaCount | `[]` | -| `externalAccess.controller.service.loadBalancerNames` | Array of load balancer Names for each Kafka broker. Length must be the same as replicaCount | `[]` | -| `externalAccess.controller.service.loadBalancerAnnotations` | Array of load balancer annotations for each Kafka broker. Length must be the same as replicaCount | `[]` | -| `externalAccess.controller.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` | -| `externalAccess.controller.service.nodePorts` | Array of node ports used for each Kafka broker. Length must be the same as replicaCount | `[]` | -| `externalAccess.controller.service.externalIPs` | Use distinct service host IPs to configure Kafka external listener when service type is NodePort. Length must be the same as replicaCount | `[]` | -| `externalAccess.controller.service.useHostIPs` | Use service host IPs to configure Kafka external listener when service type is NodePort | `false` | -| `externalAccess.controller.service.usePodIPs` | using the MY_POD_IP address for external access. | `false` | -| `externalAccess.controller.service.domain` | Domain or external ip used to configure Kafka external listener when service type is NodePort or ClusterIP | `""` | -| `externalAccess.controller.service.publishNotReadyAddresses` | Indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready | `false` | -| `externalAccess.controller.service.labels` | Service labels for external access | `{}` | -| `externalAccess.controller.service.annotations` | Service annotations for external access | `{}` | -| `externalAccess.controller.service.extraPorts` | Extra ports to expose in the Kafka external service | `[]` | -| `externalAccess.broker.service.type` | Kubernetes Service type for external access. 
It can be NodePort, LoadBalancer or ClusterIP | `LoadBalancer` | -| `externalAccess.broker.service.ports.external` | Kafka port used for external access when service type is LoadBalancer | `9094` | -| `externalAccess.broker.service.loadBalancerIPs` | Array of load balancer IPs for each Kafka broker. Length must be the same as replicaCount | `[]` | -| `externalAccess.broker.service.loadBalancerNames` | Array of load balancer Names for each Kafka broker. Length must be the same as replicaCount | `[]` | -| `externalAccess.broker.service.loadBalancerAnnotations` | Array of load balancer annotations for each Kafka broker. Length must be the same as replicaCount | `[]` | -| `externalAccess.broker.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` | -| `externalAccess.broker.service.nodePorts` | Array of node ports used for each Kafka broker. Length must be the same as replicaCount | `[]` | -| `externalAccess.broker.service.externalIPs` | Use distinct service host IPs to configure Kafka external listener when service type is NodePort. Length must be the same as replicaCount | `[]` | -| `externalAccess.broker.service.useHostIPs` | Use service host IPs to configure Kafka external listener when service type is NodePort | `false` | -| `externalAccess.broker.service.usePodIPs` | using the MY_POD_IP address for external access. 
| `false` | -| `externalAccess.broker.service.domain` | Domain or external ip used to configure Kafka external listener when service type is NodePort or ClusterIP | `""` | -| `externalAccess.broker.service.publishNotReadyAddresses` | Indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready | `false` | -| `externalAccess.broker.service.labels` | Service labels for external access | `{}` | -| `externalAccess.broker.service.annotations` | Service annotations for external access | `{}` | -| `externalAccess.broker.service.extraPorts` | Extra ports to expose in the Kafka external service | `[]` | -| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `false` | -| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | -| `networkPolicy.explicitNamespacesSelector` | A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed | `{}` | -| `networkPolicy.externalAccess.from` | customize the from section for External Access on tcp-external port | `[]` | -| `networkPolicy.egressRules.customRules` | Custom network policy rule | `{}` | +| Name | Description | Value | +| -------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | +| `service.type` | Kubernetes Service type | `ClusterIP` | +| `service.ports.client` | Kafka svc port for client connections | `9092` | +| `service.ports.controller` | Kafka svc port for controller connections. 
It is used if "kraft.enabled: true" | `9093` | +| `service.ports.interbroker` | Kafka svc port for inter-broker connections | `9094` | +| `service.ports.external` | Kafka svc port for external connections | `9095` | +| `service.extraPorts` | Extra ports to expose in the Kafka service (normally used with the `sidecar` value) | `[]` | +| `service.nodePorts.client` | Node port for the Kafka client connections | `""` | +| `service.nodePorts.external` | Node port for the Kafka external connections | `""` | +| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `service.clusterIP` | Kafka service Cluster IP | `""` | +| `service.loadBalancerIP` | Kafka service Load Balancer IP | `""` | +| `service.loadBalancerSourceRanges` | Kafka service Load Balancer sources | `[]` | +| `service.externalTrafficPolicy` | Kafka service external traffic policy | `Cluster` | +| `service.annotations` | Additional custom annotations for Kafka service | `{}` | +| `service.headless.controller.annotations` | Annotations for the controller-eligible headless service. | `{}` | +| `service.headless.controller.labels` | Labels for the controller-eligible headless service. | `{}` | +| `service.headless.broker.annotations` | Annotations for the broker-only headless service. | `{}` | +| `service.headless.broker.labels` | Labels for the broker-only headless service. 
| `{}` | +| `externalAccess.enabled` | Enable Kubernetes external cluster access to Kafka brokers | `false` | +| `externalAccess.autoDiscovery.enabled` | Enable using an init container to auto-detect external IPs/ports by querying the K8s API | `false` | +| `externalAccess.autoDiscovery.image.registry` | Init container auto-discovery image registry | `REGISTRY_NAME` | +| `externalAccess.autoDiscovery.image.repository` | Init container auto-discovery image repository | `REPOSITORY_NAME/kubectl` | +| `externalAccess.autoDiscovery.image.digest` | Kubectl image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `externalAccess.autoDiscovery.image.pullPolicy` | Init container auto-discovery image pull policy | `IfNotPresent` | +| `externalAccess.autoDiscovery.image.pullSecrets` | Init container auto-discovery image pull secrets | `[]` | +| `externalAccess.autoDiscovery.resources.limits` | The resources limits for the auto-discovery init container | `{}` | +| `externalAccess.autoDiscovery.resources.requests` | The requested resources for the auto-discovery init container | `{}` | +| `externalAccess.autoDiscovery.containerSecurityContext.enabled` | Enable Kafka auto-discovery containers' Security Context | `true` | +| `externalAccess.autoDiscovery.containerSecurityContext.runAsUser` | Set Kafka auto-discovery containers' Security Context runAsUser | `1001` | +| `externalAccess.autoDiscovery.containerSecurityContext.runAsNonRoot` | Set Kafka auto-discovery containers' Security Context runAsNonRoot | `true` | +| `externalAccess.autoDiscovery.containerSecurityContext.allowPrivilegeEscalation` | Set Kafka auto-discovery containers' Security Context allowPrivilegeEscalation | `false` | +| `externalAccess.autoDiscovery.containerSecurityContext.readOnlyRootFilesystem` | Set Kafka auto-discovery containers' Security Context readOnlyRootFilesystem | `true` | +| 
`externalAccess.autoDiscovery.containerSecurityContext.capabilities.drop` | Set Kafka auto-discovery containers' Security Context capabilities to be dropped | `["ALL"]` | +| `externalAccess.autoDiscovery.containerSecurityContext.seccompProfile.type` | Set Kafka auto-discovery seccomp profile type | `RuntimeDefault` | +| `externalAccess.controller.forceExpose` | If set to true, force exposing controller-eligible nodes although they are configured as controller-only nodes | `false` | +| `externalAccess.controller.service.type` | Kubernetes Service type for external access. It can be NodePort, LoadBalancer or ClusterIP | `LoadBalancer` | +| `externalAccess.controller.service.ports.external` | Kafka port used for external access when service type is LoadBalancer | `9094` | +| `externalAccess.controller.service.loadBalancerIPs` | Array of load balancer IPs for each Kafka broker. Length must be the same as replicaCount | `[]` | +| `externalAccess.controller.service.loadBalancerNames` | Array of load balancer Names for each Kafka broker. Length must be the same as replicaCount | `[]` | +| `externalAccess.controller.service.loadBalancerAnnotations` | Array of load balancer annotations for each Kafka broker. Length must be the same as replicaCount | `[]` | +| `externalAccess.controller.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` | +| `externalAccess.controller.service.nodePorts` | Array of node ports used for each Kafka broker. Length must be the same as replicaCount | `[]` | +| `externalAccess.controller.service.externalIPs` | Use distinct service host IPs to configure Kafka external listener when service type is NodePort. 
Length must be the same as replicaCount | `[]` | +| `externalAccess.controller.service.useHostIPs` | Use service host IPs to configure Kafka external listener when service type is NodePort | `false` | +| `externalAccess.controller.service.usePodIPs` | using the MY_POD_IP address for external access. | `false` | +| `externalAccess.controller.service.domain` | Domain or external ip used to configure Kafka external listener when service type is NodePort or ClusterIP | `""` | +| `externalAccess.controller.service.publishNotReadyAddresses` | Indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready | `false` | +| `externalAccess.controller.service.labels` | Service labels for external access | `{}` | +| `externalAccess.controller.service.annotations` | Service annotations for external access | `{}` | +| `externalAccess.controller.service.extraPorts` | Extra ports to expose in the Kafka external service | `[]` | +| `externalAccess.broker.service.type` | Kubernetes Service type for external access. It can be NodePort, LoadBalancer or ClusterIP | `LoadBalancer` | +| `externalAccess.broker.service.ports.external` | Kafka port used for external access when service type is LoadBalancer | `9094` | +| `externalAccess.broker.service.loadBalancerIPs` | Array of load balancer IPs for each Kafka broker. Length must be the same as replicaCount | `[]` | +| `externalAccess.broker.service.loadBalancerNames` | Array of load balancer Names for each Kafka broker. Length must be the same as replicaCount | `[]` | +| `externalAccess.broker.service.loadBalancerAnnotations` | Array of load balancer annotations for each Kafka broker. Length must be the same as replicaCount | `[]` | +| `externalAccess.broker.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` | +| `externalAccess.broker.service.nodePorts` | Array of node ports used for each Kafka broker. 
Length must be the same as replicaCount | `[]` | +| `externalAccess.broker.service.externalIPs` | Use distinct service host IPs to configure Kafka external listener when service type is NodePort. Length must be the same as replicaCount | `[]` | +| `externalAccess.broker.service.useHostIPs` | Use service host IPs to configure Kafka external listener when service type is NodePort | `false` | +| `externalAccess.broker.service.usePodIPs` | using the MY_POD_IP address for external access. | `false` | +| `externalAccess.broker.service.domain` | Domain or external ip used to configure Kafka external listener when service type is NodePort or ClusterIP | `""` | +| `externalAccess.broker.service.publishNotReadyAddresses` | Indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready | `false` | +| `externalAccess.broker.service.labels` | Service labels for external access | `{}` | +| `externalAccess.broker.service.annotations` | Service annotations for external access | `{}` | +| `externalAccess.broker.service.extraPorts` | Extra ports to expose in the Kafka external service | `[]` | +| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `false` | +| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `networkPolicy.explicitNamespacesSelector` | A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed | `{}` | +| `networkPolicy.externalAccess.from` | customize the from section for External Access on tcp-external port | `[]` | +| `networkPolicy.egressRules.customRules` | Custom network policy rule | `{}` | ### Volume Permissions parameters 
@@ -474,7 +483,7 @@ The command removes all the Kubernetes components associated with the chart and | --------------------------------------------- | ---------------------------------------------------------------------------------------------- | ------- | | `serviceAccount.create` | Enable creation of ServiceAccount for Kafka pods | `true` | | `serviceAccount.name` | The name of the service account to use. If not set and `create` is `true`, a name is generated | `""` | -| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` | +| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` | | `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | | `rbac.create` | Whether to create & use RBAC resources or not | `false` | 
@@ -497,6 +506,27 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.kafka.command` | Override Kafka exporter container command | `[]` | | `metrics.kafka.args` | Override Kafka exporter container arguments | `[]` | | `metrics.kafka.containerPorts.metrics` | Kafka exporter metrics container port | `9308` | +| `metrics.kafka.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `metrics.kafka.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | +| `metrics.kafka.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `metrics.kafka.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | +| `metrics.kafka.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `metrics.kafka.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.kafka.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `metrics.kafka.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `metrics.kafka.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `metrics.kafka.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `metrics.kafka.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `metrics.kafka.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.kafka.startupProbe.enabled` | Enable startupProbe | `false` | +| `metrics.kafka.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | +| `metrics.kafka.startupProbe.periodSeconds` | Period seconds for startupProbe | `5` | +| `metrics.kafka.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `metrics.kafka.startupProbe.failureThreshold` | Failure threshold for startupProbe | `3` | +| `metrics.kafka.startupProbe.successThreshold` | Success threshold for startupProbe 
| `1` | +| `metrics.kafka.customStartupProbe` | Override default startup probe | `{}` | +| `metrics.kafka.customLivenessProbe` | Override default liveness probe | `{}` | +| `metrics.kafka.customReadinessProbe` | Override default readiness probe | `{}` | | `metrics.kafka.resources.limits` | The resources limits for the container | `{}` | | `metrics.kafka.resources.requests` | The requested resources for the container | `{}` | | `metrics.kafka.podSecurityContext.enabled` | Enable security context for the pods | `true` | @@ -533,7 +563,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.kafka.service.annotations` | Annotations for the Kafka exporter service | `{}` | | `metrics.kafka.serviceAccount.create` | Enable creation of ServiceAccount for Kafka exporter pods | `true` | | `metrics.kafka.serviceAccount.name` | The name of the service account to use. If not set and `create` is `true`, a name is generated | `""` | -| `metrics.kafka.serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` | +| `metrics.kafka.serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` | | `metrics.jmx.enabled` | Whether or not to expose JMX metrics to Prometheus | `false` | | `metrics.jmx.kafkaJmxPort` | JMX port where the exporter will collect metrics, exposed in the Kafka container. | `5555` | | `metrics.jmx.image.registry` | JMX exporter image registry | `REGISTRY_NAME` | 
@@ -608,9 +638,9 @@ The command removes all the Kubernetes components associated with the chart and | `provisioning.extraEnvVarsSecret` | Secret with extra environment variables | `""` | | `provisioning.podAnnotations` | Extra annotations for Kafka provisioning pods | `{}` | | `provisioning.podLabels` | Extra labels for Kafka provisioning pods | `{}` | -| `provisioning.serviceAccount.create` | Enable creation of ServiceAccount for Kafka provisioning pods | `false` | +| `provisioning.serviceAccount.create` | Enable creation of ServiceAccount for Kafka provisioning pods | `true` | | `provisioning.serviceAccount.name` | The name of the service account to use. If not set and `create` is `true`, a name is generated | `""` | -| `provisioning.serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` | +| `provisioning.serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` | | `provisioning.resources.limits` | The resources limits for the Kafka provisioning container | `{}` | | `provisioning.resources.requests` | The requested resources for the Kafka provisioning container | `{}` | | `provisioning.podSecurityContext.enabled` | Enable security context for the pods | `true` | @@ -678,7 +708,7 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/kafka ## Configuration and installation details -### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) +### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. 
@@ -1434,7 +1464,7 @@ kubectl delete statefulset kafka-zookeeper --cascade=false ## License -Copyright © 2023 VMware, Inc. +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/charts/bitnami/kafka/charts/common/Chart.yaml b/charts/bitnami/kafka/charts/common/Chart.yaml index 40cd22d77..9a6aa881f 100644 --- a/charts/bitnami/kafka/charts/common/Chart.yaml +++ b/charts/bitnami/kafka/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.13.3 +appVersion: 2.14.1 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.13.3 +version: 2.14.1 diff --git a/charts/bitnami/kafka/charts/common/README.md b/charts/bitnami/kafka/charts/common/README.md index 80da4cc2f..a76fa46a2 100644 --- a/charts/bitnami/kafka/charts/common/README.md +++ b/charts/bitnami/kafka/charts/common/README.md @@ -24,14 +24,14 @@ data: myvalue: "Hello World" ``` +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. + ## Introduction This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. -Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - ## Prerequisites - Kubernetes 1.23+ 
diff --git a/charts/bitnami/kafka/charts/common/templates/_secrets.tpl b/charts/bitnami/kafka/charts/common/templates/_secrets.tpl index a193c46b6..84dbe3803 100644 --- a/charts/bitnami/kafka/charts/common/templates/_secrets.tpl +++ b/charts/bitnami/kafka/charts/common/templates/_secrets.tpl @@ -78,6 +78,8 @@ Params: - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - context - Context - Required - Parent context. - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. The order in which this function returns a secret password: 1. Already existing 'Secret' resource (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) @@ -91,7 +93,6 @@ The order in which this function returns a secret password: {{- $password := "" }} {{- $subchart := "" }} -{{- $failOnNew := default true .failOnNew }} {{- $chartName := default "" .chartName }} {{- $passwordLength := default 10 .length }} {{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} 
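Review bot: In the `@@ -78,6 +78,8 @@` hunk, the added `skipB64enc` line of the Params comment reads "no the secret will not be base64 encrypted", which is garbled and calls base64 encryption. Base64 is a reversible encoding and gives no confidentiality, so the line should read `- skipB64enc - Boolean - Optional - Default to false. If set to true, the secret will not be base64 encoded.` The comment block, and the define it documents, begin outside this hunk.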
@@ -99,12 +100,14 @@ The order in which this function returns a secret password: {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} {{- if $secretData }} {{- if hasKey $secretData .key }} - {{- $password = index $secretData .key | quote }} - {{- else if $failOnNew }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} {{- end -}} {{- else if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString | b64enc | quote }} + {{- $password = $providedPasswordValue | toString }} {{- else }} {{- if .context.Values.enabled }} @@ -120,12 +123,19 @@ The order in which this function returns a secret password: {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} {{- $password = randAscii $passwordLength }} {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} {{- else }} - {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- $password = randAlphaNum $passwordLength }} {{- end }} {{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} +{{- end -}} +{{- if .skipQuote -}} {{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} {{- end -}} {{/* diff --git a/charts/bitnami/kafka/charts/zookeeper/Chart.yaml b/charts/bitnami/kafka/charts/zookeeper/Chart.yaml index f58599294..6a75e04fc 100644 --- a/charts/bitnami/kafka/charts/zookeeper/Chart.yaml +++ b/charts/bitnami/kafka/charts/zookeeper/Chart.yaml 
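Review bot: In the `@@ -99,12 +100,14 @@` hunk, `$password` is left as `""` when the looked-up Secret exists without `.key`, `failOnNew` is false and no provided value is set. The random-generation code appears to sit only in the outer `else`, which this path never reaches, so the helper would return the base64 of an empty string as the credential. Either fall back to generation when `$password` is still empty after the inner `if`, or fail explicitly for that combination. A short comment above `not (eq .failOnNew false)`, such as `{{/* an unset failOnNew is treated as true */}}`, would also help now that the `$failOnNew` local has been removed in the `@@ -91,7 +93,6 @@` hunk. The define starts before this hunk and the generation branch lies between this hunk and the next, so this needs confirming against the full file.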
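Review bot: In the `@@ -120,12 +123,19 @@` hunk, the `skipQuote` branch prints the value raw with `{{- printf "%s" $password -}}`, and together with `skipB64enc` that is the plaintext password with no YAML quoting. A user-provided password is not restricted to a safe character set in the visible code, so a value containing characters such as `:` or `#` could change how the rendered manifest parses unless the caller quotes it. I would state that contract on the parameter, for example `- skipQuote - Boolean - Optional - Default to false. If set to true, no quotes are added; the caller must quote or encode the result before placing it in YAML.` The define's opening lines are outside this hunk.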
@@ -2,9 +2,9 @@ annotations: category: Infrastructure images: | - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r90 + image: docker.io/bitnami/os-shell:11-debian-11-r91 - name: zookeeper - image: docker.io/bitnami/zookeeper:3.9.1-debian-11-r1 + image: docker.io/bitnami/zookeeper:3.9.1-debian-11-r2 licenses: Apache-2.0 apiVersion: v2 appVersion: 3.9.1 @@ -26,4 +26,4 @@ maintainers: name: zookeeper sources: - https://github.com/bitnami/charts/tree/main/bitnami/zookeeper -version: 12.3.2 +version: 12.4.0 diff --git a/charts/bitnami/kafka/charts/zookeeper/README.md b/charts/bitnami/kafka/charts/zookeeper/README.md index bdb7fd00d..22f0b9122 100644 --- a/charts/bitnami/kafka/charts/zookeeper/README.md +++ b/charts/bitnami/kafka/charts/zookeeper/README.md @@ -1,6 +1,6 @@ -# Apache ZooKeeper packaged by Bitnami +# Bitnami package for Apache ZooKeeper Apache ZooKeeper provides a reliable, centralized register of configuration data and services for distributed applications. @@ -11,10 +11,10 @@ Trademarks: This software listing is packaged by Bitnami. The respective tradema ## TL;DR ```console -helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/zookeeper +helm install my-release oci://registry-1.docker.io/bitnamicharts/zookeeper ``` -> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +Looking to use Apache ZooKeeper in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. ## Introduction 
@@ -22,8 +22,6 @@ This chart bootstraps a [ZooKeeper](https://github.com/bitnami/containers/tree/m Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. -Looking to use Apache ZooKeeper in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - ## Prerequisites - Kubernetes 1.23+ @@ -197,6 +195,8 @@ The command removes all the Kubernetes components associated with the chart and | `pdb.minAvailable` | Minimum available ZooKeeper replicas | `""` | | `pdb.maxUnavailable` | Maximum unavailable ZooKeeper replicas | `1` | | `enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | +| `dnsPolicy` | Specifies the DNS policy for the zookeeper pods | `""` | +| `dnsConfig` | allows users more control on the DNS settings for a Pod. Required if `dnsPolicy` is set to `None` | `{}` | ### Traffic Exposure parameters @@ -342,7 +342,7 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/zooke ``` > Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. -> **Tip**: You can use the default [values.yaml](values.yaml) +> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/zookeeper/values.yaml) ## Configuration and installation details diff --git a/charts/bitnami/kafka/charts/zookeeper/templates/statefulset.yaml b/charts/bitnami/kafka/charts/zookeeper/templates/statefulset.yaml index 4719f9bab..b4bdfceee 100644 --- a/charts/bitnami/kafka/charts/zookeeper/templates/statefulset.yaml +++ b/charts/bitnami/kafka/charts/zookeeper/templates/statefulset.yaml 
@@ -75,6 +75,12 @@ spec: {{- if .Values.podSecurityContext.enabled }} securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} {{- end }} + {{- if .Values.dnsPolicy }} + dnsPolicy: {{ .Values.dnsPolicy }} + {{- end }} + {{- if .Values.dnsConfig }} + dnsConfig: {{- include "common.tplvalues.render" (dict "value" .Values.dnsConfig "context" $) | nindent 8 }} + {{- end }} initContainers: {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} - name: volume-permissions @@ -443,7 +449,7 @@ spec: - name: scripts configMap: name: {{ printf "%s-scripts" (include "common.names.fullname" .) }} - defaultMode: 0755 + defaultMode: 493 {{- if or .Values.configuration .Values.existingConfigmap }} - name: config configMap: diff --git a/charts/bitnami/kafka/charts/zookeeper/values.yaml b/charts/bitnami/kafka/charts/zookeeper/values.yaml index 825d00e5d..77ae8912f 100644 --- a/charts/bitnami/kafka/charts/zookeeper/values.yaml +++ b/charts/bitnami/kafka/charts/zookeeper/values.yaml @@ -79,7 +79,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/zookeeper - tag: 3.9.1-debian-11-r1 + tag: 3.9.1-debian-11-r2 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
@@ -490,6 +490,28 @@ pdb: ## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`. ## enableServiceLinks: true +## DNS-Pod services +## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +## @param dnsPolicy Specifies the DNS policy for the zookeeper pods +## DNS policies can be set on a per-Pod basis. Currently Kubernetes supports the following Pod-specific DNS policies. +## Available options: Default, ClusterFirst, ClusterFirstWithHostNet, None +## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy +dnsPolicy: "" +## @param dnsConfig allows users more control on the DNS settings for a Pod. Required if `dnsPolicy` is set to `None` +## The dnsConfig field is optional and it can work with any dnsPolicy settings. +## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config +## E.g. +## dnsConfig: +## nameservers: +## - 192.0.2.1 # this is an example +## searches: +## - ns1.svc.cluster-domain.example +## - my.dns.search.suffix +## options: +## - name: ndots +## value: "2" +## - name: edns0 +dnsConfig: {} ## @section Traffic Exposure parameters @@ -678,7 +700,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r90 + tag: 11-debian-11-r91 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/bitnami/kafka/templates/_helpers.tpl b/charts/bitnami/kafka/templates/_helpers.tpl index b60690930..1426e36c9 100644 --- a/charts/bitnami/kafka/templates/_helpers.tpl +++ b/charts/bitnami/kafka/templates/_helpers.tpl 
@@ -301,7 +301,7 @@ Create the name of the service account to use for the Kafka Provisioning client */}} {{- define "kafka.provisioning.serviceAccountName" -}} {{- if .Values.provisioning.serviceAccount.create -}} - {{ default (include "common.names.fullname" .) .Values.provisioning.serviceAccount.name }} + {{ default (printf "%s-provisioning" (include "common.names.fullname" .)) .Values.provisioning.serviceAccount.name }} {{- else -}} {{ default "default" .Values.provisioning.serviceAccount.name }} {{- end -}} @@ -598,7 +598,6 @@ Returns the controller quorum voters based on the number of controller-eligible Section of the server.properties configmap shared by both controller-eligible and broker nodes */}} {{- define "kafka.commonConfig" -}} -log.dir={{ printf "%s/data" .Values.controller.persistence.mountPath }} {{- if or (include "kafka.saslEnabled" .) }} sasl.enabled.mechanisms={{ upper .Values.sasl.enabledMechanisms }} {{- end }} @@ -965,6 +964,9 @@ Init container definition for waiting for Kubernetes autodiscovery fieldPath: metadata.name - name: AUTODISCOVERY_SERVICE_TYPE value: {{ $externalAccessService.service.type | quote }} + {{- if .context.Values.externalAccess.autoDiscovery.containerSecurityContext.enabled }} + securityContext: {{- omit .context.Values.externalAccess.autoDiscovery.containerSecurityContext "enabled" | toYaml | nindent 4 }} + {{- end }} {{- if .context.Values.externalAccess.autoDiscovery.resources }} resources: {{- toYaml .context.Values.externalAccess.autoDiscovery.resources | nindent 12 }} {{- end }} diff --git a/charts/bitnami/kafka/templates/broker/configmap.yaml b/charts/bitnami/kafka/templates/broker/configmap.yaml index 12a231c9f..4d4694555 100644 --- a/charts/bitnami/kafka/templates/broker/configmap.yaml +++ b/charts/bitnami/kafka/templates/broker/configmap.yaml 
@@ -40,6 +40,10 @@ data: inter.broker.protocol.version={{ default (regexFind "^[0-9].[0-9]+" .Chart.AppVersion) .Values.interBrokerProtocolVersion }} {{- end }} {{- end }} + # Kafka data logs directory + log.dir={{ printf "%s/data" .Values.broker.persistence.mountPath }} + # Kafka application logs directory + logs.dir={{ .Values.broker.logPersistence.mountPath }} {{- include "kafka.commonConfig" . | nindent 4 }} {{- include "common.tplvalues.render" ( dict "value" .Values.extraConfig "context" $ ) | nindent 4 }} {{- include "common.tplvalues.render" ( dict "value" .Values.broker.extraConfig "context" $ ) | nindent 4 }} diff --git a/charts/bitnami/kafka/templates/broker/statefulset.yaml b/charts/bitnami/kafka/templates/broker/statefulset.yaml index b684a32d7..76cf2d3d6 100644 --- a/charts/bitnami/kafka/templates/broker/statefulset.yaml +++ b/charts/bitnami/kafka/templates/broker/statefulset.yaml @@ -374,7 +374,7 @@ spec: - name: scripts configMap: name: {{ include "common.names.fullname" . }}-scripts - defaultMode: 0755 + defaultMode: 493 {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled }} - name: kafka-autodiscovery-shared emptyDir: {} diff --git a/charts/bitnami/kafka/templates/controller-eligible/configmap.yaml b/charts/bitnami/kafka/templates/controller-eligible/configmap.yaml index ed77b6533..4f8d79f83 100644 --- a/charts/bitnami/kafka/templates/controller-eligible/configmap.yaml +++ b/charts/bitnami/kafka/templates/controller-eligible/configmap.yaml 
@@ -39,6 +39,10 @@ data: inter.broker.protocol.version={{ default (regexFind "^[0-9].[0-9]+" .Chart.AppVersion) .Values.interBrokerProtocolVersion }} {{- include "kafka.zookeeperConfig" . | nindent 4 }} {{- end }} + # Kafka data logs directory + log.dir={{ printf "%s/data" .Values.controller.persistence.mountPath }} + # Kafka application logs directory + logs.dir={{ .Values.controller.logPersistence.mountPath }} {{- include "kafka.commonConfig" . | nindent 4 }} {{- include "common.tplvalues.render" ( dict "value" .Values.extraConfig "context" $ ) | nindent 4 }} {{- include "common.tplvalues.render" ( dict "value" .Values.controller.extraConfig "context" $ ) | nindent 4 }} diff --git a/charts/bitnami/kafka/templates/controller-eligible/statefulset.yaml b/charts/bitnami/kafka/templates/controller-eligible/statefulset.yaml index fa462ee95..60235d650 100644 --- a/charts/bitnami/kafka/templates/controller-eligible/statefulset.yaml +++ b/charts/bitnami/kafka/templates/controller-eligible/statefulset.yaml @@ -91,6 +91,12 @@ spec: {{- end }} serviceAccountName: {{ include "kafka.serviceAccountName" . }} enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + {{- if .Values.dnsPolicy }} + dnsPolicy: {{ .Values.dnsPolicy }} + {{- end }} + {{- if .Values.dnsConfig }} + dnsConfig: {{- include "common.tplvalues.render" (dict "value" .Values.dnsConfig "context" $) | nindent 8 }} + {{- end }} initContainers: {{- if and .Values.volumePermissions.enabled .Values.controller.persistence.enabled }} - name: volume-permissions @@ -367,7 +373,7 @@ spec: - name: scripts configMap: name: {{ include "common.names.fullname" . }}-scripts - defaultMode: 0755 + defaultMode: 493 {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled }} - name: kafka-autodiscovery-shared emptyDir: {} diff --git a/charts/bitnami/kafka/templates/metrics/deployment.yaml b/charts/bitnami/kafka/templates/metrics/deployment.yaml index b32b36f91..7860a9711 100644 
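Review bot: The new top-level `dnsPolicy` and `dnsConfig` values are wired only into the controller-eligible pod spec in the `@@ -91,6 +91,12 @@` hunk. The broker statefulset diff in this commit changes only `defaultMode`, so unless the broker template already renders these values, broker pods will silently ignore them. The Kafka chart's values.yaml comment also says `Specifies the DNS policy for the zookeeper pods`, which looks copied from the subchart and should name the Kafka pods instead. If broker coverage is intended, the same two `if` blocks belong in the pod spec of `templates/broker/statefulset.yaml`.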
--- a/charts/bitnami/kafka/templates/metrics/deployment.yaml +++ b/charts/bitnami/kafka/templates/metrics/deployment.yaml @@ -135,6 +135,30 @@ spec: ports: - name: metrics containerPort: {{ .Values.metrics.kafka.containerPorts.metrics }} + {{- if .Values.metrics.kafka.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.kafka.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.kafka.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.kafka.livenessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: /metrics + port: metrics + {{- end }} + {{- if .Values.metrics.kafka.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.kafka.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.kafka.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.kafka.readinessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: /metrics + port: metrics + {{- end }} + {{- if .Values.metrics.kafka.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.kafka.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.kafka.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.kafka.startupProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: /metrics + port: metrics + {{- end }} {{- if .Values.metrics.kafka.resources }} resources: {{ toYaml .Values.metrics.kafka.resources | nindent 12 }} {{- end }} diff --git a/charts/bitnami/kafka/templates/provisioning/job.yaml b/charts/bitnami/kafka/templates/provisioning/job.yaml index 82c83eb92..8eec3a30e 100644 --- a/charts/bitnami/kafka/templates/provisioning/job.yaml 
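Review bot: The default liveness, readiness and startup probes all issue `httpGet` against `/metrics`, and the values.yaml defaults added in this commit give them `timeoutSeconds: 1`. If serving `/metrics` makes the exporter collect from the brokers (likely for a Kafka exporter, but not visible here), a slow or unreachable cluster would fail the liveness probe and restart the exporter in a loop. That would remove monitoring exactly when it is needed. Consider making the liveness probe independent of Kafka, for example `tcpSocket:` with `port: metrics`, and keeping `/metrics` for readiness only.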
+++ b/charts/bitnami/kafka/templates/provisioning/job.yaml @@ -184,7 +184,7 @@ spec: env: - name: BITNAMI_DEBUG value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} - {{- if (regexFind "SSL" (upper .Values.listeners.client.protocol)) }} + {{- if and (regexFind "SSL" (upper .Values.listeners.client.protocol)) .Values.provisioning.auth.tls.passwordsSecret }} - name: KAFKA_CLIENT_KEY_PASSWORD valueFrom: secretKeyRef: diff --git a/charts/bitnami/kafka/values.yaml b/charts/bitnami/kafka/values.yaml index a1fc241f3..7b1c6b3cd 100644 --- a/charts/bitnami/kafka/values.yaml +++ b/charts/bitnami/kafka/values.yaml @@ -80,11 +80,11 @@ diagnosticMode: image: registry: docker.io repository: bitnami/kafka - tag: 3.6.0-debian-11-r2 + tag: 3.6.1-debian-11-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -440,6 +440,29 @@ sidecars: [] ## initContainers: [] +## DNS-Pod services +## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +## @param dnsPolicy Specifies the DNS policy for the zookeeper pods +## DNS policies can be set on a per-Pod basis. Currently Kubernetes supports the following Pod-specific DNS policies. +## Available options: Default, ClusterFirst, ClusterFirstWithHostNet, None +## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy +dnsPolicy: "" +## @param dnsConfig allows users more control on the DNS settings for a Pod. Required if `dnsPolicy` is set to `None` +## The dnsConfig field is optional and it can work with any dnsPolicy settings. +## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config +## E.g. +## dnsConfig: +## nameservers: +## - 192.0.2.1 # this is an example +## searches: +## - ns1.svc.cluster-domain.example +## - my.dns.search.suffix +## options: +## - name: ndots +## value: "2" +## - name: edns0 +dnsConfig: {} + ## @section Controller-eligible statefulset parameters ## controller: @@ -562,7 +585,7 @@ controller: ## lifecycleHooks: {} ## Kafka init container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## @param controller.initContainerResources.limits The resources limits for the init container ## @param controller.initContainerResources.requests The requested resources for the init container ## 
@@ -570,7 +593,7 @@ controller: limits: {} requests: {} ## Kafka resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param controller.resources.limits The resources limits for the container ## @param controller.resources.requests The requested resources for the container ## @@ -662,7 +685,7 @@ controller: ## affinity: {} ## @param controller.nodeSelector Node labels for pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param controller.tolerations Tolerations for pod assignment @@ -754,7 +777,7 @@ controller: minAvailable: "" maxUnavailable: 1 ## Enable persistence using Persistent Volume Claims - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param controller.persistence.enabled Enable Kafka data persistence using PVC, note that ZooKeeper persistence is unaffected @@ -951,7 +974,7 @@ broker: ## lifecycleHooks: {} ## Kafka init container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## @param broker.initContainerResources.limits The resources limits for the container ## @param broker.initContainerResources.requests The requested resources for the container ## 
@@ -959,7 +982,7 @@ broker: limits: {} requests: {} ## Kafka resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param broker.resources.limits The resources limits for the container ## @param broker.resources.requests The requested resources for the container ## @@ -1051,7 +1074,7 @@ broker: ## affinity: {} ## @param broker.nodeSelector Node labels for pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param broker.tolerations Tolerations for pod assignment @@ -1143,7 +1166,7 @@ broker: minAvailable: "" maxUnavailable: 1 ## Enable persistence using Persistent Volume Claims - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param broker.persistence.enabled Enable Kafka data persistence using PVC, note that ZooKeeper persistence is unaffected @@ -1221,7 +1244,6 @@ broker: ## mountPath: /opt/bitnami/kafka/logs - ## @section Traffic Exposure parameters ## @@ -1253,7 +1275,7 @@ service: external: "" ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/user-guide/services/ + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ ## sessionAffinity: None ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity 
@@ -1268,7 +1290,7 @@ service: ## clusterIP: "" ## @param service.loadBalancerIP Kafka service Load Balancer IP - ## ref: https://kubernetes.io/docs/user-guide/services/#type-loadbalancer + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer ## loadBalancerIP: "" ## @param service.loadBalancerSourceRanges Kafka service Load Balancer sources @@ -1328,11 +1350,11 @@ externalAccess: image: registry: docker.io repository: bitnami/kubectl - tag: 1.28.4-debian-11-r0 + tag: 1.29.0-debian-11-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) 
@@ -1343,13 +1365,39 @@ externalAccess: ## pullSecrets: [] ## Init Container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param externalAccess.autoDiscovery.resources.limits The resources limits for the auto-discovery init container ## @param externalAccess.autoDiscovery.resources.requests The requested resources for the auto-discovery init container ## resources: limits: {} requests: {} + ## Kafka provisioning containers' Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param externalAccess.autoDiscovery.containerSecurityContext.enabled Enable Kafka auto-discovery containers' Security Context + ## @param externalAccess.autoDiscovery.containerSecurityContext.runAsUser Set Kafka auto-discovery containers' Security Context runAsUser + ## @param externalAccess.autoDiscovery.containerSecurityContext.runAsNonRoot Set Kafka auto-discovery containers' Security Context runAsNonRoot + ## @param externalAccess.autoDiscovery.containerSecurityContext.allowPrivilegeEscalation Set Kafka auto-discovery containers' Security Context allowPrivilegeEscalation + ## @param externalAccess.autoDiscovery.containerSecurityContext.readOnlyRootFilesystem Set Kafka auto-discovery containers' Security Context readOnlyRootFilesystem + ## @param externalAccess.autoDiscovery.containerSecurityContext.capabilities.drop Set Kafka auto-discovery containers' Security Context capabilities to be dropped + ## @param externalAccess.autoDiscovery.containerSecurityContext.seccompProfile.type Set Kafka auto-discovery seccomp profile type + ## e.g: + ## containerSecurityContext: + ## enabled: true + ## capabilities: + ## drop: ["NET_RAW"] + ## readOnlyRootFilesystem: true + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + 
allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" ## Service settings controller: ## @param externalAccess.controller.forceExpose If set to true, force exposing controller-eligible nodes although they are configured as controller-only nodes @@ -1578,7 +1626,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r91 + tag: 11-debian-11-r92 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1590,7 +1638,7 @@ volumePermissions: ## pullSecrets: [] ## Init container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param volumePermissions.resources.limits Init container volume-permissions resource limits ## @param volumePermissions.resources.requests Init container volume-permissions resource requests ## @@ -1622,7 +1670,7 @@ serviceAccount: ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created ## Can be set to false if pods using this serviceAccount do not need to use K8s API ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount ## annotations: {} 
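Review bot: The header comment on the new `containerSecurityContext` block reads `## Kafka provisioning containers' Security Context`, but the block sits under `externalAccess.autoDiscovery` and every `@param` line describes the auto-discovery container. It should read `## Kafka auto-discovery containers' Security Context`. With `readOnlyRootFilesystem: true` as the default, it is also worth confirming that the init container writes only to its mounted volume, since a write anywhere else would now fail. An `emptyDir` named `kafka-autodiscovery-shared` appears in the statefulset templates.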
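Review bot: Changing `serviceAccount.automountServiceAccountToken` to `false` in the `@@ -1622,7 +1670,7 @@` hunk is good least-privilege hardening, but it removes the API token from every pod using this ServiceAccount unless the pod spec overrides it. The `externalAccess.autoDiscovery` init container runs the `bitnami/kubectl` image and presumably needs that token to query Services. No pod-level `automountServiceAccountToken` is added in the statefulset hunks of this commit, so confirm auto-discovery still works with the new default. Otherwise extend the comment, for example `## Must be set to true when externalAccess.autoDiscovery.enabled is true`. Because this changes a default, it also deserves an upgrade note in the chart README.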
@@ -1660,11 +1708,11 @@ metrics: image: registry: docker.io repository: bitnami/kafka-exporter - tag: 1.7.0-debian-11-r133 + tag: 1.7.0-debian-11-r134 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) 
@@ -1708,8 +1756,62 @@ metrics: ## containerPorts: metrics: 9308 + ## @param metrics.kafka.livenessProbe.enabled Enable livenessProbe + ## @param metrics.kafka.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param metrics.kafka.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param metrics.kafka.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param metrics.kafka.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param metrics.kafka.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + ## @param metrics.kafka.readinessProbe.enabled Enable readinessProbe + ## @param metrics.kafka.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param metrics.kafka.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param metrics.kafka.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param metrics.kafka.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param metrics.kafka.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + ## @param metrics.kafka.startupProbe.enabled Enable startupProbe + ## @param metrics.kafka.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param metrics.kafka.startupProbe.periodSeconds Period seconds for startupProbe + ## @param metrics.kafka.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param metrics.kafka.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param metrics.kafka.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + 
initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + ## Custom Startup probes + ## @param metrics.kafka.customStartupProbe Override default startup probe + ## + customStartupProbe: {} + ## Custom Liveness probes + ## @param metrics.kafka.customLivenessProbe Override default liveness probe + ## + customLivenessProbe: {} + ## Custom Rediness probes + ## @param metrics.kafka.customReadinessProbe Override default readiness probe + ## + customReadinessProbe: {} ## Kafka exporter resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param metrics.kafka.resources.limits The resources limits for the container ## @param metrics.kafka.resources.requests The requested resources for the container ## @@ -1795,7 +1897,7 @@ metrics: ## affinity: {} ## @param metrics.kafka.nodeSelector Node labels for pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param metrics.kafka.tolerations Tolerations for pod assignment @@ -1869,7 +1971,7 @@ metrics: clusterIP: "" ## @param metrics.kafka.service.sessionAffinity Control where client requests go, to the same pod or round-robin ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/user-guide/services/ + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ ## sessionAffinity: None ## @param metrics.kafka.service.annotations [object] Annotations for the Kafka exporter service 
@@ -1892,7 +1994,7 @@ metrics: ## @param metrics.kafka.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created ## Can be set to false if pods using this serviceAccount do not need to use K8s API ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## Prometheus JMX exporter: exposes the majority of Kafka metrics ## jmx: @@ -1914,11 +2016,11 @@ metrics: image: registry: docker.io repository: bitnami/jmx-exporter - tag: 0.20.0-debian-11-r1 + tag: 0.20.0-debian-11-r2 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) @@ -1956,7 +2058,7 @@ metrics: containerPorts: metrics: 5556 ## Prometheus JMX exporter resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param metrics.jmx.resources.limits The resources limits for the JMX exporter container ## @param metrics.jmx.resources.requests The requested resources for the JMX exporter container ## @@ -1976,7 +2078,7 @@ metrics: clusterIP: "" ## @param metrics.jmx.service.sessionAffinity Control where client requests go, to the same pod or round-robin ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/user-guide/services/ + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ ## sessionAffinity: None ## @param metrics.jmx.service.annotations [object] Annotations for the Prometheus JMX exporter service 
@@ -2100,7 +2202,7 @@ provisioning: ## topics: [] ## @param provisioning.nodeSelector Node labels for pod assignment - ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param provisioning.tolerations Tolerations for pod assignment @@ -2221,7 +2323,7 @@ provisioning: serviceAccount: ## @param provisioning.serviceAccount.create Enable creation of ServiceAccount for Kafka provisioning pods ## - create: false + create: true ## @param provisioning.serviceAccount.name The name of the service account to use. If not set and `create` is `true`, a name is generated ## If not set and create is true, a name is generated using the provisioning.serviceAccount.name template ## @@ -2229,9 +2331,9 @@ provisioning: ## @param provisioning.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created ## Can be set to false if pods using this serviceAccount do not need to use K8s API ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## Kafka provisioning resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param provisioning.resources.limits The resources limits for the Kafka provisioning container ## @param provisioning.resources.requests The requested resources for the Kafka provisioning container ## 
@@ -2379,7 +2481,7 @@ zookeeper: ## serverPasswords: "" ## ZooKeeper Persistence parameters - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## @param zookeeper.persistence.enabled Enable persistence on ZooKeeper using PVC(s) ## @param zookeeper.persistence.storageClass Persistent Volume storage class ## @param zookeeper.persistence.accessModes Persistent Volume access modes diff --git a/charts/bitnami/mariadb/Chart.lock b/charts/bitnami/mariadb/Chart.lock index d1a0bc2eb..08b61c8af 100644 --- a/charts/bitnami/mariadb/Chart.lock +++ b/charts/bitnami/mariadb/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.13.3 -digest: sha256:9a971689db0c66ea95ac2e911c05014c2b96c6077c991131ff84f2982f88fb83 -generated: "2023-10-20T19:50:53.486382513Z" + version: 2.14.1 +digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3 +generated: "2023-12-20T08:07:49.82584344Z" diff --git a/charts/bitnami/mariadb/Chart.yaml b/charts/bitnami/mariadb/Chart.yaml index cf345d79b..aefa53103 100644 --- a/charts/bitnami/mariadb/Chart.yaml +++ b/charts/bitnami/mariadb/Chart.yaml @@ -6,14 +6,14 @@ annotations: category: Database images: | - name: mariadb - image: docker.io/bitnami/mariadb:11.1.3-debian-11-r0 + image: docker.io/bitnami/mariadb:11.2.2-debian-11-r1 - name: mysqld-exporter - image: docker.io/bitnami/mysqld-exporter:0.15.0-debian-11-r71 + image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r0 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r91 + image: docker.io/bitnami/os-shell:11-debian-11-r92 licenses: Apache-2.0 apiVersion: v2 -appVersion: 11.1.3 +appVersion: 11.2.2 dependencies: - name: common repository: file://./charts/common @@ -37,4 +37,4 @@ maintainers: name: mariadb sources: - https://github.com/bitnami/charts/tree/main/bitnami/mariadb -version: 14.1.4 +version: 15.0.1 
diff --git a/charts/bitnami/mariadb/charts/common/Chart.yaml b/charts/bitnami/mariadb/charts/common/Chart.yaml index 40cd22d77..9a6aa881f 100644 --- a/charts/bitnami/mariadb/charts/common/Chart.yaml +++ b/charts/bitnami/mariadb/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.13.3 +appVersion: 2.14.1 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.13.3 +version: 2.14.1 diff --git a/charts/bitnami/mariadb/charts/common/README.md b/charts/bitnami/mariadb/charts/common/README.md index 80da4cc2f..a76fa46a2 100644 --- a/charts/bitnami/mariadb/charts/common/README.md +++ b/charts/bitnami/mariadb/charts/common/README.md @@ -24,14 +24,14 @@ data: myvalue: "Hello World" ``` +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. + ## Introduction This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. -Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - ## Prerequisites - Kubernetes 1.23+ diff --git a/charts/bitnami/mariadb/charts/common/templates/_secrets.tpl b/charts/bitnami/mariadb/charts/common/templates/_secrets.tpl index a193c46b6..84dbe3803 100644 --- a/charts/bitnami/mariadb/charts/common/templates/_secrets.tpl +++ b/charts/bitnami/mariadb/charts/common/templates/_secrets.tpl 
@@ -78,6 +78,8 @@ Params: - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - context - Context - Required - Parent context. - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. The order in which this function returns a secret password: 1. Already existing 'Secret' resource (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) @@ -91,7 +93,6 @@ The order in which this function returns a secret password: {{- $password := "" }} {{- $subchart := "" }} -{{- $failOnNew := default true .failOnNew }} {{- $chartName := default "" .chartName }} {{- $passwordLength := default 10 .length }} {{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} 
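Review bot: The new `skipB64enc` entry in the `Params` comment of mariadb's `charts/common/templates/_secrets.tpl` reads "no the secret will not be base64 encrypted", which is garbled and describes base64 as encryption although it is only an encoding. I would word it as `- skipB64enc - Boolean - Optional - Default to false. If set to true, the secret will not be base64 encoded.` so that nobody reads the flag as a confidentiality control. The same sentence is added in the mysql and postgresql copies of this file further down the diff. The comment block and the template it documents start and end outside the hunk.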
@@ -99,12 +100,14 @@ The order in which this function returns a secret password: {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} {{- if $secretData }} {{- if hasKey $secretData .key }} - {{- $password = index $secretData .key | quote }} - {{- else if $failOnNew }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} {{- end -}} {{- else if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString | b64enc | quote }} + {{- $password = $providedPasswordValue | toString }} {{- else }} {{- if .context.Values.enabled }} @@ -120,12 +123,19 @@ The order in which this function returns a secret password: {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} {{- $password = randAscii $passwordLength }} {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} {{- else }} - {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- $password = randAlphaNum $passwordLength }} {{- end }} {{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} +{{- end -}} +{{- if .skipQuote -}} {{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} {{- end -}} {{/* diff --git a/charts/bitnami/mariadb/values.yaml b/charts/bitnami/mariadb/values.yaml index 6556fe1bf..feda971a7 100644 --- a/charts/bitnami/mariadb/values.yaml +++ b/charts/bitnami/mariadb/values.yaml 
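Review bot: In the `@@ -99,12 +100,14 @@` hunk of mariadb's `_secrets.tpl`, the chain under `{{- if $secretData }}` has no final branch, so when the Secret exists but lacks `.key`, `.failOnNew` is false and no value was provided, `$password` stays `""` and the function returns an empty password instead of generating one. The random-generation code sits only in the outer `else`, which is not reached once `$secretData` is non-empty. I would end the lookup block after the `fail` branch and put the provided-value and generation branches under a separate `{{- if not $password }}` guard, so they also run in that case. The mysql and postgresql copies carry the same hunk, and the template body continues outside it.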
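Review bot: In the `@@ -120,12 +123,19 @@` hunk, the `.skipQuote` branch prints `$password` as-is, and with `.skipB64enc` also set that is the raw password, which can begin with `@` (the strong-password path replaces non-word characters with `@` and then shuffles) or, for a provided value, contain `: ` or `#`. Placed unquoted in a manifest, such a value breaks or changes the rendered YAML. The callers are not visible here, so I would at least state the contract in the `Params` comment: `- skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret; the caller must quote or encode the value before placing it in YAML.` The same applies to the mysql and postgresql copies.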
@@ -90,7 +90,7 @@ serviceBindings: image: registry: docker.io repository: bitnami/mariadb - tag: 11.1.3-debian-11-r0 + tag: 11.2.2-debian-11-r1 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1016,7 +1016,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r91 + tag: 11-debian-11-r92 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) @@ -1052,7 +1052,7 @@ metrics: image: registry: docker.io repository: bitnami/mysqld-exporter - tag: 0.15.0-debian-11-r71 + tag: 0.15.1-debian-11-r0 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) diff --git a/charts/bitnami/mysql/Chart.lock b/charts/bitnami/mysql/Chart.lock index 8920e138c..b8bc83494 100644 --- a/charts/bitnami/mysql/Chart.lock +++ b/charts/bitnami/mysql/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.13.3 -digest: sha256:9a971689db0c66ea95ac2e911c05014c2b96c6077c991131ff84f2982f88fb83 -generated: "2023-10-25T13:36:31.889996785Z" + version: 2.14.1 +digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3 +generated: "2023-12-31T18:34:25.710573192Z" diff --git a/charts/bitnami/mysql/Chart.yaml b/charts/bitnami/mysql/Chart.yaml index 390d216a6..e6b4b011e 100644 --- a/charts/bitnami/mysql/Chart.yaml +++ b/charts/bitnami/mysql/Chart.yaml 
@@ -6,11 +6,11 @@ annotations: category: Database images: | - name: mysql - image: docker.io/bitnami/mysql:8.0.35-debian-11-r0 + image: docker.io/bitnami/mysql:8.0.35-debian-11-r2 - name: mysqld-exporter - image: docker.io/bitnami/mysqld-exporter:0.15.0-debian-11-r71 + image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r0 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r91 + image: docker.io/bitnami/os-shell:11-debian-11-r93 licenses: Apache-2.0 apiVersion: v2 appVersion: 8.0.35 @@ -36,4 +36,4 @@ maintainers: name: mysql sources: - https://github.com/bitnami/charts/tree/main/bitnami/mysql -version: 9.14.4 +version: 9.16.1 diff --git a/charts/bitnami/mysql/README.md b/charts/bitnami/mysql/README.md index 75a2812c1..103aa96f2 100644 --- a/charts/bitnami/mysql/README.md +++ b/charts/bitnami/mysql/README.md @@ -168,6 +168,7 @@ The command removes all the Kubernetes components associated with the chart and | `primary.extraEnvVars` | Extra environment variables to be set on MySQL primary containers | `[]` | | `primary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for MySQL primary containers | `""` | | `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MySQL primary containers | `""` | +| `primary.extraPodSpec` | Optionally specify extra PodSpec for the MySQL Primary pod(s) | `{}` | | `primary.extraPorts` | Extra ports to expose | `[]` | | `primary.persistence.enabled` | Enable persistence on MySQL primary replicas using a `PersistentVolumeClaim`. If false, use emptyDir | `true` | | `primary.persistence.existingClaim` | Name of an existing `PersistentVolumeClaim` for MySQL primary replicas | `""` | 
@@ -177,6 +178,9 @@ The command removes all the Kubernetes components associated with the chart and | `primary.persistence.accessModes` | MySQL primary persistent volume access Modes | `["ReadWriteOnce"]` | | `primary.persistence.size` | MySQL primary persistent volume size | `8Gi` | | `primary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` | +| `primary.persistentVolumeClaimRetentionPolicy.enabled` | Enable Persistent volume retention policy for Primary StatefulSet | `false` | +| `primary.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | +| `primary.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | | `primary.extraVolumes` | Optionally specify extra list of additional volumes to the MySQL Primary pod(s) | `[]` | | `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MySQL Primary container(s) | `[]` | | `primary.initContainers` | Add additional init containers for the MySQL Primary pod(s) | `[]` | 
@@ -261,6 +265,7 @@ The command removes all the Kubernetes components associated with the chart and | `secondary.extraEnvVars` | An array to add extra environment variables on MySQL secondary containers | `[]` | | `secondary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for MySQL secondary containers | `""` | | `secondary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for MySQL secondary containers | `""` | +| `secondary.extraPodSpec` | Optionally specify extra PodSpec for the MySQL Secondary pod(s) | `{}` | | `secondary.extraPorts` | Extra ports to expose | `[]` | | `secondary.persistence.enabled` | Enable persistence on MySQL secondary replicas using a `PersistentVolumeClaim` | `true` | | `secondary.persistence.existingClaim` | Name of an existing `PersistentVolumeClaim` for MySQL secondary replicas | `""` | 
@@ -270,6 +275,9 @@ The command removes all the Kubernetes components associated with the chart and | `secondary.persistence.accessModes` | MySQL secondary persistent volume access Modes | `["ReadWriteOnce"]` | | `secondary.persistence.size` | MySQL secondary persistent volume size | `8Gi` | | `secondary.persistence.selector` | Selector to match an existing Persistent Volume | `{}` | +| `secondary.persistentVolumeClaimRetentionPolicy.enabled` | Enable Persistent volume retention policy for read only StatefulSet | `false` | +| `secondary.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | +| `secondary.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | | `secondary.extraVolumes` | Optionally specify extra list of additional volumes to the MySQL secondary pod(s) | `[]` | | `secondary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MySQL secondary container(s) | `[]` | | `secondary.initContainers` | Add additional init containers for the MySQL secondary pod(s) | `[]` | diff --git a/charts/bitnami/mysql/charts/common/Chart.yaml b/charts/bitnami/mysql/charts/common/Chart.yaml index 40cd22d77..9a6aa881f 100644 --- a/charts/bitnami/mysql/charts/common/Chart.yaml +++ b/charts/bitnami/mysql/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.13.3 +appVersion: 2.14.1 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.13.3 +version: 2.14.1 diff --git a/charts/bitnami/mysql/charts/common/README.md b/charts/bitnami/mysql/charts/common/README.md index 80da4cc2f..a76fa46a2 100644 
--- a/charts/bitnami/mysql/charts/common/README.md +++ b/charts/bitnami/mysql/charts/common/README.md @@ -24,14 +24,14 @@ data: myvalue: "Hello World" ``` +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. + ## Introduction This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. -Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - ## Prerequisites - Kubernetes 1.23+ diff --git a/charts/bitnami/mysql/charts/common/templates/_secrets.tpl b/charts/bitnami/mysql/charts/common/templates/_secrets.tpl index a193c46b6..84dbe3803 100644 --- a/charts/bitnami/mysql/charts/common/templates/_secrets.tpl +++ b/charts/bitnami/mysql/charts/common/templates/_secrets.tpl @@ -78,6 +78,8 @@ Params: - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - context - Context - Required - Parent context. - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. The order in which this function returns a secret password: 1. Already existing 'Secret' resource (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) 
@@ -91,7 +93,6 @@ The order in which this function returns a secret password: {{- $password := "" }} {{- $subchart := "" }} -{{- $failOnNew := default true .failOnNew }} {{- $chartName := default "" .chartName }} {{- $passwordLength := default 10 .length }} {{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} @@ -99,12 +100,14 @@ The order in which this function returns a secret password: {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} {{- if $secretData }} {{- if hasKey $secretData .key }} - {{- $password = index $secretData .key | quote }} - {{- else if $failOnNew }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} {{- end -}} {{- else if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString | b64enc | quote }} + {{- $password = $providedPasswordValue | toString }} {{- else }} {{- if .context.Values.enabled }} 
@@ -120,12 +123,19 @@ The order in which this function returns a secret password: {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} {{- $password = randAscii $passwordLength }} {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} {{- else }} - {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- $password = randAlphaNum $passwordLength }} {{- end }} {{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} +{{- end -}} +{{- if .skipQuote -}} {{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} {{- end -}} {{/* diff --git a/charts/bitnami/mysql/templates/primary/statefulset.yaml b/charts/bitnami/mysql/templates/primary/statefulset.yaml index 35b066228..b6702b7f5 100644 --- a/charts/bitnami/mysql/templates/primary/statefulset.yaml +++ b/charts/bitnami/mysql/templates/primary/statefulset.yaml @@ -36,6 +36,9 @@ spec: labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} app.kubernetes.io/component: primary spec: + {{- if .Values.primary.extraPodSpec }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraPodSpec "context" $) | nindent 6 }} + {{- end }} serviceAccountName: {{ template "mysql.serviceAccountName" . }} {{- include "mysql.imagePullSecrets" . | nindent 6 }} {{- if .Values.primary.hostAliases }} 
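Review bot: In `charts/bitnami/mysql/templates/primary/statefulset.yaml`, `.Values.primary.extraPodSpec` is rendered directly under the pod `spec:` ahead of keys the chart sets itself, such as `serviceAccountName` on the next line, so a key given in both places yields a duplicate mapping key whose outcome depends on the YAML parser. The value is also unrestricted, which means a values file can set any PodSpec field, including the host-namespace and scheduling ones, without the chart's other settings showing it. I would document the limits next to the parameter in `values.yaml`, for example `## NOTE: do not repeat keys this chart already sets (e.g. serviceAccountName); every PodSpec field given here is applied as-is`. The secondary StatefulSet hunk adds the same block, and the pod spec continues outside the hunk.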
@@ -367,6 +370,11 @@ spec: - name: data emptyDir: {} {{- else if and .Values.primary.persistence.enabled (not .Values.primary.persistence.existingClaim) }} + {{- if .Values.primary.persistentVolumeClaimRetentionPolicy.enabled }} + persistentVolumeClaimRetentionPolicy: + whenDeleted: {{ .Values.primary.persistentVolumeClaimRetentionPolicy.whenDeleted }} + whenScaled: {{ .Values.primary.persistentVolumeClaimRetentionPolicy.whenScaled }} + {{- end }} volumeClaimTemplates: - metadata: name: data diff --git a/charts/bitnami/mysql/templates/secondary/statefulset.yaml b/charts/bitnami/mysql/templates/secondary/statefulset.yaml index 371f59c5c..c22e5e66a 100644 --- a/charts/bitnami/mysql/templates/secondary/statefulset.yaml +++ b/charts/bitnami/mysql/templates/secondary/statefulset.yaml @@ -37,6 +37,9 @@ spec: labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} app.kubernetes.io/component: secondary spec: + {{- if .Values.secondary.extraPodSpec }} + {{- include "common.tplvalues.render" (dict "value" .Values.secondary.extraPodSpec "context" $) | nindent 6 }} + {{- end }} serviceAccountName: {{ include "mysql.serviceAccountName" . }} {{- include "mysql.imagePullSecrets" . | nindent 6 }} {{- if .Values.secondary.hostAliases }} @@ -347,6 +350,11 @@ spec: - name: data emptyDir: {} {{- else }} + {{- if .Values.secondary.persistentVolumeClaimRetentionPolicy.enabled }} + persistentVolumeClaimRetentionPolicy: + whenDeleted: {{ .Values.secondary.persistentVolumeClaimRetentionPolicy.whenDeleted }} + whenScaled: {{ .Values.secondary.persistentVolumeClaimRetentionPolicy.whenScaled }} + {{- end }} volumeClaimTemplates: - metadata: name: data diff --git a/charts/bitnami/mysql/values.yaml b/charts/bitnami/mysql/values.yaml index 9398b3e6b..be02cb4f7 100644 --- a/charts/bitnami/mysql/values.yaml +++ b/charts/bitnami/mysql/values.yaml 
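Review bot: The `persistentVolumeClaimRetentionPolicy` block added in the primary StatefulSet template interpolates `whenDeleted` and `whenScaled` without validation, and nothing in the visible documentation says that `Delete` removes the database PVCs on scale-down or on StatefulSet deletion. The field also depends on the `StatefulSetAutoDeletePVC` feature, which is beta only from Kubernetes 1.27, so on older clusters the setting may be ignored without an error; the chart's own minimum version is not visible in this hunk. I would extend the `values.yaml` comment with `## Requires the StatefulSetAutoDeletePVC feature (beta since Kubernetes 1.27). 'Delete' removes the data PVCs.` and consider rejecting values other than `Retain` and `Delete` at render time. The secondary StatefulSet hunk adds the same block.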
@@ -85,7 +85,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/mysql - tag: 8.0.35-debian-11-r0 + tag: 8.0.35-debian-11-r2 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -431,6 +431,9 @@ primary: ## @param primary.extraEnvVarsSecret Name of existing Secret containing extra env vars for MySQL primary containers ## extraEnvVarsSecret: "" + ## @param primary.extraPodSpec Optionally specify extra PodSpec for the MySQL Primary pod(s) + ## + extraPodSpec: {} ## @param primary.extraPorts Extra ports to expose ## extraPorts: [] @@ -472,6 +475,19 @@ primary: ## app: my-app ## selector: {} + ## Primary Persistent Volume Claim Retention Policy + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention + ## + persistentVolumeClaimRetentionPolicy: + ## @param primary.persistentVolumeClaimRetentionPolicy.enabled Enable Persistent volume retention policy for Primary StatefulSet + ## + enabled: false + ## @param primary.persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced + ## + whenScaled: Retain + ## @param primary.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted + ## + whenDeleted: Retain ## @param primary.extraVolumes Optionally specify extra list of additional volumes to the MySQL Primary pod(s) ## extraVolumes: [] @@ -817,6 +833,9 @@ secondary: ## @param secondary.extraEnvVarsSecret Name of existing Secret containing extra env vars for MySQL secondary containers ## extraEnvVarsSecret: "" + ## @param secondary.extraPodSpec Optionally specify extra PodSpec for the MySQL Secondary pod(s) + ## + extraPodSpec: {} ## @param secondary.extraPorts Extra ports to expose ## extraPorts: [] 
@@ -858,6 +877,19 @@ secondary: ## app: my-app ## selector: {} + ## Secondary Persistent Volume Claim Retention Policy + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention + ## + persistentVolumeClaimRetentionPolicy: + ## @param secondary.persistentVolumeClaimRetentionPolicy.enabled Enable Persistent volume retention policy for read only StatefulSet + ## + enabled: false + ## @param secondary.persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced + ## + whenScaled: Retain + ## @param secondary.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted + ## + whenDeleted: Retain ## @param secondary.extraVolumes Optionally specify extra list of additional volumes to the MySQL secondary pod(s) ## extraVolumes: [] @@ -1039,7 +1071,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r91 + tag: 11-debian-11-r93 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1073,7 +1105,7 @@ metrics: image: registry: docker.io repository: bitnami/mysqld-exporter - tag: 0.15.0-debian-11-r71 + tag: 0.15.1-debian-11-r0 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/bitnami/postgresql/Chart.lock b/charts/bitnami/postgresql/Chart.lock index 35f80ca85..5f5e5abcf 100644 --- a/charts/bitnami/postgresql/Chart.lock +++ b/charts/bitnami/postgresql/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.13.3 -digest: sha256:9a971689db0c66ea95ac2e911c05014c2b96c6077c991131ff84f2982f88fb83 -generated: "2023-11-03T20:45:06.276989379Z" + version: 2.14.1 +digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3 +generated: "2023-12-20T20:39:13.141839286Z" 
diff --git a/charts/bitnami/postgresql/Chart.yaml b/charts/bitnami/postgresql/Chart.yaml index 3d7cfa3db..f35f894cb 100644 --- a/charts/bitnami/postgresql/Chart.yaml +++ b/charts/bitnami/postgresql/Chart.yaml @@ -6,11 +6,11 @@ annotations: category: Database images: | - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r91 + image: docker.io/bitnami/os-shell:11-debian-11-r93 - name: postgres-exporter - image: docker.io/bitnami/postgres-exporter:0.15.0-debian-11-r2 + image: docker.io/bitnami/postgres-exporter:0.15.0-debian-11-r5 - name: postgresql - image: docker.io/bitnami/postgresql:16.1.0-debian-11-r13 + image: docker.io/bitnami/postgresql:16.1.0-debian-11-r19 licenses: Apache-2.0 apiVersion: v2 appVersion: 16.1.0 @@ -38,4 +38,4 @@ maintainers: name: postgresql sources: - https://github.com/bitnami/charts/tree/main/bitnami/postgresql -version: 13.2.21 +version: 13.2.29 diff --git a/charts/bitnami/postgresql/README.md b/charts/bitnami/postgresql/README.md index 5348b1e66..e934eb378 100644 --- a/charts/bitnami/postgresql/README.md +++ b/charts/bitnami/postgresql/README.md @@ -546,7 +546,7 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/postg ## Configuration and installation details -### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) +### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. 
@@ -740,7 +740,7 @@ Refer to the [chart documentation for more information about how to upgrade from ## License -Copyright © 2023 VMware, Inc. +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/charts/bitnami/postgresql/charts/common/Chart.yaml b/charts/bitnami/postgresql/charts/common/Chart.yaml index 40cd22d77..9a6aa881f 100644 --- a/charts/bitnami/postgresql/charts/common/Chart.yaml +++ b/charts/bitnami/postgresql/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.13.3 +appVersion: 2.14.1 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.13.3 +version: 2.14.1 diff --git a/charts/bitnami/postgresql/charts/common/README.md b/charts/bitnami/postgresql/charts/common/README.md index 80da4cc2f..a76fa46a2 100644 --- a/charts/bitnami/postgresql/charts/common/README.md +++ b/charts/bitnami/postgresql/charts/common/README.md 
@@ -24,14 +24,14 @@ data: myvalue: "Hello World" ``` +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. + ## Introduction This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. -Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - ## Prerequisites - Kubernetes 1.23+ diff --git a/charts/bitnami/postgresql/charts/common/templates/_secrets.tpl b/charts/bitnami/postgresql/charts/common/templates/_secrets.tpl index a193c46b6..84dbe3803 100644 --- a/charts/bitnami/postgresql/charts/common/templates/_secrets.tpl +++ b/charts/bitnami/postgresql/charts/common/templates/_secrets.tpl @@ -78,6 +78,8 @@ Params: - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - context - Context - Required - Parent context. - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. The order in which this function returns a secret password: 1. Already existing 'Secret' resource (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) 
@@ -91,7 +93,6 @@ The order in which this function returns a secret password: {{- $password := "" }} {{- $subchart := "" }} -{{- $failOnNew := default true .failOnNew }} {{- $chartName := default "" .chartName }} {{- $passwordLength := default 10 .length }} {{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} @@ -99,12 +100,14 @@ The order in which this function returns a secret password: {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} {{- if $secretData }} {{- if hasKey $secretData .key }} - {{- $password = index $secretData .key | quote }} - {{- else if $failOnNew }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} {{- end -}} {{- else if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString | b64enc | quote }} + {{- $password = $providedPasswordValue | toString }} {{- else }} {{- if .context.Values.enabled }} 
@@ -120,12 +123,19 @@ The order in which this function returns a secret password: {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} {{- $password = randAscii $passwordLength }} {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} {{- else }} - {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- $password = randAlphaNum $passwordLength }} {{- end }} {{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} +{{- end -}} +{{- if .skipQuote -}} {{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} {{- end -}} {{/* diff --git a/charts/bitnami/postgresql/templates/_helpers.tpl b/charts/bitnami/postgresql/templates/_helpers.tpl index 2c5c7f9f2..0ab9fd037 100644 --- a/charts/bitnami/postgresql/templates/_helpers.tpl +++ b/charts/bitnami/postgresql/templates/_helpers.tpl @@ -66,7 +66,7 @@ Return the proper image name (for the init container volume-permissions image) Return the proper Docker Image Registry Secret Names */}} {{- define "postgresql.v1.imagePullSecrets" -}} -{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "global" .Values.global) }} +{{ include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "context" $) }} {{- end -}} {{/* diff --git a/charts/bitnami/postgresql/templates/backup/cronjob.yaml b/charts/bitnami/postgresql/templates/backup/cronjob.yaml index 812fd848d..cdf87f743 100644 --- a/charts/bitnami/postgresql/templates/backup/cronjob.yaml +++ b/charts/bitnami/postgresql/templates/backup/cronjob.yaml 
@@ -74,7 +74,7 @@ spec: value: {{ .Values.backup.cronjob.storage.mountPath }} {{- if .Values.tls.enabled }} - name: PGSSLROOTCERT - {{- if .Values.tls.autoGenerated -}} + {{- if .Values.tls.autoGenerated }} value: /tmp/certs/ca.crt {{- else }} value: {{- printf "/tmp/certs/%s" .Values.tls.certCAFilename -}} diff --git a/charts/bitnami/postgresql/values.yaml b/charts/bitnami/postgresql/values.yaml index bd829c1e8..02699af25 100644 --- a/charts/bitnami/postgresql/values.yaml +++ b/charts/bitnami/postgresql/values.yaml @@ -98,7 +98,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/postgresql - tag: 16.1.0-debian-11-r13 + tag: 16.1.0-debian-11-r19 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1300,7 +1300,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r91 + tag: 11-debian-11-r93 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1401,7 +1401,7 @@ metrics: image: registry: docker.io repository: bitnami/postgres-exporter - tag: 0.15.0-debian-11-r2 + tag: 0.15.0-debian-11-r5 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/bitnami/redis/Chart.lock b/charts/bitnami/redis/Chart.lock index 694a2da76..01190b829 100644 --- a/charts/bitnami/redis/Chart.lock +++ b/charts/bitnami/redis/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.13.3 -digest: sha256:9a971689db0c66ea95ac2e911c05014c2b96c6077c991131ff84f2982f88fb83 -generated: "2023-10-19T12:32:36.790999138Z" + version: 2.14.1 +digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3 +generated: "2023-12-19T19:11:00.40217662Z" diff --git a/charts/bitnami/redis/Chart.yaml b/charts/bitnami/redis/Chart.yaml index af2b1359e..25aa5902a 100644 --- a/charts/bitnami/redis/Chart.yaml 
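Review bot: The `else` branch of the `PGSSLROOTCERT` block in `charts/bitnami/postgresql/templates/backup/cronjob.yaml` still reads `value: {{- printf "/tmp/certs/%s" .Values.tls.certCAFilename -}}`, so the trim markers this commit removes from the `if` line remain on the line it leaves untouched. The leading `{{-` strips the space after `value:`, which leaves `value:/tmp/certs/...` and is no longer a key/value pair, so with `tls.enabled` set and `tls.autoGenerated` unset the backup CronJob would not get a usable CA path. I would change the line to `value: {{ printf "/tmp/certs/%s" .Values.tls.certCAFilename }}`. The line after it is outside the hunk, so the effect of the trailing `-}}` cannot be confirmed from here.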
+++ b/charts/bitnami/redis/Chart.yaml @@ -6,16 +6,16 @@ annotations: category: Database images: | - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r91 + image: docker.io/bitnami/os-shell:11-debian-11-r93 - name: redis-exporter - image: docker.io/bitnami/redis-exporter:1.55.0-debian-11-r2 + image: docker.io/bitnami/redis-exporter:1.56.0-debian-11-r0 - name: redis-sentinel - image: docker.io/bitnami/redis-sentinel:7.2.3-debian-11-r1 + image: docker.io/bitnami/redis-sentinel:7.2.4-debian-11-r0 - name: redis - image: docker.io/bitnami/redis:7.2.3-debian-11-r1 + image: docker.io/bitnami/redis:7.2.4-debian-11-r0 licenses: Apache-2.0 apiVersion: v2 -appVersion: 7.2.3 +appVersion: 7.2.4 dependencies: - name: common repository: file://./charts/common @@ -37,4 +37,4 @@ maintainers: name: redis sources: - https://github.com/bitnami/charts/tree/main/bitnami/redis -version: 18.4.0 +version: 18.6.3 diff --git a/charts/bitnami/redis/README.md b/charts/bitnami/redis/README.md index 6305aaf82..cc5c08ffe 100644 --- a/charts/bitnami/redis/README.md +++ b/charts/bitnami/redis/README.md @@ -11,10 +11,10 @@ Disclaimer: Redis is a registered trademark of Redis Ltd. Any rights therein are ## TL;DR ```console -helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/redis +helm install my-release oci://registry-1.docker.io/bitnamicharts/redis ``` -> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +Looking to use Redisreg; in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. ## Introduction 
@@ -37,8 +37,6 @@ The main features of each chart are the following: | Single write point (single master) | Multiple write points (multiple masters) | | ![Redis® Topology](img/redis-topology.png) | ![Redis® Cluster Topology](img/redis-cluster-topology.png) | -Looking to use Redisreg; in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - ## Prerequisites - Kubernetes 1.23+ @@ -87,6 +85,7 @@ The command removes all the Kubernetes components associated with the chart and | `kubeVersion` | Override Kubernetes version | `""` | | `nameOverride` | String to partially override common.names.fullname | `""` | | `fullnameOverride` | String to fully override common.names.fullname | `""` | +| `namespaceOverride` | String to fully override common.names.namespace | `""` | | `commonLabels` | Labels to add to all deployed objects | `{}` | | `commonAnnotations` | Annotations to add to all deployed objects | `{}` | | `secretAnnotations` | Annotations to add to secret | `{}` | @@ -222,6 +221,7 @@ The command removes all the Kubernetes components associated with the chart and | `master.service.internalTrafficPolicy` | Redis® master service internal traffic policy (requires Kubernetes v1.22 or greater to be usable) | `Cluster` | | `master.service.clusterIP` | Redis® master service Cluster IP | `""` | | `master.service.loadBalancerIP` | Redis® master service Load Balancer IP | `""` | +| `master.service.loadBalancerClass` | master service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | | `master.service.loadBalancerSourceRanges` | Redis® master service Load Balancer sources | `[]` | | `master.service.externalIPs` | Redis® master service External IPs | `[]` | | `master.service.annotations` | Additional custom annotations for Redis® master service | `{}` | 
@@ -335,6 +335,7 @@ The command removes all the Kubernetes components associated with the chart and | `replica.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | | `replica.service.clusterIP` | Redis® replicas service Cluster IP | `""` | | `replica.service.loadBalancerIP` | Redis® replicas service Load Balancer IP | `""` | +| `replica.service.loadBalancerClass` | replicas service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | | `replica.service.loadBalancerSourceRanges` | Redis® replicas service Load Balancer sources | `[]` | | `replica.service.annotations` | Additional custom annotations for Redis® replicas service | `{}` | | `replica.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | @@ -437,6 +438,7 @@ The command removes all the Kubernetes components associated with the chart and | `sentinel.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | | `sentinel.service.clusterIP` | Redis® Sentinel service Cluster IP | `""` | | `sentinel.service.loadBalancerIP` | Redis® Sentinel service Load Balancer IP | `""` | +| `sentinel.service.loadBalancerClass` | sentinel service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | | `sentinel.service.loadBalancerSourceRanges` | Redis® Sentinel service Load Balancer sources | `[]` | | `sentinel.service.annotations` | Additional custom annotations for Redis® Sentinel service | `{}` | | `sentinel.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | 
@@ -532,6 +534,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.service.externalTrafficPolicy` | Redis® exporter service external traffic policy | `Cluster` | | `metrics.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | | `metrics.service.loadBalancerIP` | Redis® exporter service Load Balancer IP | `""` | +| `metrics.service.loadBalancerClass` | exporter service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | | `metrics.service.loadBalancerSourceRanges` | Redis® exporter service Load Balancer sources | `[]` | | `metrics.service.annotations` | Additional custom annotations for Redis® exporter service | `{}` | | `metrics.service.clusterIP` | Redis® exporter service Cluster IP | `""` | @@ -616,11 +619,11 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/redis ``` > Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. -> **Tip**: You can use the default [values.yaml](values.yaml) +> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/redis/values.yaml) ## Configuration and installation details -### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) +### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. 
@@ -864,7 +867,7 @@ The Redis® sentinel exporter was removed in this version because the upstrea - `sentinel.metrics.*` parameters are deprecated in favor of `metrics.sentinel.*` ones. - New parameters to add custom command, environment variables, sidecars, init containers, etc. were added. - Chart labels were adapted to follow the [Helm charts standard labels](https://helm.sh/docs/chart_best_practices/labels/#standard-labels). -- values.yaml metadata was adapted to follow the format supported by [Readme Generator for Helm](https://github.com/bitnami-labs/readme-generator-for-helm). +- values.yaml metadata was adapted to follow the format supported by [Readme Generator for Helm](https://github.com/bitnami/readme-generator-for-helm). Consequences: @@ -1004,7 +1007,7 @@ kubectl patch deployments my-release-redis-metrics --type=json -p='[{"op": "remo ## License -Copyright © 2023 VMware, Inc. +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/charts/bitnami/redis/charts/common/Chart.yaml b/charts/bitnami/redis/charts/common/Chart.yaml index 40cd22d77..9a6aa881f 100644 --- a/charts/bitnami/redis/charts/common/Chart.yaml +++ b/charts/bitnami/redis/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.13.3 +appVersion: 2.14.1 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.13.3 +version: 2.14.1 diff --git a/charts/bitnami/redis/charts/common/README.md b/charts/bitnami/redis/charts/common/README.md index 80da4cc2f..a76fa46a2 100644 --- a/charts/bitnami/redis/charts/common/README.md 
+++ b/charts/bitnami/redis/charts/common/README.md @@ -24,14 +24,14 @@ data: myvalue: "Hello World" ``` +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. + ## Introduction This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. -Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - ## Prerequisites - Kubernetes 1.23+ diff --git a/charts/bitnami/redis/charts/common/templates/_secrets.tpl b/charts/bitnami/redis/charts/common/templates/_secrets.tpl index a193c46b6..84dbe3803 100644 --- a/charts/bitnami/redis/charts/common/templates/_secrets.tpl +++ b/charts/bitnami/redis/charts/common/templates/_secrets.tpl @@ -78,6 +78,8 @@ Params: - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - context - Context - Required - Parent context. - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. The order in which this function returns a secret password: 1. Already existing 'Secret' resource (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) 
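Review bot: The new `skipB64enc` description reads "no the secret will not be base64 encrypted", which is garbled and calls base64 encryption. Base64 is an encoding and gives no confidentiality, so the parameter documentation should not suggest that the default output is protected. Suggested wording: `- skipB64enc - Boolean - Optional - Default to false. If set to true, the secret is returned without base64 encoding.` The comment block this belongs to starts and ends outside the hunk.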
@@ -91,7 +93,6 @@ The order in which this function returns a secret password: {{- $password := "" }} {{- $subchart := "" }} -{{- $failOnNew := default true .failOnNew }} {{- $chartName := default "" .chartName }} {{- $passwordLength := default 10 .length }} {{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} @@ -99,12 +100,14 @@ The order in which this function returns a secret password: {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} {{- if $secretData }} {{- if hasKey $secretData .key }} - {{- $password = index $secretData .key | quote }} - {{- else if $failOnNew }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} {{- end -}} {{- else if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString | b64enc | quote }} + {{- $password = $providedPasswordValue | toString }} {{- else }} {{- if .context.Values.enabled }} 
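Review bot: In the `@@ -99,12 +100,14 @@` hunk, no branch of the `if $secretData` block assigns `$password` when the Secret exists, lacks the requested key, `failOnNew` is false and no value is provided. The generation code sits in the outer `else` and is not reached, so `$password` stays `""`. Judging by the following hunk, that empty string is then base64-encoded and quoted, so the new key would be stored as an empty credential without any error. I would add a final branch that fails explicitly, `{{- else }}` followed by `{{- printf "\nPASSWORDS ERROR: no value available for key \"%s\"\n" .key | fail -}}`, or generate a value there as the no-secret path does. The enclosing define starts and ends outside the hunk.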
@@ -120,12 +123,19 @@ The order in which this function returns a secret password: {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} {{- $password = randAscii $passwordLength }} {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} {{- else }} - {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- $password = randAlphaNum $passwordLength }} {{- end }} {{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} +{{- end -}} +{{- if .skipQuote -}} {{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} {{- end -}} {{/* diff --git a/charts/bitnami/redis/templates/NOTES.txt b/charts/bitnami/redis/templates/NOTES.txt index 2623ade3a..cc191dee6 100644 --- a/charts/bitnami/redis/templates/NOTES.txt +++ b/charts/bitnami/redis/templates/NOTES.txt @@ -12,11 +12,11 @@ The chart has been deployed in diagnostic mode. All probes have been disabled an Get the list of pods by executing: - kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} + kubectl get pods --namespace {{ include "common.names.namespace" . }} -l app.kubernetes.io/instance={{ .Release.Name }} Access the pod you want to debug by executing - kubectl exec --namespace {{ .Release.Namespace }} -ti -- bash + kubectl exec --namespace {{ include "common.names.namespace" . }} -ti -- bash In order to replicate the container startup scripts execute this command: 
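Review bot: With `skipB64enc` and `skipQuote` both set, the `{{- if .skipQuote -}}` branch in the `@@ -120,12 +123,19 @@` hunk prints the clear-text password with no quoting. The strong-password path substitutes `@` for non-word characters and a provided value can hold any character, so a caller that drops the result straight into YAML can get a parse error or a changed value. The branch should carry a comment stating the caller's obligation, for example `{{/* skipQuote: the caller must quote or encode the result before placing it in a manifest */}}`. The Params list could also note that the clear-text form is meant for Secret `stringData` or further templating, which I am inferring since no caller is visible here.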
@@ -58,7 +58,7 @@ For Redis Sentinel: Redis® can be accessed via port {{ .Values.sentinel.service.ports.redis }} on the following DNS name from within your cluster: - {{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} for read only operations + {{ template "common.names.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }} for read only operations For read/write operations, first access the Redis® Sentinel cluster, which is available in port {{ .Values.sentinel.service.ports.sentinel }} using the same domain name above. @@ -66,15 +66,15 @@ For read/write operations, first access the Redis® Sentinel cluster, which i Redis® can be accessed on the following DNS names from within your cluster: - {{ printf "%s-master.%s.svc.%s" (include "common.names.fullname" .) .Release.Namespace .Values.clusterDomain }} for read/write operations (port {{ .Values.master.service.ports.redis }}) - {{ printf "%s-replicas.%s.svc.%s" (include "common.names.fullname" .) .Release.Namespace .Values.clusterDomain }} for read-only operations (port {{ .Values.replica.service.ports.redis }}) + {{ printf "%s-master.%s.svc.%s" (include "common.names.fullname" .) (include "common.names.namespace" . ) .Values.clusterDomain }} for read/write operations (port {{ .Values.master.service.ports.redis }}) + {{ printf "%s-replicas.%s.svc.%s" (include "common.names.fullname" .) (include "common.names.namespace" . ) .Values.clusterDomain }} for read-only operations (port {{ .Values.replica.service.ports.redis }}) {{- end }} {{- else }} Redis® can be accessed via port {{ .Values.master.service.ports.redis }} on the following DNS name from within your cluster: - {{ template "common.names.fullname" . }}-master.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + {{ template "common.names.fullname" . }}-master.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }} {{- end }} 
@@ -82,7 +82,7 @@ Redis® can be accessed via port {{ .Values.master.service.ports.redis }} on To get your password run: - export REDIS_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "redis.secretName" . }} -o jsonpath="{.data.redis-password}" | base64 -d) + export REDIS_PASSWORD=$(kubectl get secret --namespace {{ include "common.names.namespace" . }} {{ template "redis.secretName" . }} -o jsonpath="{.data.redis-password}" | base64 -d) {{- end }} @@ -90,15 +90,15 @@ To connect to your Redis® server: 1. Run a Redis® pod that you can use as a client: - kubectl run --namespace {{ .Release.Namespace }} redis-client --restart='Never' {{ if .Values.auth.enabled }} --env REDIS_PASSWORD=$REDIS_PASSWORD {{ end }} --image {{ template "redis.image" . }} --command -- sleep infinity + kubectl run --namespace {{ include "common.names.namespace" . }} redis-client --restart='Never' {{ if .Values.auth.enabled }} --env REDIS_PASSWORD=$REDIS_PASSWORD {{ end }} --image {{ template "redis.image" . }} --command -- sleep infinity {{- if .Values.tls.enabled }} Copy your TLS certificates to the pod: - kubectl cp --namespace {{ .Release.Namespace }} /path/to/client.cert redis-client:/tmp/client.cert - kubectl cp --namespace {{ .Release.Namespace }} /path/to/client.key redis-client:/tmp/client.key - kubectl cp --namespace {{ .Release.Namespace }} /path/to/CA.cert redis-client:/tmp/CA.cert + kubectl cp --namespace {{ include "common.names.namespace" . }} /path/to/client.cert redis-client:/tmp/client.cert + kubectl cp --namespace {{ include "common.names.namespace" . }} /path/to/client.key redis-client:/tmp/client.key + kubectl cp --namespace {{ include "common.names.namespace" . }} /path/to/CA.cert redis-client:/tmp/CA.cert {{- end }} 
@@ -106,7 +106,7 @@ To connect to your Redis® server: kubectl exec --tty -i redis-client \ {{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}--labels="{{ template "common.names.fullname" . }}-client=true" \{{- end }} - --namespace {{ .Release.Namespace }} -- bash + --namespace {{ include "common.names.namespace" . }} -- bash 2. Connect using the Redis® CLI: 
@@ -133,42 +133,42 @@ To connect to your database from outside the cluster execute the following comma {{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled }} {{- if contains "NodePort" .Values.sentinel.service.type }} - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "common.names.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "common.names.fullname" . }}) {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $NODE_IP -p $NODE_PORT {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} {{- else if contains "LoadBalancer" .Values.sentinel.service.type }} NOTE: It may take a few minutes for the LoadBalancer IP to be available. - Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "common.names.fullname" . }}' + Watch the status with: 'kubectl get svc --namespace {{ include "common.names.namespace" . }} -w {{ template "common.names.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") + export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.names.namespace" . }} {{ template "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . 
}}{{ end }}" }}") {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $SERVICE_IP -p {{ .Values.sentinel.service.ports.redis }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} {{- else if contains "ClusterIP" .Values.sentinel.service.type }} - kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "common.names.fullname" . }} {{ .Values.sentinel.service.ports.redis }}:{{ .Values.sentinel.service.ports.redis }} & + kubectl port-forward --namespace {{ include "common.names.namespace" . }} svc/{{ template "common.names.fullname" . }} {{ .Values.sentinel.service.ports.redis }}:{{ .Values.sentinel.service.ports.redis }} & {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h 127.0.0.1 -p {{ .Values.sentinel.service.ports.redis }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} {{- end }} {{- else }} {{- if contains "NodePort" .Values.master.service.type }} - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ printf "%s-master" (include "common.names.fullname" .) }}) + export NODE_IP=$(kubectl get nodes --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ printf "%s-master" (include "common.names.fullname" .) 
}}) {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $NODE_IP -p $NODE_PORT {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} {{- else if contains "LoadBalancer" .Values.master.service.type }} NOTE: It may take a few minutes for the LoadBalancer IP to be available. - Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "common.names.fullname" . }}' + Watch the status with: 'kubectl get svc --namespace {{ include "common.names.namespace" . }} -w {{ template "common.names.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ printf "%s-master" (include "common.names.fullname" .) }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") + export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.names.namespace" . }} {{ printf "%s-master" (include "common.names.fullname" .) }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $SERVICE_IP -p {{ .Values.master.service.ports.redis }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} {{- else if contains "ClusterIP" .Values.master.service.type }} - kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ printf "%s-master" (include "common.names.fullname" .) }} {{ .Values.master.service.ports.redis }}:{{ .Values.master.service.ports.redis }} & + kubectl port-forward --namespace {{ include "common.names.namespace" . }} svc/{{ printf "%s-master" (include "common.names.fullname" .) 
}} {{ .Values.master.service.ports.redis }}:{{ .Values.master.service.ports.redis }} & {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h 127.0.0.1 -p {{ .Values.master.service.ports.redis }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} {{- end }} diff --git a/charts/bitnami/redis/templates/_helpers.tpl b/charts/bitnami/redis/templates/_helpers.tpl index a554418b6..9eb017f19 100644 --- a/charts/bitnami/redis/templates/_helpers.tpl +++ b/charts/bitnami/redis/templates/_helpers.tpl @@ -240,7 +240,7 @@ Return Redis® password {{- else if not (empty .Values.auth.password) -}} {{- .Values.auth.password -}} {{- else -}} - {{- include "getValueFromSecret" (dict "Namespace" .Release.Namespace "Name" (include "redis.secretName" .) "Length" 10 "Key" (include "redis.secretPasswordKey" .)) -}} + {{- include "getValueFromSecret" (dict "Namespace" (include "common.names.namespace" .) "Name" (include "redis.secretName" .) "Length" 10 "Key" (include "redis.secretPasswordKey" .)) -}} {{- end -}} {{- end -}} {{- end }} diff --git a/charts/bitnami/redis/templates/configmap.yaml b/charts/bitnami/redis/templates/configmap.yaml index c616599c8..6c370a2aa 100644 --- a/charts/bitnami/redis/templates/configmap.yaml +++ b/charts/bitnami/redis/templates/configmap.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ printf "%s-configuration" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} 
@@ -48,7 +48,7 @@ data: sentinel.conf: |- dir "/tmp" port {{ .Values.sentinel.containerPorts.sentinel }} - sentinel monitor {{ .Values.sentinel.masterSet }} {{ template "common.names.fullname" . }}-node-0.{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} {{ .Values.sentinel.service.ports.redis }} {{ .Values.sentinel.quorum }} + sentinel monitor {{ .Values.sentinel.masterSet }} {{ template "common.names.fullname" . }}-node-0.{{ template "common.names.fullname" . }}-headless.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }} {{ .Values.sentinel.service.ports.redis }} {{ .Values.sentinel.quorum }} sentinel down-after-milliseconds {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.downAfterMilliseconds }} sentinel failover-timeout {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.failoverTimeout }} sentinel parallel-syncs {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.parallelSyncs }} diff --git a/charts/bitnami/redis/templates/headless-svc.yaml b/charts/bitnami/redis/templates/headless-svc.yaml index bd6121dee..e69329f82 100644 --- a/charts/bitnami/redis/templates/headless-svc.yaml +++ b/charts/bitnami/redis/templates/headless-svc.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: Service metadata: name: {{ printf "%s-headless" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} annotations: {{- if or .Values.sentinel.service.headless.annotations .Values.commonAnnotations }} diff --git a/charts/bitnami/redis/templates/health-configmap.yaml b/charts/bitnami/redis/templates/health-configmap.yaml index 95ade5c41..5d15b0639 100644 --- a/charts/bitnami/redis/templates/health-configmap.yaml +++ b/charts/bitnami/redis/templates/health-configmap.yaml 
@@ -7,7 +7,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: {{ printf "%s-health" (include "common.names.fullname" .) }}
- namespace: {{ .Release.Namespace | quote }}
+ namespace: {{ include "common.names.namespace" . | quote }}
 labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
 {{- if .Values.commonAnnotations }}
 annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
diff --git a/charts/bitnami/redis/templates/master/application.yaml b/charts/bitnami/redis/templates/master/application.yaml
index 8fdaec125..2da5bd5fc 100644
--- a/charts/bitnami/redis/templates/master/application.yaml
+++ b/charts/bitnami/redis/templates/master/application.yaml
@@ -9,7 +9,7 @@ apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
 kind: {{ .Values.master.kind }}
 metadata:
 name: {{ printf "%s-master" (include "common.names.fullname" .) }}
- namespace: {{ .Release.Namespace | quote }}
+ namespace: {{ include "common.names.namespace" . | quote }}
 labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
 app.kubernetes.io/component: master
 {{- if .Values.commonAnnotations }}
diff --git a/charts/bitnami/redis/templates/master/psp.yaml b/charts/bitnami/redis/templates/master/psp.yaml
index 368a2193b..5a47afbf7 100644
--- a/charts/bitnami/redis/templates/master/psp.yaml
+++ b/charts/bitnami/redis/templates/master/psp.yaml
@@ -8,7 +8,7 @@ apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
 name: {{ printf "%s-master" (include "common.names.fullname" .) }}
- namespace: {{ .Release.Namespace | quote }}
+ namespace: {{ include "common.names.namespace" . | quote }}
 labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
 {{- if .Values.commonAnnotations }}
 annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
diff --git a/charts/bitnami/redis/templates/master/pvc.yaml b/charts/bitnami/redis/templates/master/pvc.yaml
index 5c60d0694..019f60d14 100644
--- a/charts/bitnami/redis/templates/master/pvc.yaml
+++ b/charts/bitnami/redis/templates/master/pvc.yaml
@@ -8,7 +8,7 @@ kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
 name: {{ printf "redis-data-%s-master" (include "common.names.fullname" .) }}
- namespace: {{ .Release.Namespace | quote }}
+ namespace: {{ include "common.names.namespace" . | quote }}
 {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.master.persistence.labels .Values.commonLabels ) "context" . ) }}
 labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
 app.kubernetes.io/component: master
diff --git a/charts/bitnami/redis/templates/master/service.yaml b/charts/bitnami/redis/templates/master/service.yaml
index 804f7b6e2..ba744dbce 100644
--- a/charts/bitnami/redis/templates/master/service.yaml
+++ b/charts/bitnami/redis/templates/master/service.yaml
@@ -8,7 +8,7 @@ apiVersion: v1 kind: Service metadata: name: {{ printf "%s-master" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: master {{- if or .Values.master.service.annotations .Values.commonAnnotations }} @@ -26,6 +26,9 @@ spec: {{- if and (eq .Values.master.service.type "LoadBalancer") (not (empty .Values.master.service.loadBalancerIP)) }} loadBalancerIP: {{ .Values.master.service.loadBalancerIP }} {{- end }} + {{- if and (eq .Values.master.service.type "LoadBalancer") .Values.master.service.loadBalancerClass }} + loadBalancerClass: {{ .Values.master.service.loadBalancerClass }} + {{- end }} {{- if and (eq .Values.master.service.type "LoadBalancer") (not (empty .Values.master.service.loadBalancerSourceRanges)) }} loadBalancerSourceRanges: {{ toYaml .Values.master.service.loadBalancerSourceRanges | nindent 4 }} {{- end }} diff --git a/charts/bitnami/redis/templates/master/serviceaccount.yaml b/charts/bitnami/redis/templates/master/serviceaccount.yaml index bb6c42aee..4ba3052fe 100644 --- a/charts/bitnami/redis/templates/master/serviceaccount.yaml +++ b/charts/bitnami/redis/templates/master/serviceaccount.yaml 
@@ -9,7 +9,7 @@ kind: ServiceAccount automountServiceAccountToken: {{ .Values.master.serviceAccount.automountServiceAccountToken }} metadata: name: {{ template "redis.masterServiceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.master.serviceAccount.annotations .Values.commonAnnotations }} {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.master.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} diff --git a/charts/bitnami/redis/templates/metrics-svc.yaml b/charts/bitnami/redis/templates/metrics-svc.yaml index 7d1d683dc..5e24b6d35 100644 --- a/charts/bitnami/redis/templates/metrics-svc.yaml +++ b/charts/bitnami/redis/templates/metrics-svc.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: Service metadata: name: {{ printf "%s-metrics" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: metrics {{- if or .Values.metrics.service.annotations .Values.commonAnnotations }} @@ -26,6 +26,9 @@ spec: {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }} loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }} {{- end }} + {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerClass }} + loadBalancerClass: {{ .Values.metrics.service.loadBalancerClass }} + {{- end }} {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerSourceRanges }} loadBalancerSourceRanges: {{- toYaml .Values.metrics.service.loadBalancerSourceRanges | nindent 4 }} {{- end }} 
diff --git a/charts/bitnami/redis/templates/networkpolicy.yaml b/charts/bitnami/redis/templates/networkpolicy.yaml index bd8594e36..84f5ada5d 100644 --- a/charts/bitnami/redis/templates/networkpolicy.yaml +++ b/charts/bitnami/redis/templates/networkpolicy.yaml @@ -8,7 +8,7 @@ kind: NetworkPolicy apiVersion: {{ template "networkPolicy.apiVersion" . }} metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/charts/bitnami/redis/templates/pdb.yaml b/charts/bitnami/redis/templates/pdb.yaml index 3306a8ce6..d2ca15d9d 100644 --- a/charts/bitnami/redis/templates/pdb.yaml +++ b/charts/bitnami/redis/templates/pdb.yaml @@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} kind: PodDisruptionBudget metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/charts/bitnami/redis/templates/podmonitor.yaml b/charts/bitnami/redis/templates/podmonitor.yaml index a7c8bd942..55bcd51ad 100644 --- a/charts/bitnami/redis/templates/podmonitor.yaml +++ b/charts/bitnami/redis/templates/podmonitor.yaml 
@@ -8,7 +8,7 @@ apiVersion: monitoring.coreos.com/v1 kind: PodMonitor metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ default .Release.Namespace .Values.metrics.podMonitor.namespace | quote }} + namespace: {{ default (include "common.names.namespace" .) .Values.metrics.podMonitor.namespace | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.metrics.podMonitor.additionalLabels }} {{- include "common.tplvalues.render" (dict "value" .Values.metrics.podMonitor.additionalLabels "context" $) | nindent 4 }} @@ -45,7 +45,7 @@ spec: {{- end }} namespaceSelector: matchNames: - - {{ .Release.Namespace }} + - {{ include "common.names.namespace" . | quote }} selector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} app.kubernetes.io/component: metrics diff --git a/charts/bitnami/redis/templates/prometheusrule.yaml b/charts/bitnami/redis/templates/prometheusrule.yaml index 73c89e652..3406918b3 100644 --- a/charts/bitnami/redis/templates/prometheusrule.yaml +++ b/charts/bitnami/redis/templates/prometheusrule.yaml @@ -8,7 +8,7 @@ apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ default .Release.Namespace .Values.metrics.prometheusRule.namespace | quote }} + namespace: {{ default (include "common.names.namespace" .) .Values.metrics.prometheusRule.namespace | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.metrics.prometheusRule.additionalLabels }} {{- include "common.tplvalues.render" (dict "value" .Values.metrics.prometheusRule.additionalLabels "context" $) | nindent 4 }} 
diff --git a/charts/bitnami/redis/templates/replicas/application.yaml b/charts/bitnami/redis/templates/replicas/application.yaml index 821bf8d1a..67d83c8ba 100644 --- a/charts/bitnami/redis/templates/replicas/application.yaml +++ b/charts/bitnami/redis/templates/replicas/application.yaml @@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} kind: {{ .Values.replica.kind }} metadata: name: {{ printf "%s-replicas" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: replica {{- if .Values.commonAnnotations }} @@ -136,9 +136,9 @@ spec: {{- if .Values.replica.externalMaster.enabled }} value: {{ .Values.replica.externalMaster.host | quote }} {{- else if and (eq (int64 .Values.master.count) 1) (eq .Values.master.kind "StatefulSet") }} - value: {{ template "common.names.fullname" . }}-master-0.{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + value: {{ template "common.names.fullname" . }}-master-0.{{ template "common.names.fullname" . }}-headless.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }} {{- else }} - value: {{ template "common.names.fullname" . }}-master.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + value: {{ template "common.names.fullname" . }}-master.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }} {{- end }} - name: REDIS_MASTER_PORT_NUMBER {{- if .Values.replica.externalMaster.enabled }} diff --git a/charts/bitnami/redis/templates/replicas/hpa.yaml b/charts/bitnami/redis/templates/replicas/hpa.yaml index 37ecc8310..da69290a7 100644 --- a/charts/bitnami/redis/templates/replicas/hpa.yaml +++ b/charts/bitnami/redis/templates/replicas/hpa.yaml 
@@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) kind: HorizontalPodAutoscaler metadata: name: {{ printf "%s-replicas" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: replica {{- if .Values.commonAnnotations }} diff --git a/charts/bitnami/redis/templates/replicas/service.yaml b/charts/bitnami/redis/templates/replicas/service.yaml index 415771b64..b54b85a17 100644 --- a/charts/bitnami/redis/templates/replicas/service.yaml +++ b/charts/bitnami/redis/templates/replicas/service.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: Service metadata: name: {{ printf "%s-replicas" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: replica {{- if or .Values.replica.service.annotations .Values.commonAnnotations }} @@ -26,6 +26,9 @@ spec: {{- if and (eq .Values.replica.service.type "LoadBalancer") (not (empty .Values.replica.service.loadBalancerIP)) }} loadBalancerIP: {{ .Values.replica.service.loadBalancerIP }} {{- end }} + {{- if and (eq .Values.replica.service.type "LoadBalancer") .Values.replica.service.loadBalancerClass }} + loadBalancerClass: {{ .Values.replica.service.loadBalancerClass }} + {{- end }} {{- if and (eq .Values.replica.service.type "LoadBalancer") (not (empty .Values.replica.service.loadBalancerSourceRanges)) }} loadBalancerSourceRanges: {{ toYaml .Values.replica.service.loadBalancerSourceRanges | nindent 4 }} {{- end }} 
diff --git a/charts/bitnami/redis/templates/replicas/serviceaccount.yaml b/charts/bitnami/redis/templates/replicas/serviceaccount.yaml index 616e8bc87..ec5d66641 100644 --- a/charts/bitnami/redis/templates/replicas/serviceaccount.yaml +++ b/charts/bitnami/redis/templates/replicas/serviceaccount.yaml @@ -9,7 +9,7 @@ kind: ServiceAccount automountServiceAccountToken: {{ .Values.replica.serviceAccount.automountServiceAccountToken }} metadata: name: {{ template "redis.replicaServiceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.replica.serviceAccount.annotations .Values.commonAnnotations }} {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.replica.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} diff --git a/charts/bitnami/redis/templates/role.yaml b/charts/bitnami/redis/templates/role.yaml index be042294b..5bab3b7cc 100644 --- a/charts/bitnami/redis/templates/role.yaml +++ b/charts/bitnami/redis/templates/role.yaml @@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} kind: Role metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/charts/bitnami/redis/templates/rolebinding.yaml b/charts/bitnami/redis/templates/rolebinding.yaml index 7a1043e1a..81c68f329 100644 --- a/charts/bitnami/redis/templates/rolebinding.yaml +++ b/charts/bitnami/redis/templates/rolebinding.yaml 
@@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} kind: RoleBinding metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/charts/bitnami/redis/templates/scripts-configmap.yaml b/charts/bitnami/redis/templates/scripts-configmap.yaml index 9e81f8a23..f785faf34 100644 --- a/charts/bitnami/redis/templates/scripts-configmap.yaml +++ b/charts/bitnami/redis/templates/scripts-configmap.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ printf "%s-scripts" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} @@ -48,7 +48,7 @@ data: {{- if .Values.useExternalDNS.enabled }} full_hostname="${hostname}.{{- include "redis.externalDNS.suffix" . }}" {{- else if eq .Values.sentinel.service.type "NodePort" }} - full_hostname="${hostname}.{{- .Release.Namespace }}" + full_hostname="${hostname}.{{- include "common.names.namespace" . }}" {{- else }} full_hostname="${hostname}.${HEADLESS_SERVICE}" {{- end }} 
@@ -71,12 +71,12 @@ data: REDISPORT=$(get_port "$HOSTNAME" "REDIS") - HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" if [ -n "$REDIS_EXTERNAL_MASTER_HOST" ]; then REDIS_SERVICE="$REDIS_EXTERNAL_MASTER_HOST" else - REDIS_SERVICE="{{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + REDIS_SERVICE="{{ template "common.names.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" fi SENTINEL_SERVICE_PORT=$(get_port "{{ include "common.names.fullname" . }}" "SENTINEL") @@ -251,8 +251,8 @@ data: . /opt/bitnami/scripts/libvalidations.sh . /opt/bitnami/scripts/libfile.sh - HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" - REDIS_SERVICE="{{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" + REDIS_SERVICE="{{ template "common.names.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" get_port() { hostname="$1" @@ -281,7 +281,7 @@ data: {{- if .Values.useExternalDNS.enabled }} full_hostname="${hostname}.{{- include "redis.externalDNS.suffix" . }}" {{- else if eq .Values.sentinel.service.type "NodePort" }} - full_hostname="${hostname}.{{- .Release.Namespace }}" + full_hostname="${hostname}.{{- include "common.names.namespace" . }}" {{- else }} full_hostname="${hostname}.${HEADLESS_SERVICE}" {{- end }} 
@@ -450,7 +450,7 @@ data: . /opt/bitnami/scripts/libvalidations.sh . /opt/bitnami/scripts/libos.sh - HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" get_full_hostname() { hostname="$1" @@ -458,7 +458,7 @@ data: {{- if .Values.useExternalDNS.enabled }} full_hostname="${hostname}.{{- include "redis.externalDNS.suffix" . }}" {{- else if eq .Values.sentinel.service.type "NodePort" }} - full_hostname="${hostname}.{{- .Release.Namespace }}" + full_hostname="${hostname}.{{- include "common.names.namespace" . }}" {{- else }} full_hostname="${hostname}.${HEADLESS_SERVICE}" {{- end }} @@ -492,7 +492,7 @@ data: [[ "$REDIS_MASTER_HOST" != "$(get_full_hostname $HOSTNAME)" ]] } - REDIS_SERVICE="{{ include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + REDIS_SERVICE="{{ include "common.names.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" {{ if .Values.auth.sentinel -}} # redis-cli automatically consumes credentials from the REDISCLI_AUTH variable @@ -530,7 +530,7 @@ data: [[ "$REDIS_ROLE" == "master" ]] } - HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{- include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" get_full_hostname() { hostname="$1" 
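Review bot: The `HEADLESS_SERVICE` assignment changed in the hunk at -530 uses `{{- include "common.names.namespace" . }}`, while every other `HEADLESS_SERVICE` line touched in scripts-configmap.yaml uses `{{ include … }}` without the left trim. The trim is harmless here because the action directly follows the `.` separator, but the odd one out invites a later copy into a place where it would swallow a space or a newline. I would write it as `HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}"` to match the rest. The script this line belongs to starts and ends outside the hunk.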
@@ -538,7 +538,7 @@ data: {{- if .Values.useExternalDNS.enabled }} full_hostname="${hostname}.{{- include "redis.externalDNS.suffix" . }}" {{- else if eq .Values.sentinel.service.type "NodePort" }} - full_hostname="${hostname}.{{- .Release.Namespace }}" + full_hostname="${hostname}.{{- include "common.names.namespace" . }}" {{- else }} full_hostname="${hostname}.${HEADLESS_SERVICE}" {{- end }} @@ -572,7 +572,7 @@ data: [[ "$REDIS_MASTER_HOST" != "$(get_full_hostname $HOSTNAME)" ]] } - REDIS_SERVICE="{{ include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + REDIS_SERVICE="{{ include "common.names.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" # redis-cli automatically consumes credentials from the REDISCLI_AUTH variable [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" @@ -676,7 +676,7 @@ data: {{- if .Values.useExternalDNS.enabled }} full_hostname="${hostname}.{{- include "redis.externalDNS.suffix" . }}" {{- else if eq .Values.sentinel.service.type "NodePort" }} - full_hostname="${hostname}.{{- .Release.Namespace }}" + full_hostname="${hostname}.{{- include "common.names.namespace" . }}" {{- else }} full_hostname="${hostname}.${HEADLESS_SERVICE}" {{- end }} @@ -698,7 +698,7 @@ data: } REDISPORT=$(get_port "$HOSTNAME" "REDIS") - HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}" [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" diff --git a/charts/bitnami/redis/templates/secret-svcbind.yaml b/charts/bitnami/redis/templates/secret-svcbind.yaml index a1bfbe054..de74913e1 100644 
--- a/charts/bitnami/redis/templates/secret-svcbind.yaml +++ b/charts/bitnami/redis/templates/secret-svcbind.yaml @@ -17,7 +17,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ include "common.names.fullname" . }}-svcbind - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/charts/bitnami/redis/templates/secret.yaml b/charts/bitnami/redis/templates/secret.yaml index 1838c7d4b..003a2768c 100644 --- a/charts/bitnami/redis/templates/secret.yaml +++ b/charts/bitnami/redis/templates/secret.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.secretAnnotations .Values.commonAnnotations }} annotations: diff --git a/charts/bitnami/redis/templates/sentinel/hpa.yaml b/charts/bitnami/redis/templates/sentinel/hpa.yaml index 80859c00c..f8bd35617 100644 --- a/charts/bitnami/redis/templates/sentinel/hpa.yaml +++ b/charts/bitnami/redis/templates/sentinel/hpa.yaml @@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) kind: HorizontalPodAutoscaler metadata: name: {{ printf "%s-node" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: replica {{- if .Values.commonAnnotations }} 
diff --git a/charts/bitnami/redis/templates/sentinel/node-services.yaml b/charts/bitnami/redis/templates/sentinel/node-services.yaml index 721185bcb..672de5cd2 100644 --- a/charts/bitnami/redis/templates/sentinel/node-services.yaml +++ b/charts/bitnami/redis/templates/sentinel/node-services.yaml @@ -7,7 +7,7 @@ SPDX-License-Identifier: APACHE-2.0 {{- range $i := until (int .Values.replica.replicaCount) }} -{{ $portsmap := (lookup "v1" "ConfigMap" $.Release.Namespace (printf "%s-%s" ( include "common.names.fullname" $ ) "ports-configmap")).data }} +{{ $portsmap := (lookup "v1" "ConfigMap" (include "common.names.namespace" $) (printf "%s-%s" ( include "common.names.fullname" $ ) "ports-configmap")).data }} {{ $sentinelport := 0}} {{ $redisport := 0}} @@ -20,7 +20,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "common.names.fullname" $ }}-node-{{ $i }} - namespace: {{ $.Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" $ | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: node {{- if or $.Values.commonAnnotations $.Values.sentinel.service.annotations }} diff --git a/charts/bitnami/redis/templates/sentinel/ports-configmap.yaml b/charts/bitnami/redis/templates/sentinel/ports-configmap.yaml index 1c0771a41..3efed7433 100644 --- a/charts/bitnami/redis/templates/sentinel/ports-configmap.yaml +++ b/charts/bitnami/redis/templates/sentinel/ports-configmap.yaml 
@@ -71,14 +71,14 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "common.names.fullname" . }}-ports-configmap - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} data: -{{ $portsmap := (lookup "v1" "ConfigMap" $.Release.Namespace (printf "%s-%s" ( include "common.names.fullname" . ) "ports-configmap")).data }} +{{ $portsmap := (lookup "v1" "ConfigMap" (include "common.names.namespace" .) (printf "%s-%s" ( include "common.names.fullname" . ) "ports-configmap")).data }} {{- if $portsmap }} {{- /* configmap already exists, do not install again */ -}} {{- range $name, $value := $portsmap }} diff --git a/charts/bitnami/redis/templates/sentinel/service.yaml b/charts/bitnami/redis/templates/sentinel/service.yaml index 18126f4ef..f80e6442a 100644 --- a/charts/bitnami/redis/templates/sentinel/service.yaml +++ b/charts/bitnami/redis/templates/sentinel/service.yaml @@ -5,7 +5,7 @@ SPDX-License-Identifier: APACHE-2.0 {{- if or .Release.IsUpgrade (ne .Values.sentinel.service.type "NodePort") .Values.sentinel.service.nodePorts.redis -}} {{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled }} -{{ $portsmap := (lookup "v1" "ConfigMap" $.Release.Namespace (printf "%s-%s" ( include "common.names.fullname" . ) "ports-configmap")).data }} +{{ $portsmap := (lookup "v1" "ConfigMap" (include "common.names.namespace" .) (printf "%s-%s" ( include "common.names.fullname" . ) "ports-configmap")).data }} {{ $sentinelport := 0}} {{ $redisport := 0}} 
@@ -19,7 +19,7 @@ apiVersion: v1 kind: Service metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: node {{- if or .Values.sentinel.service.annotations .Values.commonAnnotations }} @@ -34,6 +34,9 @@ spec: {{- if and (eq .Values.sentinel.service.type "LoadBalancer") (not (empty .Values.sentinel.service.loadBalancerIP)) }} loadBalancerIP: {{ .Values.sentinel.service.loadBalancerIP }} {{- end }} + {{- if and (eq .Values.sentinel.service.type "LoadBalancer") .Values.sentinel.service.loadBalancerClass }} + loadBalancerClass: {{ .Values.sentinel.service.loadBalancerClass }} + {{- end }} {{- if and (eq .Values.sentinel.service.type "LoadBalancer") (not (empty .Values.sentinel.service.loadBalancerSourceRanges)) }} loadBalancerSourceRanges: {{ toYaml .Values.sentinel.service.loadBalancerSourceRanges | nindent 4 }} {{- end }} diff --git a/charts/bitnami/redis/templates/sentinel/statefulset.yaml b/charts/bitnami/redis/templates/sentinel/statefulset.yaml index 55d0e90e0..5b28f8c4e 100644 --- a/charts/bitnami/redis/templates/sentinel/statefulset.yaml +++ b/charts/bitnami/redis/templates/sentinel/statefulset.yaml @@ -9,7 +9,7 @@ apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} kind: StatefulSet metadata: name: {{ printf "%s-node" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: node {{- if or .Values.commonAnnotations .Values.sentinel.annotations }} 
diff --git a/charts/bitnami/redis/templates/serviceaccount.yaml b/charts/bitnami/redis/templates/serviceaccount.yaml index 4306b3e85..95432dd37 100644 --- a/charts/bitnami/redis/templates/serviceaccount.yaml +++ b/charts/bitnami/redis/templates/serviceaccount.yaml @@ -9,7 +9,7 @@ kind: ServiceAccount automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} metadata: name: {{ template "redis.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.commonAnnotations .Values.serviceAccount.annotations }} {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} diff --git a/charts/bitnami/redis/templates/servicemonitor.yaml b/charts/bitnami/redis/templates/servicemonitor.yaml index ee925afc5..8641ea12a 100644 --- a/charts/bitnami/redis/templates/servicemonitor.yaml +++ b/charts/bitnami/redis/templates/servicemonitor.yaml @@ -8,7 +8,7 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: {{ template "common.names.fullname" . }} - namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }} + namespace: {{ default (include "common.names.namespace" .) .Values.metrics.serviceMonitor.namespace | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.metrics.serviceMonitor.additionalLabels }} {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.additionalLabels "context" $) | nindent 4 }} 
@@ -45,7 +45,7 @@ spec: {{- end }} namespaceSelector: matchNames: - - {{ .Release.Namespace }} + - {{ include "common.names.namespace" . | quote }} selector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} app.kubernetes.io/component: metrics diff --git a/charts/bitnami/redis/templates/tls-secret.yaml b/charts/bitnami/redis/templates/tls-secret.yaml index b1f7153e1..8498394fe 100644 --- a/charts/bitnami/redis/templates/tls-secret.yaml +++ b/charts/bitnami/redis/templates/tls-secret.yaml @@ -6,7 +6,7 @@ SPDX-License-Identifier: APACHE-2.0 {{- if (include "redis.createTlsSecret" .) }} {{- $secretName := printf "%s-crt" (include "common.names.fullname" .) }} {{- $ca := genCA "redis-ca" 365 }} -{{- $releaseNamespace := .Release.Namespace }} +{{- $releaseNamespace := (include "common.names.namespace" .) }} {{- $clusterDomain := .Values.clusterDomain }} {{- $fullname := include "common.names.fullname" . }} {{- $serviceName := include "common.names.fullname" . }} @@ -18,7 +18,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ $secretName }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/charts/bitnami/redis/values.yaml b/charts/bitnami/redis/values.yaml index f2d53313b..7ff978c35 100644 --- a/charts/bitnami/redis/values.yaml +++ b/charts/bitnami/redis/values.yaml 
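Review bot: In the first tls-secret.yaml hunk, `$releaseNamespace` now holds the result of `common.names.namespace`, so the name no longer describes the value once an override is in play. Its uses are outside the hunk; presumably it feeds the DNS names put into the generated certificate, which would then follow the override rather than the release namespace. Either rename it where it is defined and used, e.g. `{{- $namespace := include "common.names.namespace" . }}`, or keep the name and add a comment above it such as `{{- /* effective namespace: the override if set, else the release namespace */ -}}`. A reader checking which hostnames the certificate covers should not have to open the common chart to find that out.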
@@ -35,6 +35,9 @@ nameOverride: "" ## @param fullnameOverride String to fully override common.names.fullname ## fullnameOverride: "" +## @param namespaceOverride String to fully override common.names.namespace +## +namespaceOverride: "" ## @param commonLabels Labels to add to all deployed objects ## commonLabels: {} @@ -91,7 +94,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/redis - tag: 7.2.3-debian-11-r1 + tag: 7.2.4-debian-11-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -532,6 +535,10 @@ master: ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer ## loadBalancerIP: "" + ## @param master.service.loadBalancerClass master service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerClass: "" ## @param master.service.loadBalancerSourceRanges Redis® master service Load Balancer sources ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service ## e.g. @@ -979,6 +986,10 @@ replica: ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer ## loadBalancerIP: "" + ## @param replica.service.loadBalancerClass replicas service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerClass: "" ## @param replica.service.loadBalancerSourceRanges Redis® replicas service Load Balancer sources ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service ## e.g. 
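Review bot: The comment added for `namespaceOverride` in values.yaml says only that it overrides `common.names.namespace` and leaves out what that means for a release. With it set, the templates changed in this commit create the Secret, Role, RoleBinding, ServiceAccounts and the rest in that namespace instead of the release namespace. The installing identity therefore needs create rights there, plus read access to ConfigMaps for the sentinel `lookup` calls, and as far as I know `--create-namespace` only covers the release namespace. I would extend the line to something like `## @param namespaceOverride String to fully override common.names.namespace (all objects are created there instead of the release namespace; the namespace must already exist)`.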
@@ -1060,7 +1071,7 @@ sentinel: image: registry: docker.io repository: bitnami/redis-sentinel - tag: 7.2.3-debian-11-r1 + tag: 7.2.4-debian-11-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1327,6 +1338,10 @@ sentinel: ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer ## loadBalancerIP: "" + ## @param sentinel.service.loadBalancerClass sentinel service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerClass: "" ## @param sentinel.service.loadBalancerSourceRanges Redis® Sentinel service Load Balancer sources ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service ## e.g. @@ -1539,7 +1554,7 @@ metrics: image: registry: docker.io repository: bitnami/redis-exporter - tag: 1.55.0-debian-11-r2 + tag: 1.56.0-debian-11-r0 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1688,6 +1703,10 @@ metrics: ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer ## loadBalancerIP: "" + ## @param metrics.service.loadBalancerClass exporter service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerClass: "" ## @param metrics.service.loadBalancerSourceRanges Redis® exporter service Load Balancer sources ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service ## e.g. 
@@ -1851,7 +1870,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r91 + tag: 11-debian-11-r93 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1899,7 +1918,7 @@ sysctl: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r91 + tag: 11-debian-11-r93 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/bitnami/spark/Chart.lock b/charts/bitnami/spark/Chart.lock index e8c46b19f..16acf443e 100644 --- a/charts/bitnami/spark/Chart.lock +++ b/charts/bitnami/spark/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.13.3 -digest: sha256:9a971689db0c66ea95ac2e911c05014c2b96c6077c991131ff84f2982f88fb83 -generated: "2023-10-22T15:11:15.989938898Z" + version: 2.14.1 +digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3 +generated: "2023-12-31T22:50:39.611750086Z" diff --git a/charts/bitnami/spark/Chart.yaml b/charts/bitnami/spark/Chart.yaml index 517590b84..0777f9ce5 100644 --- a/charts/bitnami/spark/Chart.yaml +++ b/charts/bitnami/spark/Chart.yaml @@ -6,7 +6,7 @@ annotations: category: Infrastructure images: | - name: spark - image: docker.io/bitnami/spark:3.5.0-debian-11-r16 + image: docker.io/bitnami/spark:3.5.0-debian-11-r17 licenses: Apache-2.0 apiVersion: v2 appVersion: 3.5.0 @@ -30,4 +30,4 @@ maintainers: name: spark sources: - https://github.com/bitnami/charts/tree/main/bitnami/spark -version: 8.1.6 +version: 8.1.8 diff --git a/charts/bitnami/spark/README.md b/charts/bitnami/spark/README.md index 7b7847d1c..ed541540c 100644 --- a/charts/bitnami/spark/README.md +++ b/charts/bitnami/spark/README.md 
@@ -309,12 +309,12 @@ The command removes all the Kubernetes components associated with the chart and ### Other parameters -| Name | Description | Value | -| --------------------------------------------- | ------------------------------------------------------ | ------ | -| `serviceAccount.create` | Enable the creation of a ServiceAccount for Spark pods | `true` | -| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `serviceAccount.annotations` | Annotations for Spark Service Account | `{}` | -| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a service account. | `true` | +| Name | Description | Value | +| --------------------------------------------- | ------------------------------------------------------ | ------- | +| `serviceAccount.create` | Enable the creation of a ServiceAccount for Spark pods | `true` | +| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | +| `serviceAccount.annotations` | Annotations for Spark Service Account | `{}` | +| `serviceAccount.automountServiceAccountToken` | Automount API credentials for a service account. | `false` | ### Metrics parameters @@ -356,7 +356,7 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/spark ## Configuration and installation details -### [Rolling vs Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) +### [Rolling vs Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. 
@@ -478,7 +478,7 @@ This version standardizes the way of defining Ingress rules. When configuring a ## License -Copyright © 2023 VMware, Inc. +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/charts/bitnami/spark/charts/common/Chart.yaml b/charts/bitnami/spark/charts/common/Chart.yaml index 40cd22d77..9a6aa881f 100644 --- a/charts/bitnami/spark/charts/common/Chart.yaml +++ b/charts/bitnami/spark/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.13.3 +appVersion: 2.14.1 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.13.3 +version: 2.14.1 diff --git a/charts/bitnami/spark/charts/common/README.md b/charts/bitnami/spark/charts/common/README.md index 80da4cc2f..a76fa46a2 100644 --- a/charts/bitnami/spark/charts/common/README.md +++ b/charts/bitnami/spark/charts/common/README.md @@ -24,14 +24,14 @@ data: myvalue: "Hello World" ``` +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. + ## Introduction This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. -Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - ## Prerequisites - Kubernetes 1.23+ 
diff --git a/charts/bitnami/spark/charts/common/templates/_secrets.tpl b/charts/bitnami/spark/charts/common/templates/_secrets.tpl index a193c46b6..84dbe3803 100644 --- a/charts/bitnami/spark/charts/common/templates/_secrets.tpl +++ b/charts/bitnami/spark/charts/common/templates/_secrets.tpl @@ -78,6 +78,8 @@ Params: - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - context - Context - Required - Parent context. - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. The order in which this function returns a secret password: 1. Already existing 'Secret' resource (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) @@ -91,7 +93,6 @@ The order in which this function returns a secret password: {{- $password := "" }} {{- $subchart := "" }} -{{- $failOnNew := default true .failOnNew }} {{- $chartName := default "" .chartName }} {{- $passwordLength := default 10 .length }} {{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} 
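Review bot: The new `skipB64enc` line in the Params comment calls base64 encryption ("will not be base64 encrypted") and carries a stray "no". Base64 is an encoding and gives no confidentiality, so the wording can mislead chart authors about what this helper protects. I would write it as `- skipB64enc - Boolean - Optional - Default to false. If set to true, the secret will not be base64 encoded.` The same comment is added in the tomcat and wordpress copies of `_secrets.tpl` later in this diff. The comment block and the define it documents start outside the hunk.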
@@ -99,12 +100,14 @@ The order in which this function returns a secret password: {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} {{- if $secretData }} {{- if hasKey $secretData .key }} - {{- $password = index $secretData .key | quote }} - {{- else if $failOnNew }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} {{- end -}} {{- else if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString | b64enc | quote }} + {{- $password = $providedPasswordValue | toString }} {{- else }} {{- if .context.Values.enabled }} @@ -120,12 +123,19 @@ The order in which this function returns a secret password: {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} {{- $password = randAscii $passwordLength }} {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} {{- else }} - {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- $password = randAlphaNum $passwordLength }} {{- end }} {{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} +{{- end -}} +{{- if .skipQuote -}} {{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} {{- end -}} {{/* diff --git a/charts/bitnami/spark/values.yaml b/charts/bitnami/spark/values.yaml index 443a5fc1c..7d8280ab5 100644 --- a/charts/bitnami/spark/values.yaml +++ b/charts/bitnami/spark/values.yaml 
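Review bot: When the looked-up Secret exists but lacks `.key`, `failOnNew` is false and no value is provided, none of the inner branches assigns `$password`, and the outer `else` that generates a random password is skipped because `$secretData` is set. The helper then goes on to encode and quote an empty string, so the new key is rendered with an empty password. One way to close the gap is to end the `if $secretData` block after the lookup and wrap the provided-value and generator branches in `{{- if not $password }}`, so an empty result falls through to them; the added inner `else if $providedPasswordValue` branch then becomes unnecessary. The tomcat copy of this hunk has the same shape, and the define starts and ends outside the hunk.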
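Review bot: With `skipB64enc` and `skipQuote` both set, the final `{{- printf "%s" $password -}}` emits the cleartext value verbatim, and that value can be a user-supplied `$providedPasswordValue`. A password containing `: `, `#` or a newline would then alter the rendered YAML unless the caller quotes it, and the cleartext belongs only in a Secret's `stringData`, not in a ConfigMap or a pod spec; the callers are not visible here. I would document that on the parameter, for example `- skipQuote - Boolean - Optional - Default to false. If set to true, the caller must quote the value and place it only in a Secret.` The same applies to the tomcat copy of this hunk.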
@@ -95,11 +95,11 @@ diagnosticMode: image: registry: docker.io repository: bitnami/spark - tag: 3.5.0-debian-11-r16 + tag: 3.5.0-debian-11-r17 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -248,7 +248,7 @@ master: ## affinity: {} ## @param master.nodeSelector Spark master node labels for pod assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param master.tolerations Spark master tolerations for pod assignment @@ -294,7 +294,7 @@ master: ## extraVolumeClaimTemplates: [] ## Container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following @@ -534,7 +534,7 @@ worker: ## affinity: {} ## @param worker.nodeSelector Spark worker node labels for pod assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param worker.tolerations Spark worker tolerations for pod assignment 
@@ -584,7 +584,7 @@ worker: ## extraVolumeClaimTemplates: [] ## Container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following @@ -749,7 +749,7 @@ security: ## truststorePassword: "" ## Container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following @@ -827,7 +827,7 @@ service: extraPorts: [] ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/user-guide/services/ + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ ## sessionAffinity: None ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity @@ -844,7 +844,7 @@ service: annotations: {} ## Configure the ingress resource that allows you to access the ## Spark installation. Set up the URL -## ref: https://kubernetes.io/docs/user-guide/ingress/ +## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ ## ingress: ## @param ingress.enabled Enable ingress controller resource 
@@ -869,7 +869,7 @@ ingress: path: / ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. ## For a full list of possible ingress annotations, please see - ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md + ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md ## Use this parameter to set the required annotations for cert-manager, see ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations ## @@ -960,7 +960,7 @@ serviceAccount: annotations: {} ## @param serviceAccount.automountServiceAccountToken Automount API credentials for a service account. ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## @section Metrics parameters ## diff --git a/charts/bitnami/tomcat/Chart.lock b/charts/bitnami/tomcat/Chart.lock index 4c3ccd233..8766afb03 100644 --- a/charts/bitnami/tomcat/Chart.lock +++ b/charts/bitnami/tomcat/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.13.3 -digest: sha256:9a971689db0c66ea95ac2e911c05014c2b96c6077c991131ff84f2982f88fb83 -generated: "2023-10-31T12:41:05.52315381+01:00" + version: 2.14.1 +digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3 +generated: "2024-01-10T22:13:35.985599592Z" diff --git a/charts/bitnami/tomcat/Chart.yaml b/charts/bitnami/tomcat/Chart.yaml index 01847f68e..fe0862a20 100644 --- a/charts/bitnami/tomcat/Chart.yaml +++ b/charts/bitnami/tomcat/Chart.yaml 
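Review bot: The flipped default `automountServiceAccountToken: false` in the `serviceAccount` block at line 960 changes behaviour for existing releases, yet the `@param` comment above it still does not say when the value has to be turned back on. Pods that use the mounted token to call the Kubernetes API would lose that access after an upgrade; whether the Spark templates depend on it is not visible in this diff. I would extend the comment, for example `## Keep false unless the Spark pods must call the Kubernetes API; set to true to mount the ServiceAccount token.`, and mention the new default in the README's upgrade notes.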
@@ -6,14 +6,14 @@ annotations: category: ApplicationServer images: | - name: jmx-exporter - image: docker.io/bitnami/jmx-exporter:0.20.0-debian-11-r1 + image: docker.io/bitnami/jmx-exporter:0.20.0-debian-11-r3 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r91 + image: docker.io/bitnami/os-shell:11-debian-11-r93 - name: tomcat - image: docker.io/bitnami/tomcat:10.1.16-debian-11-r2 + image: docker.io/bitnami/tomcat:10.1.18-debian-11-r0 licenses: Apache-2.0 apiVersion: v2 -appVersion: 10.1.16 +appVersion: 10.1.18 dependencies: - name: common repository: file://./charts/common @@ -38,4 +38,4 @@ maintainers: name: tomcat sources: - https://github.com/bitnami/charts/tree/main/bitnami/tomcat -version: 10.11.6 +version: 10.11.11 diff --git a/charts/bitnami/tomcat/README.md b/charts/bitnami/tomcat/README.md index 36e20cc19..6b25191b8 100644 --- a/charts/bitnami/tomcat/README.md +++ b/charts/bitnami/tomcat/README.md @@ -279,7 +279,7 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/tomca ## Configuration and installation details -### [Rolling vs Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) +### [Rolling vs Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. @@ -402,7 +402,7 @@ kubectl patch deployment tomcat --type=json -p='[{"op": "remove", "path": "/spec ## License -Copyright © 2023 VMware, Inc. +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/charts/bitnami/tomcat/charts/common/Chart.yaml b/charts/bitnami/tomcat/charts/common/Chart.yaml index 40cd22d77..9a6aa881f 100644 
--- a/charts/bitnami/tomcat/charts/common/Chart.yaml +++ b/charts/bitnami/tomcat/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.13.3 +appVersion: 2.14.1 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.13.3 +version: 2.14.1 diff --git a/charts/bitnami/tomcat/charts/common/README.md b/charts/bitnami/tomcat/charts/common/README.md index 80da4cc2f..a76fa46a2 100644 --- a/charts/bitnami/tomcat/charts/common/README.md +++ b/charts/bitnami/tomcat/charts/common/README.md @@ -24,14 +24,14 @@ data: myvalue: "Hello World" ``` +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. + ## Introduction This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. -Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - ## Prerequisites - Kubernetes 1.23+ diff --git a/charts/bitnami/tomcat/charts/common/templates/_secrets.tpl b/charts/bitnami/tomcat/charts/common/templates/_secrets.tpl index a193c46b6..84dbe3803 100644 --- a/charts/bitnami/tomcat/charts/common/templates/_secrets.tpl +++ b/charts/bitnami/tomcat/charts/common/templates/_secrets.tpl 
@@ -78,6 +78,8 @@ Params: - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - context - Context - Required - Parent context. - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. The order in which this function returns a secret password: 1. Already existing 'Secret' resource (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) @@ -91,7 +93,6 @@ The order in which this function returns a secret password: {{- $password := "" }} {{- $subchart := "" }} -{{- $failOnNew := default true .failOnNew }} {{- $chartName := default "" .chartName }} {{- $passwordLength := default 10 .length }} {{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} 
@@ -99,12 +100,14 @@ The order in which this function returns a secret password: {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} {{- if $secretData }} {{- if hasKey $secretData .key }} - {{- $password = index $secretData .key | quote }} - {{- else if $failOnNew }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} {{- end -}} {{- else if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString | b64enc | quote }} + {{- $password = $providedPasswordValue | toString }} {{- else }} {{- if .context.Values.enabled }} @@ -120,12 +123,19 @@ The order in which this function returns a secret password: {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} {{- $password = randAscii $passwordLength }} {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} {{- else }} - {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- $password = randAlphaNum $passwordLength }} {{- end }} {{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} +{{- end -}} +{{- if .skipQuote -}} {{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} {{- end -}} {{/* diff --git a/charts/bitnami/tomcat/values.yaml b/charts/bitnami/tomcat/values.yaml index 2ad1d2b3e..1130971d1 100644 --- a/charts/bitnami/tomcat/values.yaml +++ b/charts/bitnami/tomcat/values.yaml 
@@ -61,7 +61,7 @@ extraDeploy: [] image: registry: docker.io repository: bitnami/tomcat - tag: 10.1.16-debian-11-r2 + tag: 10.1.18-debian-11-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -597,7 +597,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r91 + tag: 11-debian-11-r93 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -657,7 +657,7 @@ metrics: image: registry: docker.io repository: bitnami/jmx-exporter - tag: 0.20.0-debian-11-r1 + tag: 0.20.0-debian-11-r3 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' diff --git a/charts/bitnami/wordpress/Chart.lock b/charts/bitnami/wordpress/Chart.lock index 678b023f1..3549cfe40 100644 --- a/charts/bitnami/wordpress/Chart.lock +++ b/charts/bitnami/wordpress/Chart.lock @@ -1,12 +1,12 @@ dependencies: - name: memcached repository: oci://registry-1.docker.io/bitnamicharts - version: 6.7.1 + version: 6.7.2 - name: mariadb repository: oci://registry-1.docker.io/bitnamicharts - version: 14.1.4 + version: 15.0.1 - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.13.3 -digest: sha256:d6872ca9f6d3ba5637e0f7eba8e903cf7084034b65ded8009d5f9b623f20af4e -generated: "2023-11-21T23:55:03.718546053Z" + version: 2.14.1 +digest: sha256:0f019d585184ae51ee203b1fc7b65ad7105ac3499e87a5c23df020b0d79bcdfd +generated: "2024-01-10T22:14:18.371091937Z" diff --git a/charts/bitnami/wordpress/Chart.yaml b/charts/bitnami/wordpress/Chart.yaml index ae224fa90..02b07b102 100644 --- a/charts/bitnami/wordpress/Chart.yaml +++ b/charts/bitnami/wordpress/Chart.yaml 
@@ -6,14 +6,14 @@ annotations: category: CMS images: | - name: apache-exporter - image: docker.io/bitnami/apache-exporter:1.0.3-debian-11-r1 + image: docker.io/bitnami/apache-exporter:1.0.5-debian-11-r1 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r91 + image: docker.io/bitnami/os-shell:11-debian-11-r93 - name: wordpress - image: docker.io/bitnami/wordpress:6.4.1-debian-11-r10 + image: docker.io/bitnami/wordpress:6.4.2-debian-11-r12 licenses: Apache-2.0 apiVersion: v2 -appVersion: 6.4.1 +appVersion: 6.4.2 dependencies: - condition: memcached.enabled name: memcached @@ -22,7 +22,7 @@ dependencies: - condition: mariadb.enabled name: mariadb repository: file://./charts/mariadb - version: 14.x.x + version: 15.x.x - name: common repository: file://./charts/common tags: @@ -47,4 +47,4 @@ maintainers: name: wordpress sources: - https://github.com/bitnami/charts/tree/main/bitnami/wordpress -version: 18.1.19 +version: 19.0.5 diff --git a/charts/bitnami/wordpress/README.md b/charts/bitnami/wordpress/README.md index f86b79be4..4c17ec257 100644 --- a/charts/bitnami/wordpress/README.md +++ b/charts/bitnami/wordpress/README.md 
@@ -277,50 +277,58 @@ The command removes all the Kubernetes components associated with the chart and ### Metrics Parameters -| Name | Description | Value | -| -------------------------------------------- | --------------------------------------------------------------------------------------------------------------- | --------------------------------- | -| `metrics.enabled` | Start a sidecar prometheus exporter to expose metrics | `false` | -| `metrics.image.registry` | Apache exporter image registry | `REGISTRY_NAME` | -| `metrics.image.repository` | Apache exporter image repository | `REPOSITORY_NAME/apache-exporter` | -| `metrics.image.digest` | Apache exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `metrics.image.pullPolicy` | Apache exporter image pull policy | `IfNotPresent` | -| `metrics.image.pullSecrets` | Apache exporter image pull secrets | `[]` | -| `metrics.containerPorts.metrics` | Prometheus exporter container port | `9117` | -| `metrics.livenessProbe.enabled` | Enable livenessProbe on Prometheus exporter containers | `true` | -| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` | -| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | -| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `metrics.readinessProbe.enabled` | Enable readinessProbe on Prometheus exporter containers | `true` | -| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` | -| 
`metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `metrics.startupProbe.enabled` | Enable startupProbe on Prometheus exporter containers | `false` | -| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | -| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | -| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | -| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `metrics.resources.limits` | The resources limits for the Prometheus exporter container | `{}` | -| `metrics.resources.requests` | The requested resources for the Prometheus exporter container | `{}` | -| `metrics.service.ports.metrics` | Prometheus metrics service port | `9150` | -| `metrics.service.annotations` | Additional custom annotations for Metrics service | `{}` | -| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` | -| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) | `""` | -| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. 
| `""` | -| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | -| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | -| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | -| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | -| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | -| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | -| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | +| Name | Description | Value | +| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- | --------------------------------- | +| `metrics.enabled` | Start a sidecar prometheus exporter to expose metrics | `false` | +| `metrics.image.registry` | Apache exporter image registry | `REGISTRY_NAME` | +| `metrics.image.repository` | Apache exporter image repository | `REPOSITORY_NAME/apache-exporter` | +| `metrics.image.digest` | Apache exporter image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | Apache exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Apache exporter image pull secrets | `[]` | +| `metrics.containerPorts.metrics` | Prometheus exporter container port | `9117` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe on Prometheus exporter containers | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe on Prometheus exporter containers | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.startupProbe.enabled` | Enable startupProbe on Prometheus exporter containers | `false` | +| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| 
`metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `metrics.resources.limits` | The resources limits for the Prometheus exporter container | `{}` | +| `metrics.resources.requests` | The requested resources for the Prometheus exporter container | `{}` | +| `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `metrics.service.ports.metrics` | Prometheus metrics service port | `9150` | +| `metrics.service.annotations` | Additional custom annotations for Metrics service | `{}` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` | +| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. 
| `""` | +| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | ### NetworkPolicy parameters @@ -398,7 +406,7 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/wordp ## Configuration and installation details -### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) +### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. @@ -517,6 +525,10 @@ To enable the new features, it is not possible to do it by upgrading an existing ## Upgrading +### To 19.0.0 + +This major release bumps the MariaDB version to 11.2. No major issues are expected during the upgrade. + ### To 18.0.0 This major release bumps the MariaDB version to 11.1. No major issues are expected during the upgrade. 
@@ -638,7 +650,7 @@ kubectl delete statefulset wordpress-mariadb --cascade=false ## License -Copyright © 2023 VMware, Inc. +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/charts/bitnami/wordpress/charts/common/Chart.yaml b/charts/bitnami/wordpress/charts/common/Chart.yaml index 40cd22d77..9a6aa881f 100644 --- a/charts/bitnami/wordpress/charts/common/Chart.yaml +++ b/charts/bitnami/wordpress/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.13.3 +appVersion: 2.14.1 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.13.3 +version: 2.14.1 diff --git a/charts/bitnami/wordpress/charts/common/README.md b/charts/bitnami/wordpress/charts/common/README.md index 80da4cc2f..a76fa46a2 100644 --- a/charts/bitnami/wordpress/charts/common/README.md +++ b/charts/bitnami/wordpress/charts/common/README.md @@ -24,14 +24,14 @@ data: myvalue: "Hello World" ``` +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. + ## Introduction This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. -Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - ## Prerequisites - Kubernetes 1.23+ 
diff --git a/charts/bitnami/wordpress/charts/common/templates/_secrets.tpl b/charts/bitnami/wordpress/charts/common/templates/_secrets.tpl index a193c46b6..84dbe3803 100644 --- a/charts/bitnami/wordpress/charts/common/templates/_secrets.tpl +++ b/charts/bitnami/wordpress/charts/common/templates/_secrets.tpl @@ -78,6 +78,8 @@ Params: - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - context - Context - Required - Parent context. - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. The order in which this function returns a secret password: 1. Already existing 'Secret' resource (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) @@ -91,7 +93,6 @@ The order in which this function returns a secret password: {{- $password := "" }} {{- $subchart := "" }} -{{- $failOnNew := default true .failOnNew }} {{- $chartName := default "" .chartName }} {{- $passwordLength := default 10 .length }} {{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} 
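Review bot: The new `skipB64enc` line in the Params comment says the secret "will not be base64 encrypted" and carries a stray "no". Base64 is an encoding and gives no confidentiality, so the wording can mislead a chart author about what the flag does to the value. I would write `- skipB64enc - Boolean - Optional - Default to false. If set to true, the returned password is not base64 encoded (plaintext).` The same comment is repeated in the vendored copies under charts/bitnami/wordpress/charts/mariadb/charts/common, charts/bitnami/wordpress/charts/memcached/charts/common and charts/bitnami/zookeeper/charts/common. The comment block itself starts above this hunk.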
@@ -99,12 +100,14 @@ The order in which this function returns a secret password: {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} {{- if $secretData }} {{- if hasKey $secretData .key }} - {{- $password = index $secretData .key | quote }} - {{- else if $failOnNew }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} {{- end -}} {{- else if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString | b64enc | quote }} + {{- $password = $providedPasswordValue | toString }} {{- else }} {{- if .context.Values.enabled }} @@ -120,12 +123,19 @@ The order in which this function returns a secret password: {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} {{- $password = randAscii $passwordLength }} {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} {{- else }} - {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- $password = randAlphaNum $passwordLength }} {{- end }} {{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} +{{- end -}} +{{- if .skipQuote -}} {{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} {{- end -}} {{/* diff --git a/charts/bitnami/wordpress/charts/mariadb/Chart.lock b/charts/bitnami/wordpress/charts/mariadb/Chart.lock index d1a0bc2eb..08b61c8af 100644 --- a/charts/bitnami/wordpress/charts/mariadb/Chart.lock +++ b/charts/bitnami/wordpress/charts/mariadb/Chart.lock 
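Review bot: When the Secret already exists but lacks `.key`, `failOnNew` is false and no value was provided, none of the three arms inside `{{- if $secretData }}` assigns `$password`, and the generation code sits in the outer `{{- else }}` that is skipped on this path. Judging from the tail in the following hunk, the empty string is then base64-encoded and quoted, so the new key would be rendered with an empty password instead of a generated one. I would close the inner chain with a final arm, for example `{{- else }}` followed by `{{- $password = randAlphaNum $passwordLength }}`, or fail explicitly there. The function body starts and ends outside this hunk, so this should be confirmed against the full template; the vendored mariadb, memcached and zookeeper copies of `_secrets.tpl` carry the same branch.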
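Review bot: With `.skipB64enc` and `.skipQuote` both set, the final `{{- printf "%s" $password -}}` emits the decoded or user-provided password verbatim, with no YAML quoting or escaping. A value containing `: `, `#` or a newline would then be parsed differently from what was stored, or change the surrounding manifest, unless every caller quotes it at the insertion point. The Params comment should state that contract, e.g. `If set to true, no quotes are added; the caller must quote or escape the value where it is inserted.` Both flags are also tested by truthiness while `failOnNew` is compared with `eq .failOnNew false`, so a non-empty string such as `"false"` would presumably switch them on; the callers are not visible here, so that part is worth checking rather than assumed.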
@@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.13.3 -digest: sha256:9a971689db0c66ea95ac2e911c05014c2b96c6077c991131ff84f2982f88fb83 -generated: "2023-10-20T19:50:53.486382513Z" + version: 2.14.1 +digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3 +generated: "2023-12-20T08:07:49.82584344Z" diff --git a/charts/bitnami/wordpress/charts/mariadb/Chart.yaml b/charts/bitnami/wordpress/charts/mariadb/Chart.yaml index b61d6578b..6fd7a1572 100644 --- a/charts/bitnami/wordpress/charts/mariadb/Chart.yaml +++ b/charts/bitnami/wordpress/charts/mariadb/Chart.yaml @@ -2,14 +2,14 @@ annotations: category: Database images: | - name: mariadb - image: docker.io/bitnami/mariadb:11.1.3-debian-11-r0 + image: docker.io/bitnami/mariadb:11.2.2-debian-11-r1 - name: mysqld-exporter - image: docker.io/bitnami/mysqld-exporter:0.15.0-debian-11-r71 + image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r0 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r91 + image: docker.io/bitnami/os-shell:11-debian-11-r92 licenses: Apache-2.0 apiVersion: v2 -appVersion: 11.1.3 +appVersion: 11.2.2 dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts @@ -33,4 +33,4 @@ maintainers: name: mariadb sources: - https://github.com/bitnami/charts/tree/main/bitnami/mariadb -version: 14.1.4 +version: 15.0.1 diff --git a/charts/bitnami/wordpress/charts/mariadb/charts/common/Chart.yaml b/charts/bitnami/wordpress/charts/mariadb/charts/common/Chart.yaml index 40cd22d77..9a6aa881f 100644 --- a/charts/bitnami/wordpress/charts/mariadb/charts/common/Chart.yaml +++ b/charts/bitnami/wordpress/charts/mariadb/charts/common/Chart.yaml 
@@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.13.3 +appVersion: 2.14.1 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.13.3 +version: 2.14.1 diff --git a/charts/bitnami/wordpress/charts/mariadb/charts/common/README.md b/charts/bitnami/wordpress/charts/mariadb/charts/common/README.md index 80da4cc2f..a76fa46a2 100644 --- a/charts/bitnami/wordpress/charts/mariadb/charts/common/README.md +++ b/charts/bitnami/wordpress/charts/mariadb/charts/common/README.md @@ -24,14 +24,14 @@ data: myvalue: "Hello World" ``` +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. + ## Introduction This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. -Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - ## Prerequisites - Kubernetes 1.23+ diff --git a/charts/bitnami/wordpress/charts/mariadb/charts/common/templates/_secrets.tpl b/charts/bitnami/wordpress/charts/mariadb/charts/common/templates/_secrets.tpl index a193c46b6..84dbe3803 100644 --- a/charts/bitnami/wordpress/charts/mariadb/charts/common/templates/_secrets.tpl +++ b/charts/bitnami/wordpress/charts/mariadb/charts/common/templates/_secrets.tpl 
@@ -78,6 +78,8 @@ Params: - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - context - Context - Required - Parent context. - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. The order in which this function returns a secret password: 1. Already existing 'Secret' resource (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) @@ -91,7 +93,6 @@ The order in which this function returns a secret password: {{- $password := "" }} {{- $subchart := "" }} -{{- $failOnNew := default true .failOnNew }} {{- $chartName := default "" .chartName }} {{- $passwordLength := default 10 .length }} {{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} 
@@ -99,12 +100,14 @@ The order in which this function returns a secret password: {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} {{- if $secretData }} {{- if hasKey $secretData .key }} - {{- $password = index $secretData .key | quote }} - {{- else if $failOnNew }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} {{- end -}} {{- else if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString | b64enc | quote }} + {{- $password = $providedPasswordValue | toString }} {{- else }} {{- if .context.Values.enabled }} @@ -120,12 +123,19 @@ The order in which this function returns a secret password: {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} {{- $password = randAscii $passwordLength }} {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} {{- else }} - {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- $password = randAlphaNum $passwordLength }} {{- end }} {{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} +{{- end -}} +{{- if .skipQuote -}} {{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} {{- end -}} {{/* diff --git a/charts/bitnami/wordpress/charts/mariadb/values.yaml b/charts/bitnami/wordpress/charts/mariadb/values.yaml index 6556fe1bf..feda971a7 100644 --- a/charts/bitnami/wordpress/charts/mariadb/values.yaml +++ b/charts/bitnami/wordpress/charts/mariadb/values.yaml 
@@ -90,7 +90,7 @@ serviceBindings: image: registry: docker.io repository: bitnami/mariadb - tag: 11.1.3-debian-11-r0 + tag: 11.2.2-debian-11-r1 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1016,7 +1016,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r91 + tag: 11-debian-11-r92 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) @@ -1052,7 +1052,7 @@ metrics: image: registry: docker.io repository: bitnami/mysqld-exporter - tag: 0.15.0-debian-11-r71 + tag: 0.15.1-debian-11-r0 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) diff --git a/charts/bitnami/wordpress/charts/memcached/Chart.lock b/charts/bitnami/wordpress/charts/memcached/Chart.lock index d176b2df0..995f241b3 100644 --- a/charts/bitnami/wordpress/charts/memcached/Chart.lock +++ b/charts/bitnami/wordpress/charts/memcached/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.13.3 -digest: sha256:9a971689db0c66ea95ac2e911c05014c2b96c6077c991131ff84f2982f88fb83 -generated: "2023-11-08T15:24:56.072439976Z" + version: 2.14.1 +digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3 +generated: "2023-12-31T18:26:46.31299103Z" diff --git a/charts/bitnami/wordpress/charts/memcached/Chart.yaml b/charts/bitnami/wordpress/charts/memcached/Chart.yaml index 0e37dac5e..714fbde2b 100644 --- a/charts/bitnami/wordpress/charts/memcached/Chart.yaml +++ b/charts/bitnami/wordpress/charts/memcached/Chart.yaml 
@@ -2,11 +2,11 @@ annotations: category: Infrastructure images: | - name: memcached-exporter - image: docker.io/bitnami/memcached-exporter:0.13.0-debian-11-r122 + image: docker.io/bitnami/memcached-exporter:0.14.2-debian-11-r0 - name: memcached - image: docker.io/bitnami/memcached:1.6.22-debian-11-r1 + image: docker.io/bitnami/memcached:1.6.22-debian-11-r2 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r91 + image: docker.io/bitnami/os-shell:11-debian-11-r93 licenses: Apache-2.0 apiVersion: v2 appVersion: 1.6.22 @@ -30,4 +30,4 @@ maintainers: name: memcached sources: - https://github.com/bitnami/charts/tree/main/bitnami/memcached -version: 6.7.1 +version: 6.7.2 diff --git a/charts/bitnami/wordpress/charts/memcached/charts/common/Chart.yaml b/charts/bitnami/wordpress/charts/memcached/charts/common/Chart.yaml index 40cd22d77..9a6aa881f 100644 --- a/charts/bitnami/wordpress/charts/memcached/charts/common/Chart.yaml +++ b/charts/bitnami/wordpress/charts/memcached/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.13.3 +appVersion: 2.14.1 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.13.3 +version: 2.14.1 diff --git a/charts/bitnami/wordpress/charts/memcached/charts/common/README.md b/charts/bitnami/wordpress/charts/memcached/charts/common/README.md index 80da4cc2f..a76fa46a2 100644 --- a/charts/bitnami/wordpress/charts/memcached/charts/common/README.md +++ b/charts/bitnami/wordpress/charts/memcached/charts/common/README.md 
@@ -24,14 +24,14 @@ data: myvalue: "Hello World" ``` +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. + ## Introduction This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. -Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - ## Prerequisites - Kubernetes 1.23+ diff --git a/charts/bitnami/wordpress/charts/memcached/charts/common/templates/_secrets.tpl b/charts/bitnami/wordpress/charts/memcached/charts/common/templates/_secrets.tpl index a193c46b6..84dbe3803 100644 --- a/charts/bitnami/wordpress/charts/memcached/charts/common/templates/_secrets.tpl +++ b/charts/bitnami/wordpress/charts/memcached/charts/common/templates/_secrets.tpl @@ -78,6 +78,8 @@ Params: - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - context - Context - Required - Parent context. - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. The order in which this function returns a secret password: 1. Already existing 'Secret' resource (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) 
@@ -91,7 +93,6 @@ The order in which this function returns a secret password: {{- $password := "" }} {{- $subchart := "" }} -{{- $failOnNew := default true .failOnNew }} {{- $chartName := default "" .chartName }} {{- $passwordLength := default 10 .length }} {{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} @@ -99,12 +100,14 @@ The order in which this function returns a secret password: {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} {{- if $secretData }} {{- if hasKey $secretData .key }} - {{- $password = index $secretData .key | quote }} - {{- else if $failOnNew }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} {{- end -}} {{- else if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString | b64enc | quote }} + {{- $password = $providedPasswordValue | toString }} {{- else }} {{- if .context.Values.enabled }} 
@@ -120,12 +123,19 @@ The order in which this function returns a secret password: {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} {{- $password = randAscii $passwordLength }} {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} {{- else }} - {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- $password = randAlphaNum $passwordLength }} {{- end }} {{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} +{{- end -}} +{{- if .skipQuote -}} {{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} {{- end -}} {{/* diff --git a/charts/bitnami/wordpress/charts/memcached/values.yaml b/charts/bitnami/wordpress/charts/memcached/values.yaml index 8617ab8f3..948ce1b27 100644 --- a/charts/bitnami/wordpress/charts/memcached/values.yaml +++ b/charts/bitnami/wordpress/charts/memcached/values.yaml @@ -73,7 +73,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/memcached - tag: 1.6.22-debian-11-r1 + tag: 1.6.22-debian-11-r2 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -527,7 +527,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r91 + tag: 11-debian-11-r93 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -572,7 +572,7 @@ metrics: image: registry: docker.io repository: bitnami/memcached-exporter - tag: 0.13.0-debian-11-r122 + tag: 0.14.2-debian-11-r0 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
diff --git a/charts/bitnami/wordpress/templates/deployment.yaml b/charts/bitnami/wordpress/templates/deployment.yaml index 96cee8242..58ce25f08 100644 --- a/charts/bitnami/wordpress/templates/deployment.yaml +++ b/charts/bitnami/wordpress/templates/deployment.yaml @@ -130,6 +130,14 @@ spec: value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} - name: ALLOW_EMPTY_PASSWORD value: {{ ternary "yes" "no" .Values.allowEmptyPassword | quote }} + - name: WORDPRESS_SKIP_BOOTSTRAP + value: {{ ternary "yes" "no" .Values.wordpressSkipInstall | quote }} + {{- if or .Values.wordpressConfiguration .Values.existingWordPressConfigurationSecret }} + # Override the default data to persist omiting wp-config.php from the list since + # it is mounted as a read-only file from a Secret + - name: WORDPRESS_DATA_TO_PERSIST + value: "wp-content" + {{- else }} - name: MARIADB_HOST value: {{ include "wordpress.databaseHost" . | quote }} - name: MARIADB_PORT_NUMBER @@ -162,8 +170,6 @@ spec: value: {{ ternary "yes" "no" .Values.htaccessPersistenceEnabled | quote }} - name: WORDPRESS_BLOG_NAME value: {{ .Values.wordpressBlogName | quote }} - - name: WORDPRESS_SKIP_BOOTSTRAP - value: {{ ternary "yes" "no" .Values.wordpressSkipInstall | quote }} - name: WORDPRESS_TABLE_PREFIX value: {{ .Values.wordpressTablePrefix | quote }} - name: WORDPRESS_SCHEME @@ -172,13 +178,8 @@ spec: value: {{ .Values.wordpressExtraConfigContent | quote }} - name: WORDPRESS_PLUGINS value: {{ join "," .Values.wordpressPlugins | quote }} - - name: APACHE_HTTP_PORT_NUMBER - value: {{ .Values.containerPorts.http | quote }} - - name: APACHE_HTTPS_PORT_NUMBER - value: {{ .Values.containerPorts.https | quote }} - {{- if .Values.overrideDatabaseSettings }} - name: WORDPRESS_OVERRIDE_DATABASE_SETTINGS - value: "yes" + value: {{ ternary "yes" "no" .Values.overrideDatabaseSettings | quote }} {{- end }} {{- if .Values.multisite.enable }} - name: WORDPRESS_ENABLE_MULTISITE 
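Review bot: The `{{- end }}` kept as context after `WORDPRESS_OVERRIDE_DATABASE_SETTINGS` used to close `{{- if .Values.overrideDatabaseSettings }}` and now closes the `{{- if or .Values.wordpressConfiguration .Values.existingWordPressConfigurationSecret }}` / `{{- else }}` opened in the first hunk, some fifty lines earlier. Nothing at the closing tag says so, and every variable in between (`MARIADB_HOST`, `WORDPRESS_BLOG_NAME`, `WORDPRESS_PLUGINS` and the rest) is no longer passed to the container when a custom wp-config.php is supplied. I would mark the close with `{{- end }}{{- /* end: wordpressConfiguration / existingWordPressConfigurationSecret */}}` and extend the comment above `WORDPRESS_DATA_TO_PERSIST` to say that the `else` branch is skipped on purpose, presumably because the mounted wp-config.php carries those settings; "omiting" there should read "omitting". The env list continues outside these hunks.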
@@ -217,6 +218,10 @@ spec: - name: SMTP_PROTOCOL value: {{ .Values.smtpProtocol | quote }} {{- end }} + - name: APACHE_HTTP_PORT_NUMBER + value: {{ .Values.containerPorts.http | quote }} + - name: APACHE_HTTPS_PORT_NUMBER + value: {{ .Values.containerPorts.https | quote }} {{- if .Values.extraEnvVars }} {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} {{- end }} @@ -331,6 +336,9 @@ spec: {{- if .Values.metrics.resources }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }} {{- end }} + {{- if .Values.metrics.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} {{- end }} {{- if .Values.sidecars }} {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} diff --git a/charts/bitnami/wordpress/values.yaml b/charts/bitnami/wordpress/values.yaml index 82ca1e9f6..eca0300fd 100644 --- a/charts/bitnami/wordpress/values.yaml +++ b/charts/bitnami/wordpress/values.yaml @@ -76,7 +76,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/wordpress - tag: 6.4.1-debian-11-r10 + tag: 6.4.2-debian-11-r12 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -768,7 +768,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r91 + tag: 11-debian-11-r93 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -862,7 +862,7 @@ metrics: image: registry: docker.io repository: bitnami/apache-exporter - tag: 1.0.3-debian-11-r1 + tag: 1.0.5-debian-11-r1 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -938,6 +938,28 @@ metrics: resources: limits: {} requests: {} + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context + ## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged + ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param metrics.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param metrics.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" ## Prometheus exporter service parameters ## service: diff --git a/charts/bitnami/zookeeper/Chart.lock b/charts/bitnami/zookeeper/Chart.lock index a372b3855..b17a2237d 100644 --- a/charts/bitnami/zookeeper/Chart.lock +++ b/charts/bitnami/zookeeper/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.13.3 -digest: sha256:9a971689db0c66ea95ac2e911c05014c2b96c6077c991131ff84f2982f88fb83 -generated: "2023-11-08T15:19:54.720987032Z" + version: 2.14.1 +digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3 +generated: "2024-01-01T00:08:42.872982603Z" 
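Review bot: The new `metrics.containerSecurityContext` defaults leave `readOnlyRootFilesystem: false` while every other field is set to its restrictive value (`runAsNonRoot: true`, `privileged: false`, `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]`, `seccompProfile.type: "RuntimeDefault"`). If the exporter does not write to its root filesystem, which this diff cannot confirm, defaulting to `readOnlyRootFilesystem: true` would complete the hardening; otherwise a one-line `##` comment saying why it stays writable would help operators who audit the chart. Because `enabled: true` is the default and deployment.yaml now renders the block, existing releases pick up `runAsUser: 1001` on the exporter container at upgrade, which deserves a line under "Upgrading" for clusters that assign UIDs themselves.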
diff --git a/charts/bitnami/zookeeper/Chart.yaml b/charts/bitnami/zookeeper/Chart.yaml index d035ce733..d1ed86c62 100644 --- a/charts/bitnami/zookeeper/Chart.yaml +++ b/charts/bitnami/zookeeper/Chart.yaml @@ -6,9 +6,9 @@ annotations: category: Infrastructure images: | - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r91 + image: docker.io/bitnami/os-shell:11-debian-11-r93 - name: zookeeper - image: docker.io/bitnami/zookeeper:3.9.1-debian-11-r2 + image: docker.io/bitnami/zookeeper:3.9.1-debian-11-r5 licenses: Apache-2.0 apiVersion: v2 appVersion: 3.9.1 @@ -30,4 +30,4 @@ maintainers: name: zookeeper sources: - https://github.com/bitnami/charts/tree/main/bitnami/zookeeper -version: 12.3.3 +version: 12.4.4 diff --git a/charts/bitnami/zookeeper/README.md b/charts/bitnami/zookeeper/README.md index 5ce024137..70d4850ef 100644 --- a/charts/bitnami/zookeeper/README.md +++ b/charts/bitnami/zookeeper/README.md @@ -195,6 +195,8 @@ The command removes all the Kubernetes components associated with the chart and | `pdb.minAvailable` | Minimum available ZooKeeper replicas | `""` | | `pdb.maxUnavailable` | Maximum unavailable ZooKeeper replicas | `1` | | `enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | +| `dnsPolicy` | Specifies the DNS policy for the zookeeper pods | `""` | +| `dnsConfig` | allows users more control on the DNS settings for a Pod. Required if `dnsPolicy` is set to `None` | `{}` | ### Traffic Exposure parameters 
@@ -226,9 +228,9 @@ The command removes all the Kubernetes components associated with the chart and | Name | Description | Value | | --------------------------------------------- | ---------------------------------------------------------------------- | ------- | -| `serviceAccount.create` | Enable creation of ServiceAccount for ZooKeeper pod | `false` | +| `serviceAccount.create` | Enable creation of ServiceAccount for ZooKeeper pod | `true` | | `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` | +| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` | | `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | ### Persistence parameters @@ -344,7 +346,7 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/zooke ## Configuration and installation details -### [Rolling vs Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) +### [Rolling vs Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. @@ -521,7 +523,7 @@ kubectl delete statefulset zookeeper-zookeeper --cascade=false ## License -Copyright © 2023 VMware, Inc. +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/charts/bitnami/zookeeper/charts/common/Chart.yaml b/charts/bitnami/zookeeper/charts/common/Chart.yaml index 40cd22d77..9a6aa881f 100644 
--- a/charts/bitnami/zookeeper/charts/common/Chart.yaml +++ b/charts/bitnami/zookeeper/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.13.3 +appVersion: 2.14.1 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.13.3 +version: 2.14.1 diff --git a/charts/bitnami/zookeeper/charts/common/README.md b/charts/bitnami/zookeeper/charts/common/README.md index 80da4cc2f..a76fa46a2 100644 --- a/charts/bitnami/zookeeper/charts/common/README.md +++ b/charts/bitnami/zookeeper/charts/common/README.md @@ -24,14 +24,14 @@ data: myvalue: "Hello World" ``` +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. + ## Introduction This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. -Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - ## Prerequisites - Kubernetes 1.23+ diff --git a/charts/bitnami/zookeeper/charts/common/templates/_secrets.tpl b/charts/bitnami/zookeeper/charts/common/templates/_secrets.tpl index a193c46b6..84dbe3803 100644 --- a/charts/bitnami/zookeeper/charts/common/templates/_secrets.tpl +++ b/charts/bitnami/zookeeper/charts/common/templates/_secrets.tpl 
@@ -78,6 +78,8 @@ Params: - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - context - Context - Required - Parent context. - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. The order in which this function returns a secret password: 1. Already existing 'Secret' resource (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) @@ -91,7 +93,6 @@ The order in which this function returns a secret password: {{- $password := "" }} {{- $subchart := "" }} -{{- $failOnNew := default true .failOnNew }} {{- $chartName := default "" .chartName }} {{- $passwordLength := default 10 .length }} {{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} 
@@ -99,12 +100,14 @@ The order in which this function returns a secret password: {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} {{- if $secretData }} {{- if hasKey $secretData .key }} - {{- $password = index $secretData .key | quote }} - {{- else if $failOnNew }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} {{- end -}} {{- else if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString | b64enc | quote }} + {{- $password = $providedPasswordValue | toString }} {{- else }} {{- if .context.Values.enabled }} @@ -120,12 +123,19 @@ The order in which this function returns a secret password: {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} {{- $password = randAscii $passwordLength }} {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} {{- else }} - {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- $password = randAlphaNum $passwordLength }} {{- end }} {{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} +{{- end -}} +{{- if .skipQuote -}} {{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} {{- end -}} {{/* diff --git a/charts/bitnami/zookeeper/templates/statefulset.yaml b/charts/bitnami/zookeeper/templates/statefulset.yaml index 4719f9bab..0aa6ffa34 100644 --- a/charts/bitnami/zookeeper/templates/statefulset.yaml +++ b/charts/bitnami/zookeeper/templates/statefulset.yaml 
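Review bot: In the rewritten `{{- if $secretData }}` branch, a Secret that exists but lacks `.key` leaves `$password` as `""` when `.failOnNew` is false and no provided value is found, because the random-generation code sits in the outer `{{- else }}` and is never reached on this path. The encode-and-quote step added in the @@ -120,12 +123,19 @@ hunk would then emit an empty password without any error. I would close the lookup `if` first and run the provided-value and generation fallbacks behind a guard such as `{{- if not $password }}`, so a missing key gets a real value. The function begins before this hunk, so any caller-side check is not visible here.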
@@ -75,6 +75,12 @@ spec: {{- if .Values.podSecurityContext.enabled }} securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} {{- end }} + {{- if .Values.dnsPolicy }} + dnsPolicy: {{ .Values.dnsPolicy }} + {{- end }} + {{- if .Values.dnsConfig }} + dnsConfig: {{- include "common.tplvalues.render" (dict "value" .Values.dnsConfig "context" $) | nindent 8 }} + {{- end }} initContainers: {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} - name: volume-permissions 
@@ -372,26 +378,20 @@ spec: {{- else if .Values.livenessProbe.enabled }} livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled" "probeCommandTimeout") "context" $) | nindent 12 }} exec: - {{- if not .Values.service.disableBaseClientPort }} - command: ['/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.livenessProbe.probeCommandTimeout }} nc -w {{ .Values.livenessProbe.probeCommandTimeout }} -q 1 localhost {{ .Values.containerPorts.client }} | grep imok'] - {{- else if not .Values.tls.client.enabled }} - command: ['/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.livenessProbe.probeCommandTimeout }} openssl s_client -quiet -crlf -connect localhost:{{ .Values.containerPorts.tls }} | grep imok'] - {{- else }} - command: ['/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.livenessProbe.probeCommandTimeout }} openssl s_client -quiet -crlf -connect localhost:{{ .Values.containerPorts.tls }} -cert {{ .Values.service.tls.client_cert_pem_path }} -key {{ .Values.service.tls.client_key_pem_path }} | grep imok'] - {{- end }} + command: + - /bin/bash + - -ec + - ZOO_HC_TIMEOUT={{ .Values.livenessProbe.probeCommandTimeout }} /opt/bitnami/scripts/zookeeper/healthcheck.sh {{- end }} {{- if .Values.customReadinessProbe }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} {{- else if .Values.readinessProbe.enabled }} readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled" "probeCommandTimeout") "context" $) | nindent 12 }} exec: - {{- if not .Values.service.disableBaseClientPort }} - command: ['/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.readinessProbe.probeCommandTimeout }} nc -w {{ .Values.readinessProbe.probeCommandTimeout }} -q 1 localhost {{ .Values.containerPorts.client }} | grep imok'] - {{- else if not .Values.tls.client.enabled }} - command: ['/bin/bash', '-c', 'echo "ruok" | timeout 
{{ .Values.readinessProbe.probeCommandTimeout }} openssl s_client -quiet -crlf -connect localhost:{{ .Values.containerPorts.tls }} | grep imok'] - {{- else }} - command: ['/bin/bash', '-c', 'echo "ruok" | timeout {{ .Values.readinessProbe.probeCommandTimeout }} openssl s_client -quiet -crlf -connect localhost:{{ .Values.containerPorts.tls }} -cert {{ .Values.service.tls.client_cert_pem_path }} -key {{ .Values.service.tls.client_key_pem_path }} | grep imok'] - {{- end }} + command: + - /bin/bash + - -ec + - ZOO_HC_TIMEOUT={{ .Values.readinessProbe.probeCommandTimeout }} /opt/bitnami/scripts/zookeeper/healthcheck.sh {{- end }} {{- if .Values.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} @@ -443,7 +443,7 @@ spec: - name: scripts configMap: name: {{ printf "%s-scripts" (include "common.names.fullname" .) }} - defaultMode: 0755 + defaultMode: 493 {{- if or .Values.configuration .Values.existingConfigmap }} - name: config configMap: diff --git a/charts/bitnami/zookeeper/values.yaml b/charts/bitnami/zookeeper/values.yaml index cdf7228f9..a14aa2be8 100644 --- a/charts/bitnami/zookeeper/values.yaml +++ b/charts/bitnami/zookeeper/values.yaml @@ -79,11 +79,11 @@ diagnosticMode: image: registry: docker.io repository: bitnami/zookeeper - tag: 3.9.1-debian-11-r2 + tag: 3.9.1-debian-11-r5 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
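Review bot: Both exec probes now depend on `/opt/bitnami/scripts/zookeeper/healthcheck.sh` being present in the container image, and nothing in the template says so; a release that pins an older `image.tag` or uses a custom image would presumably fail every liveness check and be restarted in a loop. The removed branches also handled `service.disableBaseClientPort` and the TLS client cert/key paths inside the chart, so whether the script covers those cases cannot be confirmed from this hunk. I would add a comment above each `command:`, for example `# requires an image that ships healthcheck.sh; otherwise set customLivenessProbe / customReadinessProbe`. The container spec starts and ends outside the hunk.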
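Review bot: `defaultMode: 493` is the decimal form of octal 0755, but as written nobody auditing the permissions of the mounted scripts can tell that at a glance. A trailing comment keeps the intent visible: `defaultMode: 493 # 0755 octal (rwxr-xr-x)`. The switch to decimal is presumably meant to avoid parsers that do not read `0755` as octal, which the comment could also state. The volumes list continues outside the hunk.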
@@ -312,7 +312,7 @@ customStartupProbe: {} ## lifecycleHooks: {} ## ZooKeeper resource requests and limits -## ref: https://kubernetes.io/docs/user-guide/compute-resources/ +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param resources.limits The resources limits for the ZooKeeper containers ## @param resources.requests.memory The requested memory for the ZooKeeper containers ## @param resources.requests.cpu The requested cpu for the ZooKeeper containers @@ -397,7 +397,7 @@ nodeAffinityPreset: ## affinity: {} ## @param nodeSelector Node labels for pod assignment -## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param tolerations Tolerations for pod assignment 
@@ -490,6 +490,28 @@ pdb: ## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`. ## enableServiceLinks: true +## DNS-Pod services +## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +## @param dnsPolicy Specifies the DNS policy for the zookeeper pods +## DNS policies can be set on a per-Pod basis. Currently Kubernetes supports the following Pod-specific DNS policies. +## Available options: Default, ClusterFirst, ClusterFirstWithHostNet, None +## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy +dnsPolicy: "" +## @param dnsConfig allows users more control on the DNS settings for a Pod. Required if `dnsPolicy` is set to `None` +## The dnsConfig field is optional and it can work with any dnsPolicy settings. +## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config +## E.g. +## dnsConfig: +## nameservers: +## - 192.0.2.1 # this is an example +## searches: +## - ns1.svc.cluster-domain.example +## - my.dns.search.suffix +## options: +## - name: ndots +## value: "2" +## - name: edns0 +dnsConfig: {} ## @section Traffic Exposure parameters @@ -520,7 +542,7 @@ service: disableBaseClientPort: false ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/user-guide/services/ + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ ## sessionAffinity: None ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity 
@@ -535,7 +557,7 @@ service: ## clusterIP: "" ## @param service.loadBalancerIP ZooKeeper service Load Balancer IP - ## ref: https://kubernetes.io/docs/user-guide/services/#type-loadbalancer + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer ## loadBalancerIP: "" ## @param service.loadBalancerSourceRanges ZooKeeper service Load Balancer sources @@ -584,7 +606,7 @@ networkPolicy: serviceAccount: ## @param serviceAccount.create Enable creation of ServiceAccount for ZooKeeper pod ## - create: false + create: true ## @param serviceAccount.name The name of the ServiceAccount to use. ## If not set and create is true, a name is generated using the common.names.fullname template ## @@ -592,7 +614,7 @@ serviceAccount: ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created ## Can be set to false if pods using this serviceAccount do not need to use K8s API ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount ## annotations: {} @@ -600,7 +622,7 @@ serviceAccount: ## @section Persistence parameters ## Enable persistence using Persistent Volume Claims -## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ +## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ## persistence: ## @param persistence.enabled Enable ZooKeeper data persistence using PVC. If false, use emptyDir @@ -678,7 +700,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r91 + tag: 11-debian-11-r93 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
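Review bot: With the default flipped to `automountServiceAccountToken: false`, the context comment above it (`Can be set to false if pods using this serviceAccount do not need to use K8s API`) describes the old default and now reads backwards. I would reword it to `## Set to true only if pods using this serviceAccount need to call the K8s API`. Together with `create: true` in the @@ -584,7 +606,7 @@ hunk this changes behaviour on upgrade: releases that presumably ran under the namespace's default ServiceAccount with a mounted token get a dedicated account without one, which deserves a line in the chart's upgrade notes. Whether the pod spec sets its own `automountServiceAccountToken`, which would take precedence over this field, is not visible here.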
@@ -690,7 +712,7 @@ volumePermissions: ## pullSecrets: [] ## Init container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param volumePermissions.resources.limits Init container volume-permissions resource limits ## @param volumePermissions.resources.requests Init container volume-permissions resource requests ## @@ -888,7 +910,7 @@ tls: ## truststorePassword: "" ## Init container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## @param tls.resources.limits The resources limits for the TLS init container ## @param tls.resources.requests The requested resources for the TLS init container ## diff --git a/charts/cert-manager/cert-manager/Chart.yaml b/charts/cert-manager/cert-manager/Chart.yaml index c3ca8f4df..a058286e8 100644 --- a/charts/cert-manager/cert-manager/Chart.yaml +++ b/charts/cert-manager/cert-manager/Chart.yaml @@ -10,7 +10,7 @@ annotations: catalog.cattle.io/namespace: cert-manager catalog.cattle.io/release-name: cert-manager apiVersion: v1 -appVersion: v1.13.2 +appVersion: v1.13.3 description: A Helm chart for cert-manager home: https://github.com/cert-manager/cert-manager icon: https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png @@ -27,4 +27,4 @@ maintainers: name: cert-manager sources: - https://github.com/cert-manager/cert-manager -version: v1.13.2 +version: v1.13.3 diff --git a/charts/cert-manager/cert-manager/README.md b/charts/cert-manager/cert-manager/README.md index 7fbee254c..bdff2abe8 100644 --- a/charts/cert-manager/cert-manager/README.md +++ b/charts/cert-manager/cert-manager/README.md 
@@ -19,7 +19,7 @@ Before installing the chart, you must first install the cert-manager CustomResou This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources. ```bash -$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.crds.yaml +$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.crds.yaml ``` To install the chart with the release name `my-release`: @@ -29,7 +29,7 @@ To install the chart with the release name `my-release`: $ helm repo add jetstack https://charts.jetstack.io ## Install the cert-manager helm chart -$ helm install my-release --namespace cert-manager --version v1.13.2 jetstack/cert-manager +$ helm install my-release --namespace cert-manager --version v1.13.3 jetstack/cert-manager ``` In order to begin issuing certificates, you will need to set up a ClusterIssuer @@ -65,7 +65,7 @@ If you want to completely uninstall cert-manager from your cluster, you will als delete the previously installed CustomResourceDefinition resources: ```console -$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.crds.yaml +$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.crds.yaml ``` ## Configuration 
@@ -86,7 +86,7 @@ The following table lists the configurable parameters of the cert-manager chart | `global.leaderElection.retryPeriod` | The duration the clients should wait between attempting acquisition and renewal of a leadership | | | `installCRDs` | If true, CRD resources will be installed as part of the Helm chart. If enabled, when uninstalling CRD resources will be deleted causing all installed custom resources to be DELETED | `false` | | `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` | -| `image.tag` | Image tag | `v1.13.2` | +| `image.tag` | Image tag | `v1.13.3` | | `image.pullPolicy` | Image pull policy | `IfNotPresent` | | `replicaCount` | Number of cert-manager replicas | `1` | | `clusterResourceNamespace` | Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources | Same namespace as cert-manager pod | @@ -171,7 +171,7 @@ The following table lists the configurable parameters of the cert-manager chart | `webhook.tolerations` | Node tolerations for webhook pod assignment | `[]` | | `webhook.topologySpreadConstraints` | Topology spread constraints for webhook pod assignment | `[]` | | `webhook.image.repository` | Webhook image repository | `quay.io/jetstack/cert-manager-webhook` | -| `webhook.image.tag` | Webhook image tag | `v1.13.2` | +| `webhook.image.tag` | Webhook image tag | `v1.13.3` | | `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` | | `webhook.securePort` | The port that the webhook should listen on for requests. | `10250` | | `webhook.securityContext` | Security context for webhook pod assignment | refer to [Default Security Contexts](#default-security-contexts) | 
@@ -210,13 +210,13 @@ The following table lists the configurable parameters of the cert-manager chart | `cainjector.tolerations` | Node tolerations for cainjector pod assignment | `[]` | | `cainjector.topologySpreadConstraints` | Topology spread constraints for cainjector pod assignment | `[]` | | `cainjector.image.repository` | cainjector image repository | `quay.io/jetstack/cert-manager-cainjector` | -| `cainjector.image.tag` | cainjector image tag | `v1.13.2` | +| `cainjector.image.tag` | cainjector image tag | `v1.13.3` | | `cainjector.image.pullPolicy` | cainjector image pull policy | `IfNotPresent` | | `cainjector.securityContext` | Security context for cainjector pod assignment | refer to [Default Security Contexts](#default-security-contexts) | | `cainjector.containerSecurityContext` | Security context to be set on cainjector component container | refer to [Default Security Contexts](#default-security-contexts) | | `cainjector.enableServiceLinks` | Indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. | `false` | | `acmesolver.image.repository` | acmesolver image repository | `quay.io/jetstack/cert-manager-acmesolver` | -| `acmesolver.image.tag` | acmesolver image tag | `v1.13.2` | +| `acmesolver.image.tag` | acmesolver image tag | `v1.13.3` | | `acmesolver.image.pullPolicy` | acmesolver image pull policy | `IfNotPresent` | | `startupapicheck.enabled` | Toggles whether the startupapicheck Job should be installed | `true` | | `startupapicheck.securityContext` | Security context for startupapicheck pod assignment | refer to [Default Security Contexts](#default-security-contexts) | 
@@ -232,7 +232,7 @@ The following table lists the configurable parameters of the cert-manager chart | `startupapicheck.tolerations` | Node tolerations for startupapicheck pod assignment | `[]` | | `startupapicheck.podLabels` | Optional additional labels to add to the startupapicheck Pods | `{}` | | `startupapicheck.image.repository` | startupapicheck image repository | `quay.io/jetstack/cert-manager-ctl` | -| `startupapicheck.image.tag` | startupapicheck image tag | `v1.13.2` | +| `startupapicheck.image.tag` | startupapicheck image tag | `v1.13.3` | | `startupapicheck.image.pullPolicy` | startupapicheck image pull policy | `IfNotPresent` | | `startupapicheck.serviceAccount.create` | If `true`, create a new service account for the startupapicheck component | `true` | | `startupapicheck.serviceAccount.name` | Service account for the startupapicheck component to be used. If not set and `startupapicheck.serviceAccount.create` is `true`, a name is generated using the fullname template | | diff --git a/charts/clastix/kamaji/Chart.yaml b/charts/clastix/kamaji/Chart.yaml index dd9814922..c37e5b891 100644 --- a/charts/clastix/kamaji/Chart.yaml +++ b/charts/clastix/kamaji/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.21.0-0' catalog.cattle.io/release-name: kamaji apiVersion: v2 -appVersion: v0.3.5 +appVersion: v0.4.0 description: Kamaji is a Kubernetes Control Plane Manager. home: https://github.com/clastix/kamaji icon: https://github.com/clastix/kamaji/raw/master/assets/logo-colored.png @@ -20,4 +20,4 @@ name: kamaji sources: - https://github.com/clastix/kamaji type: application -version: 0.13.0 +version: 0.14.0 diff --git a/charts/clastix/kamaji/README.md b/charts/clastix/kamaji/README.md index fda4b928f..8a79a014b 100644 --- a/charts/clastix/kamaji/README.md +++ b/charts/clastix/kamaji/README.md 
@@ -1,6 +1,6 @@ # kamaji -![Version: 0.13.0](https://img.shields.io/badge/Version-0.13.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.3.5](https://img.shields.io/badge/AppVersion-v0.3.5-informational?style=flat-square) +![Version: 0.14.0](https://img.shields.io/badge/Version-0.14.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.0](https://img.shields.io/badge/AppVersion-v0.4.0-informational?style=flat-square) Kamaji is a Kubernetes Control Plane Manager. diff --git a/charts/clastix/kamaji/crds/tenantcontrolplane.yaml b/charts/clastix/kamaji/crds/tenantcontrolplane.yaml index 068d81e22..e4746204e 100644 --- a/charts/clastix/kamaji/crds/tenantcontrolplane.yaml +++ b/charts/clastix/kamaji/crds/tenantcontrolplane.yaml 
@@ -55,13 +55,18 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: TenantControlPlane is the Schema for the tenantcontrolplanes API. + description: TenantControlPlane is the Schema for the tenantcontrolplanes + API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -72,17 +77,24 @@ spec: description: Addons contain which addons are enabled properties: coreDNS: - description: Enables the DNS addon in the Tenant Cluster. The registry and the tag are configurable, the image is hard-coded to `coredns`. + description: Enables the DNS addon in the Tenant Cluster. The + registry and the tag are configurable, the image is hard-coded + to `coredns`. properties: imageRepository: - description: ImageRepository sets the container registry to pull images from. if not set, the default ImageRepository will be used instead. + description: ImageRepository sets the container registry to + pull images from. if not set, the default ImageRepository + will be used instead. type: string imageTag: - description: ImageTag allows to specify a tag for the image. In case this value is set, kubeadm does not change automatically the version of the above components during upgrades. + description: ImageTag allows to specify a tag for the image. + In case this value is set, kubeadm does not change automatically + the version of the above components during upgrades. type: string type: object konnectivity: - description: Enables the Konnectivity addon in the Tenant Cluster, required if the worker nodes are in a different network. + description: Enables the Konnectivity addon in the Tenant Cluster, + required if the worker nodes are in a different network. properties: agent: default: @@ -90,13 +102,15 @@ spec: version: v0.0.32 properties: extraArgs: - description: ExtraArgs allows adding additional arguments to said component. + description: ExtraArgs allows adding additional arguments + to said component. items: type: string type: array image: default: registry.k8s.io/kas-network-proxy/proxy-agent - description: AgentImage defines the container image for Konnectivity's agent. + description: AgentImage defines the container image for + Konnectivity's agent. type: string version: default: v0.0.32 
@@ -110,108 +124,173 @@ spec: version: v0.0.32 properties: extraArgs: - description: ExtraArgs allows adding additional arguments to said component. + description: ExtraArgs allows adding additional arguments + to said component. items: type: string type: array image: default: registry.k8s.io/kas-network-proxy/proxy-server - description: Container image used by the Konnectivity server. + description: Container image used by the Konnectivity + server. type: string port: - description: The port which Konnectivity server is listening to. + description: The port which Konnectivity server is listening + to. format: int32 type: integer resources: - description: Resources define the amount of CPU and memory to allocate to the Konnectivity server. + description: Resources define the amount of CPU and memory + to allocate to the Konnectivity server. properties: claims: - description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable." + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are used by + this container. \n This is an alpha field and requires + enabling the DynamicResourceAllocation feature gate. + \n This field is immutable. It can only be set for + containers." items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. + description: Name must match the name of one + entry in pod.spec.resourceClaims of the Pod + where this field is used. It makes that resource + available inside a container. 
type: string required: - - name + - name type: object type: array x-kubernetes-list-map-keys: - - name + - name x-kubernetes-list-type: map limits: additionalProperties: anyOf: - - type: integer - - type: string + - type: integer + - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Limits describes the maximum amount + of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: anyOf: - - type: integer - - type: string + - type: integer + - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Requests describes the minimum amount + of compute resources required. If Requests is omitted + for a container, it defaults to Limits if that is + explicitly specified, otherwise to an implementation-defined + value. Requests cannot exceed Limits. More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object version: default: v0.0.32 - description: Container image version of the Konnectivity server. + description: Container image version of the Konnectivity + server. 
type: string required: - - port + - port type: object type: object kubeProxy: - description: Enables the kube-proxy addon in the Tenant Cluster. The registry and the tag are configurable, the image is hard-coded to `kube-proxy`. + description: Enables the kube-proxy addon in the Tenant Cluster. + The registry and the tag are configurable, the image is hard-coded + to `kube-proxy`. properties: imageRepository: - description: ImageRepository sets the container registry to pull images from. if not set, the default ImageRepository will be used instead. + description: ImageRepository sets the container registry to + pull images from. if not set, the default ImageRepository + will be used instead. type: string imageTag: - description: ImageTag allows to specify a tag for the image. In case this value is set, kubeadm does not change automatically the version of the above components during upgrades. + description: ImageTag allows to specify a tag for the image. + In case this value is set, kubeadm does not change automatically + the version of the above components during upgrades. type: string type: object type: object controlPlane: - description: ControlPlane defines how the Tenant Control Plane Kubernetes resources must be created in the Admin Cluster, such as the number of Pod replicas, the Service resource, or the Ingress. + description: ControlPlane defines how the Tenant Control Plane Kubernetes + resources must be created in the Admin Cluster, such as the number + of Pod replicas, the Service resource, or the Ingress. properties: deployment: - description: Defining the options for the deployed Tenant Control Plane as Deployment resource. + description: Defining the options for the deployed Tenant Control + Plane as Deployment resource. properties: additionalContainers: - description: AdditionalContainers allows adding additional containers to the Control Plane deployment. 
+ description: AdditionalContainers allows adding additional + containers to the Control Plane deployment. items: - description: A single application container that you want to run within a pod. + description: A single application container that you want + to run within a pod. properties: args: - description: 'Arguments to the entrypoint. The container image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: 'Arguments to the entrypoint. The container + image''s CMD is used if this is not provided. Variable + references $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, the + reference in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce + the string literal "$(VAR_NAME)". Escaped references + will never be expanded, regardless of whether the + variable exists or not. Cannot be updated. More info: + https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array command: - description: 'Entrypoint array. Not executed within a shell. The container image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. 
Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is used + if this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. If + a variable cannot be resolved, the reference in the + input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) + syntax: i.e. "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable exists + or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array env: - description: List of environment variables to set in the container. Cannot be updated. + description: List of environment variables to set in + the container. Cannot be updated. items: - description: EnvVar represents an environment variable present in a Container. + description: EnvVar represents an environment variable + present in a Container. properties: name: - description: Name of the environment variable. Must be a C_IDENTIFIER. + description: Name of the environment variable. + Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. 
Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined environment + variables in the container and any service environment + variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults + to "".' type: string valueFrom: - description: Source for the environment variable's value. Cannot be used if value is not empty. + description: Source for the environment variable's + value. Cannot be used if value is not empty. properties: configMapKeyRef: description: Selects a key of a ConfigMap. 
@@ -220,290 +299,467 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' type: string optional: - description: Specify whether the ConfigMap or its key must be defined + description: Specify whether the ConfigMap + or its key must be defined type: boolean required: - - key + - key type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['''']`, `metadata.annotations['''']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.' + description: 'Selects a field of the pod: + supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' properties: apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". type: string fieldPath: - description: Path of the field to select in the specified API version. + description: Path of the field to select + in the specified API version. type: string required: - - fieldPath + - fieldPath type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' 
+ description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, + requests.cpu, requests.memory and requests.ephemeral-storage) + are currently supported.' properties: containerName: - description: 'Container name: required for volumes, optional for env vars' + description: 'Container name: required + for volumes, optional for env vars' type: string divisor: anyOf: - - type: integer - - type: string - description: Specifies the output format of the exposed resources, defaults to "1" + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: description: 'Required: resource to select' type: string required: - - resource + - resource type: object x-kubernetes-map-type: atomic secretKeyRef: - description: Selects a key of a secret in the pod's namespace + description: Selects a key of a secret in + the pod's namespace properties: key: - description: The key of the secret to select from. Must be a valid secret key. + description: The key of the secret to + select from. Must be a valid secret + key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
type: string optional: - description: Specify whether the Secret or its key must be defined + description: Specify whether the Secret + or its key must be defined type: boolean required: - - key + - key type: object x-kubernetes-map-type: atomic type: object required: - - name + - name type: object type: array envFrom: - description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. + description: List of sources to populate environment + variables in the container. The keys defined within + a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container is + starting. When a key exists in multiple sources, the + value associated with the last source will take precedence. + Values defined by an Env with a duplicate key will + take precedence. Cannot be updated. items: - description: EnvFromSource represents the source of a set of ConfigMaps + description: EnvFromSource represents the source of + a set of ConfigMaps properties: configMapRef: description: The ConfigMap to select from properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
type: string optional: - description: Specify whether the ConfigMap must be defined + description: Specify whether the ConfigMap + must be defined type: boolean type: object x-kubernetes-map-type: atomic prefix: - description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + description: An optional identifier to prepend + to each key in the ConfigMap. Must be a C_IDENTIFIER. type: string secretRef: description: The Secret to select from properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' type: string optional: - description: Specify whether the Secret must be defined + description: Specify whether the Secret must + be defined type: boolean type: object x-kubernetes-map-type: atomic type: object type: array image: - description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config + management to default or override container images + in workload controllers like Deployments and StatefulSets.' type: string imagePullPolicy: - description: 'Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + description: 'Image pull policy. One of Always, Never, + IfNotPresent. 
Defaults to Always if :latest tag is + specified, or IfNotPresent otherwise. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' type: string lifecycle: - description: Actions that the management system should take in response to container lifecycle events. Cannot be updated. + description: Actions that the management system should + take in response to container lifecycle events. Cannot + be updated. properties: postStart: - description: 'PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + description: 'PostStart is called immediately after + a container is created. If the handler fails, + the container is terminated and restarted according + to its restart policy. Other management of the + container blocks until the hook completes. More + info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action to take. properties: command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. 
To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the + request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names will + be understood as the same header. type: string value: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: - description: Path to access on the HTTP server. + description: Path to access on the HTTP + server. type: string port: anyOf: - - type: integer - - type: string - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. + description: Scheme to use for connecting + to the host. Defaults to HTTP. 
type: string required: - - port + - port + type: object + sleep: + description: Sleep represents the duration that + the container should sleep before being terminated. + properties: + seconds: + description: Seconds is the number of seconds + to sleep. + format: int64 + type: integer + required: + - seconds type: object tcpSocket: - description: Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for the backward compatibility. There are no validation of this field and lifecycle hooks will fail in runtime when tcp handler is specified. + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward + compatibility. There are no validation of + this field and lifecycle hooks will fail in + runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: - - type: integer - - type: string - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object preStop: - description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The Pod''s termination grace period countdown begins before the PreStop hook is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period (unless delayed by finalizers). 
Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + description: 'PreStop is called immediately before + a container is terminated due to an API request + or management event such as liveness/startup probe + failure, preemption, resource contention, etc. + The handler is not called if the container crashes + or exits. The Pod''s termination grace period + countdown begins before the PreStop hook is executed. + Regardless of the outcome of the handler, the + container will eventually terminate within the + Pod''s termination grace period (unless delayed + by finalizers). Other management of the container + blocks until the hook completes or until the termination + grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action to take. properties: command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. 
items: type: string type: array type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the + request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names will + be understood as the same header. type: string value: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: - description: Path to access on the HTTP server. + description: Path to access on the HTTP + server. type: string port: anyOf: - - type: integer - - type: string - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. + description: Scheme to use for connecting + to the host. Defaults to HTTP. type: string required: - - port + - port + type: object + sleep: + description: Sleep represents the duration that + the container should sleep before being terminated. 
+ properties: + seconds: + description: Seconds is the number of seconds + to sleep. + format: int64 + type: integer + required: + - seconds type: object tcpSocket: - description: Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for the backward compatibility. There are no validation of this field and lifecycle hooks will fail in runtime when tcp handler is specified. + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward + compatibility. There are no validation of + this field and lifecycle hooks will fail in + runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: - - type: integer - - type: string - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object type: object livenessProbe: - description: 'Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. Cannot + be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: Exec specifies the action to take. properties: command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. 
The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. This is a beta field and requires enabling GRPCContainerProbe feature gate. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). \n If this is not specified, the default behavior is defined by gRPC." + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." 
type: string required: - - port + - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. This + will be canonicalized upon output, so + case-variant names will be understood + as the same header. type: string value: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: 
@@ -511,135 +767,213 @@ spec: type: string port: anyOf: - - type: integer - - type: string - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. + description: Scheme to use for connecting to + the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. 
properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: - - type: integer - - type: string - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. 
Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object name: - description: Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated. + description: Name of the container specified as a DNS_LABEL. + Each container in a pod must have a unique name (DNS_LABEL). + Cannot be updated. type: string ports: - description: List of ports to expose from the container. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Modifying this array with strategic merge patch may corrupt the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. Cannot be updated. + description: List of ports to expose from the container. + Not specifying a port here DOES NOT prevent that port + from being exposed. Any port which is listening on + the default "0.0.0.0" address inside a container will + be accessible from the network. Modifying this array + with strategic merge patch may corrupt the data. For + more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. 
items: - description: ContainerPort represents a network port in a single container. + description: ContainerPort represents a network port + in a single container. properties: containerPort: - description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536. + description: Number of port to expose on the pod's + IP address. This must be a valid port number, + 0 < x < 65536. format: int32 type: integer hostIP: - description: What host IP to bind the external port to. + description: What host IP to bind the external + port to. type: string hostPort: - description: Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this. + description: Number of port to expose on the host. + If specified, this must be a valid port number, + 0 < x < 65536. If HostNetwork is specified, + this must match ContainerPort. Most containers + do not need this. format: int32 type: integer name: - description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services. + description: If specified, this must be an IANA_SVC_NAME + and unique within the pod. Each named port in + a pod must have a unique name. Name for the + port that can be referred to by services. type: string protocol: default: TCP - description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". + description: Protocol for port. Must be UDP, TCP, + or SCTP. Defaults to "TCP". type: string required: - - containerPort + - containerPort type: object type: array x-kubernetes-list-map-keys: - - containerPort - - protocol + - containerPort + - protocol x-kubernetes-list-type: map readinessProbe: - description: 'Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. 
Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: 'Periodic probe of container service readiness. + Container will be removed from service endpoints if + the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: Exec specifies the action to take. properties: command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. This is a beta field and requires enabling GRPCContainerProbe feature gate. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. 
+ description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). \n If this is not specified, the default behavior is defined by gRPC." + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." type: string required: - - port + - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. This + will be canonicalized upon output, so + case-variant names will be understood + as the same header. type: string value: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: 
@@ -647,225 +981,445 @@ spec: type: string port: anyOf: - - type: integer - - type: string - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. + description: Scheme to use for connecting to + the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. 
properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: - - type: integer - - type: string - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. 
Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents resource + resize policy for the container. + properties: + resourceName: + description: 'Name of the resource to which this + resource resize policy applies. Supported values: + cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when specified + resource is resized. If not specified, it defaults + to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: - description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Compute Resources required by this container. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' properties: claims: - description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. 
\n This field is immutable." + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are used + by this container. \n This is an alpha field and + requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can + only be set for containers." items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. + description: Name must match the name of one + entry in pod.spec.resourceClaims of the + Pod where this field is used. It makes that + resource available inside a container. type: string required: - - name + - name type: object type: array x-kubernetes-list-map-keys: - - name + - name x-kubernetes-list-type: map limits: additionalProperties: anyOf: - - type: integer - - type: string + - type: integer + - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Limits describes the maximum amount + of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: anyOf: - - type: integer - - type: string + - type: integer + - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute resources required. 
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Requests describes the minimum amount + of compute resources required. If Requests is + omitted for a container, it defaults to Limits + if that is explicitly specified, otherwise to + an implementation-defined value. Requests cannot + exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object + restartPolicy: + description: 'RestartPolicy defines the restart behavior + of individual containers in a pod. This field may + only be set for init containers, and the only allowed + value is "Always". For non-init containers or when + this field is not specified, the restart behavior + is defined by the Pod''s restart policy and the container + type. Setting the RestartPolicy as "Always" for the + init container will have the following effect: this + init container will be continually restarted on exit + until all regular containers have terminated. Once + all regular containers have completed, all init containers + with restartPolicy "Always" will be shut down. This + lifecycle differs from normal init containers and + is often referred to as a "sidecar" container. Although + this init container still starts in the init container + sequence, it does not wait for the container to complete + before proceeding to the next init container. Instead, + the next init container starts immediately after this + init container is started, or after any startupProbe + has successfully completed.' + type: string securityContext: - description: 'SecurityContext defines the security options the container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. 
More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + description: 'SecurityContext defines the security options + the container should be run with. If set, the fields + of SecurityContext override the equivalent fields + of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' properties: allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.' + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges than + its parent process. This bool directly controls + if the no_new_privs flag will be set on the container + process. AllowPrivilegeEscalation is true always + when the container is: 1) run as Privileged 2) + has CAP_SYS_ADMIN Note that this field cannot + be set when spec.os.name is windows.' type: boolean capabilities: - description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows. + description: The capabilities to add/drop when running + containers. Defaults to the default set of capabilities + granted by the container runtime. Note that this + field cannot be set when spec.os.name is windows. 
properties: add: description: Added capabilities items: - description: Capability represent POSIX capabilities type + description: Capability represent POSIX capabilities + type type: string type: array drop: description: Removed capabilities items: - description: Capability represent POSIX capabilities type + description: Capability represent POSIX capabilities + type type: string type: array type: object privileged: - description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows. + description: Run container in privileged mode. Processes + in privileged containers are essentially equivalent + to root on the host. Defaults to false. Note that + this field cannot be set when spec.os.name is + windows. type: boolean procMount: - description: procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows. + description: procMount denotes the type of proc + mount to use for the containers. The default is + DefaultProcMount which uses the container runtime + defaults for readonly paths and masked paths. + This requires the ProcMountType feature flag to + be enabled. Note that this field cannot be set + when spec.os.name is windows. type: string readOnlyRootFilesystem: - description: Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows. + description: Whether this container has a read-only + root filesystem. Default is false. Note that this + field cannot be set when spec.os.name is windows. type: boolean runAsGroup: - description: The GID to run the entrypoint of the container process. 
Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. + description: The GID to run the entrypoint of the + container process. Uses runtime default if unset. + May also be set in PodSecurityContext. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. format: int64 type: integer runAsNonRoot: - description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + description: Indicates that the container must run + as a non-root user. If true, the Kubelet will + validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start + the container if it does. If unset or false, no + such validation will be performed. May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence. type: boolean runAsUser: - description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. + description: The UID to run the entrypoint of the + container process. Defaults to user specified + in image metadata if unspecified. 
May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence. Note that this + field cannot be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: - description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. + description: The SELinux context to be applied to + the container. If unspecified, the container runtime + will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. properties: level: - description: Level is SELinux level label that applies to the container. + description: Level is SELinux level label that + applies to the container. type: string role: - description: Role is a SELinux role label that applies to the container. + description: Role is a SELinux role label that + applies to the container. type: string type: - description: Type is a SELinux type label that applies to the container. + description: Type is a SELinux type label that + applies to the container. type: string user: - description: User is a SELinux user label that applies to the container. + description: User is a SELinux user label that + applies to the container. type: string type: object seccompProfile: - description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. 
Note that this field cannot be set when spec.os.name is windows. + description: The seccomp options to use by this + container. If seccomp options are provided at + both the pod & container level, the container + options override the pod options. Note that this + field cannot be set when spec.os.name is windows. properties: localhostProfile: - description: localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if type is "Localhost". + description: localhostProfile indicates a profile + defined in a file on the node should be used. + The profile must be preconfigured on the node + to work. Must be a descending path, relative + to the kubelet's configured seccomp profile + location. Must be set if type is "Localhost". + Must NOT be set for any other type. type: string type: - description: "type indicates which kind of seccomp profile will be applied. Valid options are: \n Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied." + description: "type indicates which kind of seccomp + profile will be applied. Valid options are: + \n Localhost - a profile defined in a file + on the node should be used. RuntimeDefault + - the container runtime default profile should + be used. Unconfined - no profile should be + applied." type: string required: - - type + - type type: object windowsOptions: - description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux. 
+ description: The Windows specific settings applied + to all containers. If unspecified, the options + from the PodSecurityContext will be used. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. properties: gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. + description: GMSACredentialSpec is where the + GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. type: string hostProcess: - description: HostProcess determines if a container should be run as a 'Host Process' container. This field is alpha-level and will only be honored by components that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors when validating the Pod. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true. + description: HostProcess determines if a container + should be run as a 'Host Process' container. + All of a Pod's containers must have the same + effective HostProcess value (it is not allowed + to have a mix of HostProcess containers and + non-HostProcess containers). In addition, + if HostProcess is true then HostNetwork must + also be set to true. 
type: boolean runAsUserName: - description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + description: The UserName in Windows to run + the entrypoint of the container process. Defaults + to the user specified in image metadata if + unspecified. May also be set in PodSecurityContext. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. type: string type: object type: object startupProbe: - description: 'StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod''s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: 'StartupProbe indicates that the Pod has + successfully initialized. If specified, no other probes + are executed until this completes successfully. If + this probe fails, the Pod will be restarted, just + as if the livenessProbe failed. This can be used to + provide different probe parameters at the beginning + of a Pod''s lifecycle, when it might take a long time + to load data or warm a cache, than during steady-state + operation. This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: Exec specifies the action to take. 
properties: command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. This is a beta field and requires enabling GRPCContainerProbe feature gate. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). \n If this is not specified, the default behavior is defined by gRPC." 
+ description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." type: string required: - - port + - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. This + will be canonicalized upon output, so + case-variant names will be understood + as the same header. type: string value: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: 
@@ -873,146 +1427,269 @@ spec: type: string port: anyOf: - - type: integer - - type: string - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. + description: Scheme to use for connecting to + the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. 
properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: - - type: integer - - type: string - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. 
Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object stdin: - description: Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false. + description: Whether this container should allocate + a buffer for stdin in the container runtime. If this + is not set, reads from stdin in the container will + always result in EOF. Default is false. type: boolean stdinOnce: - description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false + description: Whether the container runtime should close + the stdin channel after it has been opened by a single + attach. 
When stdin is true the stdin stream will remain + open across multiple attach sessions. If stdinOnce + is set to true, stdin is opened on container start, + is empty until the first client attaches to stdin, + and then remains open and accepts data until the client + disconnects, at which time stdin is closed and remains + closed until the container is restarted. If this flag + is false, a container processes that reads from stdin + will never receive an EOF. Default is false type: boolean terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + description: 'Optional: Path at which the file to which + the container''s termination message will be written + is mounted into the container''s filesystem. Message + written is intended to be brief final status, such + as an assertion failure message. Will be truncated + by the node if greater than 4096 bytes. The total + message length across all containers will be limited + to 12kb. Defaults to /dev/termination-log. Cannot + be updated.' type: string terminationMessagePolicy: - description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. + description: Indicate how the termination message should + be populated. 
File will use the contents of terminationMessagePath + to populate the container status message on both success + and failure. FallbackToLogsOnError will use the last + chunk of container log output if the termination message + file is empty and the container exited with an error. + The log output is limited to 2048 bytes or 80 lines, + whichever is smaller. Defaults to File. Cannot be + updated. type: string tty: - description: Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false. + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be true. + Default is false. type: boolean volumeDevices: - description: volumeDevices is the list of block devices to be used by the container. + description: volumeDevices is the list of block devices + to be used by the container. items: - description: volumeDevice describes a mapping of a raw block device within a container. + description: volumeDevice describes a mapping of a + raw block device within a container. properties: devicePath: - description: devicePath is the path inside of the container that the device will be mapped to. + description: devicePath is the path inside of + the container that the device will be mapped + to. type: string name: - description: name must match the name of a persistentVolumeClaim in the pod + description: name must match the name of a persistentVolumeClaim + in the pod type: string required: - - devicePath - - name + - devicePath + - name type: object type: array volumeMounts: - description: Pod volumes to mount into the container's filesystem. Cannot be updated. + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. items: - description: VolumeMount describes a mounting of a Volume within a container. + description: VolumeMount describes a mounting of a + Volume within a container. 
properties: mountPath: - description: Path within the container at which the volume should be mounted. Must not contain ':'. + description: Path within the container at which + the volume should be mounted. Must not contain + ':'. type: string mountPropagation: - description: mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. + description: mountPropagation determines how mounts + are propagated from the host to container and + the other way around. When not set, MountPropagationNone + is used. This field is beta in 1.10. type: string name: description: This must match the Name of a Volume. type: string readOnly: - description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. + description: Mounted read-only if true, read-write + otherwise (false or unspecified). Defaults to + false. type: boolean subPath: - description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). + description: Path within the volume from which + the container's volume should be mounted. Defaults + to "" (volume's root). type: string subPathExpr: - description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. + description: Expanded path within the volume from + which the container's volume should be mounted. + Behaves similarly to SubPath but environment + variable references $(VAR_NAME) are expanded + using the container's environment. Defaults + to "" (volume's root). SubPathExpr and SubPath + are mutually exclusive. 
type: string required: - - mountPath - - name + - mountPath + - name type: object type: array workingDir: - description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. + description: Container's working directory. If not specified, + the container runtime's default will be used, which + might be configured in the container image. Cannot + be updated. type: string required: - - name + - name type: object type: array additionalInitContainers: - description: AdditionalInitContainers allows adding additional init containers to the Control Plane deployment. + description: AdditionalInitContainers allows adding additional + init containers to the Control Plane deployment. items: - description: A single application container that you want to run within a pod. + description: A single application container that you want + to run within a pod. properties: args: - description: 'Arguments to the entrypoint. The container image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: 'Arguments to the entrypoint. The container + image''s CMD is used if this is not provided. Variable + references $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, the + reference in the input string will be unchanged. 
Double + $$ are reduced to a single $, which allows for escaping + the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce + the string literal "$(VAR_NAME)". Escaped references + will never be expanded, regardless of whether the + variable exists or not. Cannot be updated. More info: + https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array command: - description: 'Entrypoint array. Not executed within a shell. The container image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is used + if this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. If + a variable cannot be resolved, the reference in the + input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) + syntax: i.e. "$$(VAR_NAME)" will produce the string + literal "$(VAR_NAME)". Escaped references will never + be expanded, regardless of whether the variable exists + or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array env: - description: List of environment variables to set in the container. Cannot be updated. 
+ description: List of environment variables to set in + the container. Cannot be updated. items: - description: EnvVar represents an environment variable present in a Container. + description: EnvVar represents an environment variable + present in a Container. properties: name: - description: Name of the environment variable. Must be a C_IDENTIFIER. + description: Name of the environment variable. + Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined environment + variables in the container and any service environment + variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults + to "".' type: string valueFrom: - description: Source for the environment variable's value. Cannot be used if value is not empty. + description: Source for the environment variable's + value. Cannot be used if value is not empty. properties: configMapKeyRef: description: Selects a key of a ConfigMap. 
@@ -1021,290 +1698,467 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' type: string optional: - description: Specify whether the ConfigMap or its key must be defined + description: Specify whether the ConfigMap + or its key must be defined type: boolean required: - - key + - key type: object x-kubernetes-map-type: atomic fieldRef: - description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['''']`, `metadata.annotations['''']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.' + description: 'Selects a field of the pod: + supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' properties: apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". type: string fieldPath: - description: Path of the field to select in the specified API version. + description: Path of the field to select + in the specified API version. type: string required: - - fieldPath + - fieldPath type: object x-kubernetes-map-type: atomic resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' 
+ description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, limits.ephemeral-storage, + requests.cpu, requests.memory and requests.ephemeral-storage) + are currently supported.' properties: containerName: - description: 'Container name: required for volumes, optional for env vars' + description: 'Container name: required + for volumes, optional for env vars' type: string divisor: anyOf: - - type: integer - - type: string - description: Specifies the output format of the exposed resources, defaults to "1" + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: description: 'Required: resource to select' type: string required: - - resource + - resource type: object x-kubernetes-map-type: atomic secretKeyRef: - description: Selects a key of a secret in the pod's namespace + description: Selects a key of a secret in + the pod's namespace properties: key: - description: The key of the secret to select from. Must be a valid secret key. + description: The key of the secret to + select from. Must be a valid secret + key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
type: string optional: - description: Specify whether the Secret or its key must be defined + description: Specify whether the Secret + or its key must be defined type: boolean required: - - key + - key type: object x-kubernetes-map-type: atomic type: object required: - - name + - name type: object type: array envFrom: - description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. + description: List of sources to populate environment + variables in the container. The keys defined within + a source must be a C_IDENTIFIER. All invalid keys + will be reported as an event when the container is + starting. When a key exists in multiple sources, the + value associated with the last source will take precedence. + Values defined by an Env with a duplicate key will + take precedence. Cannot be updated. items: - description: EnvFromSource represents the source of a set of ConfigMaps + description: EnvFromSource represents the source of + a set of ConfigMaps properties: configMapRef: description: The ConfigMap to select from properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
type: string optional: - description: Specify whether the ConfigMap must be defined + description: Specify whether the ConfigMap + must be defined type: boolean type: object x-kubernetes-map-type: atomic prefix: - description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + description: An optional identifier to prepend + to each key in the ConfigMap. Must be a C_IDENTIFIER. type: string secretRef: description: The Secret to select from properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' type: string optional: - description: Specify whether the Secret must be defined + description: Specify whether the Secret must + be defined type: boolean type: object x-kubernetes-map-type: atomic type: object type: array image: - description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config + management to default or override container images + in workload controllers like Deployments and StatefulSets.' type: string imagePullPolicy: - description: 'Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + description: 'Image pull policy. One of Always, Never, + IfNotPresent. 
Defaults to Always if :latest tag is + specified, or IfNotPresent otherwise. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' type: string lifecycle: - description: Actions that the management system should take in response to container lifecycle events. Cannot be updated. + description: Actions that the management system should + take in response to container lifecycle events. Cannot + be updated. properties: postStart: - description: 'PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + description: 'PostStart is called immediately after + a container is created. If the handler fails, + the container is terminated and restarted according + to its restart policy. Other management of the + container blocks until the hook completes. More + info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action to take. properties: command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. 
To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the + request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names will + be understood as the same header. type: string value: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: - description: Path to access on the HTTP server. + description: Path to access on the HTTP + server. type: string port: anyOf: - - type: integer - - type: string - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. + description: Scheme to use for connecting + to the host. Defaults to HTTP. 
type: string required: - - port + - port + type: object + sleep: + description: Sleep represents the duration that + the container should sleep before being terminated. + properties: + seconds: + description: Seconds is the number of seconds + to sleep. + format: int64 + type: integer + required: + - seconds type: object tcpSocket: - description: Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for the backward compatibility. There are no validation of this field and lifecycle hooks will fail in runtime when tcp handler is specified. + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward + compatibility. There are no validation of + this field and lifecycle hooks will fail in + runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: - - type: integer - - type: string - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object preStop: - description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The Pod''s termination grace period countdown begins before the PreStop hook is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period (unless delayed by finalizers). 
Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + description: 'PreStop is called immediately before + a container is terminated due to an API request + or management event such as liveness/startup probe + failure, preemption, resource contention, etc. + The handler is not called if the container crashes + or exits. The Pod''s termination grace period + countdown begins before the PreStop hook is executed. + Regardless of the outcome of the handler, the + container will eventually terminate within the + Pod''s termination grace period (unless delayed + by finalizers). Other management of the container + blocks until the hook completes or until the termination + grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: description: Exec specifies the action to take. properties: command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + description: Command is the command line + to execute inside the container, the working + directory for the command is root ('/') + in the container's filesystem. The command + is simply exec'd, it is not run inside + a shell, so traditional shell instructions + ('|', etc) won't work. To use a shell, + you need to explicitly call out to that + shell. Exit status of 0 is treated as + live/healthy and non-zero is unhealthy. 
items: type: string type: array type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + description: Host name to connect to, defaults + to the pod IP. You probably want to set + "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the + request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names will + be understood as the same header. type: string value: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: - description: Path to access on the HTTP server. + description: Path to access on the HTTP + server. type: string port: anyOf: - - type: integer - - type: string - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. + description: Scheme to use for connecting + to the host. Defaults to HTTP. type: string required: - - port + - port + type: object + sleep: + description: Sleep represents the duration that + the container should sleep before being terminated. 
+ properties: + seconds: + description: Seconds is the number of seconds + to sleep. + format: int64 + type: integer + required: + - seconds type: object tcpSocket: - description: Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for the backward compatibility. There are no validation of this field and lifecycle hooks will fail in runtime when tcp handler is specified. + description: Deprecated. TCPSocket is NOT supported + as a LifecycleHandler and kept for the backward + compatibility. There are no validation of + this field and lifecycle hooks will fail in + runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: - - type: integer - - type: string - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object type: object type: object livenessProbe: - description: 'Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. Cannot + be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: Exec specifies the action to take. properties: command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. 
The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. This is a beta field and requires enabling GRPCContainerProbe feature gate. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). \n If this is not specified, the default behavior is defined by gRPC." + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." 
type: string required: - - port + - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. This + will be canonicalized upon output, so + case-variant names will be understood + as the same header. type: string value: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: 
@@ -1312,135 +2166,213 @@ spec: type: string port: anyOf: - - type: integer - - type: string - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. + description: Scheme to use for connecting to + the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. 
properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: - - type: integer - - type: string - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. 
Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object name: - description: Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated. + description: Name of the container specified as a DNS_LABEL. + Each container in a pod must have a unique name (DNS_LABEL). + Cannot be updated. type: string ports: - description: List of ports to expose from the container. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Modifying this array with strategic merge patch may corrupt the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. Cannot be updated. + description: List of ports to expose from the container. + Not specifying a port here DOES NOT prevent that port + from being exposed. Any port which is listening on + the default "0.0.0.0" address inside a container will + be accessible from the network. Modifying this array + with strategic merge patch may corrupt the data. For + more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. 
items: - description: ContainerPort represents a network port in a single container. + description: ContainerPort represents a network port + in a single container. properties: containerPort: - description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536. + description: Number of port to expose on the pod's + IP address. This must be a valid port number, + 0 < x < 65536. format: int32 type: integer hostIP: - description: What host IP to bind the external port to. + description: What host IP to bind the external + port to. type: string hostPort: - description: Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this. + description: Number of port to expose on the host. + If specified, this must be a valid port number, + 0 < x < 65536. If HostNetwork is specified, + this must match ContainerPort. Most containers + do not need this. format: int32 type: integer name: - description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services. + description: If specified, this must be an IANA_SVC_NAME + and unique within the pod. Each named port in + a pod must have a unique name. Name for the + port that can be referred to by services. type: string protocol: default: TCP - description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". + description: Protocol for port. Must be UDP, TCP, + or SCTP. Defaults to "TCP". type: string required: - - containerPort + - containerPort type: object type: array x-kubernetes-list-map-keys: - - containerPort - - protocol + - containerPort + - protocol x-kubernetes-list-type: map readinessProbe: - description: 'Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. 
Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: 'Periodic probe of container service readiness. + Container will be removed from service endpoints if + the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: Exec specifies the action to take. properties: command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. This is a beta field and requires enabling GRPCContainerProbe feature gate. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. 
+ description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). \n If this is not specified, the default behavior is defined by gRPC." + description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." type: string required: - - port + - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. This + will be canonicalized upon output, so + case-variant names will be understood + as the same header. type: string value: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: 
@@ -1448,225 +2380,445 @@ spec: type: string port: anyOf: - - type: integer - - type: string - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. + description: Scheme to use for connecting to + the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. 
properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: - - type: integer - - type: string - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. 
Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents resource + resize policy for the container. + properties: + resourceName: + description: 'Name of the resource to which this + resource resize policy applies. Supported values: + cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when specified + resource is resized. If not specified, it defaults + to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: - description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Compute Resources required by this container. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' properties: claims: - description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. 
\n This field is immutable." + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are used + by this container. \n This is an alpha field and + requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can + only be set for containers." items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. + description: Name must match the name of one + entry in pod.spec.resourceClaims of the + Pod where this field is used. It makes that + resource available inside a container. type: string required: - - name + - name type: object type: array x-kubernetes-list-map-keys: - - name + - name x-kubernetes-list-type: map limits: additionalProperties: anyOf: - - type: integer - - type: string + - type: integer + - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Limits describes the maximum amount + of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: anyOf: - - type: integer - - type: string + - type: integer + - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute resources required. 
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Requests describes the minimum amount + of compute resources required. If Requests is + omitted for a container, it defaults to Limits + if that is explicitly specified, otherwise to + an implementation-defined value. Requests cannot + exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object + restartPolicy: + description: 'RestartPolicy defines the restart behavior + of individual containers in a pod. This field may + only be set for init containers, and the only allowed + value is "Always". For non-init containers or when + this field is not specified, the restart behavior + is defined by the Pod''s restart policy and the container + type. Setting the RestartPolicy as "Always" for the + init container will have the following effect: this + init container will be continually restarted on exit + until all regular containers have terminated. Once + all regular containers have completed, all init containers + with restartPolicy "Always" will be shut down. This + lifecycle differs from normal init containers and + is often referred to as a "sidecar" container. Although + this init container still starts in the init container + sequence, it does not wait for the container to complete + before proceeding to the next init container. Instead, + the next init container starts immediately after this + init container is started, or after any startupProbe + has successfully completed.' + type: string securityContext: - description: 'SecurityContext defines the security options the container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. 
More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + description: 'SecurityContext defines the security options + the container should be run with. If set, the fields + of SecurityContext override the equivalent fields + of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' properties: allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.' + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges than + its parent process. This bool directly controls + if the no_new_privs flag will be set on the container + process. AllowPrivilegeEscalation is true always + when the container is: 1) run as Privileged 2) + has CAP_SYS_ADMIN Note that this field cannot + be set when spec.os.name is windows.' type: boolean capabilities: - description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows. + description: The capabilities to add/drop when running + containers. Defaults to the default set of capabilities + granted by the container runtime. Note that this + field cannot be set when spec.os.name is windows. 
properties: add: description: Added capabilities items: - description: Capability represent POSIX capabilities type + description: Capability represent POSIX capabilities + type type: string type: array drop: description: Removed capabilities items: - description: Capability represent POSIX capabilities type + description: Capability represent POSIX capabilities + type type: string type: array type: object privileged: - description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows. + description: Run container in privileged mode. Processes + in privileged containers are essentially equivalent + to root on the host. Defaults to false. Note that + this field cannot be set when spec.os.name is + windows. type: boolean procMount: - description: procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows. + description: procMount denotes the type of proc + mount to use for the containers. The default is + DefaultProcMount which uses the container runtime + defaults for readonly paths and masked paths. + This requires the ProcMountType feature flag to + be enabled. Note that this field cannot be set + when spec.os.name is windows. type: string readOnlyRootFilesystem: - description: Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows. + description: Whether this container has a read-only + root filesystem. Default is false. Note that this + field cannot be set when spec.os.name is windows. type: boolean runAsGroup: - description: The GID to run the entrypoint of the container process. 
Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. + description: The GID to run the entrypoint of the + container process. Uses runtime default if unset. + May also be set in PodSecurityContext. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. format: int64 type: integer runAsNonRoot: - description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + description: Indicates that the container must run + as a non-root user. If true, the Kubelet will + validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start + the container if it does. If unset or false, no + such validation will be performed. May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence. type: boolean runAsUser: - description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. + description: The UID to run the entrypoint of the + container process. Defaults to user specified + in image metadata if unspecified. 
May also be + set in PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence. Note that this + field cannot be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: - description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. + description: The SELinux context to be applied to + the container. If unspecified, the container runtime + will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is windows. properties: level: - description: Level is SELinux level label that applies to the container. + description: Level is SELinux level label that + applies to the container. type: string role: - description: Role is a SELinux role label that applies to the container. + description: Role is a SELinux role label that + applies to the container. type: string type: - description: Type is a SELinux type label that applies to the container. + description: Type is a SELinux type label that + applies to the container. type: string user: - description: User is a SELinux user label that applies to the container. + description: User is a SELinux user label that + applies to the container. type: string type: object seccompProfile: - description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. 
Note that this field cannot be set when spec.os.name is windows. + description: The seccomp options to use by this + container. If seccomp options are provided at + both the pod & container level, the container + options override the pod options. Note that this + field cannot be set when spec.os.name is windows. properties: localhostProfile: - description: localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if type is "Localhost". + description: localhostProfile indicates a profile + defined in a file on the node should be used. + The profile must be preconfigured on the node + to work. Must be a descending path, relative + to the kubelet's configured seccomp profile + location. Must be set if type is "Localhost". + Must NOT be set for any other type. type: string type: - description: "type indicates which kind of seccomp profile will be applied. Valid options are: \n Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied." + description: "type indicates which kind of seccomp + profile will be applied. Valid options are: + \n Localhost - a profile defined in a file + on the node should be used. RuntimeDefault + - the container runtime default profile should + be used. Unconfined - no profile should be + applied." type: string required: - - type + - type type: object windowsOptions: - description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux. 
+ description: The Windows specific settings applied + to all containers. If unspecified, the options + from the PodSecurityContext will be used. If set + in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. properties: gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. + description: GMSACredentialSpec is where the + GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. type: string hostProcess: - description: HostProcess determines if a container should be run as a 'Host Process' container. This field is alpha-level and will only be honored by components that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors when validating the Pod. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true. + description: HostProcess determines if a container + should be run as a 'Host Process' container. + All of a Pod's containers must have the same + effective HostProcess value (it is not allowed + to have a mix of HostProcess containers and + non-HostProcess containers). In addition, + if HostProcess is true then HostNetwork must + also be set to true. 
type: boolean runAsUserName: - description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + description: The UserName in Windows to run + the entrypoint of the container process. Defaults + to the user specified in image metadata if + unspecified. May also be set in PodSecurityContext. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. type: string type: object type: object startupProbe: - description: 'StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod''s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: 'StartupProbe indicates that the Pod has + successfully initialized. If specified, no other probes + are executed until this completes successfully. If + this probe fails, the Pod will be restarted, just + as if the livenessProbe failed. This can be used to + provide different probe parameters at the beginning + of a Pod''s lifecycle, when it might take a long time + to load data or warm a cache, than during steady-state + operation. This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: description: Exec specifies the action to take. 
properties: command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + description: Command is the command line to + execute inside the container, the working + directory for the command is root ('/') in + the container's filesystem. The command is + simply exec'd, it is not run inside a shell, + so traditional shell instructions ('|', etc) + won't work. To use a shell, you need to explicitly + call out to that shell. Exit status of 0 is + treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving a GRPC port. This is a beta field and requires enabling GRPCContainerProbe feature gate. + description: GRPC specifies an action involving + a GRPC port. properties: port: - description: Port number of the gRPC service. Number must be in the range 1 to 65535. + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). \n If this is not specified, the default behavior is defined by gRPC." 
+ description: "Service is the name of the service + to place in the gRPC HealthCheckRequest (see + https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default behavior + is defined by gRPC." type: string required: - - port + - port type: object httpGet: - description: HTTPGet specifies the http request to perform. + description: HTTPGet specifies the http request + to perform. properties: host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + description: Host name to connect to, defaults + to the pod IP. You probably want to set "Host" + in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. + description: Custom headers to set in the request. + HTTP allows repeated headers. items: - description: HTTPHeader describes a custom header to be used in HTTP probes + description: HTTPHeader describes a custom + header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. This + will be canonicalized upon output, so + case-variant names will be understood + as the same header. type: string value: description: The header field value type: string required: - - name - - value + - name + - value type: object type: array path: 
@@ -1674,120 +2826,209 @@ spec: type: string port: anyOf: - - type: integer - - type: string - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + - type: integer + - type: string + description: Name or number of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. + description: Scheme to use for connecting to + the host. Defaults to HTTP. type: string required: - - port + - port type: object initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: 'Number of seconds after the container + has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. + description: How often (in seconds) to perform the + probe. Default to 10 seconds. Minimum value is + 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + description: Minimum consecutive successes for the + probe to be considered successful after having + failed. Defaults to 1. Must be 1 for liveness + and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving a TCP port. + description: TCPSocket specifies an action involving + a TCP port. 
properties: host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' + description: 'Optional: Host name to connect + to, defaults to the pod IP.' type: string port: anyOf: - - type: integer - - type: string - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + - type: integer + - type: string + description: Number or name of the port to access + on the container. Number must be in the range + 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - - port + - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + description: Optional duration in seconds the pod + needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after + the processes running in the pod are sent a termination + signal and the time when the processes are forcibly + halted with a kill signal. Set this value longer + than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds + will be used. Otherwise, this value overrides + the value provided by the pod spec. 
Value must + be non-negative integer. The value zero indicates + stop immediately via the kill signal (no opportunity + to shut down). This is a beta field and requires + enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds + is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + description: 'Number of seconds after which the + probe times out. Defaults to 1 second. Minimum + value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object stdin: - description: Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false. + description: Whether this container should allocate + a buffer for stdin in the container runtime. If this + is not set, reads from stdin in the container will + always result in EOF. Default is false. type: boolean stdinOnce: - description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false + description: Whether the container runtime should close + the stdin channel after it has been opened by a single + attach. 
When stdin is true the stdin stream will remain + open across multiple attach sessions. If stdinOnce + is set to true, stdin is opened on container start, + is empty until the first client attaches to stdin, + and then remains open and accepts data until the client + disconnects, at which time stdin is closed and remains + closed until the container is restarted. If this flag + is false, a container processes that reads from stdin + will never receive an EOF. Default is false type: boolean terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + description: 'Optional: Path at which the file to which + the container''s termination message will be written + is mounted into the container''s filesystem. Message + written is intended to be brief final status, such + as an assertion failure message. Will be truncated + by the node if greater than 4096 bytes. The total + message length across all containers will be limited + to 12kb. Defaults to /dev/termination-log. Cannot + be updated.' type: string terminationMessagePolicy: - description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. + description: Indicate how the termination message should + be populated. 
File will use the contents of terminationMessagePath + to populate the container status message on both success + and failure. FallbackToLogsOnError will use the last + chunk of container log output if the termination message + file is empty and the container exited with an error. + The log output is limited to 2048 bytes or 80 lines, + whichever is smaller. Defaults to File. Cannot be + updated. type: string tty: - description: Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false. + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be true. + Default is false. type: boolean volumeDevices: - description: volumeDevices is the list of block devices to be used by the container. + description: volumeDevices is the list of block devices + to be used by the container. items: - description: volumeDevice describes a mapping of a raw block device within a container. + description: volumeDevice describes a mapping of a + raw block device within a container. properties: devicePath: - description: devicePath is the path inside of the container that the device will be mapped to. + description: devicePath is the path inside of + the container that the device will be mapped + to. type: string name: - description: name must match the name of a persistentVolumeClaim in the pod + description: name must match the name of a persistentVolumeClaim + in the pod type: string required: - - devicePath - - name + - devicePath + - name type: object type: array volumeMounts: - description: Pod volumes to mount into the container's filesystem. Cannot be updated. + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. items: - description: VolumeMount describes a mounting of a Volume within a container. + description: VolumeMount describes a mounting of a + Volume within a container. 
properties: mountPath: - description: Path within the container at which the volume should be mounted. Must not contain ':'. + description: Path within the container at which + the volume should be mounted. Must not contain + ':'. type: string mountPropagation: - description: mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. + description: mountPropagation determines how mounts + are propagated from the host to container and + the other way around. When not set, MountPropagationNone + is used. This field is beta in 1.10. type: string name: description: This must match the Name of a Volume. type: string readOnly: - description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. + description: Mounted read-only if true, read-write + otherwise (false or unspecified). Defaults to + false. type: boolean subPath: - description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). + description: Path within the volume from which + the container's volume should be mounted. Defaults + to "" (volume's root). type: string subPathExpr: - description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. + description: Expanded path within the volume from + which the container's volume should be mounted. + Behaves similarly to SubPath but environment + variable references $(VAR_NAME) are expanded + using the container's environment. Defaults + to "" (volume's root). SubPathExpr and SubPath + are mutually exclusive. 
type: string required: - - mountPath - - name + - mountPath + - name type: object type: array workingDir: - description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. + description: Container's working directory. If not specified, + the container runtime's default will be used, which + might be configured in the container image. Cannot + be updated. type: string required: - - name + - name type: object type: array additionalMetadata: - description: AdditionalMetadata defines which additional metadata, such as labels and annotations, must be attached to the created resource. + description: AdditionalMetadata defines which additional metadata, + such as labels and annotations, must be attached to the + created resource. properties: annotations: additionalProperties: 
@@ -1799,1515 +3040,3030 @@ spec: type: object type: object additionalVolumeMounts: - description: AdditionalVolumeMounts allows to mount an additional volume into each component of the Control Plane (kube-apiserver, controller-manager, and scheduler). + description: AdditionalVolumeMounts allows to mount an additional + volume into each component of the Control Plane (kube-apiserver, + controller-manager, and scheduler). properties: apiServer: items: - description: VolumeMount describes a mounting of a Volume within a container. + description: VolumeMount describes a mounting of a Volume + within a container. properties: mountPath: - description: Path within the container at which the volume should be mounted. Must not contain ':'. + description: Path within the container at which + the volume should be mounted. Must not contain + ':'. type: string mountPropagation: - description: mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. + description: mountPropagation determines how mounts + are propagated from the host to container and + the other way around. When not set, MountPropagationNone + is used. This field is beta in 1.10. type: string name: description: This must match the Name of a Volume. type: string readOnly: - description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. + description: Mounted read-only if true, read-write + otherwise (false or unspecified). Defaults to + false. type: boolean subPath: - description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). + description: Path within the volume from which the + container's volume should be mounted. Defaults + to "" (volume's root). type: string subPathExpr: - description: Expanded path within the volume from which the container's volume should be mounted. 
Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. + description: Expanded path within the volume from + which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable + references $(VAR_NAME) are expanded using the + container's environment. Defaults to "" (volume's + root). SubPathExpr and SubPath are mutually exclusive. type: string required: - - mountPath - - name + - mountPath + - name type: object type: array controllerManager: items: - description: VolumeMount describes a mounting of a Volume within a container. + description: VolumeMount describes a mounting of a Volume + within a container. properties: mountPath: - description: Path within the container at which the volume should be mounted. Must not contain ':'. + description: Path within the container at which + the volume should be mounted. Must not contain + ':'. type: string mountPropagation: - description: mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. + description: mountPropagation determines how mounts + are propagated from the host to container and + the other way around. When not set, MountPropagationNone + is used. This field is beta in 1.10. type: string name: description: This must match the Name of a Volume. type: string readOnly: - description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. + description: Mounted read-only if true, read-write + otherwise (false or unspecified). Defaults to + false. type: boolean subPath: - description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). 
+ description: Path within the volume from which the + container's volume should be mounted. Defaults + to "" (volume's root). type: string subPathExpr: - description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. + description: Expanded path within the volume from + which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable + references $(VAR_NAME) are expanded using the + container's environment. Defaults to "" (volume's + root). SubPathExpr and SubPath are mutually exclusive. type: string required: - - mountPath - - name + - mountPath + - name type: object type: array scheduler: items: - description: VolumeMount describes a mounting of a Volume within a container. + description: VolumeMount describes a mounting of a Volume + within a container. properties: mountPath: - description: Path within the container at which the volume should be mounted. Must not contain ':'. + description: Path within the container at which + the volume should be mounted. Must not contain + ':'. type: string mountPropagation: - description: mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. + description: mountPropagation determines how mounts + are propagated from the host to container and + the other way around. When not set, MountPropagationNone + is used. This field is beta in 1.10. type: string name: description: This must match the Name of a Volume. type: string readOnly: - description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. + description: Mounted read-only if true, read-write + otherwise (false or unspecified). 
Defaults to + false. type: boolean subPath: - description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). + description: Path within the volume from which the + container's volume should be mounted. Defaults + to "" (volume's root). type: string subPathExpr: - description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. + description: Expanded path within the volume from + which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable + references $(VAR_NAME) are expanded using the + container's environment. Defaults to "" (volume's + root). SubPathExpr and SubPath are mutually exclusive. type: string required: - - mountPath - - name + - mountPath + - name type: object type: array type: object additionalVolumes: - description: AdditionalVolumes allows to add additional volumes to the Control Plane deployment. + description: AdditionalVolumes allows to add additional volumes + to the Control Plane deployment. items: - description: Volume represents a named volume in a pod that may be accessed by any container in the pod. + description: Volume represents a named volume in a pod that + may be accessed by any container in the pod. properties: awsElasticBlockStore: - description: 'awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: 'awsElasticBlockStore represents an AWS + Disk resource that is attached to a kubelet''s host + machine and then exposed to the pod. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' properties: fsType: - description: 'fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore TODO: how do we prevent errors in the filesystem from compromising the machine' + description: 'fsType is the filesystem type of the + volume that you want to mount. Tip: Ensure that + the filesystem type is supported by the host operating + system. Examples: "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem + from compromising the machine' type: string partition: - description: 'partition is the partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as "1". Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).' + description: 'partition is the partition in the + volume that you want to mount. If omitted, the + default is to mount by volume name. Examples: + For volume /dev/sda1, you specify the partition + as "1". Similarly, the volume partition for /dev/sda + is "0" (or you can leave the property empty).' format: int32 type: integer readOnly: - description: 'readOnly value true will force the readOnly setting in VolumeMounts. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: 'readOnly value true will force the + readOnly setting in VolumeMounts. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: boolean volumeID: - description: 'volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: 'volumeID is unique ID of the persistent + disk resource in AWS (Amazon EBS volume). More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: string required: - - volumeID + - volumeID type: object azureDisk: - description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. + description: azureDisk represents an Azure Data Disk + mount on the host and bind mount to the pod. properties: cachingMode: - description: 'cachingMode is the Host Caching mode: None, Read Only, Read Write.' + description: 'cachingMode is the Host Caching mode: + None, Read Only, Read Write.' type: string diskName: - description: diskName is the Name of the data disk in the blob storage + description: diskName is the Name of the data disk + in the blob storage type: string diskURI: - description: diskURI is the URI of data disk in the blob storage + description: diskURI is the URI of data disk in + the blob storage type: string fsType: - description: fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + description: fsType is Filesystem type to mount. + Must be a filesystem type supported by the host + operating system. Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. type: string kind: - description: 'kind expected values are Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). 
defaults to shared' + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single + blob disk per storage account Managed: azure + managed data disk (only in managed availability + set). defaults to shared' type: string readOnly: - description: readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: readOnly Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. type: boolean required: - - diskName - - diskURI + - diskName + - diskURI type: object azureFile: - description: azureFile represents an Azure File Service mount on the host and bind mount to the pod. + description: azureFile represents an Azure File Service + mount on the host and bind mount to the pod. properties: readOnly: - description: readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. 
type: boolean secretName: - description: secretName is the name of secret that contains Azure Storage Account Name and Key + description: secretName is the name of secret that + contains Azure Storage Account Name and Key type: string shareName: description: shareName is the azure share Name type: string required: - - secretName - - shareName + - secretName + - shareName type: object cephfs: - description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime + description: cephFS represents a Ceph FS mount on the + host that shares a pod's lifetime properties: monitors: - description: 'monitors is Required: Monitors is a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'monitors is Required: Monitors is + a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' items: type: string type: array path: - description: 'path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /' + description: 'path is Optional: Used as the mounted + root, rather than the full Ceph tree, default + is /' type: string readOnly: - description: 'readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'readOnly is Optional: Defaults to + false (read/write). ReadOnly here will force the + ReadOnly setting in VolumeMounts. 
More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: boolean secretFile: - description: 'secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'secretFile is Optional: SecretFile + is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string secretRef: - description: 'secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'secretRef is Optional: SecretRef is + reference to the authentication secret for User, + default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' type: string type: object x-kubernetes-map-type: atomic user: - description: 'user is optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'user is optional: User is the rados + user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string required: - - monitors + - monitors type: object cinder: - description: 'cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: 'cinder represents a cinder volume attached + and mounted on kubelets host machine. 
More info: https://examples.k8s.io/mysql-cinder-pd/README.md' properties: fsType: - description: 'fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: 'fsType is the filesystem type to mount. + Must be a filesystem type supported by the host + operating system. Examples: "ext4", "xfs", "ntfs". + Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: string readOnly: - description: 'readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: 'readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: boolean secretRef: - description: 'secretRef is optional: points to a secret object containing parameters used to connect to OpenStack.' + description: 'secretRef is optional: points to a + secret object containing parameters used to connect + to OpenStack.' properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' type: string type: object x-kubernetes-map-type: atomic volumeID: - description: 'volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: 'volumeID used to identify the volume + in cinder. 
More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: string required: - - volumeID + - volumeID type: object configMap: - description: configMap represents a configMap that should populate this volume + description: configMap represents a configMap that should + populate this volume properties: defaultMode: - description: 'defaultMode is optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + description: 'defaultMode is optional: mode bits + used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or + a decimal value between 0 and 511. YAML accepts + both octal and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. Directories + within the path are not affected by this setting. + This might be in conflict with other options that + affect the file mode, like fsGroup, and the result + can be other mode bits set.' format: int32 type: integer items: - description: items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. 
+ description: items if unspecified, each key-value + pair in the Data field of the referenced ConfigMap + will be projected into the volume as a file whose + name is the key and content is the value. If specified, + the listed keys will be projected into the specified + paths, and unlisted keys will not be present. + If a key is specified which is not present in + the ConfigMap, the volume setup will error unless + it is marked optional. Paths must be relative + and may not contain the '..' path or start with + '..'. items: - description: Maps a string key to a path within a volume. + description: Maps a string key to a path within + a volume. properties: key: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + description: 'mode is Optional: mode bits + used to set permissions on this file. Must + be an octal value between 0000 and 0777 + or a decimal value between 0 and 511. YAML + accepts both octal and decimal values, JSON + requires decimal values for mode bits. If + not specified, the volume defaultMode will + be used. This might be in conflict with + other options that affect the file mode, + like fsGroup, and the result can be other + mode bits set.' format: int32 type: integer path: - description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. + description: path is the relative path of + the file to map the key to. May not be an + absolute path. May not contain the path + element '..'. 
May not start with the string + '..'. type: string required: - - key - - path + - key + - path type: object type: array name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' type: string optional: - description: optional specify whether the ConfigMap or its keys must be defined + description: optional specify whether the ConfigMap + or its keys must be defined type: boolean type: object x-kubernetes-map-type: atomic csi: - description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature). + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers (Beta feature). properties: driver: - description: driver is the name of the CSI driver that handles this volume. Consult with your admin for the correct name as registered in the cluster. + description: driver is the name of the CSI driver + that handles this volume. Consult with your admin + for the correct name as registered in the cluster. type: string fsType: - description: fsType to mount. Ex. "ext4", "xfs", "ntfs". If not provided, the empty value is passed to the associated CSI driver which will determine the default filesystem to apply. + description: fsType to mount. Ex. "ext4", "xfs", + "ntfs". If not provided, the empty value is passed + to the associated CSI driver which will determine + the default filesystem to apply. type: string nodePublishSecretRef: - description: nodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. 
This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secret references are passed. + description: nodePublishSecretRef is a reference + to the secret object containing sensitive information + to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no + secret is required. If the secret object contains + more than one secret, all secret references are + passed. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' type: string type: object x-kubernetes-map-type: atomic readOnly: - description: readOnly specifies a read-only configuration for the volume. Defaults to false (read/write). + description: readOnly specifies a read-only configuration + for the volume. Defaults to false (read/write). type: boolean volumeAttributes: additionalProperties: type: string - description: volumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver's documentation for supported values. + description: volumeAttributes stores driver-specific + properties that are passed to the CSI driver. + Consult your driver's documentation for supported + values. type: object required: - - driver + - driver type: object downwardAPI: - description: downwardAPI represents downward API about the pod that should populate this volume + description: downwardAPI represents downward API about + the pod that should populate this volume properties: defaultMode: - description: 'Optional: mode bits to use on created files by default. 
Must be a Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + description: 'Optional: mode bits to use on created + files by default. Must be a Optional: mode bits + used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or + a decimal value between 0 and 511. YAML accepts + both octal and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. Directories + within the path are not affected by this setting. + This might be in conflict with other options that + affect the file mode, like fsGroup, and the result + can be other mode bits set.' format: int32 type: integer items: - description: Items is a list of downward API volume file + description: Items is a list of downward API volume + file items: - description: DownwardAPIVolumeFile represents information to create the file containing the pod field + description: DownwardAPIVolumeFile represents + information to create the file containing the + pod field properties: fieldRef: - description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.' + description: 'Required: Selects a field of + the pod: only annotations, labels, name + and namespace are supported.' properties: apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". type: string fieldPath: - description: Path of the field to select in the specified API version. 
+ description: Path of the field to select + in the specified API version. type: string required: - - fieldPath + - fieldPath type: object x-kubernetes-map-type: atomic mode: - description: 'Optional: mode bits used to set permissions on this file, must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + description: 'Optional: mode bits used to + set permissions on this file, must be an + octal value between 0000 and 0777 or a decimal + value between 0 and 511. YAML accepts both + octal and decimal values, JSON requires + decimal values for mode bits. If not specified, + the volume defaultMode will be used. This + might be in conflict with other options + that affect the file mode, like fsGroup, + and the result can be other mode bits set.' format: int32 type: integer path: - description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' + description: 'Required: Path is the relative + path name of the file to be created. Must + not be absolute or contain the ''..'' path. + Must be utf-8 encoded. The first item of + the relative path must not start with ''..''' type: string resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.' + description: 'Selects a resource of the container: + only resources limits and requests (limits.cpu, + limits.memory, requests.cpu and requests.memory) + are currently supported.' 
properties: containerName: - description: 'Container name: required for volumes, optional for env vars' + description: 'Container name: required + for volumes, optional for env vars' type: string divisor: anyOf: - - type: integer - - type: string - description: Specifies the output format of the exposed resources, defaults to "1" + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: description: 'Required: resource to select' type: string required: - - resource + - resource type: object x-kubernetes-map-type: atomic required: - - path + - path type: object type: array type: object emptyDir: - description: 'emptyDir represents a temporary directory that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: 'emptyDir represents a temporary directory + that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' properties: medium: - description: 'medium represents what type of storage medium should back this directory. The default is "" which means to use the node''s default medium. Must be an empty string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: 'medium represents what type of storage + medium should back this directory. The default + is "" which means to use the node''s default medium. + Must be an empty string (default) or Memory. More + info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' type: string sizeLimit: anyOf: - - type: integer - - type: string - description: 'sizeLimit is the total amount of local storage required for this EmptyDir volume. The size limit is also applicable for memory medium. 
The maximum usage on memory medium EmptyDir would be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' + - type: integer + - type: string + description: 'sizeLimit is the total amount of local + storage required for this EmptyDir volume. The + size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would + be the minimum value between the SizeLimit specified + here and the sum of memory limits of all containers + in a pod. The default is nil which means that + the limit is undefined. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: - description: "ephemeral represents a volume that is handled by a cluster storage driver. The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, and deleted when the pod is removed. \n Use this if: a) the volume is only needed while the pod runs, b) features of normal volumes like restoring from snapshot or capacity tracking are needed, c) the storage driver is specified through a storage class, and d) the storage driver supports dynamic volume provisioning through a PersistentVolumeClaim (see EphemeralVolumeSource for more information on the connection between this volume type and PersistentVolumeClaim). \n Use PersistentVolumeClaim or one of the vendor-specific APIs for volumes that persist for longer than the lifecycle of an individual pod. \n Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to be used that way - see the documentation of the driver for more information. 
\n A pod can use both types of ephemeral volumes and persistent volumes at the same time." + description: "ephemeral represents a volume that is + handled by a cluster storage driver. The volume's + lifecycle is tied to the pod that defines it - it + will be created before the pod starts, and deleted + when the pod is removed. \n Use this if: a) the volume + is only needed while the pod runs, b) features of + normal volumes like restoring from snapshot or capacity + tracking are needed, c) the storage driver is specified + through a storage class, and d) the storage driver + supports dynamic volume provisioning through a PersistentVolumeClaim + (see EphemeralVolumeSource for more information on + the connection between this volume type and PersistentVolumeClaim). + \n Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the + lifecycle of an individual pod. \n Use CSI for light-weight + local ephemeral volumes if the CSI driver is meant + to be used that way - see the documentation of the + driver for more information. \n A pod can use both + types of ephemeral volumes and persistent volumes + at the same time." properties: volumeClaimTemplate: - description: "Will be used to create a stand-alone PVC to provision the volume. The pod in which this EphemeralVolumeSource is embedded will be the owner of the PVC, i.e. the PVC will be deleted together with the pod. The name of the PVC will be `-` where `` is the name from the `PodSpec.Volumes` array entry. Pod validation will reject the pod if the concatenated name is not valid for a PVC (for example, too long). \n An existing PVC with that name that is not owned by the pod will *not* be used for the pod to avoid using an unrelated volume by mistake. Starting the pod is then blocked until the unrelated PVC is removed. If such a pre-created PVC is meant to be used by the pod, the PVC has to updated with an owner reference to the pod once the pod exists. 
Normally this should not be necessary, but it may be useful when manually reconstructing a broken cluster. \n This field is read-only and no changes will be made by Kubernetes to the PVC after it has been created. \n Required, must not be nil." + description: "Will be used to create a stand-alone + PVC to provision the volume. The pod in which + this EphemeralVolumeSource is embedded will be + the owner of the PVC, i.e. the PVC will be deleted + together with the pod. The name of the PVC will + be `-` where `` + is the name from the `PodSpec.Volumes` array entry. + Pod validation will reject the pod if the concatenated + name is not valid for a PVC (for example, too + long). \n An existing PVC with that name that + is not owned by the pod will *not* be used for + the pod to avoid using an unrelated volume by + mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created + PVC is meant to be used by the pod, the PVC has + to updated with an owner reference to the pod + once the pod exists. Normally this should not + be necessary, but it may be useful when manually + reconstructing a broken cluster. \n This field + is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. \n Required, + must not be nil." properties: metadata: - description: May contain labels and annotations that will be copied into the PVC when creating it. No other fields are allowed and will be rejected during validation. + description: May contain labels and annotations + that will be copied into the PVC when creating + it. No other fields are allowed and will be + rejected during validation. type: object spec: - description: The specification for the PersistentVolumeClaim. The entire content is copied unchanged into the PVC that gets created from this template. The same fields as in a PersistentVolumeClaim are also valid here. + description: The specification for the PersistentVolumeClaim. 
+ The entire content is copied unchanged into + the PVC that gets created from this template. + The same fields as in a PersistentVolumeClaim + are also valid here. properties: accessModes: - description: 'accessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + description: 'accessModes contains the desired + access modes the volume should have. More + info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' items: type: string type: array dataSource: - description: 'dataSource field can be used to specify either: * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) * An existing PVC (PersistentVolumeClaim) If the provisioner or an external controller can support the specified data source, it will create a new volume based on the contents of the specified data source. When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. If the namespace is specified, then dataSourceRef will not be copied to dataSource.' + description: 'dataSource field can be used + to specify either: * An existing VolumeSnapshot + object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller + can support the specified data source, + it will create a new volume based on the + contents of the specified data source. + When the AnyVolumeDataSource feature gate + is enabled, dataSource contents will be + copied to dataSourceRef, and dataSourceRef + contents will be copied to dataSource + when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef + will not be copied to dataSource.' properties: apiGroup: - description: APIGroup is the group for the resource being referenced. 
If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required. + description: APIGroup is the group for + the resource being referenced. If + APIGroup is not specified, the specified + Kind must be in the core API group. + For any other third-party types, APIGroup + is required. type: string kind: - description: Kind is the type of resource being referenced + description: Kind is the type of resource + being referenced type: string name: - description: Name is the name of resource being referenced + description: Name is the name of resource + being referenced type: string required: - - kind - - name + - kind + - name type: object x-kubernetes-map-type: atomic dataSourceRef: - description: 'dataSourceRef specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any object from a non-empty API group (non core object) or a PersistentVolumeClaim object. When this field is specified, volume binding will only succeed if the type of the specified object matches some installed volume populator or dynamic provisioner. This field will replace the functionality of the dataSource field and as such if both fields are non-empty, they must have the same value. For backwards compatibility, when namespace isn''t specified in dataSourceRef, both fields (dataSource and dataSourceRef) will be set to the same value automatically if one of them is empty and the other is non-empty. When namespace is specified in dataSourceRef, dataSource isn''t set to the same value and must be empty. There are three important differences between dataSource and dataSourceRef: * While dataSource only allows two specific types of objects, dataSourceRef allows any non-core object, as well as PersistentVolumeClaim objects. * While dataSource ignores disallowed values (dropping them), dataSourceRef preserves all values, and generates an error if a disallowed value is specified. 
* While dataSource only allows local objects, dataSourceRef allows objects in any namespaces. (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.' + description: 'dataSourceRef specifies the + object from which to populate the volume + with data, if a non-empty volume is desired. + This may be any object from a non-empty + API group (non core object) or a PersistentVolumeClaim + object. When this field is specified, + volume binding will only succeed if the + type of the specified object matches some + installed volume populator or dynamic + provisioner. This field will replace the + functionality of the dataSource field + and as such if both fields are non-empty, + they must have the same value. For backwards + compatibility, when namespace isn''t specified + in dataSourceRef, both fields (dataSource + and dataSourceRef) will be set to the + same value automatically if one of them + is empty and the other is non-empty. When + namespace is specified in dataSourceRef, + dataSource isn''t set to the same value + and must be empty. There are three important + differences between dataSource and dataSourceRef: + * While dataSource only allows two specific + types of objects, dataSourceRef allows + any non-core object, as well as PersistentVolumeClaim + objects. * While dataSource ignores disallowed + values (dropping them), dataSourceRef + preserves all values, and generates an + error if a disallowed value is specified. + * While dataSource only allows local objects, + dataSourceRef allows objects in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource + feature gate to be enabled. (Alpha) Using + the namespace field of dataSourceRef requires + the CrossNamespaceVolumeDataSource feature + gate to be enabled.' 
properties: apiGroup: - description: APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required. + description: APIGroup is the group for + the resource being referenced. If + APIGroup is not specified, the specified + Kind must be in the core API group. + For any other third-party types, APIGroup + is required. type: string kind: - description: Kind is the type of resource being referenced + description: Kind is the type of resource + being referenced type: string name: - description: Name is the name of resource being referenced + description: Name is the name of resource + being referenced type: string namespace: - description: Namespace is the namespace of resource being referenced Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + description: Namespace is the namespace + of resource being referenced Note + that when a namespace is specified, + a gateway.networking.k8s.io/ReferenceGrant + object is required in the referent + namespace to allow that namespace's + owner to accept the reference. See + the ReferenceGrant documentation for + details. (Alpha) This field requires + the CrossNamespaceVolumeDataSource + feature gate to be enabled. type: string required: - - kind - - name + - kind + - name type: object resources: - description: 'resources represents the minimum resources the volume should have. If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than previous value but must still be higher than capacity recorded in the status field of the claim. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + description: 'resources represents the minimum + resources the volume should have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed to + specify resource requirements that are + lower than previous value but must still + be higher than capacity recorded in the + status field of the claim. More info: + https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' properties: - claims: - description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable." - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map limits: additionalProperties: anyOf: - - type: integer - - type: string + - type: integer + - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Limits describes the maximum + amount of compute resources allowed. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: anyOf: - - type: integer - - type: string + - type: integer + - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Requests describes the + minimum amount of compute resources + required. If Requests is omitted for + a container, it defaults to Limits + if that is explicitly specified, otherwise + to an implementation-defined value. + Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object selector: - description: selector is a label query over volumes to consider for binding. + description: selector is a label query over + volumes to consider for binding. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label + key that the selector applies + to. 
type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. items: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. type: object type: object x-kubernetes-map-type: atomic storageClassName: - description: 'storageClassName is the name of the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + description: 'storageClassName is the name + of the StorageClass required by the claim. 
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeAttributesClassName: + description: 'volumeAttributesClassName + may be used to set the VolumeAttributesClass + used by this claim. If specified, the + CSI driver will create or update the volume + with the attributes defined in the corresponding + VolumeAttributesClass. This has a different + purpose than storageClassName, it can + be changed after the claim is created. + An empty string value means that no VolumeAttributesClass + will be applied to the claim but it''s + not allowed to reset this field to empty + string once it is set. If unspecified + and the PersistentVolumeClaim is unbound, + the default VolumeAttributesClass will + be set by the persistentvolume controller + if it exists. If the resource referred + to by volumeAttributesClass does not exist, + this PersistentVolumeClaim will be set + to a Pending state, as reflected by the + modifyVolumeStatus field, until such as + a resource exists. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass + (Alpha) Using this field requires the + VolumeAttributesClass feature gate to + be enabled.' type: string volumeMode: - description: volumeMode defines what type of volume is required by the claim. Value of Filesystem is implied when not included in claim spec. + description: volumeMode defines what type + of volume is required by the claim. Value + of Filesystem is implied when not included + in claim spec. type: string volumeName: - description: volumeName is the binding reference to the PersistentVolume backing this claim. + description: volumeName is the binding reference + to the PersistentVolume backing this claim. type: string type: object required: - - spec + - spec type: object type: object fc: - description: fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. 
+ description: fc represents a Fibre Channel resource + that is attached to a kubelet's host machine and then + exposed to the pod. properties: fsType: - description: 'fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. TODO: how do we prevent errors in the filesystem from compromising the machine' + description: 'fsType is the filesystem type to mount. + Must be a filesystem type supported by the host + operating system. Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. TODO: how + do we prevent errors in the filesystem from compromising + the machine' type: string lun: description: 'lun is Optional: FC target lun number' format: int32 type: integer readOnly: - description: 'readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.' + description: 'readOnly is Optional: Defaults to + false (read/write). ReadOnly here will force the + ReadOnly setting in VolumeMounts.' type: boolean targetWWNs: - description: 'targetWWNs is Optional: FC target worldwide names (WWNs)' + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' items: type: string type: array wwids: - description: 'wwids Optional: FC volume world wide identifiers (wwids) Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.' + description: 'wwids Optional: FC volume world wide + identifiers (wwids) Either wwids or combination + of targetWWNs and lun must be set, but not both + simultaneously.' items: type: string type: array type: object flexVolume: - description: flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. + description: flexVolume represents a generic volume + resource that is provisioned/attached using an exec + based plugin. 
properties: driver: - description: driver is the name of the driver to use for this volume. + description: driver is the name of the driver to + use for this volume. type: string fsType: - description: fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. + description: fsType is the filesystem type to mount. + Must be a filesystem type supported by the host + operating system. Ex. "ext4", "xfs", "ntfs". The + default filesystem depends on FlexVolume script. type: string options: additionalProperties: type: string - description: 'options is Optional: this field holds extra command options if any.' + description: 'options is Optional: this field holds + extra command options if any.' type: object readOnly: - description: 'readOnly is Optional: defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.' + description: 'readOnly is Optional: defaults to + false (read/write). ReadOnly here will force the + ReadOnly setting in VolumeMounts.' type: boolean secretRef: - description: 'secretRef is Optional: secretRef is reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts.' + description: 'secretRef is Optional: secretRef is + reference to the secret object containing sensitive + information to pass to the plugin scripts. This + may be empty if no secret object is specified. + If the secret object contains more than one secret, + all secrets are passed to the plugin scripts.' properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: 'Name of the referent. 
More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' type: string type: object x-kubernetes-map-type: atomic required: - - driver + - driver type: object flocker: - description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running + description: flocker represents a Flocker volume attached + to a kubelet's host machine. This depends on the Flocker + control service being running properties: datasetName: - description: datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker should be considered as deprecated + description: datasetName is Name of the dataset + stored as metadata -> name on the dataset for + Flocker should be considered as deprecated type: string datasetUUID: - description: datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset + description: datasetUUID is the UUID of the dataset. + This is unique identifier of a Flocker dataset type: string type: object gcePersistentDisk: - description: 'gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: 'gcePersistentDisk represents a GCE Disk + resource that is attached to a kubelet''s host machine + and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' properties: fsType: - description: 'fsType is filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk TODO: how do we prevent errors in the filesystem from compromising the machine' + description: 'fsType is filesystem type of the volume + that you want to mount. Tip: Ensure that the filesystem + type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem + from compromising the machine' type: string partition: - description: 'partition is the partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as "1". Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: 'partition is the partition in the + volume that you want to mount. If omitted, the + default is to mount by volume name. Examples: + For volume /dev/sda1, you specify the partition + as "1". Similarly, the volume partition for /dev/sda + is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' format: int32 type: integer pdName: - description: 'pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: 'pdName is unique name of the PD resource + in GCE. Used to identify the disk in GCE. More + info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: string readOnly: - description: 'readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: 'readOnly here will force the ReadOnly + setting in VolumeMounts. Defaults to false. More + info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: boolean required: - - pdName + - pdName type: object gitRepo: - description: 'gitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod''s container.' + description: 'gitRepo represents a git repository at + a particular revision. DEPRECATED: GitRepo is deprecated. + To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo + using git, then mount the EmptyDir into the Pod''s + container.' properties: directory: - description: directory is the target directory name. Must not contain or start with '..'. If '.' is supplied, the volume directory will be the git repository. Otherwise, if specified, the volume will contain the git repository in the subdirectory with the given name. + description: directory is the target directory name. + Must not contain or start with '..'. If '.' is + supplied, the volume directory will be the git + repository. Otherwise, if specified, the volume + will contain the git repository in the subdirectory + with the given name. type: string repository: description: repository is the URL type: string revision: - description: revision is the commit hash for the specified revision. + description: revision is the commit hash for the + specified revision. type: string required: - - repository + - repository type: object glusterfs: - description: 'glusterfs represents a Glusterfs mount on the host that shares a pod''s lifetime. 
More info: https://examples.k8s.io/volumes/glusterfs/README.md' + description: 'glusterfs represents a Glusterfs mount + on the host that shares a pod''s lifetime. More info: + https://examples.k8s.io/volumes/glusterfs/README.md' properties: endpoints: - description: 'endpoints is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + description: 'endpoints is the endpoint name that + details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: string path: - description: 'path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + description: 'path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: string readOnly: - description: 'readOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + description: 'readOnly here will force the Glusterfs + volume to be mounted with read-only permissions. + Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: boolean required: - - endpoints - - path + - endpoints + - path type: object hostPath: - description: 'hostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath --- TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not mount host directories as read/write.' + description: 'hostPath represents a pre-existing file + or directory on the host machine that is directly + exposed to the container. 
This is generally used for + system agents or other privileged things that are + allowed to see the host machine. Most containers will + NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + --- TODO(jonesdl) We need to restrict who can use + host directory mounts and who can/can not mount host + directories as read/write.' properties: path: - description: 'path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + description: 'path of the directory on the host. + If the path is a symlink, it will follow the link + to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string type: - description: 'type for HostPath Volume Defaults to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + description: 'type for HostPath Volume Defaults + to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string required: - - path + - path type: object iscsi: - description: 'iscsi represents an ISCSI Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' + description: 'iscsi represents an ISCSI Disk resource + that is attached to a kubelet''s host machine and + then exposed to the pod. 
More info: https://examples.k8s.io/volumes/iscsi/README.md' properties: chapAuthDiscovery: - description: chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication + description: chapAuthDiscovery defines whether support + iSCSI Discovery CHAP authentication type: boolean chapAuthSession: - description: chapAuthSession defines whether support iSCSI Session CHAP authentication + description: chapAuthSession defines whether support + iSCSI Session CHAP authentication type: boolean fsType: - description: 'fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi TODO: how do we prevent errors in the filesystem from compromising the machine' + description: 'fsType is the filesystem type of the + volume that you want to mount. Tip: Ensure that + the filesystem type is supported by the host operating + system. Examples: "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem + from compromising the machine' type: string initiatorName: - description: initiatorName is the custom iSCSI Initiator Name. If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface : will be created for the connection. + description: initiatorName is the custom iSCSI Initiator + Name. If initiatorName is specified with iscsiInterface + simultaneously, new iSCSI interface : will be created for the connection. type: string iqn: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: - description: iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). 
+ description: iscsiInterface is the interface Name + that uses an iSCSI transport. Defaults to 'default' + (tcp). type: string lun: description: lun represents iSCSI Target Lun number. format: int32 type: integer portals: - description: portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260). + description: portals is the iSCSI Target Portal + List. The portal is either an IP or ip_addr:port + if the port is other than default (typically TCP + ports 860 and 3260). items: type: string type: array readOnly: - description: readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. + description: readOnly here will force the ReadOnly + setting in VolumeMounts. Defaults to false. type: boolean secretRef: - description: secretRef is the CHAP Secret for iSCSI target and initiator authentication + description: secretRef is the CHAP Secret for iSCSI + target and initiator authentication properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' type: string type: object x-kubernetes-map-type: atomic targetPortal: - description: targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260). + description: targetPortal is iSCSI Target Portal. + The Portal is either an IP or ip_addr:port if + the port is other than default (typically TCP + ports 860 and 3260). type: string required: - - iqn - - lun - - targetPortal + - iqn + - lun + - targetPortal type: object name: - description: 'name of the volume. Must be a DNS_LABEL and unique within the pod. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: 'name of the volume. Must be a DNS_LABEL + and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string nfs: - description: 'nfs represents an NFS mount on the host that shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: 'nfs represents an NFS mount on the host + that shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' properties: path: - description: 'path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: 'path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string readOnly: - description: 'readOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: 'readOnly here will force the NFS export + to be mounted with read-only permissions. Defaults + to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: boolean server: - description: 'server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + description: 'server is the hostname or IP address + of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string required: - - path - - server + - path + - server type: object persistentVolumeClaim: - description: 'persistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + description: 'persistentVolumeClaimVolumeSource represents + a reference to a PersistentVolumeClaim in the same + namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' properties: claimName: - description: 'claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + description: 'claimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' type: string readOnly: - description: readOnly Will force the ReadOnly setting in VolumeMounts. Default false. + description: readOnly Will force the ReadOnly setting + in VolumeMounts. Default false. type: boolean required: - - claimName + - claimName type: object photonPersistentDisk: - description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine + description: photonPersistentDisk represents a PhotonController + persistent disk attached and mounted on kubelets host + machine properties: fsType: - description: fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + description: fsType is the filesystem type to mount. + Must be a filesystem type supported by the host + operating system. Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. 
type: string pdID: - description: pdID is the ID that identifies Photon Controller persistent disk + description: pdID is the ID that identifies Photon + Controller persistent disk type: string required: - - pdID + - pdID type: object portworxVolume: - description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine + description: portworxVolume represents a portworx volume + attached and mounted on kubelets host machine properties: fsType: - description: fSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + description: fSType represents the filesystem type + to mount Must be a filesystem type supported by + the host operating system. Ex. "ext4", "xfs". + Implicitly inferred to be "ext4" if unspecified. type: string readOnly: - description: readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. type: boolean volumeID: - description: volumeID uniquely identifies a Portworx volume + description: volumeID uniquely identifies a Portworx + volume type: string required: - - volumeID + - volumeID type: object projected: - description: projected items for all in one resources secrets, configmaps, and downward API + description: projected items for all in one resources + secrets, configmaps, and downward API properties: defaultMode: - description: defaultMode are the mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. 
This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. + description: defaultMode are the mode bits used + to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or + a decimal value between 0 and 511. YAML accepts + both octal and decimal values, JSON requires decimal + values for mode bits. Directories within the path + are not affected by this setting. This might be + in conflict with other options that affect the + file mode, like fsGroup, and the result can be + other mode bits set. format: int32 type: integer sources: description: sources is the list of volume projections items: - description: Projection that may be projected along with other supported volume types + description: Projection that may be projected + along with other supported volume types properties: + clusterTrustBundle: + description: "ClusterTrustBundle allows a + pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating + file. \n Alpha, gated by the ClusterTrustBundleProjection + feature gate. \n ClusterTrustBundle objects + can either be selected by name, or by the + combination of signer name and a label selector. + \n Kubelet performs aggressive normalization + of the PEM contents written into the pod + filesystem. Esoteric PEM features such + as inter-block comments and block headers + are stripped. Certificates are deduplicated. + The ordering of certificates within the + file is arbitrary, and Kubelet may change + the order over time." + properties: + labelSelector: + description: Select all ClusterTrustBundles + that match this label selector. Only + has effect if signerName is set. Mutually-exclusive + with name. If unset, interpreted as + "match nothing". If set but empty, + interpreted as "match everything". + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. 
+ The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: Select a single ClusterTrustBundle + by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: If true, don't block pod + startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then + the named ClusterTrustBundle is allowed + not to exist. If using signerName, + then the combination of signerName and + labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume + root to write the bundle. + type: string + signerName: + description: Select all ClusterTrustBundles + that match this signer name. Mutually-exclusive + with name. 
The contents of all selected + ClusterTrustBundles will be unified + and deduplicated. + type: string + required: + - path + type: object configMap: - description: configMap information about the configMap data to project + description: configMap information about the + configMap data to project properties: items: - description: items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. + description: items if unspecified, each + key-value pair in the Data field of + the referenced ConfigMap will be projected + into the volume as a file whose name + is the key and content is the value. + If specified, the listed keys will be + projected into the specified paths, + and unlisted keys will not be present. + If a key is specified which is not present + in the ConfigMap, the volume setup will + error unless it is marked optional. + Paths must be relative and may not contain + the '..' path or start with '..'. items: - description: Maps a string key to a path within a volume. + description: Maps a string key to a + path within a volume. properties: key: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' 
+ description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an octal + value between 0000 and 0777 or + a decimal value between 0 and + 511. YAML accepts both octal and + decimal values, JSON requires + decimal values for mode bits. + If not specified, the volume defaultMode + will be used. This might be in + conflict with other options that + affect the file mode, like fsGroup, + and the result can be other mode + bits set.' format: int32 type: integer path: - description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. + description: path is the relative + path of the file to map the key + to. May not be an absolute path. + May not contain the path element + '..'. May not start with the string + '..'. type: string required: - - key - - path + - key + - path type: object type: array name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
type: string optional: - description: optional specify whether the ConfigMap or its keys must be defined + description: optional specify whether + the ConfigMap or its keys must be defined type: boolean type: object x-kubernetes-map-type: atomic downwardAPI: - description: downwardAPI information about the downwardAPI data to project + description: downwardAPI information about + the downwardAPI data to project properties: items: - description: Items is a list of DownwardAPIVolume file + description: Items is a list of DownwardAPIVolume + file items: - description: DownwardAPIVolumeFile represents information to create the file containing the pod field + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field properties: fieldRef: - description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.' + description: 'Required: Selects + a field of the pod: only annotations, + labels, name and namespace are + supported.' properties: apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + description: Version of the + schema the FieldPath is written + in terms of, defaults to "v1". type: string fieldPath: - description: Path of the field to select in the specified API version. + description: Path of the field + to select in the specified + API version. type: string required: - - fieldPath + - fieldPath type: object x-kubernetes-map-type: atomic mode: - description: 'Optional: mode bits used to set permissions on this file, must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' 
+ description: 'Optional: mode bits + used to set permissions on this + file, must be an octal value between + 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts + both octal and decimal values, + JSON requires decimal values for + mode bits. If not specified, the + volume defaultMode will be used. + This might be in conflict with + other options that affect the + file mode, like fsGroup, and the + result can be other mode bits + set.' format: int32 type: integer path: - description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' + description: 'Required: Path is the + relative path name of the file + to be created. Must not be absolute + or contain the ''..'' path. Must + be utf-8 encoded. The first item + of the relative path must not + start with ''..''' type: string resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.' + description: 'Selects a resource + of the container: only resources + limits and requests (limits.cpu, + limits.memory, requests.cpu and + requests.memory) are currently + supported.' 
properties: containerName: - description: 'Container name: required for volumes, optional for env vars' + description: 'Container name: + required for volumes, optional + for env vars' type: string divisor: anyOf: - - type: integer - - type: string - description: Specifies the output format of the exposed resources, defaults to "1" + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: - description: 'Required: resource to select' + description: 'Required: resource + to select' type: string required: - - resource + - resource type: object x-kubernetes-map-type: atomic required: - - path + - path type: object type: array type: object secret: - description: secret information about the secret data to project + description: secret information about the + secret data to project properties: items: - description: items if unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. + description: items if unspecified, each + key-value pair in the Data field of + the referenced Secret will be projected + into the volume as a file whose name + is the key and content is the value. + If specified, the listed keys will be + projected into the specified paths, + and unlisted keys will not be present. + If a key is specified which is not present + in the Secret, the volume setup will + error unless it is marked optional. 
+ Paths must be relative and may not contain + the '..' path or start with '..'. items: - description: Maps a string key to a path within a volume. + description: Maps a string key to a + path within a volume. properties: key: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an octal + value between 0000 and 0777 or + a decimal value between 0 and + 511. YAML accepts both octal and + decimal values, JSON requires + decimal values for mode bits. + If not specified, the volume defaultMode + will be used. This might be in + conflict with other options that + affect the file mode, like fsGroup, + and the result can be other mode + bits set.' format: int32 type: integer path: - description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. + description: path is the relative + path of the file to map the key + to. May not be an absolute path. + May not contain the path element + '..'. May not start with the string + '..'. type: string required: - - key - - path + - key + - path type: object type: array name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: 'Name of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' type: string optional: - description: optional field specify whether the Secret or its key must be defined + description: optional field specify whether + the Secret or its key must be defined type: boolean type: object x-kubernetes-map-type: atomic serviceAccountToken: - description: serviceAccountToken is information about the serviceAccountToken data to project + description: serviceAccountToken is information + about the serviceAccountToken data to project properties: audience: - description: audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver. + description: audience is the intended + audience of the token. A recipient of + a token must identify itself with an + identifier specified in the audience + of the token, and otherwise should reject + the token. The audience defaults to + the identifier of the apiserver. type: string expirationSeconds: - description: expirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes. + description: expirationSeconds is the + requested duration of validity of the + service account token. As the token + approaches expiration, the kubelet volume + plugin will proactively rotate the service + account token. 
The kubelet will start + trying to rotate the token if the token + is older than 80 percent of its time + to live or if the token is older than + 24 hours.Defaults to 1 hour and must + be at least 10 minutes. format: int64 type: integer path: - description: path is the path relative to the mount point of the file to project the token into. + description: path is the path relative + to the mount point of the file to project + the token into. type: string required: - - path + - path type: object type: object type: array type: object quobyte: - description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime + description: quobyte represents a Quobyte mount on the + host that shares a pod's lifetime properties: group: - description: group to map volume access to Default is no group + description: group to map volume access to Default + is no group type: string readOnly: - description: readOnly here will force the Quobyte volume to be mounted with read-only permissions. Defaults to false. + description: readOnly here will force the Quobyte + volume to be mounted with read-only permissions. + Defaults to false. 
type: boolean registry: - description: registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes + description: registry represents a single or multiple + Quobyte Registry services specified as a string + as host:port pair (multiple entries are separated + with commas) which acts as the central registry + for volumes type: string tenant: - description: tenant owning the given Quobyte volume in the Backend Used with dynamically provisioned Quobyte volumes, value is set by the plugin + description: tenant owning the given Quobyte volume + in the Backend Used with dynamically provisioned + Quobyte volumes, value is set by the plugin type: string user: - description: user to map volume access to Defaults to serivceaccount user + description: user to map volume access to Defaults + to serivceaccount user type: string volume: - description: volume is a string that references an already created Quobyte volume by name. + description: volume is a string that references + an already created Quobyte volume by name. type: string required: - - registry - - volume + - registry + - volume type: object rbd: - description: 'rbd represents a Rados Block Device mount on the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md' + description: 'rbd represents a Rados Block Device mount + on the host that shares a pod''s lifetime. More info: + https://examples.k8s.io/volumes/rbd/README.md' properties: fsType: - description: 'fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd TODO: how do we prevent errors in the filesystem from compromising the machine' + description: 'fsType is the filesystem type of the + volume that you want to mount. Tip: Ensure that + the filesystem type is supported by the host operating + system. Examples: "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem + from compromising the machine' type: string image: - description: 'image is the rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'image is the rados image name. More + info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string keyring: - description: 'keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'keyring is the path to key ring for + RBDUser. Default is /etc/ceph/keyring. More info: + https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string monitors: - description: 'monitors is a collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' items: type: string type: array pool: - description: 'pool is the rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'pool is the rados pool name. Default + is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string readOnly: - description: 'readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. 
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'readOnly here will force the ReadOnly + setting in VolumeMounts. Defaults to false. More + info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: boolean secretRef: - description: 'secretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'secretRef is name of the authentication + secret for RBDUser. If provided overrides keyring. + Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' type: string type: object x-kubernetes-map-type: atomic user: - description: 'user is the rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'user is the rados user name. Default + is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string required: - - image - - monitors + - image + - monitors type: object scaleIO: - description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. + description: scaleIO represents a ScaleIO persistent + volume attached and mounted on Kubernetes nodes. properties: fsType: - description: fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Default is "xfs". + description: fsType is the filesystem type to mount. 
+ Must be a filesystem type supported by the host + operating system. Ex. "ext4", "xfs", "ntfs". Default + is "xfs". type: string gateway: - description: gateway is the host address of the ScaleIO API Gateway. + description: gateway is the host address of the + ScaleIO API Gateway. type: string protectionDomain: - description: protectionDomain is the name of the ScaleIO Protection Domain for the configured storage. + description: protectionDomain is the name of the + ScaleIO Protection Domain for the configured storage. type: string readOnly: - description: readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: readOnly Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. type: boolean secretRef: - description: secretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail. + description: secretRef references to the secret + for ScaleIO user and other sensitive information. + If this is not provided, Login operation will + fail. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' type: string type: object x-kubernetes-map-type: atomic sslEnabled: - description: sslEnabled Flag enable/disable SSL communication with Gateway, default false + description: sslEnabled Flag enable/disable SSL + communication with Gateway, default false type: boolean storageMode: - description: storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. 
+ description: storageMode indicates whether the storage + for a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. type: string storagePool: - description: storagePool is the ScaleIO Storage Pool associated with the protection domain. + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. type: string system: - description: system is the name of the storage system as configured in ScaleIO. + description: system is the name of the storage system + as configured in ScaleIO. type: string volumeName: - description: volumeName is the name of a volume already created in the ScaleIO system that is associated with this volume source. + description: volumeName is the name of a volume + already created in the ScaleIO system that is + associated with this volume source. type: string required: - - gateway - - secretRef - - system + - gateway + - secretRef + - system type: object secret: - description: 'secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: 'secret represents a secret that should + populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' properties: defaultMode: - description: 'defaultMode is Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + description: 'defaultMode is Optional: mode bits + used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or + a decimal value between 0 and 511. 
YAML accepts + both octal and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. Directories + within the path are not affected by this setting. + This might be in conflict with other options that + affect the file mode, like fsGroup, and the result + can be other mode bits set.' format: int32 type: integer items: - description: items If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. + description: items If unspecified, each key-value + pair in the Data field of the referenced Secret + will be projected into the volume as a file whose + name is the key and content is the value. If specified, + the listed keys will be projected into the specified + paths, and unlisted keys will not be present. + If a key is specified which is not present in + the Secret, the volume setup will error unless + it is marked optional. Paths must be relative + and may not contain the '..' path or start with + '..'. items: - description: Maps a string key to a path within a volume. + description: Maps a string key to a path within + a volume. properties: key: description: key is the key to project. type: string mode: - description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. 
This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + description: 'mode is Optional: mode bits + used to set permissions on this file. Must + be an octal value between 0000 and 0777 + or a decimal value between 0 and 511. YAML + accepts both octal and decimal values, JSON + requires decimal values for mode bits. If + not specified, the volume defaultMode will + be used. This might be in conflict with + other options that affect the file mode, + like fsGroup, and the result can be other + mode bits set.' format: int32 type: integer path: - description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. + description: path is the relative path of + the file to map the key to. May not be an + absolute path. May not contain the path + element '..'. May not start with the string + '..'. type: string required: - - key - - path + - key + - path type: object type: array optional: - description: optional field specify whether the Secret or its keys must be defined + description: optional field specify whether the + Secret or its keys must be defined type: boolean secretName: - description: 'secretName is the name of the secret in the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: 'secretName is the name of the secret + in the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' type: string type: object storageos: - description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. + description: storageOS represents a StorageOS volume + attached and mounted on Kubernetes nodes. properties: fsType: - description: fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". 
Implicitly inferred to be "ext4" if unspecified. + description: fsType is the filesystem type to mount. + Must be a filesystem type supported by the host + operating system. Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. type: string readOnly: - description: readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. type: boolean secretRef: - description: secretRef specifies the secret to use for obtaining the StorageOS API credentials. If not specified, default values will be attempted. + description: secretRef specifies the secret to use + for obtaining the StorageOS API credentials. If + not specified, default values will be attempted. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' type: string type: object x-kubernetes-map-type: atomic volumeName: - description: volumeName is the human-readable name of the StorageOS volume. Volume names are only unique within a namespace. + description: volumeName is the human-readable name + of the StorageOS volume. Volume names are only + unique within a namespace. type: string volumeNamespace: - description: volumeNamespace specifies the scope of the volume within StorageOS. If no namespace is specified then the Pod's namespace will be used. This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to "default" if you are not using namespaces within StorageOS. 
Namespaces that do not pre-exist within StorageOS will be created. + description: volumeNamespace specifies the scope + of the volume within StorageOS. If no namespace + is specified then the Pod's namespace will be + used. This allows the Kubernetes name scoping + to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default + behaviour. Set to "default" if you are not using + namespaces within StorageOS. Namespaces that do + not pre-exist within StorageOS will be created. type: string type: object vsphereVolume: - description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine + description: vsphereVolume represents a vSphere volume + attached and mounted on kubelets host machine properties: fsType: - description: fsType is filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + description: fsType is filesystem type to mount. + Must be a filesystem type supported by the host + operating system. Ex. "ext4", "xfs", "ntfs". Implicitly + inferred to be "ext4" if unspecified. type: string storagePolicyID: - description: storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName. + description: storagePolicyID is the storage Policy + Based Management (SPBM) profile ID associated + with the StoragePolicyName. type: string storagePolicyName: - description: storagePolicyName is the storage Policy Based Management (SPBM) profile name. + description: storagePolicyName is the storage Policy + Based Management (SPBM) profile name. 
type: string volumePath: - description: volumePath is the path that identifies vSphere volume vmdk + description: volumePath is the path that identifies + vSphere volume vmdk type: string required: - - volumePath + - volumePath type: object required: - - name + - name type: object type: array affinity: - description: 'If specified, the Tenant Control Plane pod''s scheduling constraints. More info: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/' + description: 'If specified, the Tenant Control Plane pod''s + scheduling constraints. More info: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/' properties: nodeAffinity: - description: Describes node affinity scheduling rules for the pod. + description: Describes node affinity scheduling rules + for the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. 
for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements + of this field and adding "weight" to the sum if + the node matches the corresponding matchExpressions; + the node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + description: An empty preferred scheduling term + matches all objects with implicit weight 0 (i.e. + it's a no-op). A null preferred scheduling term + matches no objects (i.e. is also a no-op). properties: preference: - description: A node selector term, associated with the corresponding weight. + description: A node selector term, associated + with the corresponding weight. properties: matchExpressions: - description: A list of node selector requirements by node's labels. + description: A list of node selector requirements + by node's labels. items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. properties: key: - description: The label key that the selector applies to. + description: The label key that the + selector applies to. type: string operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. type: string values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. items: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchFields: - description: A list of node selector requirements by node's fields. + description: A list of node selector requirements + by node's fields. items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. properties: key: - description: The label key that the selector applies to. + description: The label key that the + selector applies to. type: string operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. type: string values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 
+ description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. items: type: string type: array required: - - key - - operator + - key + - operator type: object type: array type: object x-kubernetes-map-type: atomic weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. format: int32 type: integer required: - - preference - - weight + - preference + - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. + description: If the affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + affinity requirements specified by this field cease + to be met at some point during pod execution (e.g. + due to an update), the system may or may not try + to eventually evict the pod from its node. properties: nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. + description: Required. A list of node selector + terms. The terms are ORed. items: - description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. 
+ description: A null or empty node selector term + matches no objects. The requirements of them + are ANDed. The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. properties: matchExpressions: - description: A list of node selector requirements by node's labels. + description: A list of node selector requirements + by node's labels. items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. properties: key: - description: The label key that the selector applies to. + description: The label key that the + selector applies to. type: string operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. type: string values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. 
items: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchFields: - description: A list of node selector requirements by node's fields. + description: A list of node selector requirements + by node's fields. items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. properties: key: - description: The label key that the selector applies to. + description: The label key that the + selector applies to. type: string operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. type: string values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. + description: An array of string values. + If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, the + values array must have a single + element, which will be interpreted + as an integer. This array is replaced + during a strategic merge patch. 
items: type: string type: array required: - - key - - operator + - key + - operator type: object type: array type: object x-kubernetes-map-type: atomic type: array required: - - nodeSelectorTerms + - nodeSelectorTerms type: object x-kubernetes-map-type: atomic type: object podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements + of this field and adding "weight" to the sum if + the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum + are the most preferred. 
items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) properties: podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. + description: Required. A pod affinity term, + associated with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, in this case pods. + description: A label query over a set of + resources, in this case pods. If it's + null, this PodAffinityTerm matches with + no Pods. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label + key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. items: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of + pod label keys to select which pods will + be taken into consideration. The keys + are used to lookup values from the incoming + pod labels, those key-value labels are + merged with `LabelSelector` as `key in + (value)` to select the group of existing + pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. + Keys that don't exist in the incoming + pod labels will be ignored. The default + value is empty. The same key is forbidden + to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when + LabelSelector isn't set. This is an alpha + field and requires enabling MatchLabelKeysInPodAffinity + feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set + of pod label keys to select which pods + will be taken into consideration. 
The + keys are used to lookup values from the + incoming pod labels, those key-value labels + are merged with `LabelSelector` as `key + notin (value)` to select the group of + existing pods which pods will be taken + into consideration for the incoming pod's + pod (anti) affinity. Keys that don't exist + in the incoming pod labels will be ignored. + The default value is empty. The same key + is forbidden to exist in both MismatchLabelKeys + and LabelSelector. Also, MismatchLabelKeys + cannot be set when LabelSelector isn't + set. This is an alpha field and requires + enabling MatchLabelKeysInPodAffinity feature + gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + description: A label query over the set + of namespaces that the term applies to. + The term is applied to the union of the + namespaces selected by this field and + the ones listed in the namespaces field. + null selector and null or empty namespaces + list means "this pod's namespace". An + empty selector ({}) matches all namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. properties: key: - description: key is the label key that the selector applies to. 
+ description: key is the label + key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. items: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. type: string required: - - topologyKey + - topologyKey type: object weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. + description: weight associated with matching + the corresponding podAffinityTerm, in the + range 1-100. format: int32 type: integer required: - - podAffinityTerm - - weight + - podAffinityTerm + - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. 
When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. + description: If the affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + affinity requirements specified by this field cease + to be met at some point during pod execution (e.g. + due to a pod label update), the system may or may + not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes + corresponding to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + description: Defines a set of pods (namely those + matching the labelSelector relative to the given + namespace(s)) that this pod should be co-located + (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node + whose value of the label with key + matches that of any node on which a pod of the + set of pods is running properties: labelSelector: - description: A label query over a set of resources, in this case pods. + description: A label query over a set of resources, + in this case pods. If it's null, this PodAffinityTerm + matches with no Pods. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. 
+ description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key + that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. items: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. 
type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod + label keys to select which pods will be taken + into consideration. The keys are used to lookup + values from the incoming pod labels, those + key-value labels are merged with `LabelSelector` + as `key in (value)` to select the group of + existing pods which pods will be taken into + consideration for the incoming pod's pod (anti) + affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value + is empty. The same key is forbidden to exist + in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector + isn't set. This is an alpha field and requires + enabling MatchLabelKeysInPodAffinity feature + gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod + label keys to select which pods will be taken + into consideration. The keys are used to lookup + values from the incoming pod labels, those + key-value labels are merged with `LabelSelector` + as `key notin (value)` to select the group + of existing pods which pods will be taken + into consideration for the incoming pod's + pod (anti) affinity. Keys that don't exist + in the incoming pod labels will be ignored. + The default value is empty. The same key is + forbidden to exist in both MismatchLabelKeys + and LabelSelector. Also, MismatchLabelKeys + cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling + MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. 
null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key + that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. 
items: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 
+ description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. type: string required: - - topologyKey + - topologyKey type: object type: array type: object podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, + etc. as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. + description: The scheduler will prefer to schedule + pods to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node + that violates one or more of the expressions. The + node that is most preferred is the one with the + greatest sum of weights, i.e. 
for each node that + meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by iterating through + the elements of this field and adding "weight" to + the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum + are the most preferred. items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) properties: podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. + description: Required. A pod affinity term, + associated with the corresponding weight. properties: labelSelector: - description: A label query over a set of resources, in this case pods. + description: A label query over a set of + resources, in this case pods. If it's + null, this PodAffinityTerm matches with + no Pods. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label + key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. items: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of + {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of + pod label keys to select which pods will + be taken into consideration. The keys + are used to lookup values from the incoming + pod labels, those key-value labels are + merged with `LabelSelector` as `key in + (value)` to select the group of existing + pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. + Keys that don't exist in the incoming + pod labels will be ignored. The default + value is empty. 
The same key is forbidden + to exist in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when + LabelSelector isn't set. This is an alpha + field and requires enabling MatchLabelKeysInPodAffinity + feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set + of pod label keys to select which pods + will be taken into consideration. The + keys are used to lookup values from the + incoming pod labels, those key-value labels + are merged with `LabelSelector` as `key + notin (value)` to select the group of + existing pods which pods will be taken + into consideration for the incoming pod's + pod (anti) affinity. Keys that don't exist + in the incoming pod labels will be ignored. + The default value is empty. The same key + is forbidden to exist in both MismatchLabelKeys + and LabelSelector. Also, MismatchLabelKeys + cannot be set when LabelSelector isn't + set. This is an alpha field and requires + enabling MatchLabelKeysInPodAffinity feature + gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + description: A label query over the set + of namespaces that the term applies to. + The term is applied to the union of the + namespaces selected by this field and + the ones listed in the namespaces field. + null selector and null or empty namespaces + list means "this pod's namespace". An + empty selector ({}) matches all namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+ description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label + key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. + This array is replaced during + a strategic merge patch. items: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of + {key,value} pairs. 
A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. type: string required: - - topologyKey + - topologyKey type: object weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. + description: weight associated with matching + the corresponding podAffinityTerm, in the + range 1-100. 
format: int32 type: integer required: - - podAffinityTerm - - weight + - podAffinityTerm + - weight type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. + description: If the anti-affinity requirements specified + by this field are not met at scheduling time, the + pod will not be scheduled onto the node. If the + anti-affinity requirements specified by this field + cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may + or may not try to eventually evict the pod from + its node. When there are multiple elements, the + lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. 
items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running + description: Defines a set of pods (namely those + matching the labelSelector relative to the given + namespace(s)) that this pod should be co-located + (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node + whose value of the label with key + matches that of any node on which a pod of the + set of pods is running properties: labelSelector: - description: A label query over a set of resources, in this case pods. + description: A label query over a set of resources, + in this case pods. If it's null, this PodAffinityTerm + matches with no Pods. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key + that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. 
type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. items: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod + label keys to select which pods will be taken + into consideration. The keys are used to lookup + values from the incoming pod labels, those + key-value labels are merged with `LabelSelector` + as `key in (value)` to select the group of + existing pods which pods will be taken into + consideration for the incoming pod's pod (anti) + affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value + is empty. The same key is forbidden to exist + in both MatchLabelKeys and LabelSelector. + Also, MatchLabelKeys cannot be set when LabelSelector + isn't set. 
This is an alpha field and requires + enabling MatchLabelKeysInPodAffinity feature + gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod + label keys to select which pods will be taken + into consideration. The keys are used to lookup + values from the incoming pod labels, those + key-value labels are merged with `LabelSelector` + as `key notin (value)` to select the group + of existing pods which pods will be taken + into consideration for the incoming pod's + pod (anti) affinity. Keys that don't exist + in the incoming pod labels will be ignored. + The default value is empty. The same key is + forbidden to exist in both MismatchLabelKeys + and LabelSelector. Also, MismatchLabelKeys + cannot be set when LabelSelector isn't set. + This is an alpha field and requires enabling + MatchLabelKeysInPodAffinity feature gate. + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: - description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. 
items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key + that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. items: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. 
type: object type: object x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace". + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. type: string required: - - topologyKey + - topologyKey type: object type: array type: object type: object extraArgs: - description: ExtraArgs allows adding additional arguments to the Control Plane components, such as kube-apiserver, controller-manager, and scheduler. + description: ExtraArgs allows adding additional arguments + to the Control Plane components, such as kube-apiserver, + controller-manager, and scheduler. properties: apiServer: items: 
@@ -3318,7 +6074,8 @@ spec: type: string type: array kine: - description: Available only if Kamaji is running using Kine as backing storage. + description: Available only if Kamaji is running using + Kine as backing storage. items: type: string type: array @@ -3330,7 +6087,10 @@ spec: nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + description: 'NodeSelector is a selector which must be true + for the pod to fit on a node. Selector which must match + a node''s labels for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' type: object registrySettings: default: @@ -3338,7 +6098,10 @@ spec: controllerManagerImage: kube-controller-manager registry: registry.k8s.io schedulerImage: kube-scheduler - description: RegistrySettings allows to override the default images for the given Tenant Control Plane instance. It could be used to point to a different container registry rather than the public one. + description: RegistrySettings allows to override the default + images for the given Tenant Control Plane instance. It could + be used to point to a different container registry rather + than the public one. properties: apiServerImage: default: kube-apiserver @@ -3353,7 +6116,8 @@ spec: default: kube-scheduler type: string tagSuffix: - description: The tag to append to all the Control Plane container images. Optional. + description: The tag to append to all the Control Plane + container images. Optional. type: string type: object replicas: 
@@ -3361,159 +6125,231 @@ spec: format: int32 type: integer resources: - description: Resources defines the amount of memory and CPU to allocate to each component of the Control Plane (kube-apiserver, controller-manager, and scheduler). + description: Resources defines the amount of memory and CPU + to allocate to each component of the Control Plane (kube-apiserver, + controller-manager, and scheduler). properties: apiServer: - description: ResourceRequirements describes the compute resource requirements. + description: ResourceRequirements describes the compute + resource requirements. properties: claims: - description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable." + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are used by + this container. \n This is an alpha field and requires + enabling the DynamicResourceAllocation feature gate. + \n This field is immutable. It can only be set for + containers." items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. + description: Name must match the name of one + entry in pod.spec.resourceClaims of the Pod + where this field is used. It makes that resource + available inside a container. 
type: string required: - - name + - name type: object type: array x-kubernetes-list-map-keys: - - name + - name x-kubernetes-list-type: map limits: additionalProperties: anyOf: - - type: integer - - type: string + - type: integer + - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Limits describes the maximum amount + of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: anyOf: - - type: integer - - type: string + - type: integer + - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Requests describes the minimum amount + of compute resources required. If Requests is omitted + for a container, it defaults to Limits if that is + explicitly specified, otherwise to an implementation-defined + value. Requests cannot exceed Limits. More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object controllerManager: - description: ResourceRequirements describes the compute resource requirements. + description: ResourceRequirements describes the compute + resource requirements. 
properties: claims: - description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable." + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are used by + this container. \n This is an alpha field and requires + enabling the DynamicResourceAllocation feature gate. + \n This field is immutable. It can only be set for + containers." items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. + description: Name must match the name of one + entry in pod.spec.resourceClaims of the Pod + where this field is used. It makes that resource + available inside a container. type: string required: - - name + - name type: object type: array x-kubernetes-list-map-keys: - - name + - name x-kubernetes-list-type: map limits: additionalProperties: anyOf: - - type: integer - - type: string + - type: integer + - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Limits describes the maximum amount + of compute resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: anyOf: - - type: integer - - type: string + - type: integer + - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Requests describes the minimum amount + of compute resources required. If Requests is omitted + for a container, it defaults to Limits if that is + explicitly specified, otherwise to an implementation-defined + value. Requests cannot exceed Limits. More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object kine: - description: Define the kine container resources. Available only if Kamaji is running using Kine as backing storage. + description: Define the kine container resources. Available + only if Kamaji is running using Kine as backing storage. properties: claims: - description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable." + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are used by + this container. \n This is an alpha field and requires + enabling the DynamicResourceAllocation feature gate. + \n This field is immutable. It can only be set for + containers." items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. 
+ description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. + description: Name must match the name of one + entry in pod.spec.resourceClaims of the Pod + where this field is used. It makes that resource + available inside a container. type: string required: - - name + - name type: object type: array x-kubernetes-list-map-keys: - - name + - name x-kubernetes-list-type: map limits: additionalProperties: anyOf: - - type: integer - - type: string + - type: integer + - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Limits describes the maximum amount + of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: anyOf: - - type: integer - - type: string + - type: integer + - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Requests describes the minimum amount + of compute resources required. 
If Requests is omitted + for a container, it defaults to Limits if that is + explicitly specified, otherwise to an implementation-defined + value. Requests cannot exceed Limits. More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object scheduler: - description: ResourceRequirements describes the compute resource requirements. + description: ResourceRequirements describes the compute + resource requirements. properties: claims: - description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable." + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are used by + this container. \n This is an alpha field and requires + enabling the DynamicResourceAllocation feature gate. + \n This field is immutable. It can only be set for + containers." items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. properties: name: - description: Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. + description: Name must match the name of one + entry in pod.spec.resourceClaims of the Pod + where this field is used. It makes that resource + available inside a container. 
type: string required: - - name + - name type: object type: array x-kubernetes-list-map-keys: - - name + - name x-kubernetes-list-type: map limits: additionalProperties: anyOf: - - type: integer - - type: string + - type: integer + - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Limits describes the maximum amount + of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: anyOf: - - type: integer - - type: string + - type: integer + - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: 'Requests describes the minimum amount + of compute resources required. If Requests is omitted + for a container, it defaults to Limits if that is + explicitly specified, otherwise to an implementation-defined + value. Requests cannot exceed Limits. More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object type: object runtimeClassName: - description: 'RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used to run the Tenant Control Plane pod. If no RuntimeClass resource matches the named class, the pod will not be run. 
If unset or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class' + description: 'RuntimeClassName refers to a RuntimeClass object + in the node.k8s.io group, which should be used to run the + Tenant Control Plane pod. If no RuntimeClass resource matches + the named class, the pod will not be run. If unset or empty, + the "legacy" RuntimeClass will be used, which is an implicit + class with an empty definition that uses the default runtime + handler. More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class' type: string strategy: default: 
@@ -3521,125 +6357,303 @@ spec: maxSurge: 100% maxUnavailable: 0 type: RollingUpdate - description: Strategy describes how to replace existing pods with new ones for the given Tenant Control Plane. Default value is set to Rolling Update, with a blue/green strategy. + description: Strategy describes how to replace existing pods + with new ones for the given Tenant Control Plane. Default + value is set to Rolling Update, with a blue/green strategy. properties: rollingUpdate: - description: 'Rolling update config params. Present only if DeploymentStrategyType = RollingUpdate. --- TODO: Update this to follow our convention for oneOf, whatever we decide it to be.' + description: 'Rolling update config params. Present only + if DeploymentStrategyType = RollingUpdate. --- TODO: + Update this to follow our convention for oneOf, whatever + we decide it to be.' properties: maxSurge: anyOf: - - type: integer - - type: string - description: 'The maximum number of pods that can be scheduled above the desired number of pods. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up. Defaults to 25%. Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when the rolling update starts, such that the total number of old and new pods do not exceed 130% of desired pods. Once old pods have been killed, new ReplicaSet can be scaled up further, ensuring that total number of pods running at any time during the update is at most 130% of desired pods.' + - type: integer + - type: string + description: 'The maximum number of pods that can + be scheduled above the desired number of pods. Value + can be an absolute number (ex: 5) or a percentage + of desired pods (ex: 10%). This can not be 0 if + MaxUnavailable is 0. Absolute number is calculated + from percentage by rounding up. Defaults to 25%. 
+ Example: when this is set to 30%, the new ReplicaSet + can be scaled up immediately when the rolling update + starts, such that the total number of old and new + pods do not exceed 130% of desired pods. Once old + pods have been killed, new ReplicaSet can be scaled + up further, ensuring that total number of pods running + at any time during the update is at most 130% of + desired pods.' x-kubernetes-int-or-string: true maxUnavailable: anyOf: - - type: integer - - type: string - description: 'The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding down. This can not be 0 if MaxSurge is 0. Defaults to 25%. Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods immediately when the rolling update starts. Once new pods are ready, old ReplicaSet can be scaled down further, followed by scaling up the new ReplicaSet, ensuring that the total number of pods available at all times during the update is at least 70% of desired pods.' + - type: integer + - type: string + description: 'The maximum number of pods that can + be unavailable during the update. Value can be an + absolute number (ex: 5) or a percentage of desired + pods (ex: 10%). Absolute number is calculated from + percentage by rounding down. This can not be 0 if + MaxSurge is 0. Defaults to 25%. Example: when this + is set to 30%, the old ReplicaSet can be scaled + down to 70% of desired pods immediately when the + rolling update starts. Once new pods are ready, + old ReplicaSet can be scaled down further, followed + by scaling up the new ReplicaSet, ensuring that + the total number of pods available at all times + during the update is at least 70% of desired pods.' x-kubernetes-int-or-string: true type: object type: - description: Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate. 
+ description: Type of deployment. Can be "Recreate" or + "RollingUpdate". Default is RollingUpdate. type: string type: object tolerations: - description: 'If specified, the Tenant Control Plane pod''s tolerations. More info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/' + description: 'If specified, the Tenant Control Plane pod''s + tolerations. More info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/' items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . properties: effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule and + NoExecute. type: string key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. If the + key is empty, operator must be Exists; this combination + means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. + description: Operator represents a key's relationship + to the value. Valid operators are Exists and Equal. + Defaults to Equal. 
Exists is equivalent to wildcard + for value, so that a pod can tolerate all taints of + a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. + description: TolerationSeconds represents the period + of time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the + taint forever (do not evict). Zero and negative values + will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value should + be empty, otherwise just a regular string. type: string type: object type: array topologySpreadConstraints: - description: TopologySpreadConstraints describes how the Tenant Control Plane pods ought to spread across topology domains. Scheduler will schedule pods in a way which abides by the constraints. In case of nil underlying LabelSelector, the Kamaji one for the given Tenant Control Plane will be used. All topologySpreadConstraints are ANDed. + description: TopologySpreadConstraints describes how the Tenant + Control Plane pods ought to spread across topology domains. + Scheduler will schedule pods in a way which abides by the + constraints. In case of nil underlying LabelSelector, the + Kamaji one for the given Tenant Control Plane will be used. + All topologySpreadConstraints are ANDed. 
items: - description: TopologySpreadConstraint specifies how to spread matching pods among the given topology. + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. properties: labelSelector: - description: LabelSelector is used to find matching pods. Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain. + description: LabelSelector is used to find matching + pods. Pods that match this label selector are counted + to determine the number of pods in their corresponding + topology domain. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. 
If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array required: - - key - - operator + - key + - operator type: object type: array matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic matchLabelKeys: - description: MatchLabelKeys is a set of pod label keys to select the pods over which spreading will be calculated. The keys are used to lookup values from the incoming pod labels, those key-value labels are ANDed with labelSelector to select the group of existing pods over which spreading will be calculated for the incoming pod. Keys that don't exist in the incoming pod labels will be ignored. A null or empty list means only match against labelSelector. + description: "MatchLabelKeys is a set of pod label keys + to select the pods over which spreading will be calculated. + The keys are used to lookup values from the incoming + pod labels, those key-value labels are ANDed with + labelSelector to select the group of existing pods + over which spreading will be calculated for the incoming + pod. The same key is forbidden to exist in both MatchLabelKeys + and LabelSelector. MatchLabelKeys cannot be set when + LabelSelector isn't set. Keys that don't exist in + the incoming pod labels will be ignored. A null or + empty list means only match against labelSelector. 
+ \n This is a beta field and requires the MatchLabelKeysInPodTopologySpread + feature gate to be enabled (enabled by default)." items: type: string type: array x-kubernetes-list-type: atomic maxSkew: - description: 'MaxSkew describes the degree to which pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference between the number of matching pods in the target topology and the global minimum. The global minimum is the minimum number of matching pods in an eligible domain or zero if the number of eligible domains is less than MinDomains. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 2/2/1: In this case, the global minimum is 1. | zone1 | zone2 | zone3 | | P P | P P | P | - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) violate MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence to topologies that satisfy it. It''s a required field. Default value is 1 and 0 is not allowed.' + description: 'MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between the + number of matching pods in the target topology and + the global minimum. The global minimum is the minimum + number of matching pods in an eligible domain or zero + if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to + 1, and pods with the same labelSelector spread as + 2/2/1: In this case, the global minimum is 1. 
| zone1 + | zone2 | zone3 | | P P | P P | P | - if MaxSkew + is 1, incoming pod can only be scheduled to zone3 + to become 2/2/2; scheduling it onto zone1(zone2) would + make the ActualSkew(3-1) on zone1(zone2) violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto + any zone. When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence to topologies + that satisfy it. It''s a required field. Default value + is 1 and 0 is not allowed.' format: int32 type: integer minDomains: - description: "MinDomains indicates a minimum number of eligible domains. When the number of eligible domains with matching topology keys is less than minDomains, Pod Topology Spread treats \"global minimum\" as 0, and then the calculation of Skew is performed. And when the number of eligible domains with matching topology keys equals or greater than minDomains, this value has no effect on scheduling. As a result, when the number of eligible domains is less than minDomains, scheduler won't schedule more than maxSkew Pods to those domains. If value is nil, the constraint behaves as if MinDomains is equal to 1. Valid values are integers greater than 0. When value is not nil, WhenUnsatisfiable must be DoNotSchedule. \n For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same labelSelector spread as 2/2/2: | zone1 | zone2 | zone3 | | P P | P P | P P | The number of domains is less than 5(MinDomains), so \"global minimum\" is treated as 0. In this situation, new pod with the same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, it will violate MaxSkew. \n This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default)." + description: "MinDomains indicates a minimum number + of eligible domains. 
When the number of eligible domains + with matching topology keys is less than minDomains, + Pod Topology Spread treats \"global minimum\" as 0, + and then the calculation of Skew is performed. And + when the number of eligible domains with matching + topology keys equals or greater than minDomains, this + value has no effect on scheduling. As a result, when + the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to + those domains. If value is nil, the constraint behaves + as if MinDomains is equal to 1. Valid values are integers + greater than 0. When value is not nil, WhenUnsatisfiable + must be DoNotSchedule. \n For example, in a 3-zone + cluster, MaxSkew is set to 2, MinDomains is set to + 5 and pods with the same labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | | P P | P P | P P | + The number of domains is less than 5(MinDomains), + so \"global minimum\" is treated as 0. In this situation, + new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod + is scheduled to any of the three zones, it will violate + MaxSkew. \n This is a beta field and requires the + MinDomainsInPodTopologySpread feature gate to be enabled + (enabled by default)." format: int32 type: integer nodeAffinityPolicy: - description: "NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew. Options are: - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. \n If this value is nil, the behavior is equivalent to the Honor policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag." + description: "NodeAffinityPolicy indicates how we will + treat Pod's nodeAffinity/nodeSelector when calculating + pod topology spread skew. 
Options are: - Honor: only + nodes matching nodeAffinity/nodeSelector are included + in the calculations. - Ignore: nodeAffinity/nodeSelector + are ignored. All nodes are included in the calculations. + \n If this value is nil, the behavior is equivalent + to the Honor policy. This is a beta-level feature + default enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." type: string nodeTaintsPolicy: - description: "NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew. Options are: - Honor: nodes without taints, along with tainted nodes for which the incoming pod has a toleration, are included. - Ignore: node taints are ignored. All nodes are included. \n If this value is nil, the behavior is equivalent to the Ignore policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag." + description: "NodeTaintsPolicy indicates how we will + treat node taints when calculating pod topology spread + skew. Options are: - Honor: nodes without taints, + along with tainted nodes for which the incoming pod + has a toleration, are included. - Ignore: node taints + are ignored. All nodes are included. \n If this value + is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the + NodeInclusionPolicyInPodTopologySpread feature flag." type: string topologyKey: - description: TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each as a "bucket", and try to put balanced number of pods into each bucket. We define a domain as a particular instance of a topology. Also, we define an eligible domain as a domain whose nodes meet the requirements of nodeAffinityPolicy and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. 
And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. It's a required field. + description: TopologyKey is the key of node labels. + Nodes that have a label with this key and identical + values are considered to be in the same topology. + We consider each as a "bucket", and try + to put balanced number of pods into each bucket. We + define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose + nodes meet the requirements of nodeAffinityPolicy + and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", + each Node is a domain of that topology. And, if TopologyKey + is "topology.kubernetes.io/zone", each zone is a domain + of that topology. It's a required field. type: string whenUnsatisfiable: - description: 'WhenUnsatisfiable indicates how to deal with a pod if it doesn''t satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any location, but giving higher precedence to topologies that would help reduce the skew. A constraint is considered "Unsatisfiable" for an incoming pod if and only if every possible node assignment for that pod would violate "MaxSkew" on some topology. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won''t make it *more* imbalanced. It''s a required field.' + description: 'WhenUnsatisfiable indicates how to deal + with a pod if it doesn''t satisfy the spread constraint. + - DoNotSchedule (default) tells the scheduler not + to schedule it. 
- ScheduleAnyway tells the scheduler + to schedule the pod in any location, but giving higher + precedence to topologies that would help reduce the + skew. A constraint is considered "Unsatisfiable" for + an incoming pod if and only if every possible node + assignment for that pod would violate "MaxSkew" on + some topology. For example, in a 3-zone cluster, MaxSkew + is set to 1, and pods with the same labelSelector + spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P + | P | P | If WhenUnsatisfiable is set to DoNotSchedule, + incoming pod can only be scheduled to zone2(zone3) + to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) + satisfies MaxSkew(1). In other words, the cluster + can still be imbalanced, but scheduler won''t make + it *more* imbalanced. It''s a required field.' type: string required: - - maxSkew - - topologyKey - - whenUnsatisfiable + - maxSkew + - topologyKey + - whenUnsatisfiable type: object type: array type: object ingress: - description: Defining the options for an Optional Ingress which will expose API Server of the Tenant Control Plane + description: Defining the options for an Optional Ingress which + will expose API Server of the Tenant Control Plane properties: additionalMetadata: - description: AdditionalMetadata defines which additional metadata, such as labels and annotations, must be attached to the created resource. + description: AdditionalMetadata defines which additional metadata, + such as labels and annotations, must be attached to the + created resource. properties: annotations: additionalProperties: 
@@ -3651,16 +6665,22 @@ spec: type: object type: object hostname: - description: Hostname is an optional field which will be used as Ingress's Host. If it is not defined, Ingress's host will be "..", where domain is specified under NetworkProfileSpec + description: Hostname is an optional field which will be used + as Ingress's Host. If it is not defined, Ingress's host + will be "..", where domain is + specified under NetworkProfileSpec type: string ingressClassName: type: string type: object service: - description: Defining the options for the Tenant Control Plane Service resource. + description: Defining the options for the Tenant Control Plane + Service resource. properties: additionalMetadata: - description: AdditionalMetadata defines which additional metadata, such as labels and annotations, must be attached to the created resource. + description: AdditionalMetadata defines which additional metadata, + such as labels and annotations, must be attached to the + created resource. properties: annotations: additionalProperties: 
@@ -3672,106 +6692,116 @@ spec: type: object type: object serviceType: - description: ServiceType allows specifying how to expose the Tenant Control Plane. + description: ServiceType allows specifying how to expose the + Tenant Control Plane. enum: - - ClusterIP - - NodePort - - LoadBalancer + - ClusterIP + - NodePort + - LoadBalancer type: string required: - - serviceType + - serviceType type: object required: - - service + - service type: object dataStore: - description: DataStore allows to specify a DataStore that should be used to store the Kubernetes data for the given Tenant Control Plane. This parameter is optional and acts as an override over the default one which is used by the Kamaji Operator. Migration from a different DataStore to another one is not yet supported and the reconciliation will be blocked. + description: DataStore allows to specify a DataStore that should be + used to store the Kubernetes data for the given Tenant Control Plane. + This parameter is optional and acts as an override over the default + one which is used by the Kamaji Operator. Migration from a different + DataStore to another one is not yet supported and the reconciliation + will be blocked. type: string kubernetes: description: Kubernetes specification for tenant control plane properties: admissionControllers: default: + - CertificateApproval + - CertificateSigning + - CertificateSubjectRestriction + - DefaultIngressClass + - DefaultStorageClass + - DefaultTolerationSeconds + - LimitRanger + - MutatingAdmissionWebhook + - NamespaceLifecycle + - PersistentVolumeClaimResize + - Priority + - ResourceQuota + - RuntimeClass + - ServiceAccount + - StorageObjectInUseProtection + - TaintNodesByCondition + - ValidatingAdmissionWebhook + description: 'List of enabled Admission Controllers for the Tenant + cluster. 
Full reference available here: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers' + items: + enum: + - AlwaysAdmit + - AlwaysDeny + - AlwaysPullImages - CertificateApproval - CertificateSigning - CertificateSubjectRestriction - DefaultIngressClass - DefaultStorageClass - DefaultTolerationSeconds + - DenyEscalatingExec + - DenyExecOnPrivileged + - DenyServiceExternalIPs + - EventRateLimit + - ExtendedResourceToleration + - ImagePolicyWebhook + - LimitPodHardAntiAffinityTopology - LimitRanger - MutatingAdmissionWebhook + - NamespaceAutoProvision + - NamespaceExists - NamespaceLifecycle + - NodeRestriction + - OwnerReferencesPermissionEnforcement - PersistentVolumeClaimResize + - PersistentVolumeLabel + - PodNodeSelector + - PodSecurity + - PodSecurityPolicy + - PodTolerationRestriction - Priority - ResourceQuota - RuntimeClass + - SecurityContextDeny - ServiceAccount - StorageObjectInUseProtection - TaintNodesByCondition - ValidatingAdmissionWebhook - description: 'List of enabled Admission Controllers for the Tenant cluster. 
Full reference available here: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers' - items: - enum: - - AlwaysAdmit - - AlwaysDeny - - AlwaysPullImages - - CertificateApproval - - CertificateSigning - - CertificateSubjectRestriction - - DefaultIngressClass - - DefaultStorageClass - - DefaultTolerationSeconds - - DenyEscalatingExec - - DenyExecOnPrivileged - - DenyServiceExternalIPs - - EventRateLimit - - ExtendedResourceToleration - - ImagePolicyWebhook - - LimitPodHardAntiAffinityTopology - - LimitRanger - - MutatingAdmissionWebhook - - NamespaceAutoProvision - - NamespaceExists - - NamespaceLifecycle - - NodeRestriction - - OwnerReferencesPermissionEnforcement - - PersistentVolumeClaimResize - - PersistentVolumeLabel - - PodNodeSelector - - PodSecurity - - PodSecurityPolicy - - PodTolerationRestriction - - Priority - - ResourceQuota - - RuntimeClass - - SecurityContextDeny - - ServiceAccount - - StorageObjectInUseProtection - - TaintNodesByCondition - - ValidatingAdmissionWebhook type: string type: array kubelet: properties: cgroupfs: - description: CGroupFS defines the cgroup driver for Kubelet https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver/ + description: CGroupFS defines the cgroup driver for Kubelet + https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver/ enum: - - systemd - - cgroupfs + - systemd + - cgroupfs type: string preferredAddressTypes: default: + - Hostname + - InternalIP + - ExternalIP + description: Ordered list of the preferred NodeAddressTypes + to use for kubelet connections. Default to Hostname, InternalIP, + ExternalIP. + items: + enum: - Hostname - InternalIP - ExternalIP - description: Ordered list of the preferred NodeAddressTypes to use for kubelet connections. Default to Hostname, InternalIP, ExternalIP. 
- items: - enum: - - Hostname - - InternalIP - - ExternalIP - - InternalDNS - - ExternalDNS + - InternalDNS + - ExternalDNS type: string minItems: 1 type: array @@ -3780,26 +6810,33 @@ spec: description: Kubernetes Version for the tenant control plane type: string required: - - kubelet - - version + - kubelet + - version type: object networkProfile: description: NetworkProfile specifies how the network is properties: address: - description: Address where API server of will be exposed. In case of LoadBalancer Service, this can be empty in order to use the exposed IP provided by the cloud controller manager. + description: Address where API server of will be exposed. In case + of LoadBalancer Service, this can be empty in order to use the + exposed IP provided by the cloud controller manager. type: string allowAddressAsExternalIP: - description: AllowAddressAsExternalIP will include tenantControlPlane.Spec.NetworkProfile.Address in the section of ExternalIPs of the Kubernetes Service (only ClusterIP or NodePort) + description: AllowAddressAsExternalIP will include tenantControlPlane.Spec.NetworkProfile.Address + in the section of ExternalIPs of the Kubernetes Service (only + ClusterIP or NodePort) type: boolean certSANs: - description: CertSANs sets extra Subject Alternative Names (SANs) for the API Server signing certificate. Use this field to add additional hostnames when exposing the Tenant Control Plane with third solutions. + description: CertSANs sets extra Subject Alternative Names (SANs) + for the API Server signing certificate. Use this field to add + additional hostnames when exposing the Tenant Control Plane + with third solutions. items: type: string type: array dnsServiceIPs: default: - - 10.96.0.10 + - 10.96.0.10 items: type: string type: array 
@@ -3818,8 +6855,8 @@ spec: type: string type: object required: - - controlPlane - - kubernetes + - controlPlane + - kubernetes type: object status: description: TenantControlPlaneStatus defines the observed state of TenantControlPlane. @@ -3836,10 +6873,11 @@ spec: format: date-time type: string required: - - enabled + - enabled type: object konnectivity: - description: KonnectivityStatus defines the status of Konnectivity as Addon. + description: KonnectivityStatus defines the status of Konnectivity + as Addon. properties: agent: properties: @@ -3884,7 +6922,8 @@ spec: enabled: type: boolean kubeconfig: - description: KubeconfigStatus contains information about the generated kubeconfig. + description: KubeconfigStatus contains information about the + generated kubeconfig. properties: checksum: type: string 
@@ -3906,89 +6945,163 @@ spec: type: string type: object service: - description: KubernetesServiceStatus defines the status for the Tenant Control Plane Service in the management cluster. + description: KubernetesServiceStatus defines the status for + the Tenant Control Plane Service in the management cluster. properties: conditions: description: Current service state items: - description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: "Condition contains details for one aspect + of the current state of this API Resource. --- This + struct is intended for direct use as an array at the + field path .status.conditions. For example, \n type + FooStatus struct{ // Represents the observations of + a foo's current state. // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\" + // +patchMergeKey=type // +patchStrategy=merge // + +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" + patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ description: lastTransitionTime is the last time + the condition transitioned from one status to + another. This should be when the underlying condition + changed. If that is not known, then using the + time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating details about the transition. This may be an empty string. + description: message is a human readable message + indicating details about the transition. This + may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the + .status.conditions[x].observedGeneration is 9, + the condition is out of date with respect to the + current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + description: reason contains a programmatic identifier + indicating the reason for the condition's last + transition. Producers of specific condition types + may define expected values and meanings for this + field, and whether the values are considered a + guaranteed API. The value should be a CamelCase + string. This field may not be empty. 
maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: - description: status of the condition, one of True, False, Unknown. + description: status of the condition, one of True, + False, Unknown. enum: - - "True" - - "False" - - Unknown + - "True" + - "False" + - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in + foo.example.com/CamelCase. --- Many .condition.type + values are consistent across resources like Available, + but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to + deconflict is important. The regex it matches + is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - - lastTransitionTime - - message - - reason - - status - - type + - lastTransitionTime + - message + - reason + - status + - type type: object type: array x-kubernetes-list-map-keys: - - type + - type x-kubernetes-list-type: map loadBalancer: - description: LoadBalancer contains the current status of the load-balancer, if one is present. + description: LoadBalancer contains the current status + of the load-balancer, if one is present. properties: ingress: - description: Ingress is a list containing ingress points for the load-balancer. Traffic intended for the service should be sent to these ingress points. + description: Ingress is a list containing ingress + points for the load-balancer. Traffic intended for + the service should be sent to these ingress points. 
items: - description: 'LoadBalancerIngress represents the status of a load-balancer ingress point: traffic intended for the service should be sent to an ingress point.' + description: 'LoadBalancerIngress represents the + status of a load-balancer ingress point: traffic + intended for the service should be sent to an + ingress point.' properties: hostname: - description: Hostname is set for load-balancer ingress points that are DNS based (typically AWS load-balancers) + description: Hostname is set for load-balancer + ingress points that are DNS based (typically + AWS load-balancers) type: string ip: - description: IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers) + description: IP is set for load-balancer ingress + points that are IP based (typically GCE or + OpenStack load-balancers) + type: string + ipMode: + description: IPMode specifies how the load-balancer + IP behaves, and may only be specified when + the ip field is specified. Setting this to + "VIP" indicates that traffic is delivered + to the node with the destination set to the + load-balancer's IP and port. Setting this + to "Proxy" indicates that traffic is delivered + to the node or pod with the destination set + to the node's IP and node port or the pod's + IP and port. Service implementations may use + this information to adjust traffic routing. 
type: string ports: - description: Ports is a list of records of service ports If used, every port defined in the service should have an entry in it + description: Ports is a list of records of service + ports If used, every port defined in the service + should have an entry in it items: properties: error: - description: 'Error is to record the problem with the service port The format of the error shall comply with the following rules: - built-in error values shall be specified in this file and those shall use CamelCase names - cloud provider specific error values must have names that comply with the format foo.example.com/CamelCase. --- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)' + description: 'Error is to record the problem + with the service port The format of + the error shall comply with the following + rules: - built-in error values shall + be specified in this file and those + shall use CamelCase names - cloud provider + specific error values must have names + that comply with the format foo.example.com/CamelCase. + --- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)' maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string port: - description: Port is the port number of the service port of which status is recorded here + description: Port is the port number of + the service port of which status is + recorded here format: int32 type: integer protocol: default: TCP - description: 'Protocol is the protocol of the service port of which status is recorded here The supported values are: "TCP", "UDP", "SCTP"' + description: 'Protocol is the protocol + of the service port of which status + is recorded here The supported values + are: "TCP", "UDP", "SCTP"' type: string required: - - port - - protocol + - port + - protocol type: object type: array x-kubernetes-list-type: atomic 
@@ -3999,19 +7112,20 @@ spec: description: The name of the Service for the given cluster. type: string namespace: - description: The namespace which the Service for the given cluster is deployed. + description: The namespace which the Service for the given + cluster is deployed. type: string port: description: The port where the service is running format: int32 type: integer required: - - name - - namespace - - port + - name + - namespace + - port type: object required: - - enabled + - enabled type: object kubeProxy: description: AddonStatus defines the observed state of an Addon. @@ -4022,11 +7136,12 @@ spec: format: date-time type: string required: - - enabled + - enabled type: object type: object certificates: - description: Certificates contains information about the different certificates that are necessary to run a kubernetes control plane + description: Certificates contains information about the different + certificates that are necessary to run a kubernetes control plane properties: apiServer: description: CertificatePrivateKeyPairStatus defines the status. @@ -4062,10 +7177,12 @@ spec: type: string type: object etcd: - description: ETCDCertificatesStatus defines the observed state of ETCD Certificate for API server. + description: ETCDCertificatesStatus defines the observed state + of ETCD Certificate for API server. properties: apiServer: - description: APIServerCertificatesStatus defines the observed state of ETCD Certificate for API server. + description: APIServerCertificatesStatus defines the observed + state of ETCD Certificate for API server. properties: checksum: type: string @@ -4076,7 +7193,8 @@ spec: type: string type: object ca: - description: ETCDCertificateStatus defines the observed state of ETCD Certificate for API server. + description: ETCDCertificateStatus defines the observed state + of ETCD Certificate for API server. properties: checksum: type: string 
@@ -4122,13 +7240,16 @@ spec: type: object type: object controlPlaneEndpoint: - description: ControlPlaneEndpoint contains the status of the kubernetes control plane + description: ControlPlaneEndpoint contains the status of the kubernetes + control plane type: string kubeadmPhase: - description: KubeadmPhase contains the status of the kubeadm phases action + description: KubeadmPhase contains the status of the kubeadm phases + action properties: bootstrapToken: - description: KubeadmPhaseStatus contains the status of a kubeadm phase action. + description: KubeadmPhaseStatus contains the status of a kubeadm + phase action. properties: checksum: type: string @@ -4137,10 +7258,11 @@ spec: type: string type: object required: - - bootstrapToken + - bootstrapToken type: object kubeadmconfig: - description: KubeadmConfig contains the status of the configuration required by kubeadm + description: KubeadmConfig contains the status of the configuration + required by kubeadm properties: checksum: description: Checksum of the kubeadm configuration to detect changes @@ -4152,10 +7274,12 @@ spec: type: string type: object kubeconfig: - description: KubeConfig contains information about the kubenconfigs that control plane pieces need + description: KubeConfig contains information about the kubenconfigs + that control plane pieces need properties: admin: - description: KubeconfigStatus contains information about the generated kubeconfig. + description: KubeconfigStatus contains information about the generated + kubeconfig. properties: checksum: type: string @@ -4166,7 +7290,8 @@ spec: type: string type: object controllerManager: - description: KubeconfigStatus contains information about the generated kubeconfig. + description: KubeconfigStatus contains information about the generated + kubeconfig. properties: checksum: type: string 
@@ -4177,7 +7302,8 @@ spec: type: string type: object scheduler: - description: KubeconfigStatus contains information about the generated kubeconfig. + description: KubeconfigStatus contains information about the generated + kubeconfig. properties: checksum: type: string 
@@ -4189,26 +7315,35 @@ spec: type: object type: object kubernetesResources: - description: Kubernetes contains information about the reconciliation of the required Kubernetes resources deployed in the admin cluster + description: Kubernetes contains information about the reconciliation + of the required Kubernetes resources deployed in the admin cluster properties: deployment: - description: KubernetesDeploymentStatus defines the status for the Tenant Control Plane Deployment in the management cluster. + description: KubernetesDeploymentStatus defines the status for + the Tenant Control Plane Deployment in the management cluster. properties: availableReplicas: - description: Total number of available pods (ready for at least minReadySeconds) targeted by this deployment. + description: Total number of available pods (ready for at + least minReadySeconds) targeted by this deployment. format: int32 type: integer collisionCount: - description: Count of hash collisions for the Deployment. The Deployment controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ReplicaSet. + description: Count of hash collisions for the Deployment. + The Deployment controller uses this field as a collision + avoidance mechanism when it needs to create the name for + the newest ReplicaSet. format: int32 type: integer conditions: - description: Represents the latest available observations of a deployment's current state. + description: Represents the latest available observations + of a deployment's current state. items: - description: DeploymentCondition describes the state of a deployment at a certain point. + description: DeploymentCondition describes the state of + a deployment at a certain point. properties: lastTransitionTime: - description: Last time the condition transitioned from one status to another. + description: Last time the condition transitioned from + one status to another. format: date-time type: string lastUpdateTime: 
@@ -4216,20 +7351,22 @@ spec: format: date-time type: string message: - description: A human readable message indicating details about the transition. + description: A human readable message indicating details + about the transition. type: string reason: description: The reason for the condition's last transition. type: string status: - description: Status of the condition, one of True, False, Unknown. + description: Status of the condition, one of True, False, + Unknown. type: string type: description: Type of deployment condition. type: string required: - - status - - type + - status + - type type: object type: array lastUpdate: 
@@ -4240,74 +7377,102 @@ spec: description: The name of the Deployment for the given cluster. type: string namespace: - description: The namespace which the Deployment for the given cluster is deployed. + description: The namespace which the Deployment for the given + cluster is deployed. type: string observedGeneration: description: The generation observed by the deployment controller. format: int64 type: integer readyReplicas: - description: readyReplicas is the number of pods targeted by this Deployment with a Ready Condition. + description: readyReplicas is the number of pods targeted + by this Deployment with a Ready Condition. format: int32 type: integer replicas: - description: Total number of non-terminated pods targeted by this deployment (their labels match the selector). + description: Total number of non-terminated pods targeted + by this deployment (their labels match the selector). format: int32 type: integer selector: - description: Selector is the label selector used to group the Tenant Control Plane Pods used by the scale subresource. + description: Selector is the label selector used to group + the Tenant Control Plane Pods used by the scale subresource. type: string unavailableReplicas: - description: Total number of unavailable pods targeted by this deployment. This is the total number of pods that are still required for the deployment to have 100% available capacity. They may either be pods that are running but not yet available or pods that still have not been created. + description: Total number of unavailable pods targeted by + this deployment. This is the total number of pods that are + still required for the deployment to have 100% available + capacity. They may either be pods that are running but not + yet available or pods that still have not been created. format: int32 type: integer updatedReplicas: - description: Total number of non-terminated pods targeted by this deployment that have the desired template spec. 
+ description: Total number of non-terminated pods targeted + by this deployment that have the desired template spec. format: int32 type: integer required: - - name - - namespace - - selector + - name + - namespace + - selector type: object ingress: - description: KubernetesIngressStatus defines the status for the Tenant Control Plane Ingress in the management cluster. + description: KubernetesIngressStatus defines the status for the + Tenant Control Plane Ingress in the management cluster. properties: loadBalancer: - description: LoadBalancer contains the current status of the load-balancer. + description: loadBalancer contains the current status of the + load-balancer. properties: ingress: - description: Ingress is a list containing ingress points for the load-balancer. + description: ingress is a list containing ingress points + for the load-balancer. items: - description: IngressLoadBalancerIngress represents the status of a load-balancer ingress point. + description: IngressLoadBalancerIngress represents the + status of a load-balancer ingress point. properties: hostname: - description: Hostname is set for load-balancer ingress points that are DNS based. + description: hostname is set for load-balancer ingress + points that are DNS based. type: string ip: - description: IP is set for load-balancer ingress points that are IP based. + description: ip is set for load-balancer ingress + points that are IP based. type: string ports: - description: Ports provides information about the ports exposed by this LoadBalancer. + description: ports provides information about the + ports exposed by this LoadBalancer. 
items: - description: IngressPortStatus represents the error condition of a service port + description: IngressPortStatus represents the + error condition of a service port properties: error: - description: 'Error is to record the problem with the service port The format of the error shall comply with the following rules: - built-in error values shall be specified in this file and those shall use CamelCase names - cloud provider specific error values must have names that comply with the format foo.example.com/CamelCase. --- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)' + description: 'error is to record the problem + with the service port The format of the + error shall comply with the following rules: + - built-in error values shall be specified + in this file and those shall use CamelCase + names - cloud provider specific error values + must have names that comply with the format + foo.example.com/CamelCase. --- The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)' maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string port: - description: Port is the port number of the ingress port. + description: port is the port number of the + ingress port. format: int32 type: integer protocol: default: TCP - description: 'Protocol is the protocol of the ingress port. The supported values are: "TCP", "UDP", "SCTP"' + description: 'protocol is the protocol of + the ingress port. The supported values are: + "TCP", "UDP", "SCTP"' type: string required: - - port - - protocol + - port + - protocol type: object type: array x-kubernetes-list-type: atomic 
@@ -4318,96 +7483,165 @@ spec: description: The name of the Ingress for the given cluster. type: string namespace: - description: The namespace which the Ingress for the given cluster is deployed. + description: The namespace which the Ingress for the given + cluster is deployed. type: string required: - - name - - namespace + - name + - namespace type: object service: - description: KubernetesServiceStatus defines the status for the Tenant Control Plane Service in the management cluster. + description: KubernetesServiceStatus defines the status for the + Tenant Control Plane Service in the management cluster. properties: conditions: description: Current service state items: - description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + description: "Condition contains details for one aspect + of the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, \n type FooStatus struct{ + // Represents the observations of a foo's current state. 
+ // Known .status.conditions.type are: \"Available\", \"Progressing\", + and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" + patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + description: lastTransitionTime is the last time the + condition transitioned from one status to another. + This should be when the underlying condition changed. If + that is not known, then using the time when the API + field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating details about the transition. This may be an empty string. + description: message is a human readable message indicating + details about the transition. This may be an empty + string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to + the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating the reason for the condition's last transition. 
Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value + should be a CamelCase string. This field may not be + empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: - description: status of the condition, one of True, False, Unknown. + description: status of the condition, one of True, False, + Unknown. enum: - - "True" - - "False" - - Unknown + - "True" + - "False" + - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. 
The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - - lastTransitionTime - - message - - reason - - status - - type + - lastTransitionTime + - message + - reason + - status + - type type: object type: array x-kubernetes-list-map-keys: - - type + - type x-kubernetes-list-type: map loadBalancer: - description: LoadBalancer contains the current status of the load-balancer, if one is present. + description: LoadBalancer contains the current status of the + load-balancer, if one is present. properties: ingress: - description: Ingress is a list containing ingress points for the load-balancer. Traffic intended for the service should be sent to these ingress points. + description: Ingress is a list containing ingress points + for the load-balancer. Traffic intended for the service + should be sent to these ingress points. items: - description: 'LoadBalancerIngress represents the status of a load-balancer ingress point: traffic intended for the service should be sent to an ingress point.' + description: 'LoadBalancerIngress represents the status + of a load-balancer ingress point: traffic intended + for the service should be sent to an ingress point.' 
properties: hostname: - description: Hostname is set for load-balancer ingress points that are DNS based (typically AWS load-balancers) + description: Hostname is set for load-balancer ingress + points that are DNS based (typically AWS load-balancers) type: string ip: - description: IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers) + description: IP is set for load-balancer ingress + points that are IP based (typically GCE or OpenStack + load-balancers) + type: string + ipMode: + description: IPMode specifies how the load-balancer + IP behaves, and may only be specified when the + ip field is specified. Setting this to "VIP" indicates + that traffic is delivered to the node with the + destination set to the load-balancer's IP and + port. Setting this to "Proxy" indicates that traffic + is delivered to the node or pod with the destination + set to the node's IP and node port or the pod's + IP and port. Service implementations may use this + information to adjust traffic routing. type: string ports: - description: Ports is a list of records of service ports If used, every port defined in the service should have an entry in it + description: Ports is a list of records of service + ports If used, every port defined in the service + should have an entry in it items: properties: error: - description: 'Error is to record the problem with the service port The format of the error shall comply with the following rules: - built-in error values shall be specified in this file and those shall use CamelCase names - cloud provider specific error values must have names that comply with the format foo.example.com/CamelCase. 
--- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)' + description: 'Error is to record the problem + with the service port The format of the + error shall comply with the following rules: + - built-in error values shall be specified + in this file and those shall use CamelCase + names - cloud provider specific error values + must have names that comply with the format + foo.example.com/CamelCase. --- The regex + it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)' maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string port: - description: Port is the port number of the service port of which status is recorded here + description: Port is the port number of the + service port of which status is recorded + here format: int32 type: integer protocol: default: TCP - description: 'Protocol is the protocol of the service port of which status is recorded here The supported values are: "TCP", "UDP", "SCTP"' + description: 'Protocol is the protocol of + the service port of which status is recorded + here The supported values are: "TCP", "UDP", + "SCTP"' type: string required: - - port - - protocol + - port + - protocol type: object type: array x-kubernetes-list-type: atomic 
@@ -4418,38 +7652,43 @@ spec: description: The name of the Service for the given cluster. type: string namespace: - description: The namespace which the Service for the given cluster is deployed. + description: The namespace which the Service for the given + cluster is deployed. type: string port: description: The port where the service is running format: int32 type: integer required: - - name - - namespace - - port + - name + - namespace + - port type: object version: - description: KubernetesVersion contains the information regarding the running Kubernetes version, and its upgrade status. + description: KubernetesVersion contains the information regarding + the running Kubernetes version, and its upgrade status. properties: status: default: Provisioning - description: Status returns the current status of the Kubernetes version, such as its provisioning state, or completed upgrade. + description: Status returns the current status of the Kubernetes + version, such as its provisioning state, or completed upgrade. enum: - - Provisioning - - CertificateAuthorityRotating - - Upgrading - - Migrating - - Ready - - NotReady + - Provisioning + - CertificateAuthorityRotating + - Upgrading + - Migrating + - Ready + - NotReady type: string version: - description: Version is the running Kubernetes version of the Tenant Control Plane. + description: Version is the running Kubernetes version of + the Tenant Control Plane. type: string type: object type: object storage: - description: Storage Status contains information about Kubernetes storage system + description: Storage Status contains information about Kubernetes + storage system properties: certificate: properties: diff --git a/charts/cockroach-labs/cockroachdb/Chart.yaml b/charts/cockroach-labs/cockroachdb/Chart.yaml index e60c575ad..391f738e1 100644 --- a/charts/cockroach-labs/cockroachdb/Chart.yaml +++ b/charts/cockroach-labs/cockroachdb/Chart.yaml 
@@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.8-0' catalog.cattle.io/release-name: cockroachdb apiVersion: v1 -appVersion: 23.1.12 +appVersion: 23.1.13 description: CockroachDB is a scalable, survivable, strongly-consistent SQL database. home: https://www.cockroachlabs.com icon: https://raw.githubusercontent.com/cockroachdb/cockroach/master/docs/media/cockroach_db.png @@ -14,4 +14,4 @@ maintainers: name: cockroachdb sources: - https://github.com/cockroachdb/cockroach -version: 11.2.2 +version: 11.2.3 diff --git a/charts/cockroach-labs/cockroachdb/README.md b/charts/cockroach-labs/cockroachdb/README.md index a84383a6c..e363e29dc 100644 --- a/charts/cockroach-labs/cockroachdb/README.md +++ b/charts/cockroach-labs/cockroachdb/README.md @@ -229,10 +229,10 @@ kubectl get pods \ ``` ``` -my-release-cockroachdb-0 cockroachdb/cockroach:v23.1.12 -my-release-cockroachdb-1 cockroachdb/cockroach:v23.1.12 -my-release-cockroachdb-2 cockroachdb/cockroach:v23.1.12 -my-release-cockroachdb-3 cockroachdb/cockroach:v23.1.12 +my-release-cockroachdb-0 cockroachdb/cockroach:v23.1.13 +my-release-cockroachdb-1 cockroachdb/cockroach:v23.1.13 +my-release-cockroachdb-2 cockroachdb/cockroach:v23.1.13 +my-release-cockroachdb-3 cockroachdb/cockroach:v23.1.13 ``` Resume normal operations. Once you are comfortable that the stability and performance of the cluster is what you'd expect post-upgrade, finalize the upgrade: 
@@ -316,7 +316,7 @@ For details see the [`values.yaml`](values.yaml) file. | `conf.store.size` | CockroachDB storage size | `""` | | `conf.store.attrs` | CockroachDB storage attributes | `""` | | `image.repository` | Container image name | `cockroachdb/cockroach` | -| `image.tag` | Container image tag | `v23.1.12` | +| `image.tag` | Container image tag | `v23.1.13` | | `image.pullPolicy` | Container pull policy | `IfNotPresent` | | `image.credentials` | `registry`, `user` and `pass` credentials to pull private image | `{}` | | `statefulset.replicas` | StatefulSet replicas number | `3` | diff --git a/charts/cockroach-labs/cockroachdb/values.yaml b/charts/cockroach-labs/cockroachdb/values.yaml index 5441cebd6..084c0b8d5 100644 --- a/charts/cockroach-labs/cockroachdb/values.yaml +++ b/charts/cockroach-labs/cockroachdb/values.yaml @@ -7,7 +7,7 @@ fullnameOverride: "" image: repository: cockroachdb/cockroach - tag: v23.1.12 + tag: v23.1.13 pullPolicy: IfNotPresent credentials: {} # registry: docker.io diff --git a/charts/confluent/confluent-for-kubernetes/Chart.yaml b/charts/confluent/confluent-for-kubernetes/Chart.yaml index 4a276ac04..1798f78ff 100644 --- a/charts/confluent/confluent-for-kubernetes/Chart.yaml +++ b/charts/confluent/confluent-for-kubernetes/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.15-0' catalog.cattle.io/release-name: confluent-for-kubernetes apiVersion: v1 -appVersion: 2.7.2 +appVersion: 2.7.3 description: A Helm chart to deploy Confluent for Kubernetes home: https://www.confluent.io/ icon: https://cdn.confluent.io/wp-content/uploads/seo-logo-meadow.png @@ -19,4 +19,4 @@ maintainers: name: confluent-for-kubernetes sources: - https://docs.confluent.io/current/index.html -version: 0.824.33 +version: 0.824.40 
diff --git a/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_clusterlinks.yaml b/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_clusterlinks.yaml index 5d45a643e..5ae62f3e9 100644 --- a/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_clusterlinks.yaml +++ b/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_clusterlinks.yaml @@ -462,6 +462,7 @@ spec: enum: - Source - Destination + - Bidirectional type: string required: - linkMode diff --git a/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_connects.yaml b/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_connects.yaml index 4e1469010..4c834880c 100644 --- a/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_connects.yaml +++ b/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_connects.yaml @@ -4999,6 +4999,9 @@ spec: to change most of the time. format: int32 type: integer + path: + description: Path for the HTTP probe + type: string periodSeconds: description: periodSeconds specifies how often to perform the probe. Confluent Platform components come with the @@ -5006,6 +5009,9 @@ spec: to change most of the time. format: int32 type: integer + port: + description: Number of the port to access on the container + type: integer successThreshold: description: successThreshold is the minimum consecutive successes for the probe to be considered successful @@ -5042,6 +5048,9 @@ spec: to change most of the time. format: int32 type: integer + path: + description: Path for the HTTP probe + type: string periodSeconds: description: periodSeconds specifies how often to perform the probe. Confluent Platform components come with the 
@@ -5049,6 +5058,9 @@ spec: to change most of the time. format: int32 type: integer + port: + description: Number of the port to access on the container + type: integer successThreshold: description: successThreshold is the minimum consecutive successes for the probe to be considered successful diff --git a/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_controlcenters.yaml b/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_controlcenters.yaml index 8fc1095d5..1d41fcf56 100644 --- a/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_controlcenters.yaml +++ b/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_controlcenters.yaml @@ -4730,6 +4730,9 @@ spec: to change most of the time. format: int32 type: integer + path: + description: Path for the HTTP probe + type: string periodSeconds: description: periodSeconds specifies how often to perform the probe. Confluent Platform components come with the @@ -4737,6 +4740,9 @@ spec: to change most of the time. format: int32 type: integer + port: + description: Number of the port to access on the container + type: integer successThreshold: description: successThreshold is the minimum consecutive successes for the probe to be considered successful @@ -4773,6 +4779,9 @@ spec: to change most of the time. format: int32 type: integer + path: + description: Path for the HTTP probe + type: string periodSeconds: description: periodSeconds specifies how often to perform the probe. Confluent Platform components come with the @@ -4780,6 +4789,9 @@ spec: to change most of the time. format: int32 type: integer + port: + description: Number of the port to access on the container + type: integer successThreshold: description: successThreshold is the minimum consecutive successes for the probe to be considered successful 
diff --git a/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_kafkarestproxies.yaml b/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_kafkarestproxies.yaml index 695ddcd78..67e33a3f8 100644 --- a/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_kafkarestproxies.yaml +++ b/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_kafkarestproxies.yaml @@ -4383,6 +4383,9 @@ spec: to change most of the time. format: int32 type: integer + path: + description: Path for the HTTP probe + type: string periodSeconds: description: periodSeconds specifies how often to perform the probe. Confluent Platform components come with the @@ -4390,6 +4393,9 @@ spec: to change most of the time. format: int32 type: integer + port: + description: Number of the port to access on the container + type: integer successThreshold: description: successThreshold is the minimum consecutive successes for the probe to be considered successful @@ -4426,6 +4432,9 @@ spec: to change most of the time. format: int32 type: integer + path: + description: Path for the HTTP probe + type: string periodSeconds: description: periodSeconds specifies how often to perform the probe. Confluent Platform components come with the @@ -4433,6 +4442,9 @@ spec: to change most of the time. format: int32 type: integer + port: + description: Number of the port to access on the container + type: integer successThreshold: description: successThreshold is the minimum consecutive successes for the probe to be considered successful diff --git a/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_kafkas.yaml b/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_kafkas.yaml index adc6c8238..50043a8dd 100644 --- a/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_kafkas.yaml +++ b/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_kafkas.yaml 
@@ -6244,6 +6244,9 @@ spec: to change most of the time. format: int32 type: integer + path: + description: Path for the HTTP probe + type: string periodSeconds: description: periodSeconds specifies how often to perform the probe. Confluent Platform components come with the @@ -6251,6 +6254,9 @@ spec: to change most of the time. format: int32 type: integer + port: + description: Number of the port to access on the container + type: integer successThreshold: description: successThreshold is the minimum consecutive successes for the probe to be considered successful @@ -6287,6 +6293,9 @@ spec: to change most of the time. format: int32 type: integer + path: + description: Path for the HTTP probe + type: string periodSeconds: description: periodSeconds specifies how often to perform the probe. Confluent Platform components come with the @@ -6294,6 +6303,9 @@ spec: to change most of the time. format: int32 type: integer + port: + description: Number of the port to access on the container + type: integer successThreshold: description: successThreshold is the minimum consecutive successes for the probe to be considered successful diff --git a/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_kraftcontrollers.yaml b/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_kraftcontrollers.yaml index 7b7685ed1..5df326d00 100644 --- a/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_kraftcontrollers.yaml +++ b/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_kraftcontrollers.yaml @@ -3723,6 +3723,9 @@ spec: to change most of the time. format: int32 type: integer + path: + description: Path for the HTTP probe + type: string periodSeconds: description: periodSeconds specifies how often to perform the probe. Confluent Platform components come with the 
@@ -3730,6 +3733,9 @@ spec: to change most of the time. format: int32 type: integer + port: + description: Number of the port to access on the container + type: integer successThreshold: description: successThreshold is the minimum consecutive successes for the probe to be considered successful @@ -3766,6 +3772,9 @@ spec: to change most of the time. format: int32 type: integer + path: + description: Path for the HTTP probe + type: string periodSeconds: description: periodSeconds specifies how often to perform the probe. Confluent Platform components come with the @@ -3773,6 +3782,9 @@ spec: to change most of the time. format: int32 type: integer + port: + description: Number of the port to access on the container + type: integer successThreshold: description: successThreshold is the minimum consecutive successes for the probe to be considered successful diff --git a/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_ksqldbs.yaml b/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_ksqldbs.yaml index b7bbee2b4..4a8b7201d 100644 --- a/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_ksqldbs.yaml +++ b/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_ksqldbs.yaml @@ -5079,6 +5079,9 @@ spec: to change most of the time. format: int32 type: integer + path: + description: Path for the HTTP probe + type: string periodSeconds: description: periodSeconds specifies how often to perform the probe. Confluent Platform components come with the @@ -5086,6 +5089,9 @@ spec: to change most of the time. format: int32 type: integer + port: + description: Number of the port to access on the container + type: integer successThreshold: description: successThreshold is the minimum consecutive successes for the probe to be considered successful 
@@ -5122,6 +5128,9 @@ spec: to change most of the time. format: int32 type: integer + path: + description: Path for the HTTP probe + type: string periodSeconds: description: periodSeconds specifies how often to perform the probe. Confluent Platform components come with the @@ -5129,6 +5138,9 @@ spec: to change most of the time. format: int32 type: integer + port: + description: Number of the port to access on the container + type: integer successThreshold: description: successThreshold is the minimum consecutive successes for the probe to be considered successful diff --git a/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_schemaregistries.yaml b/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_schemaregistries.yaml index 83d71183b..9a12ff1a8 100644 --- a/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_schemaregistries.yaml +++ b/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_schemaregistries.yaml @@ -4550,6 +4550,9 @@ spec: to change most of the time. format: int32 type: integer + path: + description: Path for the HTTP probe + type: string periodSeconds: description: periodSeconds specifies how often to perform the probe. Confluent Platform components come with the @@ -4557,6 +4560,9 @@ spec: to change most of the time. format: int32 type: integer + port: + description: Number of the port to access on the container + type: integer successThreshold: description: successThreshold is the minimum consecutive successes for the probe to be considered successful @@ -4593,6 +4599,9 @@ spec: to change most of the time. format: int32 type: integer + path: + description: Path for the HTTP probe + type: string periodSeconds: description: periodSeconds specifies how often to perform the probe. Confluent Platform components come with the 
@@ -4600,6 +4609,9 @@ spec: to change most of the time. format: int32 type: integer + port: + description: Number of the port to access on the container + type: integer successThreshold: description: successThreshold is the minimum consecutive successes for the probe to be considered successful diff --git a/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_zookeepers.yaml b/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_zookeepers.yaml index 8a9de7d3c..c58150913 100644 --- a/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_zookeepers.yaml +++ b/charts/confluent/confluent-for-kubernetes/crds/platform.confluent.io_zookeepers.yaml @@ -3678,6 +3678,9 @@ spec: to change most of the time. format: int32 type: integer + path: + description: Path for the HTTP probe + type: string periodSeconds: description: periodSeconds specifies how often to perform the probe. Confluent Platform components come with the @@ -3685,6 +3688,9 @@ spec: to change most of the time. format: int32 type: integer + port: + description: Number of the port to access on the container + type: integer successThreshold: description: successThreshold is the minimum consecutive successes for the probe to be considered successful @@ -3721,6 +3727,9 @@ spec: to change most of the time. format: int32 type: integer + path: + description: Path for the HTTP probe + type: string periodSeconds: description: periodSeconds specifies how often to perform the probe. Confluent Platform components come with the @@ -3728,6 +3737,9 @@ spec: to change most of the time. format: int32 type: integer + port: + description: Number of the port to access on the container + type: integer successThreshold: description: successThreshold is the minimum consecutive successes for the probe to be considered successful diff --git a/charts/confluent/confluent-for-kubernetes/values.yaml b/charts/confluent/confluent-for-kubernetes/values.yaml index cd1559224..f0b9c4b94 100644 
--- a/charts/confluent/confluent-for-kubernetes/values.yaml +++ b/charts/confluent/confluent-for-kubernetes/values.yaml @@ -81,7 +81,7 @@ image: registry: docker.io repository: confluentinc/confluent-operator pullPolicy: IfNotPresent - tag: "0.824.33" + tag: "0.824.40" ### ## Priority class for Confluent Operator pod diff --git a/charts/crowdstrike/falcon-sensor/Chart.yaml b/charts/crowdstrike/falcon-sensor/Chart.yaml index 7d31e57eb..284a33a8d 100644 --- a/charts/crowdstrike/falcon-sensor/Chart.yaml +++ b/charts/crowdstrike/falcon-sensor/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>1.22.0-0' catalog.cattle.io/release-name: falcon-sensor apiVersion: v2 -appVersion: 1.23.1 +appVersion: 1.24.1 description: A Helm chart to deploy CrowdStrike Falcon sensors into Kubernetes clusters. home: https://crowdstrike.com icon: https://raw.githubusercontent.com/CrowdStrike/falcon-helm/main/images/crowdstrike-logo.svg @@ -24,4 +24,4 @@ name: falcon-sensor sources: - https://github.com/CrowdStrike/falcon-helm type: application -version: 1.23.1 +version: 1.24.1 diff --git a/charts/crowdstrike/falcon-sensor/templates/_helpers.tpl b/charts/crowdstrike/falcon-sensor/templates/_helpers.tpl index 3f3c1efe4..8eccbda5b 100644 --- a/charts/crowdstrike/falcon-sensor/templates/_helpers.tpl +++ b/charts/crowdstrike/falcon-sensor/templates/_helpers.tpl @@ -119,7 +119,8 @@ resources: {{- end }} {{- else -}} {{- if .Values.node.daemonset.resources -}} -{{- toYaml .Values.node.daemonset.resources -}} +resources: +{{- toYaml .Values.node.daemonset.resources | trim | nindent 2 -}} {{- end -}} {{- end -}} {{- end -}} diff --git a/charts/crowdstrike/falcon-sensor/templates/container_deployment_webhook.yaml b/charts/crowdstrike/falcon-sensor/templates/container_deployment_webhook.yaml index 6bb37abf8..0934e8f91 100644 --- a/charts/crowdstrike/falcon-sensor/templates/container_deployment_webhook.yaml 
+++ b/charts/crowdstrike/falcon-sensor/templates/container_deployment_webhook.yaml @@ -102,6 +102,9 @@ spec: topologySpreadConstraints: {{- toYaml .Values.container.topologySpreadConstraints | nindent 6 }} {{- end }} + {{- if .Values.container.hostNetwork }} + hostNetwork: true + {{- end }} securityContext: runAsNonRoot: true {{- if .Values.container.image.pullSecrets.enable }} diff --git a/charts/crowdstrike/falcon-sensor/templates/daemonset.yaml b/charts/crowdstrike/falcon-sensor/templates/daemonset.yaml index a39291045..4149f96ea 100644 --- a/charts/crowdstrike/falcon-sensor/templates/daemonset.yaml +++ b/charts/crowdstrike/falcon-sensor/templates/daemonset.yaml @@ -166,6 +166,7 @@ spec: - SYS_RESOURCE - NET_RAW - CHOWN + - NET_ADMIN {{- end }} {{- if (eq .Values.node.backend "bpf") }} {{- include "falcon-sensor.daemonsetResources" . | nindent 8 }} diff --git a/charts/crowdstrike/falcon-sensor/values.schema.json b/charts/crowdstrike/falcon-sensor/values.schema.json index f8666c5b7..217cf747b 100644 --- a/charts/crowdstrike/falcon-sensor/values.schema.json +++ b/charts/crowdstrike/falcon-sensor/values.schema.json @@ -317,6 +317,10 @@ } } }, + "hostNetwork": { + "type": "boolean", + "default": "false" + }, "autoCertificateUpdate": { "type": "boolean", "default": "true" diff --git a/charts/crowdstrike/falcon-sensor/values.yaml b/charts/crowdstrike/falcon-sensor/values.yaml index 4b586b9d1..1907a1a57 100644 --- a/charts/crowdstrike/falcon-sensor/values.yaml +++ b/charts/crowdstrike/falcon-sensor/values.yaml @@ -136,6 +136,9 @@ container: networkPolicy: enabled: false + # Enable using hostNetwork for the injector pod + hostNetwork: false + # Disable injection for all Namespaces disableNSInjection: false diff --git a/charts/datadog/datadog-operator/CHANGELOG.md b/charts/datadog/datadog-operator/CHANGELOG.md index f53c3f4d7..06d1f6fd5 100644 --- a/charts/datadog/datadog-operator/CHANGELOG.md +++ b/charts/datadog/datadog-operator/CHANGELOG.md 
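Review bot: The new `hostNetwork: true` branch in container_deployment_webhook.yaml sets no DNS policy alongside it. A pod on the host network that keeps the default `ClusterFirst` policy falls back to the node's resolver, so any in-cluster service name the injector needs would stop resolving once the toggle is on. Adding `dnsPolicy: ClusterFirstWithHostNet` inside the same `if .Values.container.hostNetwork` block covers that case. The rest of the pod spec lies outside this hunk, so confirm first that dnsPolicy is not already set elsewhere in the template.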
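Review bot: The added `- NET_ADMIN` entry in daemonset.yaml widens the sensor container's capability set with no comment and no values toggle. NET_ADMIN allows changing interfaces, routes and packet-filter rules in whatever network namespace the pod runs in. If the DaemonSet uses the host network (not visible in this hunk), that namespace is the node's own. The `if` that encloses this list opens above the hunk, so which sensor mode receives the capability cannot be read from here. Record the reason next to the entry, for example `# NET_ADMIN: required for <sensor function> since 1.24.1`, so operators reviewing Pod Security exemptions can judge it.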
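Review bot: In values.schema.json the new `hostNetwork` property declares `"type": "boolean"` but gives its default as the string `"false"`. The declared type calls for `"default": false`. The neighbouring `autoCertificateUpdate` entry on the context lines has the same mismatch with `"true"`, so both could be corrected together. The `default` keyword is only an annotation, so validation is presumably unaffected. A catalog UI or documentation generator that reads the default would, however, see a non-empty string where a boolean is expected.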
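Review bot: The comment added above `hostNetwork: false` in values.yaml says what the switch does but not what it costs. With it enabled, the injector pod shares the node's network namespace, so the webhook port is bound on the node itself. The `networkPolicy` setting just above may then no longer restrict the pod, because Kubernetes leaves NetworkPolicy behaviour for host-network pods undefined. I would extend the comment to something like `# Enable using hostNetwork for the injector pod (binds the webhook port on the node; container.networkPolicy may not apply)`.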
@@ -1,5 +1,13 @@ # Changelog +## 1.4.1 + +* Add configuration for Operator flag `datadogSLOEnabled` : this parameter is used to enable the Datadog SLO Controller. It is disabled by default. + +## 1.4.0 + +* Update Datadog Operator version to 1.3.0. + ## 1.3.0 * Add configuration to mount volumes (`volumes` and `volumeMounts`) in the container. Empty by default. @@ -38,7 +46,7 @@ ## 1.0.6 -* Fix conversionWebhook.enabled parameter to correctly set user-configured value when enabling the conversion webhook. +* Fix conversionWebhook.enabled parameter to correctly set user-configured value when enabling the conversion webhook. ## 1.0.5 diff --git a/charts/datadog/datadog-operator/Chart.lock b/charts/datadog/datadog-operator/Chart.lock index 71be3d7ee..b6e053faf 100644 --- a/charts/datadog/datadog-operator/Chart.lock +++ b/charts/datadog/datadog-operator/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: datadog-crds repository: https://helm.datadoghq.com - version: 1.2.0 -digest: sha256:f15e9cdbd781b18515ec93187be4b6e0b03ad5bdced752ab0fde493cf0b9ec5f -generated: "2023-10-04T10:24:15.813204-04:00" + version: 1.3.0 +digest: sha256:c0d897e7b5648db215c1c051fed5a3d431fadb1d92784ed0eb5b0f0f6574821e +generated: "2023-12-11T14:56:49.631017-05:00" diff --git a/charts/datadog/datadog-operator/Chart.yaml b/charts/datadog/datadog-operator/Chart.yaml index 9313c7b70..b3dd3cdd4 100644 --- a/charts/datadog/datadog-operator/Chart.yaml +++ b/charts/datadog/datadog-operator/Chart.yaml @@ -3,7 +3,7 @@ annotations: catalog.cattle.io/display-name: Datadog Operator catalog.cattle.io/release-name: datadog-operator apiVersion: v2 -appVersion: 1.2.0 +appVersion: 1.3.0 dependencies: - alias: datadogCRDs condition: installCRDs @@ -11,7 +11,7 @@ dependencies: repository: file://./charts/datadog-crds tags: - install-crds - version: =1.2.0 + version: =1.3.0 description: Datadog Operator home: https://www.datadoghq.com icon: https://datadog-live.imgix.net/img/dd_logo_70x75.png 
@@ -26,4 +26,4 @@ name: datadog-operator sources: - https://app.datadoghq.com/account/settings#agent/kubernetes - https://github.com/DataDog/datadog-agent -version: 1.3.0 +version: 1.4.1 diff --git a/charts/datadog/datadog-operator/README.md b/charts/datadog/datadog-operator/README.md index 6cbc08d96..0e9d28def 100644 --- a/charts/datadog/datadog-operator/README.md +++ b/charts/datadog/datadog-operator/README.md @@ -1,6 +1,6 @@ # Datadog Operator -![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![AppVersion: 1.2.0](https://img.shields.io/badge/AppVersion-1.2.0-informational?style=flat-square) +![Version: 1.4.1](https://img.shields.io/badge/Version-1.4.1-informational?style=flat-square) ![AppVersion: 1.3.0](https://img.shields.io/badge/AppVersion-1.3.0-informational?style=flat-square) ## Values 
@@ -14,21 +14,23 @@ | collectOperatorMetrics | bool | `true` | Configures an openmetrics check to collect operator metrics | | containerSecurityContext | object | `{}` | A security context defines privileges and access control settings for a container. | | datadogAgent.enabled | bool | `true` | Enables Datadog Agent controller | -| datadogCRDs.crds.datadogAgents | bool | `true` | | -| datadogCRDs.crds.datadogMetrics | bool | `true` | | -| datadogCRDs.crds.datadogMonitors | bool | `true` | | +| datadogCRDs.crds.datadogAgents | bool | `true` | Set to true to deploy the DatadogAgents CRD | +| datadogCRDs.crds.datadogMetrics | bool | `true` | Set to true to deploy the DatadogMetrics CRD | +| datadogCRDs.crds.datadogMonitors | bool | `true` | Set to true to deploy the DatadogMonitors CRD | +| datadogCRDs.crds.datadogSLOs | bool | `false` | Set to true to deploy the DatadogSLO CRD | | datadogCRDs.migration.datadogAgents.conversionWebhook.enabled | bool | `false` | | | datadogCRDs.migration.datadogAgents.conversionWebhook.name | string | `"datadog-operator-webhook-service"` | | | datadogCRDs.migration.datadogAgents.conversionWebhook.namespace | string | `"default"` | | | datadogCRDs.migration.datadogAgents.useCertManager | bool | `false` | | | datadogCRDs.migration.datadogAgents.version | string | `"v2alpha1"` | | | datadogMonitor.enabled | bool | `false` | Enables the Datadog Monitor controller | +| datadogSLO.enabled | bool | `false` | Enables the Datadog SLO controller | | dd_url | string | `nil` | The host of the Datadog intake server to send Agent data to, only set this option if you need the Agent to send data to a custom URL | | env | list | `[]` | Define any environment variables to be passed to the operator. 
| | fullnameOverride | string | `""` | | | image.pullPolicy | string | `"IfNotPresent"` | Define the pullPolicy for Datadog Operator image | | image.repository | string | `"gcr.io/datadoghq/operator"` | Repository to use for Datadog Operator image | -| image.tag | string | `"1.2.0"` | Define the Datadog Operator version to use | +| image.tag | string | `"1.3.0"` | Define the Datadog Operator version to use | | imagePullSecrets | list | `[]` | Datadog Operator repository pullSecret (ex: specify docker registry credentials) | | installCRDs | bool | `true` | Set to true to deploy the Datadog's CRDs | | logLevel | string | `"info"` | Set Datadog Operator log level (debug, info, error, panic, fatal) | @@ -118,7 +120,7 @@ You can update with the following: ``` helm upgrade \ datadog-operator datadog/datadog-operator \ - --set image.tag=1.2.0 \ + --set image.tag=1.3.0 \ --set datadogCRDs.migration.datadogAgents.version=v2alpha1 \ --set datadogCRDs.migration.datadogAgents.useCertManager=true \ --set datadogCRDs.migration.datadogAgents.conversionWebhook.enabled=true diff --git a/charts/datadog/datadog-operator/README.md.gotmpl b/charts/datadog/datadog-operator/README.md.gotmpl index 15058b06d..c21bb39ed 100644 --- a/charts/datadog/datadog-operator/README.md.gotmpl +++ b/charts/datadog/datadog-operator/README.md.gotmpl @@ -68,7 +68,7 @@ You can update with the following: ``` helm upgrade \ datadog-operator datadog/datadog-operator \ - --set image.tag=1.2.0 \ + --set image.tag=1.3.0 \ --set datadogCRDs.migration.datadogAgents.version=v2alpha1 \ --set datadogCRDs.migration.datadogAgents.useCertManager=true \ --set datadogCRDs.migration.datadogAgents.conversionWebhook.enabled=true diff --git a/charts/datadog/datadog-operator/charts/datadog-crds/CHANGELOG.md b/charts/datadog/datadog-operator/charts/datadog-crds/CHANGELOG.md index 893f772e8..3e4c23ef8 100644 --- a/charts/datadog/datadog-operator/charts/datadog-crds/CHANGELOG.md 
+++ b/charts/datadog/datadog-operator/charts/datadog-crds/CHANGELOG.md @@ -1,5 +1,8 @@ # Changelog +## 1.3.0 +* Update CRDs from Datadog Operator v1.3.0 tag. + ## 1.2.0 * Update CRDs from Datadog Operator v1.2.0 tag. diff --git a/charts/datadog/datadog-operator/charts/datadog-crds/Chart.yaml b/charts/datadog/datadog-operator/charts/datadog-crds/Chart.yaml index b1903c93e..f51e23a74 100644 --- a/charts/datadog/datadog-operator/charts/datadog-crds/Chart.yaml +++ b/charts/datadog/datadog-operator/charts/datadog-crds/Chart.yaml @@ -15,4 +15,4 @@ sources: - https://app.datadoghq.com/account/settings#agent/kubernetes - https://github.com/DataDog/datadog-operator - https://docs.datadoghq.com/agent/cluster_agent/external_metrics -version: 1.2.0 +version: 1.3.0 diff --git a/charts/datadog/datadog-operator/charts/datadog-crds/README.md b/charts/datadog/datadog-operator/charts/datadog-crds/README.md index 2d4ec3365..40d5ee6d0 100644 --- a/charts/datadog/datadog-operator/charts/datadog-crds/README.md +++ b/charts/datadog/datadog-operator/charts/datadog-crds/README.md @@ -1,6 +1,6 @@ # Datadog CRDs -![Version: 1.2.0](https://img.shields.io/badge/Version-1.2.0-informational?style=flat-square) ![AppVersion: 1](https://img.shields.io/badge/AppVersion-1-informational?style=flat-square) +![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![AppVersion: 1](https://img.shields.io/badge/AppVersion-1-informational?style=flat-square) This chart was designed to allow other "datadog" charts to share `CustomResourceDefinitions` such as the `DatadogMetric`. 
@@ -25,6 +25,7 @@ But the recommended Kubernetes versions are `1.16+`. | crds.datadogAgents | bool | `false` | Set to true to deploy the DatadogAgents CRD | | crds.datadogMetrics | bool | `false` | Set to true to deploy the DatadogMetrics CRD | | crds.datadogMonitors | bool | `false` | Set to true to deploy the DatadogMonitors CRD | +| crds.datadogSLOs | bool | `false` | Set to true to deploy the DatadogSLO CRD | | fullnameOverride | string | `""` | Override the fully qualified app name | | migration.datadogAgents.conversionWebhook.enabled | bool | `false` | | | migration.datadogAgents.conversionWebhook.name | string | `"datadog-operator-webhook-service"` | | diff --git a/charts/datadog/datadog-operator/charts/datadog-crds/templates/datadoghq.com_datadogagents_v1.yaml b/charts/datadog/datadog-operator/charts/datadog-crds/templates/datadoghq.com_datadogagents_v1.yaml index 56ea30924..d54a9d840 100644 --- a/charts/datadog/datadog-operator/charts/datadog-crds/templates/datadoghq.com_datadogagents_v1.yaml +++ b/charts/datadog/datadog-operator/charts/datadog-crds/templates/datadoghq.com_datadogagents_v1.yaml @@ -6064,6 +6064,8 @@ spec: type: object originDetectionEnabled: type: boolean + tagCardinality: + type: string unixDomainSocketConfig: properties: enabled: @@ -6119,6 +6121,8 @@ spec: port: format: int32 type: integer + registerAPIService: + type: boolean useDatadogMetrics: type: boolean wpaController: @@ -6275,6 +6279,11 @@ spec: type: object type: object type: object + processDiscovery: + properties: + enabled: + type: boolean + type: object prometheusScrape: properties: additionalConfigs: 
@@ -6291,6 +6300,31 @@ spec: enabled: type: boolean type: object + sbom: + properties: + containerImage: + properties: + analyzers: + items: + type: string + type: array + x-kubernetes-list-type: set + enabled: + type: boolean + type: object + enabled: + type: boolean + host: + properties: + analyzers: + items: + type: string + type: array + x-kubernetes-list-type: set + enabled: + type: boolean + type: object + type: object tcpQueueLength: properties: enabled: 
@@ -7501,148 +7535,6 @@ spec: type: string type: object type: object - securityContextConstraints: - properties: - create: - type: boolean - customConfiguration: - properties: - allowHostDirVolumePlugin: - type: boolean - allowHostIPC: - type: boolean - allowHostNetwork: - type: boolean - allowHostPID: - type: boolean - allowHostPorts: - type: boolean - allowPrivilegedContainer: - type: boolean - allowedCapabilities: - items: - type: string - type: array - allowedFlexVolumes: - items: - properties: - driver: - type: string - type: object - type: array - apiVersion: - type: string - defaultAddCapabilities: - items: - type: string - type: array - fsGroup: - properties: - ranges: - items: - properties: - max: - format: int64 - type: integer - min: - format: int64 - type: integer - type: object - type: array - type: - type: string - type: object - groups: - items: - type: string - type: array - kind: - type: string - metadata: - type: object - priority: - format: int32 - type: integer - readOnlyRootFilesystem: - type: boolean - requiredDropCapabilities: - items: - type: string - type: array - runAsUser: - properties: - type: - type: string - uid: - format: int64 - type: integer - uidRangeMax: - format: int64 - type: integer - uidRangeMin: - format: int64 - type: integer - type: object - seLinuxContext: - properties: - seLinuxOptions: - properties: - level: - type: string - role: - type: string - type: - type: string - user: - type: string - type: object - type: - type: string - type: object - seccompProfiles: - items: - type: string - type: array - supplementalGroups: - properties: - ranges: - items: - properties: - max: - format: int64 - type: integer - min: - format: int64 - type: integer - type: object - type: array - type: - type: string - type: object - users: - items: - type: string - type: array - volumes: - items: - type: string - type: array - required: - - allowHostDirVolumePlugin - - allowHostIPC - - allowHostNetwork - - allowHostPID - - allowHostPorts - - 
allowPrivilegedContainer - - allowedCapabilities - - allowedFlexVolumes - - defaultAddCapabilities - - priority - - readOnlyRootFilesystem - - requiredDropCapabilities - - volumes - type: object - type: object serviceAccountName: type: string tolerations: diff --git a/charts/datadog/datadog-operator/charts/datadog-crds/templates/datadoghq.com_datadogagents_v1beta1.yaml b/charts/datadog/datadog-operator/charts/datadog-crds/templates/datadoghq.com_datadogagents_v1beta1.yaml index f4f45b7df..fd1004c1e 100644 --- a/charts/datadog/datadog-operator/charts/datadog-crds/templates/datadoghq.com_datadogagents_v1beta1.yaml +++ b/charts/datadog/datadog-operator/charts/datadog-crds/templates/datadoghq.com_datadogagents_v1beta1.yaml @@ -6053,6 +6053,8 @@ spec: type: object originDetectionEnabled: type: boolean + tagCardinality: + type: string unixDomainSocketConfig: properties: enabled: @@ -6108,6 +6110,8 @@ spec: port: format: int32 type: integer + registerAPIService: + type: boolean useDatadogMetrics: type: boolean wpaController: @@ -6264,6 +6268,11 @@ spec: type: object type: object type: object + processDiscovery: + properties: + enabled: + type: boolean + type: object prometheusScrape: properties: additionalConfigs: @@ -6280,6 +6289,31 @@ spec: enabled: type: boolean type: object + sbom: + properties: + containerImage: + properties: + analyzers: + items: + type: string + type: array + x-kubernetes-list-type: set + enabled: + type: boolean + type: object + enabled: + type: boolean + host: + properties: + analyzers: + items: + type: string + type: array + x-kubernetes-list-type: set + enabled: + type: boolean + type: object + type: object tcpQueueLength: properties: enabled: 
@@ -7490,148 +7524,6 @@ spec: type: string type: object type: object - securityContextConstraints: - properties: - create: - type: boolean - customConfiguration: - properties: - allowHostDirVolumePlugin: - type: boolean - allowHostIPC: - type: boolean - allowHostNetwork: - type: boolean - allowHostPID: - type: boolean - allowHostPorts: - type: boolean - allowPrivilegedContainer: - type: boolean - allowedCapabilities: - items: - type: string - type: array - allowedFlexVolumes: - items: - properties: - driver: - type: string - type: object - type: array - apiVersion: - type: string - defaultAddCapabilities: - items: - type: string - type: array - fsGroup: - properties: - ranges: - items: - properties: - max: - format: int64 - type: integer - min: - format: int64 - type: integer - type: object - type: array - type: - type: string - type: object - groups: - items: - type: string - type: array - kind: - type: string - metadata: - type: object - priority: - format: int32 - type: integer - readOnlyRootFilesystem: - type: boolean - requiredDropCapabilities: - items: - type: string - type: array - runAsUser: - properties: - type: - type: string - uid: - format: int64 - type: integer - uidRangeMax: - format: int64 - type: integer - uidRangeMin: - format: int64 - type: integer - type: object - seLinuxContext: - properties: - seLinuxOptions: - properties: - level: - type: string - role: - type: string - type: - type: string - user: - type: string - type: object - type: - type: string - type: object - seccompProfiles: - items: - type: string - type: array - supplementalGroups: - properties: - ranges: - items: - properties: - max: - format: int64 - type: integer - min: - format: int64 - type: integer - type: object - type: array - type: - type: string - type: object - users: - items: - type: string - type: array - volumes: - items: - type: string - type: array - required: - - allowHostDirVolumePlugin - - allowHostIPC - - allowHostNetwork - - allowHostPID - - allowHostPorts - - 
allowPrivilegedContainer - - allowedCapabilities - - allowedFlexVolumes - - defaultAddCapabilities - - priority - - readOnlyRootFilesystem - - requiredDropCapabilities - - volumes - type: object - type: object serviceAccountName: type: string tolerations: diff --git a/charts/datadog/datadog-operator/charts/datadog-crds/templates/datadoghq.com_datadogslos_v1.yaml b/charts/datadog/datadog-operator/charts/datadog-crds/templates/datadoghq.com_datadogslos_v1.yaml new file mode 100644 index 000000000..d95be534c --- /dev/null +++ b/charts/datadog/datadog-operator/charts/datadog-crds/templates/datadoghq.com_datadogslos_v1.yaml 
@@ -0,0 +1,205 @@ +{{- if and .Values.crds.datadogSLOs (semverCompare ">1.21-0" .Capabilities.KubeVersion.GitVersion ) }} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.1 + creationTimestamp: null + name: datadogslos.datadoghq.com + labels: + helm.sh/chart: '{{ include "datadog-crds.chart" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + app.kubernetes.io/name: '{{ include "datadog-crds.name" . }}' + app.kubernetes.io/instance: '{{ .Release.Name }}' +spec: + group: datadoghq.com + names: + kind: DatadogSLO + listKind: DatadogSLOList + plural: datadogslos + shortNames: + - ddslo + singular: datadogslo + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.id + name: id + type: string + - jsonPath: .status.syncStatus + name: sync status + type: string + - jsonPath: .metadata.creationTimestamp + name: age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: DatadogSLO allows a user to define and manage datadog SLOs from Kubernetes cluster. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + controllerOptions: + description: ControllerOptions are the optional parameters in the DatadogSLO controller + properties: + disableRequiredTags: + description: DisableRequiredTags disables the automatic addition of required tags to SLOs. + type: boolean + type: object + description: + description: Description is a user-defined description of the service level objective. Always included in service level objective responses (but may be null). Optional in create/update requests. + type: string + groups: + description: Groups is a list of (up to 100) monitor groups that narrow the scope of a monitor service level objective. Included in service level objective responses if it is not empty. Optional in create/update requests for monitor service level objectives, but may only be used when the length of the monitor_ids field is one. + items: + type: string + type: array + x-kubernetes-list-type: set + monitorIDs: + description: MonitorIDs is a list of monitor IDs that defines the scope of a monitor service level objective. Required if type is monitor. + items: + format: int64 + type: integer + type: array + x-kubernetes-list-type: set + name: + description: Name is the name of the service level objective. + type: string + query: + description: Query is the query for a metric-based SLO. Required if type is metric. Note that only the `sum by` aggregator is allowed, which sums all request counts. `Average`, `max`, nor `min` request aggregators are not supported. + properties: + denominator: + description: Denominator is a Datadog metric query for total (valid) events. + type: string + numerator: + description: Numerator is a Datadog metric query for good events. 
+ type: string + required: + - denominator + - numerator + type: object + tags: + description: 'Tags is a list of tags to associate with your service level objective. This can help you categorize and filter service level objectives in the service level objectives page of the UI. Note: it''s not currently possible to filter by these tags when querying via the API.' + items: + type: string + type: array + x-kubernetes-list-type: set + targetThreshold: + anyOf: + - type: integer + - type: string + description: TargetThreshold is the target threshold such that when the service level indicator is above this threshold over the given timeframe, the objective is being met. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + timeframe: + description: The SLO time window options. + type: string + type: + description: Type is the type of the service level objective. + type: string + warningThreshold: + anyOf: + - type: integer + - type: string + description: WarningThreshold is a optional warning threshold such that when the service level indicator is below this value for the given threshold, but above the target threshold, the objective appears in a "warning" state. This value must be greater than the target threshold. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - name + - targetThreshold + - timeframe + - type + type: object + status: + description: DatadogSLOStatus defines the observed state of a DatadogSLO. + properties: + conditions: + description: Conditions represents the latest available observations of the state of a DatadogSLO. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. 
For example, type FooStatus struct{ // Represents the observations of a foo's current state. // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge // +listType=map // +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
--- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + created: + description: Created is the time the SLO was created. + format: date-time + type: string + creator: + description: Creator is the identity of the SLO creator. + type: string + currentHash: + description: CurrentHash tracks the hash of the current DatadogSLOSpec to know if the Spec has changed and needs an update. + type: string + id: + description: ID is the SLO ID generated in Datadog. + type: string + lastForceSyncTime: + description: LastForceSyncTime is the last time the API SLO was last force synced with the DatadogSLO resource. + format: date-time + type: string + syncStatus: + description: SyncStatus shows the health of syncing the SLO state to Datadog. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/datadog/datadog-operator/charts/datadog-crds/update-crds.sh b/charts/datadog/datadog-operator/charts/datadog-crds/update-crds.sh index 167d4015e..c1ff364ce 100644 --- a/charts/datadog/datadog-operator/charts/datadog-crds/update-crds.sh +++ b/charts/datadog/datadog-operator/charts/datadog-crds/update-crds.sh 
@@ -59,3 +59,4 @@ download_crd "$DATADOG_OPERATOR_REPO" "$DATADOG_OPERATOR_TAG" datadogagents data download_crd "$DATADOG_OPERATOR_REPO" "$DATADOG_OPERATOR_TAG" datadogagents datadogAgents v1 download_crd "$DATADOG_OPERATOR_REPO" "$DATADOG_OPERATOR_TAG" datadogmonitors datadogMonitors v1beta1 download_crd "$DATADOG_OPERATOR_REPO" "$DATADOG_OPERATOR_TAG" datadogmonitors datadogMonitors v1 +download_crd "$DATADOG_OPERATOR_REPO" "$DATADOG_OPERATOR_TAG" datadogslos datadogSLOs v1 diff --git a/charts/datadog/datadog-operator/charts/datadog-crds/values.yaml b/charts/datadog/datadog-operator/charts/datadog-crds/values.yaml index 4ac5922dc..696f33411 100644 --- a/charts/datadog/datadog-operator/charts/datadog-crds/values.yaml +++ b/charts/datadog/datadog-operator/charts/datadog-crds/values.yaml @@ -9,6 +9,8 @@ crds: datadogAgents: false # crds.datadogMonitors -- Set to true to deploy the DatadogMonitors CRD datadogMonitors: false + # crds.datadogSLOs -- Set to true to deploy the DatadogSLO CRD + datadogSLOs: false migration: datadogAgents: diff --git a/charts/datadog/datadog-operator/templates/clusterrole.yaml b/charts/datadog/datadog-operator/templates/clusterrole.yaml index 152ef288f..2699c37c7 100644 --- a/charts/datadog/datadog-operator/templates/clusterrole.yaml +++ b/charts/datadog/datadog-operator/templates/clusterrole.yaml @@ -498,6 +498,38 @@ rules: - get - list - watch +- apiGroups: + - datadoghq.com + resources: + - datadogslos + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - datadoghq.com + resources: + - datadogslos/finalizers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - datadoghq.com + resources: + - datadogslos/status + verbs: + - get + - patch + - update - apiGroups: - external.metrics.k8s.io resources: 
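Review bot: The new rule for `datadogslos/finalizers` in clusterrole.yaml grants all seven verbs (`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`), while a controller that manages finalizers normally needs only `update` on that subresource. Reducing that rule to the single verb `update` keeps the operator's ClusterRole closer to least privilege. The three added rules also show no conditional in the hunk, so they appear to be granted even when `datadogSLO.enabled` is false, which is the default; wrapping them in `{{- if .Values.datadogSLO.enabled }}` … `{{- end }}` would avoid that, unless the other rules in the file are deliberately unconditional. The rest of the rules list is outside the hunk.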
diff --git a/charts/datadog/datadog-operator/templates/deployment.yaml b/charts/datadog/datadog-operator/templates/deployment.yaml index a3398d4d9..a8de14218 100644 --- a/charts/datadog/datadog-operator/templates/deployment.yaml +++ b/charts/datadog/datadog-operator/templates/deployment.yaml @@ -112,6 +112,9 @@ spec: {{- if (semverCompare ">=1.0.0-rc.13" .Values.image.tag) }} - "-datadogAgentEnabled={{ .Values.datadogAgent.enabled }}" {{- end }} + {{- if (semverCompare ">=1.3.0" .Values.image.tag) }} + - "-datadogSLOEnabled={{ .Values.datadogSLO.enabled }}" + {{- end }} ports: - name: metrics containerPort: {{ .Values.metricsPort }} diff --git a/charts/datadog/datadog-operator/values.yaml b/charts/datadog/datadog-operator/values.yaml index c49ac6f69..59101aff9 100644 --- a/charts/datadog/datadog-operator/values.yaml +++ b/charts/datadog/datadog-operator/values.yaml @@ -43,7 +43,7 @@ image: # image.repository -- Repository to use for Datadog Operator image repository: gcr.io/datadoghq/operator # image.tag -- Define the Datadog Operator version to use - tag: 1.2.0 + tag: 1.3.0 # image.pullPolicy -- Define the pullPolicy for Datadog Operator image pullPolicy: IfNotPresent # imagePullSecrets -- Datadog Operator repository pullSecret (ex: specify docker registry credentials) @@ -73,6 +73,9 @@ datadogAgent: datadogMonitor: # datadogMonitor.enabled -- Enables the Datadog Monitor controller enabled: false +datadogSLO: + # datadogSLO.enabled -- Enables the Datadog SLO controller + enabled: false rbac: # rbac.create -- Specifies whether the RBAC resources should be created create: true 
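Review bot: The guard `semverCompare ">=1.3.0" .Values.image.tag` in deployment.yaml does not match pre-release tags such as `1.3.0-rc.1`, because the semver library behind Helm skips pre-releases unless the constraint itself carries one. For such an image the `-datadogSLOEnabled` argument is silently left out; if release candidates of 1.3.0 accept the flag, write the constraint as `">=1.3.0-0"`, in the way the `datadogAgentEnabled` guard directly above uses `">=1.0.0-rc.13"`. A tag that is not a semantic version at all (for example `latest`) makes `semverCompare` fail the render, which already applies to the existing guard. The args list starts outside the hunk.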
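Review bot: The comment on `datadogSLO.enabled` in values.yaml leaves out the two settings this commit ties it to. The flag is passed to the operator only when `image.tag` is at least 1.3.0 (deployment.yaml), and the DatadogSLO CRD is rendered only when `datadogCRDs.crds.datadogSLOs` is true, which this same file defaults to false. I would extend the comment to `# datadogSLO.enabled -- Enables the Datadog SLO controller (operator 1.3.0+; also set datadogCRDs.crds.datadogSLOs=true)`. How the controller behaves when enabled without the CRD is not visible in this diff.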
@@ -108,12 +111,14 @@ installCRDs: true datadogCRDs: crds: - # datadog-crds.crds.datadogAgents -- Set to true to deploy the DatadogAgents CRD + # datadogCRDs.crds.datadogAgents -- Set to true to deploy the DatadogAgents CRD datadogAgents: true - # datadog-crds.crds.datadogMetrics -- Set to true to deploy the DatadogMetrics CRD + # datadogCRDs.crds.datadogMetrics -- Set to true to deploy the DatadogMetrics CRD datadogMetrics: true - # datadog-crds.crds.datadogMonitors -- Set to true to deploy the DatadogMonitors CRD + # datadogCRDs.crds.datadogMonitors -- Set to true to deploy the DatadogMonitors CRD datadogMonitors: true + # datadogCRDs.crds.datadogSLOs -- Set to true to deploy the DatadogSLO CRD + datadogSLOs: false migration: datadogAgents: conversionWebhook: diff --git a/charts/datadog/datadog/CHANGELOG.md b/charts/datadog/datadog/CHANGELOG.md index a3d9bf744..720bab9a5 100644 --- a/charts/datadog/datadog/CHANGELOG.md +++ b/charts/datadog/datadog/CHANGELOG.md @@ -1,8 +1,48 @@ # Datadog changelog +## 3.50.5 + +* Add option to use containerd snapshotter to generate SBOMs. + +## 3.50.4 + +* Mount host files for proper OS detection in SBOMs. + +## 3.50.3 + +* Set default `Agent` and `Cluster-Agent` version to `7.50.3`. + +## 3.50.2 + +* Support automatic registry selection based on `datadog.site` on GKE Autopilot. + +## 3.50.1 + +* Set default `Agent` and `Cluster-Agent` version to `7.50.2`. + +## 3.50.0 + +* Set default `Agent` and `Cluster-Agent` version to `7.50.1`. + +## 3.49.9 + +* Update `fips.image.tag` to `1.0.1` + +## 3.49.8 + +* Mount host package manager database when host SBOM is enabled. + +## 3.49.7 + +Fix NOTES warning for APM Instrumentation + +## 3.49.6 + +Get rid of the old GODEBUG=x509ignoreCN=0 hack that is not effective anymore in lastest versions of the agent. + ## 3.49.5 -Fix registry selection with GKE Autopilot until new registries are allowed. +* Fix registry selection with GKE Autopilot until new registries are allowed. ## 3.49.4 
diff --git a/charts/datadog/datadog/Chart.yaml b/charts/datadog/datadog/Chart.yaml index 2d141df7e..723b82b3d 100644 --- a/charts/datadog/datadog/Chart.yaml +++ b/charts/datadog/datadog/Chart.yaml @@ -19,4 +19,4 @@ name: datadog sources: - https://app.datadoghq.com/account/settings#agent/kubernetes - https://github.com/DataDog/datadog-agent -version: 3.49.5 +version: 3.50.5 diff --git a/charts/datadog/datadog/README.md b/charts/datadog/datadog/README.md index aeba43e37..0dee0b41d 100644 --- a/charts/datadog/datadog/README.md +++ b/charts/datadog/datadog/README.md @@ -1,6 +1,6 @@ # Datadog -![Version: 3.49.5](https://img.shields.io/badge/Version-3.49.5-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) +![Version: 3.50.5](https://img.shields.io/badge/Version-3.50.5-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/). 
@@ -508,7 +508,7 @@ helm install \ | agents.image.pullPolicy | string | `"IfNotPresent"` | Datadog Agent image pull policy | | agents.image.pullSecrets | list | `[]` | Datadog Agent repository pullSecret (ex: specify docker registry credentials) | | agents.image.repository | string | `nil` | Override default registry + image.name for Agent | -| agents.image.tag | string | `"7.49.1"` | Define the Agent version to use | +| agents.image.tag | string | `"7.50.3"` | Define the Agent version to use | | agents.image.tagSuffix | string | `""` | Suffix to append to Agent tag | | agents.localService.forceLocalServiceEnabled | bool | `false` | Force the creation of the internal traffic policy service to target the agent running on the local node. By default, the internal traffic service is created only on Kubernetes 1.22+ where the feature became beta and enabled by default. This option allows to force the creation of the internal traffic service on kubernetes 1.21 where the feature was alpha and required a feature gate to be explicitly enabled. | | agents.localService.overrideName | string | `""` | Name of the internal traffic service to target the agent running on the local node | 
@@ -574,7 +574,7 @@ helm install \ | clusterAgent.image.pullPolicy | string | `"IfNotPresent"` | Cluster Agent image pullPolicy | | clusterAgent.image.pullSecrets | list | `[]` | Cluster Agent repository pullSecret (ex: specify docker registry credentials) | | clusterAgent.image.repository | string | `nil` | Override default registry + image.name for Cluster Agent | -| clusterAgent.image.tag | string | `"7.49.1"` | Cluster Agent image tag to use | +| clusterAgent.image.tag | string | `"7.50.3"` | Cluster Agent image tag to use | | clusterAgent.livenessProbe | object | Every 15s / 6 KO / 1 OK | Override default Cluster Agent liveness probe settings | | clusterAgent.metricsProvider.aggregator | string | `"avg"` | Define the aggregator the cluster agent will use to process the metrics. The options are (avg, min, max, sum) | | clusterAgent.metricsProvider.createReaderRbac | bool | `true` | Create `external-metrics-reader` RBAC automatically (to allow HPA to read data from Cluster Agent) | @@ -625,7 +625,7 @@ helm install \ | clusterChecksRunner.image.pullPolicy | string | `"IfNotPresent"` | Datadog Agent image pull policy | | clusterChecksRunner.image.pullSecrets | list | `[]` | Datadog Agent repository pullSecret (ex: specify docker registry credentials) | | clusterChecksRunner.image.repository | string | `nil` | Override default registry + image.name for Cluster Check Runners | -| clusterChecksRunner.image.tag | string | `"7.49.1"` | Define the Agent version to use | +| clusterChecksRunner.image.tag | string | `"7.50.3"` | Define the Agent version to use | | clusterChecksRunner.image.tagSuffix | string | `""` | Suffix to append to Agent tag | | clusterChecksRunner.livenessProbe | object | Every 15s / 6 KO / 1 OK | Override default agent liveness probe settings | | clusterChecksRunner.networkPolicy.create | bool | `false` | If true, create a NetworkPolicy for the cluster checks runners. DEPRECATED. Use datadog.networkPolicy.create instead | 
@@ -761,6 +761,7 @@ helm install \ | datadog.prometheusScrape.version | int | `2` | Version of the openmetrics check to schedule by default. | | datadog.remoteConfiguration.enabled | bool | `true` | Set to true to enable remote configuration. Consider using remoteConfiguration.enabled instead | | datadog.sbom.containerImage.enabled | bool | `false` | Enable SBOM collection for container images | +| datadog.sbom.containerImage.uncompressedLayersSupport | bool | `false` | Use container runtime snapshotter This should be set to true when using EKS, GKE or if containerd is configured to discard uncompressed layers. This feature will cause the SYS_ADMIN capability to be added to the Agent container. | | datadog.sbom.host.enabled | bool | `false` | Enable SBOM collection for host filesystems | | datadog.secretAnnotations | object | `{}` | | | datadog.secretBackend.arguments | string | `nil` | Configure the secret backend command arguments (space-separated strings). | @@ -816,7 +817,7 @@ helm install \ | fips.image.name | string | `"fips-proxy"` | | | fips.image.pullPolicy | string | `"IfNotPresent"` | Datadog the FIPS sidecar image pull policy | | fips.image.repository | string | `nil` | Override default registry + image.name for the FIPS sidecar container. | -| fips.image.tag | string | `"1.0.0"` | Define the FIPS sidecar container version to use. | +| fips.image.tag | string | `"1.0.1"` | Define the FIPS sidecar container version to use. | | fips.local_address | string | `"127.0.0.1"` | Set local IP address | | fips.port | int | `9803` | Specifies which port is used by the containers to communicate to the FIPS sidecar. | | fips.portRange | int | `15` | Specifies the number of ports used, defaults to 13 https://github.com/DataDog/datadog-agent/blob/7.44.x/pkg/config/config.go#L1564-L1577 | diff --git a/charts/datadog/datadog/ci/agent-sbom-snapshotter.yaml b/charts/datadog/datadog/ci/agent-sbom-snapshotter.yaml new file mode 100644 index 000000000..8986d417f 
--- /dev/null +++ b/charts/datadog/datadog/ci/agent-sbom-snapshotter.yaml @@ -0,0 +1,8 @@ +datadog: + apiKey: "00000000000000000000000000000000" + appKey: "0000000000000000000000000000000000000000" + site: datadoghq.eu + sbom: + containerImage: + enabled: true + uncompressedLayersSupport: true diff --git a/charts/datadog/datadog/templates/NOTES.txt b/charts/datadog/datadog/templates/NOTES.txt index 5a6041e24..c91017e0a 100644 --- a/charts/datadog/datadog/templates/NOTES.txt +++ b/charts/datadog/datadog/templates/NOTES.txt @@ -125,13 +125,13 @@ Trace Agent liveness probe port ({{ $liveness.port }}) is different from the con The Datadog Agent is listening on port {{ $apmPort }} for APM service. {{- end }} -{{- if and .Values.datadog.apm.instrumentation.enabled_namespaces .Values.datadog.apm.instrumentation.disabled_namespaces }} +{{- if and .Values.datadog.apm.instrumentation.enabledNamespaces .Values.datadog.apm.instrumentation.disabledNamespaces }} ################################################################################### #### ERROR: APM Single Step Instrumentation misconfiguration #### ################################################################################### -{{- fail "The options `datadog.apm.instrumentation.enabled_namespaces` and `datadog.apm.instrumentation.disabled_namespaces` cannot be set together." }} +{{- fail "The options `datadog.apm.instrumentation.enabledNamespaces` and `datadog.apm.instrumentation.disabledNamespaces` cannot be set together." }} {{- end }} 
@@ -161,28 +161,28 @@ The Datadog Agent is listening on port {{ $apmPort }} for APM service. #### WARNING: Configuration notice #### ################################################################# -You are using datadog.apm.instrumentation.enabled_namespaces but you disabled the cluster agent. This configuration is unsupported and Kubernetes resource monitoring has been turned off. +You are using datadog.apm.instrumentation.enabledNamespaces but you disabled the cluster agent. This configuration is unsupported and Kubernetes resource monitoring has been turned off. To enable it please set clusterAgent.enabled to 'true'. {{- end }} -{{- if and .Values.datadog.apm.instrumentation.enabled .Values.datadog.apm.instrumentation.enabled_namespaces }} +{{- if and .Values.datadog.apm.instrumentation.enabled .Values.datadog.apm.instrumentation.enabledNamespaces }} ################################################################# #### WARNING: Configuration notice #### ################################################################# -The options `datadog.apm.instrumentation.enabled` and `datadog.apm.instrumentation.enabled_namespaces` are set together. +The options `datadog.apm.instrumentation.enabled` and `datadog.apm.instrumentation.enabledNamespaces` are set together. APM Single Step Instrumentation will be enabled in the whole cluster. {{- end }} -{{- if and .Values.datadog.apm.instrumentation.disabled_namespaces (not .Values.datadog.apm.instrumentation.enabled) }} +{{- if and .Values.datadog.apm.instrumentation.disabledNamespaces (not .Values.datadog.apm.instrumentation.enabled) }} ################################################################# #### WARNING: Configuration notice #### ################################################################# -The option `datadog.apm.instrumentation.disabled_namespaces` is set while `datadog.apm.instrumentation.enabled` is disabled. 
+The option `datadog.apm.instrumentation.disabledNamespaces` is set while `datadog.apm.instrumentation.enabled` is disabled. APM Single Step Instrumentation will be disabled in the whole cluster. {{- end }} diff --git a/charts/datadog/datadog/templates/_container-agent.yaml b/charts/datadog/datadog/templates/_container-agent.yaml index 4786b1516..cc71feddd 100644 --- a/charts/datadog/datadog/templates/_container-agent.yaml +++ b/charts/datadog/datadog/templates/_container-agent.yaml @@ -3,7 +3,7 @@ image: "{{ include "image-path" (dict "root" .Values "image" .Values.agents.image) }}" imagePullPolicy: {{ .Values.agents.image.pullPolicy }} command: ["agent", "run"] -{{ include "generate-security-context" (dict "securityContext" .Values.agents.containers.agent.securityContext "targetSystem" .Values.targetSystem "seccomp" "" "kubeversion" .Capabilities.KubeVersion.Version) | indent 2 }} +{{ include "generate-security-context" (dict "securityContext" .Values.agents.containers.agent.securityContext "targetSystem" .Values.targetSystem "seccomp" "" "kubeversion" .Capabilities.KubeVersion.Version "sysAdmin" .Values.datadog.sbom.containerImage.uncompressedLayersSupport) | indent 2 }} resources: {{ toYaml .Values.agents.containers.agent.resources | indent 4 }} ports: @@ -171,9 +171,15 @@ - name: DD_SBOM_CONTAINER_IMAGE_ENABLED value: "true" {{- end }} + {{- if .Values.datadog.sbom.containerImage.uncompressedLayersSupport }} + - name: DD_SBOM_CONTAINER_IMAGE_USE_MOUNT + value: "true" + {{- end }} {{- if .Values.datadog.sbom.host.enabled }} - name: DD_SBOM_HOST_ENABLED value: "true" + - name: HOST_ROOT + value: /host {{- end }} {{- end }} {{- include "additional-env-entries" .Values.agents.containers.agent.env | indent 4 }} 
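Review bot: The `sysAdmin` argument added to the `generate-security-context` call is driven by `datadog.sbom.containerImage.uncompressedLayersSupport` alone, so a values file that sets that flag while `datadog.sbom.containerImage.enabled` stays `false` would still render the Agent container with `SYS_ADMIN`. The same single-flag condition gates the `host-containerd-dir` mount and volume and the AppArmor `unconfined` annotation in daemonset.yaml later in this commit. Requiring both values keeps the extra privilege tied to the feature that needs it: `"sysAdmin" (and .Values.datadog.sbom.containerImage.enabled .Values.datadog.sbom.containerImage.uncompressedLayersSupport)`. The container spec continues outside this hunk, so whether an enclosing condition already restricts it is not visible here.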
@@ -252,6 +258,42 @@ readOnly: true {{- end }} {{- end }} + {{- if .Values.datadog.sbom.containerImage.uncompressedLayersSupport }} + - name: host-containerd-dir + mountPath: /host/var/lib/containerd + readOnly: true + {{- end }} + {{- if .Values.datadog.sbom.host.enabled }} + - name: host-apk-dir + mountPath: /host/var/lib/apk + readOnly: true + - name: host-dpkg-dir + mountPath: /host/var/lib/dpkg + readOnly: true + - name: host-rpm-dir + mountPath: /host/var/lib/rpm + readOnly: true + {{- if ne .Values.datadog.osReleasePath "/etc/redhat-release" }} + - name: etc-redhat-release + mountPath: /host/etc/redhat-release + readOnly: true + {{- end }} + {{- if ne .Values.datadog.osReleasePath "/etc/fedora-release" }} + - name: etc-fedora-release + mountPath: /host/etc/fedora-release + readOnly: true + {{- end }} + {{- if ne .Values.datadog.osReleasePath "/etc/lsb-release" }} + - name: etc-lsb-release + mountPath: /host/etc/lsb-release + readOnly: true + {{- end }} + {{- if ne .Values.datadog.osReleasePath "/etc/system-release" }} + - name: etc-system-release + mountPath: /host/etc/system-release + readOnly: true + {{- end }} + {{- end }} {{- end }} {{- if eq .Values.targetSystem "windows" }} {{- if or .Values.datadog.logs.enabled .Values.datadog.logsEnabled }} diff --git a/charts/datadog/datadog/templates/_containers-common-env.yaml b/charts/datadog/datadog/templates/_containers-common-env.yaml index 7307f1e45..50f70e8a8 100644 --- a/charts/datadog/datadog/templates/_containers-common-env.yaml +++ b/charts/datadog/datadog/templates/_containers-common-env.yaml @@ -1,9 +1,6 @@ # The purpose of this template is to define a minimal set of environment # variables required to operate dedicated containers in the daemonset {{- define "containers-common-env" -}} -# Needs to be removed when Agent N-2 is built with Golang 1.17 -- name: GODEBUG - value: x509ignoreCN=0 - name: DD_API_KEY valueFrom: secretKeyRef: 
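Review bot: `readOnly: true` on the `host-containerd-dir` mount is weaker than it looks in this configuration, because the same option also adds `SYS_ADMIN` to the Agent container and, when AppArmor is enabled, sets its profile to `unconfined` (both elsewhere in this commit). A process holding that capability can generally change mount flags inside its own mount namespace. The mount also exposes every image layer and container snapshot under the node's `/var/lib/containerd` to the Agent. A template comment above the block would keep later readers from treating the flag as a containment boundary, for example `{{- /* read-only is advisory here: uncompressedLayersSupport also grants SYS_ADMIN to this container */}}`. The volumeMounts list starts before this hunk.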
diff --git a/charts/datadog/datadog/templates/_daemonset-volumes-linux.yaml b/charts/datadog/datadog/templates/_daemonset-volumes-linux.yaml index 8ddb9ee95..636503362 100644 --- a/charts/datadog/datadog/templates/_daemonset-volumes-linux.yaml +++ b/charts/datadog/datadog/templates/_daemonset-volumes-linux.yaml @@ -9,13 +9,12 @@ - hostPath: path: /sys/fs/cgroup name: cgroups -{{- if and (not .Values.providers.gke.autopilot) (or .Values.datadog.systemProbe.osReleasePath .Values.datadog.osReleasePath) }} +{{- if and (not .Values.providers.gke.autopilot) (or .Values.datadog.systemProbe.osReleasePath .Values.datadog.osReleasePath .Values.datadog.sbom.host.enabled) }} - hostPath: path: {{ .Values.datadog.systemProbe.osReleasePath | default .Values.datadog.osReleasePath }} name: os-release-file {{- end }} -{{- if eq (include "should-enable-system-probe" .) "true" }} -{{- if .Values.datadog.systemProbe.enableDefaultOsReleasePaths }} +{{- if or (and (eq (include "should-enable-system-probe" .) "true") .Values.datadog.systemProbe.enableDefaultOsReleasePaths) .Values.datadog.sbom.host.enabled }} - hostPath: path: /etc/redhat-release name: etc-redhat-release @@ -25,7 +24,9 @@ - hostPath: path: /etc/lsb-release name: etc-lsb-release -{{- end }} +- hostPath: + path: /etc/system-release + name: etc-system-release {{- end -}} {{- if eq (include "should-enable-fips" . ) "true" }} {{ include "linux-container-fips-proxy-cfg-volume" . }} 
@@ -146,6 +147,22 @@ path: / name: hostroot {{- end }} +{{- if .Values.datadog.sbom.containerImage.uncompressedLayersSupport }} +- hostPath: + path: /var/lib/containerd + name: host-containerd-dir +{{- end }} +{{- if .Values.datadog.sbom.host.enabled }} +- hostPath: + path: /var/lib/apk + name: host-apk-dir +- hostPath: + path: /var/lib/dpkg + name: host-dpkg-dir +- hostPath: + path: /var/lib/rpm + name: host-rpm-dir +{{- end }} {{- if eq (include "should-enable-security-agent" .) "true" }} {{- if .Values.datadog.securityAgent.compliance.enabled }} - hostPath: diff --git a/charts/datadog/datadog/templates/_helpers.tpl b/charts/datadog/datadog/templates/_helpers.tpl index feac94143..a66fc4e10 100644 --- a/charts/datadog/datadog/templates/_helpers.tpl +++ b/charts/datadog/datadog/templates/_helpers.tpl @@ -267,8 +267,6 @@ Return the proper registry based on datadog.site (requires .Values to be passed {{- define "registry" -}} {{- if .registry -}} {{- .registry -}} -{{- else if .providers.gke.autopilot -}} -gcr.io/datadoghq {{- else if eq .datadog.site "datadoghq.eu" -}} eu.gcr.io/datadoghq {{- else if eq .datadog.site "ddog-gov.com" -}} @@ -757,7 +755,12 @@ securityContext: {{- end -}} {{- else }} securityContext: +{{- if .sysAdmin }} +{{- $capabilities := dict "capabilities" (dict "add" (list "SYS_ADMIN")) }} +{{ toYaml (merge $capabilities .securityContext) | indent 2 }} +{{- else }} {{ toYaml .securityContext | indent 2 }} +{{- end -}} {{- if and .seccomp .kubeversion (semverCompare ">=1.19.0" .kubeversion) }} seccompProfile: {{- if hasPrefix "localhost/" .seccomp }} @@ -772,6 +775,9 @@ securityContext: {{- end }} {{- end -}} {{- end -}} +{{- else if .sysAdmin }} +securityContext: +{{ toYaml (dict "capabilities" (dict "add" (list "SYS_ADMIN"))) | indent 2 }} {{- end -}} {{- end -}} diff --git a/charts/datadog/datadog/templates/daemonset.yaml b/charts/datadog/datadog/templates/daemonset.yaml index 500f87fc0..4eced384e 100644 
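Review bot: In the new `.sysAdmin` branch of `generate-security-context`, `merge $capabilities .securityContext` puts the freshly built dict first. Sprig's `merge` gives the destination precedence and does not concatenate lists, so a `capabilities.add` list already present in `.securityContext` appears to be replaced by `[SYS_ADMIN]` rather than extended. An operator who had set extra `add` entries on `agents.containers.agent.securityContext` would lose them without any message once `uncompressedLayersSupport` is turned on. Building the `add` list from the existing one before merging avoids that, as sketched below; `drop` and the other fields still come through the merge. The define starts and ends outside this hunk, so the sketch assumes `.securityContext` is a non-empty map in this branch.

```gotemplate
{{- if .sysAdmin }}
{{- $caps := default (dict) .securityContext.capabilities }}
{{- $add := append (default (list) $caps.add) "SYS_ADMIN" | uniq }}
{{- $capabilities := dict "capabilities" (merge (dict "add" $add) $caps) }}
{{ toYaml (merge $capabilities .securityContext) | indent 2 }}
{{- else }}
{{/* … unchanged: toYaml .securityContext and the seccompProfile block … */}}
```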
--- a/charts/datadog/datadog/templates/daemonset.yaml +++ b/charts/datadog/datadog/templates/daemonset.yaml @@ -58,6 +58,9 @@ spec: container.seccomp.security.alpha.kubernetes.io/system-probe: {{ .Values.datadog.systemProbe.seccomp }} {{- end }} {{- end }} + {{- if and .Values.agents.podSecurity.apparmor.enabled .Values.datadog.sbom.containerImage.uncompressedLayersSupport }} + container.apparmor.security.beta.kubernetes.io/agent: unconfined + {{- end }} {{- if .Values.agents.podAnnotations }} {{ tpl (toYaml .Values.agents.podAnnotations) . | indent 8 }} {{- end }} @@ -66,7 +69,7 @@ spec: shareProcessNamespace: {{ .Values.agents.shareProcessNamespace }} {{- end }} {{- if .Values.datadog.securityContext -}} - {{ include "generate-security-context" (dict "securityContext" .Values.datadog.securityContext "targetSystem" .Values.targetSystem "seccomp" "" "kubeversion" .Capabilities.KubeVersion.Version) | nindent 6 }} + {{ include "generate-security-context" (dict "securityContext" .Values.datadog.securityContext "targetSystem" .Values.targetSystem "seccomp" "" "kubeversion" .Capabilities.KubeVersion.Version ) | nindent 6 }} {{- else if or .Values.agents.podSecurity.podSecurityPolicy.create .Values.agents.podSecurity.securityContextConstraints.create -}} {{- if .Values.agents.podSecurity.securityContext }} {{- if .Values.agents.podSecurity.securityContext.seLinuxOptions }} diff --git a/charts/datadog/datadog/values.yaml b/charts/datadog/datadog/values.yaml index ace54fbde..b6b636f57 100644 --- a/charts/datadog/datadog/values.yaml +++ b/charts/datadog/datadog/values.yaml 
@@ -706,6 +706,12 @@ datadog: # datadog.sbom.containerImage.enabled -- Enable SBOM collection for container images enabled: false + # datadog.sbom.containerImage.uncompressedLayersSupport -- Use container runtime snapshotter + # This should be set to true when using EKS, GKE or if containerd is configured to + # discard uncompressed layers. + # This feature will cause the SYS_ADMIN capability to be added to the Agent container. + uncompressedLayersSupport: false + host: # datadog.sbom.host.enabled -- Enable SBOM collection for host filesystems enabled: false @@ -874,7 +880,7 @@ clusterAgent: name: cluster-agent # clusterAgent.image.tag -- Cluster Agent image tag to use - tag: 7.49.1 + tag: 7.50.3 # clusterAgent.image.digest -- Cluster Agent image digest to use, takes precedence over tag if specified digest: "" @@ -1259,7 +1265,7 @@ fips: name: fips-proxy # fips.image.tag -- Define the FIPS sidecar container version to use. - tag: 1.0.0 + tag: 1.0.1 # fips.image.pullPolicy -- Datadog the FIPS sidecar image pull policy pullPolicy: IfNotPresent @@ -1302,7 +1308,7 @@ agents: name: agent # agents.image.tag -- Define the Agent version to use - tag: 7.49.1 + tag: 7.50.3 # agents.image.digest -- Define Agent image digest to use, takes precedence over tag if specified digest: "" @@ -1770,7 +1776,7 @@ clusterChecksRunner: name: agent # clusterChecksRunner.image.tag -- Define the Agent version to use - tag: 7.49.1 + tag: 7.50.3 # clusterChecksRunner.image.digest -- Define Agent image digest to use, takes precedence over tag if specified digest: "" diff --git a/charts/dell/csi-isilon/Chart.yaml b/charts/dell/csi-isilon/Chart.yaml index 0f94edb39..7e846b8a1 100644 --- a/charts/dell/csi-isilon/Chart.yaml +++ b/charts/dell/csi-isilon/Chart.yaml 
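Review bot: The comment added for `uncompressedLayersSupport` names only the `SYS_ADMIN` capability, while the templates in this commit also mount the node's `/var/lib/containerd` into the Agent container and, when `agents.podSecurity.apparmor.enabled` is set, annotate the agent container's AppArmor profile as `unconfined`. Operators deciding whether to turn the option on, or writing admission-policy exceptions for it, need all three facts. I would extend the comment with `# It also mounts the host's /var/lib/containerd read-only into the Agent container and, when AppArmor is enabled, runs that container with the unconfined profile.` The README row for this option carries the same text and would need the same addition.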
@@ -1,10 +1,10 @@ annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dell CSI PowerScale - catalog.cattle.io/kube-version: '>= 1.21.0 < 1.28.0' + catalog.cattle.io/kube-version: '>= 1.21.0 < 1.29.0' catalog.cattle.io/release-name: isilon apiVersion: v2 -appVersion: 2.7.0 +appVersion: 2.9.0 description: 'PowerScale CSI (Container Storage Interface) driver Kubernetes integration. This chart includes everything required to provision via CSI as well as an Isilon StorageClass. ' @@ -12,10 +12,11 @@ icon: https://partner-charts.rancher.io/assets/logos/dell.png keywords: - csi - storage -kubeVersion: '>= 1.21.0 < 1.28.0' +kubeVersion: '>= 1.21.0 < 1.29.0' maintainers: - name: DellEMC name: csi-isilon sources: - https://github.com/dell/csi-isilon -version: 2.7.0 +type: application +version: 2.9.0 diff --git a/charts/dell/csi-isilon/templates/_helpers.tpl b/charts/dell/csi-isilon/templates/_helpers.tpl index 02b2867e1..ecfe630d7 100644 --- a/charts/dell/csi-isilon/templates/_helpers.tpl +++ b/charts/dell/csi-isilon/templates/_helpers.tpl 
@@ -1,54 +1,3 @@ -{{/* -Return the appropriate sidecar images based on k8s version -*/}} -{{- define "csi-isilon.attacherImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} - {{- print "registry.k8s.io/sig-storage/csi-attacher:v4.3.0" -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "csi-isilon.provisionerImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} - {{- print "registry.k8s.io/sig-storage/csi-provisioner:v3.5.0" -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "csi-isilon.snapshotterImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} - {{- print "registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2" -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "csi-isilon.resizerImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} - {{- print "registry.k8s.io/sig-storage/csi-resizer:v1.8.0" -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "csi-isilon.registrarImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} - {{- print "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0" -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "csi-isilon.healthmonitorImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" 
.Capabilities.KubeVersion.Minor) "27") -}} - {{- print "registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.9.0" -}} - {{- end -}} - {{- end -}} -{{- end -}} - {{/* Return true if storage capacity tracking is enabled and is supported based on k8s version */}} diff --git a/charts/dell/csi-isilon/templates/controller.yaml b/charts/dell/csi-isilon/templates/controller.yaml index 9a0dbc9cf..3c279baaf 100644 --- a/charts/dell/csi-isilon/templates/controller.yaml +++ b/charts/dell/csi-isilon/templates/controller.yaml 
@@ -1,604 +1,604 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ .Release.Name }}-controller - namespace: {{ .Release.Namespace }} ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ .Release.Name }}-controller -rules: - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: [""] - resources: ["nodes"] - {{- if hasKey .Values "podmon" }} - {{- if eq .Values.podmon.enabled true }} - verbs: ["get", "list", "watch", "patch"] - {{- else }} - verbs: ["get", "list", "watch"] - {{- end }} - {{- end }} - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete", "update"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: [""] - resources: ["pods"] - {{- if hasKey .Values "podmon" }} - {{- if eq .Values.podmon.enabled true }} - verbs: ["get", "list", "watch", "update", "delete"] - {{- else }} - verbs: ["get", "list", "watch"] - {{- end }} - {{- end }} - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - {{- if hasKey .Values "podmon" }} - {{- if eq .Values.podmon.enabled true }} - verbs: ["get", "list", "watch", "update", "patch", "delete"] - {{- else }} - verbs: ["get", "list", "watch", "update", "patch"] - {{- end }} - {{- end }} - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments/status"] - verbs: ["patch"] - - apiGroups: ["csi.storage.k8s.io"] - resources: ["csinodeinfos"] - verbs: ["get", "list", "watch"] - - apiGroups: ["storage.k8s.io"] - resources: ["csinodes"] - verbs: ["get", "list", "watch", "update"] -# below for snapshotter - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] - 
- apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots/status"] - verbs: ["update"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents/status"] - verbs: ["update"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["create", "list", "watch", "delete"] - # below for resizer - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["update", "patch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims/status"] - verbs: ["update", "patch"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] - # below for dell-csi-replicator - {{- if hasKey .Values.controller "replication" }} - {{- if eq .Values.controller.replication.enabled true}} - - apiGroups: ["replication.storage.dell.com"] - resources: ["dellcsireplicationgroups"] - verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] - - apiGroups: ["replication.storage.dell.com"] - resources: ["dellcsireplicationgroups/status"] - verbs: ["get", "patch", "update"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "delete", "get", "list", "watch", "update", "patch"] - {{- end}} - {{- end}} - {{- if eq (include "csi-isilon.isStorageCapacitySupported" .) 
"true" }} - - apiGroups: ["storage.k8s.io"] - resources: ["csistoragecapacities"] - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["get"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get"] - {{- end }} ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ .Release.Name }}-controller -subjects: - - kind: ServiceAccount - name: {{ .Release.Name }}-controller - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: {{ .Release.Name }}-controller - apiGroup: rbac.authorization.k8s.io ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - name: {{ .Release.Name }}-controller - namespace: {{ .Release.Namespace }} - {{- if hasKey .Values "authorization" }} - {{- if eq .Values.authorization.enabled true }} - annotations: - com.dell.karavi-authorization-proxy: "true" - {{ end }} - {{ end }} -spec: - selector: - matchLabels: - app: {{ .Release.Name }}-controller - {{- if lt (.Values.controller.controllerCount | toString | atoi ) 1 -}} - {{- fail "value for .Values.controller.controllerCount should be atleast 1" }} - {{- else }} - replicas: {{ required "Must provide the number of controller instances to create." 
.Values.controller.controllerCount }} - {{- end }} - strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - template: - metadata: - labels: - app: {{ .Release.Name }}-controller - spec: - serviceAccount: {{ .Release.Name }}-controller - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - {{ .Release.Name }}-controller - topologyKey: kubernetes.io/hostname - {{ if .Values.controller.nodeSelector }} - nodeSelector: - {{- toYaml .Values.controller.nodeSelector | nindent 8 }} - {{ end }} - {{ if .Values.controller.tolerations }} - tolerations: - {{- toYaml .Values.controller.tolerations | nindent 8 }} - {{ end }} - containers: - {{- $encModes := list false }} - {{- if eq .Values.encryption.enabled true }} - {{- $encModes = list false true }} - {{- end }} -{{- range $encrypted := $encModes }} -{{- with $ }} - {{- $driverSock := "csi.sock" }} - {{- $csiSidecarSuffix := "" }} - {{- if $encrypted }} - {{- $driverSock = "csi-sec.sock" }} - {{- $csiSidecarSuffix = "-sec" }} - {{- end }} - {{- $driverSockPath := printf "/var/run/csi/%s" $driverSock }} - {{- if not $encrypted }} - {{- if hasKey .Values "podmon" }} - {{- if eq .Values.podmon.enabled true }} - - name: podmon - image: {{ required "Must provide the podmon container image." 
.Values.podmon.image }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - args: - {{- toYaml .Values.podmon.controller.args | nindent 12 }} - env: - - name: MY_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - volumeMounts: - - name: socket-dir - mountPath: /var/run/csi - - name: csi-isilon-config-params - mountPath: /csi-isilon-config-params - {{- end }} - {{- end }} - {{- if hasKey .Values.controller "replication" }} - {{- if eq .Values.controller.replication.enabled true}} - - name: dell-csi-replicator - image: {{ required "Must provide the Dell CSI Replicator image." .Values.controller.replication.image}} - imagePullPolicy: {{ .Values.imagePullPolicy }} - args: - - "--csi-address={{ $driverSockPath }}" - - "--leader-election=true" - - "--worker-threads=2" - - "--retry-interval-start=1s" - - "--retry-interval-max=300s" - - "--timeout=300s" - - "--context-prefix={{ .Values.controller.replication.replicationContextPrefix}}" - - "--prefix={{ .Values.controller.replication.replicationPrefix}}" - env: - - name: X_CSI_REPLICATION_CONFIG_DIR - value: /csi-isilon-config-params - - name: X_CSI_REPLICATION_CONFIG_FILE_NAME - value: driver-config-params.yaml - volumeMounts: - - name: socket-dir - mountPath: /var/run/csi - - name: csi-isilon-config-params - mountPath: /csi-isilon-config-params - {{- end }} - {{- end }} - {{- end }} - {{- if hasKey .Values.controller "resizer" }} - {{- if eq .Values.controller.resizer.enabled true }} - - name: resizer{{ $csiSidecarSuffix }} - image: {{ required "Must provide the CSI resizer container image." ( include "csi-isilon.resizerImage" . 
) }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - args: - - "--csi-address={{ $driverSockPath }}" - - "--leader-election" - - "--timeout=120s" - - "--v=5" - {{- if hasKey .Values.controller "leaderElection" }} - {{- if hasKey .Values.controller.leaderElection "leaderElectionRenewDeadline" }} - - "--leader-election-renew-deadline={{ .Values.controller.leaderElection.leaderElectionRenewDeadline }}" - {{end}} - {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} - - "--leader-election-lease-duration={{ .Values.controller.leaderElection.leaderElectionLeaseDuration }}" - {{end}} - {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} - - "--leader-election-retry-period={{ .Values.controller.leaderElection.leaderElectionRetryPeriod }}" - {{end}} - {{end}} - volumeMounts: - - name: socket-dir - mountPath: /var/run/csi - {{ end }} - {{ end }} - - name: csi-metadata-retriever {{ $csiSidecarSuffix }} - image: {{ required "Must provide the CSI metadata retriever container image." 
.Values.controller.metadataretriever.image }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - args: - - "--csi-address={{ $driverSockPath }}" - - "--leader-election" - - "--timeout=120s" - - "--v=5" - {{- if hasKey .Values.controller "leaderElection" }} - {{- if hasKey .Values.controller.leaderElection "leaderElectionRenewDeadline" }} - - "--leader-election-renew-deadline={{ .Values.controller.leaderElection.leaderElectionRenewDeadline }}" - {{end}} - {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} - - "--leader-election-lease-duration={{ .Values.controller.leaderElection.leaderElectionLeaseDuration }}" - {{end}} - {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} - - "--leader-election-retry-period={{ .Values.controller.leaderElection.leaderElectionRetryPeriod }}" - {{end}} - {{end}} - command: [ "/csi-metadata-retriever" ] - env: - - name: CSI_RETRIEVER_ENDPOINT - value: /var/run/csi/csi_retriever.sock - volumeMounts: - - name: socket-dir - mountPath: /var/run/csi - - name: attacher{{ $csiSidecarSuffix }} - image: {{ required "Must provide the CSI attacher container image." ( include "csi-isilon.attacherImage" . 
) }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - args: - - "--csi-address={{ $driverSockPath }}" - - "--v=5" - - "--leader-election" - - "--timeout=180s" - {{- if hasKey .Values.controller "leaderElection" }} - {{- if hasKey .Values.controller.leaderElection "leaderElectionRenewDeadline" }} - - "--leader-election-renew-deadline={{ .Values.controller.leaderElection.leaderElectionRenewDeadline }}" - {{end}} - {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} - - "--leader-election-lease-duration={{ .Values.controller.leaderElection.leaderElectionLeaseDuration }}" - {{end}} - {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} - - "--leader-election-retry-period={{ .Values.controller.leaderElection.leaderElectionRetryPeriod }}" - {{end}} - {{end}} - volumeMounts: - - name: socket-dir - mountPath: /var/run/csi - {{- if not $encrypted }} - {{- if hasKey .Values.controller "healthMonitor" }} - {{- if eq .Values.controller.healthMonitor.enabled true }} - - name: external-health-monitor-controller - image: {{ required "Must provide the CSI external-health-monitor-controller container image." ( include "csi-isilon.healthmonitorImage" . 
) }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - args: - - "--csi-address={{ $driverSockPath }}" - - "--v=5" - - "--leader-election" - - "--enable-node-watcher=true" - - "--monitor-interval={{ .Values.controller.healthMonitor.interval | default "60s" }}" - - "--timeout=180s" - - "--http-endpoint=:8080" - {{- if hasKey .Values.controller "leaderElection" }} - {{- if hasKey .Values.controller.leaderElection "leaderElectionRenewDeadline" }} - - "--leader-election-renew-deadline={{ .Values.controller.leaderElection.leaderElectionRenewDeadline }}" - {{end}} - {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} - - "--leader-election-lease-duration={{ .Values.controller.leaderElection.leaderElectionLeaseDuration }}" - {{end}} - {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} - - "--leader-election-retry-period={{ .Values.controller.leaderElection.leaderElectionRetryPeriod }}" - {{end}} - {{end}} - volumeMounts: - - name: socket-dir - mountPath: /var/run/csi - {{end}} - {{end}} - {{- end }} - - name: provisioner{{ $csiSidecarSuffix }} - image: {{ required "Must provide the CSI provisioner container image." ( include "csi-isilon.provisionerImage" . ) }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - args: - - "--csi-address={{ $driverSockPath }}" - - "--volume-name-prefix={{ required "Must provide a value to prefix to driver created volume names" .Values.controller.volumeNamePrefix }}" - - "--volume-name-uuid-length=10" - - "--worker-threads=5" - - "--timeout=120s" - - "--v=5" - - "--feature-gates=Topology=true" - - "--leader-election" - - "--extra-create-metadata" - - "--enable-capacity={{ (include "csi-isilon.isStorageCapacitySupported" .) 
| default false }}" - - "--capacity-ownerref-level=2" - - "--capacity-poll-interval={{ .Values.storageCapacity.pollInterval | default "5m" }}" - {{- if hasKey .Values.controller "leaderElection" }} - {{- if hasKey .Values.controller.leaderElection "leaderElectionRenewDeadline" }} - - "--leader-election-renew-deadline={{ .Values.controller.leaderElection.leaderElectionRenewDeadline }}" - {{end}} - {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} - - "--leader-election-lease-duration={{ .Values.controller.leaderElection.leaderElectionLeaseDuration }}" - {{end}} - {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} - - "--leader-election-retry-period={{ .Values.controller.leaderElection.leaderElectionRetryPeriod }}" - {{end}} - {{end}} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - volumeMounts: - - name: socket-dir - mountPath: /var/run/csi - {{- if hasKey .Values.controller "snapshot" }} - {{- if eq .Values.controller.snapshot.enabled true }} - - name: snapshotter{{ $csiSidecarSuffix }} - #image: quay.io/k8scsi/csi-snapshotter:v1.0.0 - image: {{ required "Must provide the CSI snapshotter container image." ( include "csi-isilon.snapshotterImage" . 
) }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - args: - - "--csi-address={{ $driverSockPath }}" - - "--timeout=120s" - - "--v=5" - - "--snapshot-name-prefix={{ required "Must privided a Snapshot Name Prefix" .Values.controller.snapshot.snapNamePrefix }}" - - "--leader-election" - {{- if hasKey .Values.controller "leaderElection" }} - {{- if hasKey .Values.controller.leaderElection "leaderElectionRenewDeadline" }} - - "--leader-election-renew-deadline={{ .Values.controller.leaderElection.leaderElectionRenewDeadline }}" - {{end}} - {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} - - "--leader-election-lease-duration={{ .Values.controller.leaderElection.leaderElectionLeaseDuration }}" - {{end}} - {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} - - "--leader-election-retry-period={{ .Values.controller.leaderElection.leaderElectionRetryPeriod }}" - {{end}} - {{end}} - volumeMounts: - - name: socket-dir - mountPath: /var/run/csi - {{end}} - {{end}} - {{- if not $encrypted }} - - name: driver - image: {{ required "Must provide the Isilon driver image repository." 
.Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - command: [ "/csi-isilon" ] - args: - - "--leader-election" - {{- if hasKey .Values.controller "leaderElection" }} - {{- if hasKey .Values.controller.leaderElection "leaderElectionRenewDeadline" }} - - "--leader-election-renew-deadline={{ .Values.controller.leaderElection.leaderElectionRenewDeadline }}" - {{end}} - {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} - - "--leader-election-lease-duration={{ .Values.controller.leaderElection.leaderElectionLeaseDuration }}" - {{end}} - {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} - - "--leader-election-retry-period={{ .Values.controller.leaderElection.leaderElectionRetryPeriod }}" - {{end}} - {{end}} - - "--driver-config-params=/csi-isilon-config-params/driver-config-params.yaml" - env: - - name: CSI_ENDPOINT - value: "{{ $driverSockPath }}" - - name: CSI_RETRIEVER_ENDPOINT - value: /var/run/csi/csi_retriever.sock - - name: X_CSI_MODE - value: controller - - name: X_CSI_ISI_SKIP_CERTIFICATE_VALIDATION - value: "{{ .Values.skipCertificateValidation }}" - - name: X_CSI_ISI_AUTH_TYPE - value: "{{ .Values.isiAuthType }}" - - name: X_CSI_VERBOSE - value: "{{ .Values.verbose }}" - - name: X_CSI_ISI_PORT - value: "{{ .Values.endpointPort }}" - - name: X_CSI_ISI_AUTOPROBE - value: "{{ .Values.autoProbe }}" - - name: X_CSI_ISI_QUOTA_ENABLED - value: "{{ .Values.enableQuota }}" - - name: X_CSI_ISI_ACCESS_ZONE - value: {{ .Values.isiAccessZone }} - - name: X_CSI_CUSTOM_TOPOLOGY_ENABLED - value: "{{ .Values.enableCustomTopology }}" - - name: X_CSI_ISI_PATH - value: {{ .Values.isiPath }} - - name: X_CSI_ISI_VOLUME_PATH_PERMISSIONS - value: "{{ .Values.isiVolumePathPermissions }}" - - name: X_CSI_ISI_IGNORE_UNRESOLVABLE_HOSTS - value: "{{ .Values.ignoreUnresolvableHosts }}" - - name: X_CSI_ISI_NO_PROBE_ON_START - value: "{{ 
.Values.noProbeOnStart }}" - - name: X_CSI_PODMON_ENABLED - value: "{{ .Values.podmon.enabled }}" - - name: X_CSI_PODMON_API_PORT - value: "{{ .Values.podmonAPIPort }}" - {{- if eq .Values.podmon.enabled true }} - {{- range $key, $value := .Values.podmon.controller.args }} - {{- if contains "--arrayConnectivityPollRate" $value }} - - name: X_CSI_PODMON_ARRAY_CONNECTIVITY_POLL_RATE - value: "{{ (split "=" $value)._1 }}" - {{ end }} - {{ end }} - {{ end }} - {{- if hasKey .Values.controller "replication" }} - {{- if eq .Values.controller.replication.enabled true}} - - name: X_CSI_REPLICATION_CONTEXT_PREFIX - value: {{ .Values.controller.replication.replicationContextPrefix | default "powerscale"}} - - name: X_CSI_REPLICATION_PREFIX - value: {{ .Values.controller.replication.replicationPrefix | default "replication.storage.dell.com"}} - {{- end }} - {{- end }} - {{- if hasKey .Values.controller "healthMonitor" }} - {{- if eq .Values.controller.healthMonitor.enabled true }} - - name: X_CSI_HEALTH_MONITOR_ENABLED - value: "{{ .Values.controller.healthMonitor.enabled }}" - {{end}} - {{end}} - - name: X_CSI_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: SSL_CERT_DIR - value: /certs - - name: X_CSI_ISI_CONFIG_PATH - value: /isilon-configs/config - - name: X_CSI_MAX_PATH_LIMIT - value: "{{ .Values.maxPathLen }}" - volumeMounts: - - name: socket-dir - mountPath: /var/run/csi - - name: certs - mountPath: /certs - readOnly: true - - name: isilon-configs - mountPath: /isilon-configs - - name: csi-isilon-config-params - mountPath: /csi-isilon-config-params - {{- end }} - {{- if not $encrypted }} - {{- if hasKey .Values "authorization" }} - {{- if eq .Values.authorization.enabled true }} - - name: karavi-authorization-proxy - imagePullPolicy: {{ .Values.imagePullPolicy }} - image: {{ required "Must provide the authorization sidecar container image." 
.Values.authorization.sidecarProxyImage }} - env: - - name: PROXY_HOST - value: "{{ .Values.authorization.proxyHost }}" - - name: SKIP_CERTIFICATE_VALIDATION - value: "{{ .Values.authorization.skipCertificateValidation }}" - - name: PLUGIN_IDENTIFIER - value: powerscale - - name: ACCESS_TOKEN - valueFrom: - secretKeyRef: - name: proxy-authz-tokens - key: access - - name: REFRESH_TOKEN - valueFrom: - secretKeyRef: - name: proxy-authz-tokens - key: refresh - volumeMounts: - - name: karavi-authorization-config - mountPath: /etc/karavi-authorization/config - - name: proxy-server-root-certificate - mountPath: /etc/karavi-authorization/root-certificates - - name: csi-isilon-config-params - mountPath: /etc/karavi-authorization - {{ end }} - {{ end }} - {{- end }} - {{- if $encrypted }} - - name: driver-sec - image: {{ .Values.encryption.image }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - args: - - --name={{ .Values.encryption.pluginName }} - - --nodeId=$(NODE_ID) - - "--endpoint=unix://var/run/csi/csi-sec.sock" - - "--targetEndpoint=unix://var/run/csi/csi.sock" - - --targetType=Isilon - - --controller - - --logLevel={{ .Values.encryption.logLevel }} - {{- range index .Values.encryption.extraArgs }} - - {{ . 
| quote }} - {{- end }} - env: - - name: NODE_ID - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - - name: socket-dir - mountPath: /var/run/csi - {{- end }} -{{- end }} -{{- end }} - volumes: - - name: socket-dir - emptyDir: - - name: certs - projected: - sources: -{{- range $i, $e := until (int .Values.certSecretCount ) }} - - secret: - name: {{ print $.Release.Name "-certs-" $e }} - items: - - key: cert-{{ $e }} - path: cert-{{ $e }} -{{- end }} - - name: isilon-configs - secret: - secretName: {{ .Release.Name }}-creds - - name: csi-isilon-config-params - configMap: - name: {{ .Release.Name }}-config-params - {{- if hasKey .Values "authorization" }} - {{- if eq .Values.authorization.enabled true }} - - name: karavi-authorization-config - secret: - secretName: karavi-authorization-config - - name: proxy-server-root-certificate - secret: - secretName: proxy-server-root-certificate - {{ end }} - {{ end }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Release.Name }}-controller + namespace: {{ .Release.Namespace }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-controller +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["nodes"] + {{- if hasKey .Values "podmon" }} + {{- if eq .Values.podmon.enabled true }} + verbs: ["get", "list", "watch", "patch"] + {{- else }} + verbs: ["get", "list", "watch"] + {{- end }} + {{- end }} + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete", "update"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["pods"] + {{- if hasKey .Values "podmon" }} + {{- if eq .Values.podmon.enabled true }} + verbs: ["get", "list", "watch", "update", "delete"] + {{- else }} + verbs: ["get", "list", "watch"] + {{- end }} + {{- end }} 
+ - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + {{- if hasKey .Values "podmon" }} + {{- if eq .Values.podmon.enabled true }} + verbs: ["get", "list", "watch", "update", "patch", "delete"] + {{- else }} + verbs: ["get", "list", "watch", "update", "patch"] + {{- end }} + {{- end }} + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["patch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch", "update"] +# below for snapshotter + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create", "list", "watch", "delete"] + # below for resizer + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] + # below for dell-csi-replicator + {{- if hasKey .Values.controller "replication" }} + {{- if eq 
.Values.controller.replication.enabled true}} + - apiGroups: ["replication.storage.dell.com"] + resources: ["dellcsireplicationgroups"] + verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] + - apiGroups: ["replication.storage.dell.com"] + resources: ["dellcsireplicationgroups/status"] + verbs: ["get", "patch", "update"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "delete", "get", "list", "watch", "update", "patch"] + {{- end}} + {{- end}} + {{- if eq (include "csi-isilon.isStorageCapacitySupported" .) "true" }} + - apiGroups: ["storage.k8s.io"] + resources: ["csistoragecapacities"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get"] + {{- end }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-controller +subjects: + - kind: ServiceAccount + name: {{ .Release.Name }}-controller + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Release.Name }}-controller + apiGroup: rbac.authorization.k8s.io +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Release.Name }}-controller + namespace: {{ .Release.Namespace }} + {{- if hasKey .Values "authorization" }} + {{- if eq .Values.authorization.enabled true }} + annotations: + com.dell.karavi-authorization-proxy: "true" + {{ end }} + {{ end }} +spec: + selector: + matchLabels: + app: {{ .Release.Name }}-controller + {{- if lt (.Values.controller.controllerCount | toString | atoi ) 1 -}} + {{- fail "value for .Values.controller.controllerCount should be atleast 1" }} + {{- else }} + replicas: {{ required "Must provide the number of controller instances to create." 
.Values.controller.controllerCount }} + {{- end }} + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + labels: + app: {{ .Release.Name }}-controller + spec: + serviceAccount: {{ .Release.Name }}-controller + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - {{ .Release.Name }}-controller + topologyKey: kubernetes.io/hostname + {{ if .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml .Values.controller.nodeSelector | nindent 8 }} + {{ end }} + {{ if .Values.controller.tolerations }} + tolerations: + {{- toYaml .Values.controller.tolerations | nindent 8 }} + {{ end }} + containers: + {{- $encModes := list false }} + {{- if eq .Values.encryption.enabled true }} + {{- $encModes = list false true }} + {{- end }} +{{- range $encrypted := $encModes }} +{{- with $ }} + {{- $driverSock := "csi.sock" }} + {{- $csiSidecarSuffix := "" }} + {{- if $encrypted }} + {{- $driverSock = "csi-sec.sock" }} + {{- $csiSidecarSuffix = "-sec" }} + {{- end }} + {{- $driverSockPath := printf "/var/run/csi/%s" $driverSock }} + {{- if not $encrypted }} + {{- if hasKey .Values "podmon" }} + {{- if eq .Values.podmon.enabled true }} + - name: podmon + image: {{ required "Must provide the podmon container image." 
.Values.images.podmon }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + {{- toYaml .Values.podmon.controller.args | nindent 12 }} + env: + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + - name: csi-isilon-config-params + mountPath: /csi-isilon-config-params + {{- end }} + {{- end }} + {{- if hasKey .Values.controller "replication" }} + {{- if eq .Values.controller.replication.enabled true}} + - name: dell-csi-replicator + image: {{ required "Must provide the Dell CSI Replicator image." .Values.images.replication }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address={{ $driverSockPath }}" + - "--leader-election=true" + - "--worker-threads=2" + - "--retry-interval-start=1s" + - "--retry-interval-max=300s" + - "--timeout=300s" + - "--context-prefix={{ .Values.controller.replication.replicationContextPrefix}}" + - "--prefix={{ .Values.controller.replication.replicationPrefix}}" + env: + - name: X_CSI_REPLICATION_CONFIG_DIR + value: /csi-isilon-config-params + - name: X_CSI_REPLICATION_CONFIG_FILE_NAME + value: driver-config-params.yaml + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + - name: csi-isilon-config-params + mountPath: /csi-isilon-config-params + {{- end }} + {{- end }} + {{- end }} + {{- if hasKey .Values.controller "resizer" }} + {{- if eq .Values.controller.resizer.enabled true }} + - name: resizer{{ $csiSidecarSuffix }} + image: {{ required "Must provide the CSI resizer container image." 
.Values.images.resizer }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address={{ $driverSockPath }}" + - "--leader-election" + - "--timeout=120s" + - "--v=5" + {{- if hasKey .Values.controller "leaderElection" }} + {{- if hasKey .Values.controller.leaderElection "leaderElectionRenewDeadline" }} + - "--leader-election-renew-deadline={{ .Values.controller.leaderElection.leaderElectionRenewDeadline }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-lease-duration={{ .Values.controller.leaderElection.leaderElectionLeaseDuration }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-retry-period={{ .Values.controller.leaderElection.leaderElectionRetryPeriod }}" + {{end}} + {{end}} + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{ end }} + {{ end }} + - name: csi-metadata-retriever {{ $csiSidecarSuffix }} + image: {{ required "Must provide the CSI metadata retriever container image." 
.Values.images.metadataretriever }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address={{ $driverSockPath }}" + - "--leader-election" + - "--timeout=120s" + - "--v=5" + {{- if hasKey .Values.controller "leaderElection" }} + {{- if hasKey .Values.controller.leaderElection "leaderElectionRenewDeadline" }} + - "--leader-election-renew-deadline={{ .Values.controller.leaderElection.leaderElectionRenewDeadline }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-lease-duration={{ .Values.controller.leaderElection.leaderElectionLeaseDuration }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-retry-period={{ .Values.controller.leaderElection.leaderElectionRetryPeriod }}" + {{end}} + {{end}} + command: [ "/csi-metadata-retriever" ] + env: + - name: CSI_RETRIEVER_ENDPOINT + value: /var/run/csi/csi_retriever.sock + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + - name: attacher{{ $csiSidecarSuffix }} + image: {{ required "Must provide the CSI attacher container image." 
.Values.images.attacher }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address={{ $driverSockPath }}" + - "--v=5" + - "--leader-election" + - "--timeout=180s" + {{- if hasKey .Values.controller "leaderElection" }} + {{- if hasKey .Values.controller.leaderElection "leaderElectionRenewDeadline" }} + - "--leader-election-renew-deadline={{ .Values.controller.leaderElection.leaderElectionRenewDeadline }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-lease-duration={{ .Values.controller.leaderElection.leaderElectionLeaseDuration }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-retry-period={{ .Values.controller.leaderElection.leaderElectionRetryPeriod }}" + {{end}} + {{end}} + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{- if not $encrypted }} + {{- if hasKey .Values.controller "healthMonitor" }} + {{- if eq .Values.controller.healthMonitor.enabled true }} + - name: external-health-monitor-controller + image: {{ required "Must provide the CSI external-health-monitor-controller container image." 
.Values.images.healthmonitor }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address={{ $driverSockPath }}" + - "--v=5" + - "--leader-election" + - "--enable-node-watcher=true" + - "--monitor-interval={{ .Values.controller.healthMonitor.interval | default "60s" }}" + - "--timeout=180s" + - "--http-endpoint=:8080" + {{- if hasKey .Values.controller "leaderElection" }} + {{- if hasKey .Values.controller.leaderElection "leaderElectionRenewDeadline" }} + - "--leader-election-renew-deadline={{ .Values.controller.leaderElection.leaderElectionRenewDeadline }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-lease-duration={{ .Values.controller.leaderElection.leaderElectionLeaseDuration }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-retry-period={{ .Values.controller.leaderElection.leaderElectionRetryPeriod }}" + {{end}} + {{end}} + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{end}} + {{end}} + {{- end }} + - name: provisioner{{ $csiSidecarSuffix }} + image: {{ required "Must provide the CSI provisioner container image." .Values.images.provisioner }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address={{ $driverSockPath }}" + - "--volume-name-prefix={{ required "Must provide a value to prefix to driver created volume names" .Values.controller.volumeNamePrefix }}" + - "--volume-name-uuid-length=10" + - "--worker-threads=5" + - "--timeout=120s" + - "--v=5" + - "--feature-gates=Topology=true" + - "--leader-election" + - "--extra-create-metadata" + - "--enable-capacity={{ (include "csi-isilon.isStorageCapacitySupported" .) 
| default false }}" + - "--capacity-ownerref-level=2" + - "--capacity-poll-interval={{ .Values.storageCapacity.pollInterval | default "5m" }}" + {{- if hasKey .Values.controller "leaderElection" }} + {{- if hasKey .Values.controller.leaderElection "leaderElectionRenewDeadline" }} + - "--leader-election-renew-deadline={{ .Values.controller.leaderElection.leaderElectionRenewDeadline }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-lease-duration={{ .Values.controller.leaderElection.leaderElectionLeaseDuration }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-retry-period={{ .Values.controller.leaderElection.leaderElectionRetryPeriod }}" + {{end}} + {{end}} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{- if hasKey .Values.controller "snapshot" }} + {{- if eq .Values.controller.snapshot.enabled true }} + - name: snapshotter{{ $csiSidecarSuffix }} + #image: quay.io/k8scsi/csi-snapshotter:v1.0.0 + image: {{ required "Must provide the CSI snapshotter container image." 
.Values.images.snapshotter }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address={{ $driverSockPath }}" + - "--timeout=120s" + - "--v=5" + - "--snapshot-name-prefix={{ required "Must privided a Snapshot Name Prefix" .Values.controller.snapshot.snapNamePrefix }}" + - "--leader-election" + {{- if hasKey .Values.controller "leaderElection" }} + {{- if hasKey .Values.controller.leaderElection "leaderElectionRenewDeadline" }} + - "--leader-election-renew-deadline={{ .Values.controller.leaderElection.leaderElectionRenewDeadline }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-lease-duration={{ .Values.controller.leaderElection.leaderElectionLeaseDuration }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-retry-period={{ .Values.controller.leaderElection.leaderElectionRetryPeriod }}" + {{end}} + {{end}} + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{end}} + {{end}} + {{- if not $encrypted }} + - name: driver + image: {{ required "Must provide the Isilon driver image repository." 
.Values.images.driver }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: [ "/csi-isilon" ] + args: + - "--leader-election" + {{- if hasKey .Values.controller "leaderElection" }} + {{- if hasKey .Values.controller.leaderElection "leaderElectionRenewDeadline" }} + - "--leader-election-renew-deadline={{ .Values.controller.leaderElection.leaderElectionRenewDeadline }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-lease-duration={{ .Values.controller.leaderElection.leaderElectionLeaseDuration }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-retry-period={{ .Values.controller.leaderElection.leaderElectionRetryPeriod }}" + {{end}} + {{end}} + - "--driver-config-params=/csi-isilon-config-params/driver-config-params.yaml" + env: + - name: CSI_ENDPOINT + value: "{{ $driverSockPath }}" + - name: CSI_RETRIEVER_ENDPOINT + value: /var/run/csi/csi_retriever.sock + - name: X_CSI_MODE + value: controller + - name: X_CSI_ISI_SKIP_CERTIFICATE_VALIDATION + value: "{{ .Values.skipCertificateValidation }}" + - name: X_CSI_ISI_AUTH_TYPE + value: "{{ .Values.isiAuthType }}" + - name: X_CSI_VERBOSE + value: "{{ .Values.verbose }}" + - name: X_CSI_ISI_PORT + value: "{{ .Values.endpointPort }}" + - name: X_CSI_ISI_AUTOPROBE + value: "{{ .Values.autoProbe }}" + - name: X_CSI_ISI_QUOTA_ENABLED + value: "{{ .Values.enableQuota }}" + - name: X_CSI_ISI_ACCESS_ZONE + value: {{ .Values.isiAccessZone }} + - name: X_CSI_CUSTOM_TOPOLOGY_ENABLED + value: "{{ .Values.enableCustomTopology }}" + - name: X_CSI_ISI_PATH + value: {{ .Values.isiPath }} + - name: X_CSI_ISI_VOLUME_PATH_PERMISSIONS + value: "{{ .Values.isiVolumePathPermissions }}" + - name: X_CSI_ISI_IGNORE_UNRESOLVABLE_HOSTS + value: "{{ .Values.ignoreUnresolvableHosts }}" + - name: X_CSI_ISI_NO_PROBE_ON_START + value: "{{ .Values.noProbeOnStart }}" + - name: X_CSI_PODMON_ENABLED + value: "{{ 
.Values.podmon.enabled }}" + - name: X_CSI_PODMON_API_PORT + value: "{{ .Values.podmonAPIPort }}" + {{- if eq .Values.podmon.enabled true }} + {{- range $key, $value := .Values.podmon.controller.args }} + {{- if contains "--arrayConnectivityPollRate" $value }} + - name: X_CSI_PODMON_ARRAY_CONNECTIVITY_POLL_RATE + value: "{{ (split "=" $value)._1 }}" + {{ end }} + {{ end }} + {{ end }} + {{- if hasKey .Values.controller "replication" }} + {{- if eq .Values.controller.replication.enabled true}} + - name: X_CSI_REPLICATION_CONTEXT_PREFIX + value: {{ .Values.controller.replication.replicationContextPrefix | default "powerscale"}} + - name: X_CSI_REPLICATION_PREFIX + value: {{ .Values.controller.replication.replicationPrefix | default "replication.storage.dell.com"}} + {{- end }} + {{- end }} + {{- if hasKey .Values.controller "healthMonitor" }} + {{- if eq .Values.controller.healthMonitor.enabled true }} + - name: X_CSI_HEALTH_MONITOR_ENABLED + value: "{{ .Values.controller.healthMonitor.enabled }}" + {{end}} + {{end}} + - name: X_CSI_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: SSL_CERT_DIR + value: /certs + - name: X_CSI_ISI_CONFIG_PATH + value: /isilon-configs/config + - name: X_CSI_MAX_PATH_LIMIT + value: "{{ .Values.maxPathLen }}" + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + - name: certs + mountPath: /certs + readOnly: true + - name: isilon-configs + mountPath: /isilon-configs + - name: csi-isilon-config-params + mountPath: /csi-isilon-config-params + {{- end }} + {{- if not $encrypted }} + {{- if hasKey .Values "authorization" }} + {{- if eq .Values.authorization.enabled true }} + - name: karavi-authorization-proxy + imagePullPolicy: {{ .Values.imagePullPolicy }} + image: {{ required "Must provide the authorization sidecar container image." 
.Values.images.authorization }} + env: + - name: PROXY_HOST + value: "{{ .Values.authorization.proxyHost }}" + - name: SKIP_CERTIFICATE_VALIDATION + value: "{{ .Values.authorization.skipCertificateValidation }}" + - name: PLUGIN_IDENTIFIER + value: powerscale + - name: ACCESS_TOKEN + valueFrom: + secretKeyRef: + name: proxy-authz-tokens + key: access + - name: REFRESH_TOKEN + valueFrom: + secretKeyRef: + name: proxy-authz-tokens + key: refresh + volumeMounts: + - name: karavi-authorization-config + mountPath: /etc/karavi-authorization/config + - name: proxy-server-root-certificate + mountPath: /etc/karavi-authorization/root-certificates + - name: csi-isilon-config-params + mountPath: /etc/karavi-authorization + {{ end }} + {{ end }} + {{- end }} + {{- if $encrypted }} + - name: driver-sec + image: {{ .Values.images.encryption }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - --name={{ .Values.encryption.pluginName }} + - --nodeId=$(NODE_ID) + - "--endpoint=unix://var/run/csi/csi-sec.sock" + - "--targetEndpoint=unix://var/run/csi/csi.sock" + - --targetType=Isilon + - --controller + - --logLevel={{ .Values.encryption.logLevel }} + {{- range index .Values.encryption.extraArgs }} + - {{ . 
| quote }} + {{- end }} + env: + - name: NODE_ID + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{- end }} +{{- end }} +{{- end }} + volumes: + - name: socket-dir + emptyDir: + - name: certs + projected: + sources: +{{- range $i, $e := until (int .Values.certSecretCount ) }} + - secret: + name: {{ print $.Release.Name "-certs-" $e }} + items: + - key: cert-{{ $e }} + path: cert-{{ $e }} +{{- end }} + - name: isilon-configs + secret: + secretName: {{ .Release.Name }}-creds + - name: csi-isilon-config-params + configMap: + name: {{ .Release.Name }}-config-params + {{- if hasKey .Values "authorization" }} + {{- if eq .Values.authorization.enabled true }} + - name: karavi-authorization-config + secret: + secretName: karavi-authorization-config + - name: proxy-server-root-certificate + secret: + secretName: proxy-server-root-certificate + {{ end }} + {{ end }} diff --git a/charts/dell/csi-isilon/templates/node.yaml b/charts/dell/csi-isilon/templates/node.yaml index c08c2f92b..d84a505a7 100644 --- a/charts/dell/csi-isilon/templates/node.yaml +++ b/charts/dell/csi-isilon/templates/node.yaml @@ -113,7 +113,7 @@ spec: capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true - image: {{ required "Must provide the podmon container image." .Values.podmon.image }} + image: {{ required "Must provide the podmon container image." .Values.images.podmon }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: {{- toYaml .Values.podmon.node.args | nindent 12 }} @@ -167,7 +167,7 @@ spec: capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true - image: {{ required "Must provide the Isilon driver image repository." .Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }} + image: {{ required "Must provide the Isilon driver image repository." .Values.images.driver }} imagePullPolicy: {{ .Values.imagePullPolicy }} env: - name: CSI_ENDPOINT 
@@ -251,7 +251,7 @@ spec: mountPath: /csi-isilon-config-params {{- end }} - name: registrar{{ $csiSidecarSuffix }} - image: {{ required "Must provide the CSI node registrar container image." ( include "csi-isilon.registrarImage" . ) }} + image: {{ required "Must provide the CSI node registrar container image." .Values.images.registrar }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--v=5" @@ -273,7 +273,7 @@ spec: {{- if eq .Values.authorization.enabled true }} - name: karavi-authorization-proxy imagePullPolicy: {{ .Values.imagePullPolicy }} - image: {{ required "Must provide the authorization sidecar container image." .Values.authorization.sidecarProxyImage }} + image: {{ required "Must provide the authorization sidecar container image." .Values.images.authorization }} env: - name: PROXY_HOST value: "{{ .Values.authorization.proxyHost }}" @@ -303,7 +303,7 @@ spec: {{- end }} {{- if $encrypted }} - name: driver-sec - image: {{ .Values.encryption.image }} + image: {{ .Values.images.encryption }} imagePullPolicy: {{ .Values.imagePullPolicy }} securityContext: privileged: true diff --git a/charts/dell/csi-isilon/values.yaml b/charts/dell/csi-isilon/values.yaml index 4245696cd..15b204765 100644 --- a/charts/dell/csi-isilon/values.yaml +++ b/charts/dell/csi-isilon/values.yaml 
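Review bot: In the `@@ -303,7 +303,7 @@` hunk, `image: {{ .Values.images.encryption }}` is the only image line touched here that is not wrapped in `required`, and it belongs to the `driver-sec` container that runs with `privileged: true`. If the key is nulled or emptied in an override, the template renders an empty `image:` and the error surfaces only when the manifest is applied. For consistency with the other image lines I would write `image: {{ required "Must provide the encryption sidecar container image." .Values.images.encryption }}`. The `driver-sec` container in controller.yaml has the same unguarded line.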
@@ -2,7 +2,25 @@ ######################## # version: version of this values file # Note: Do not change this value -version: "v2.7.0" +version: "v2.9.0" + +images: + # "driver" defines the container image, used for the driver container. + driver: dellemc/csi-isilon:v2.9.0 + # CSI sidecars + attacher: registry.k8s.io/sig-storage/csi-attacher:v4.4.2 + provisioner: registry.k8s.io/sig-storage/csi-provisioner:v3.6.2 + snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.2 + resizer: registry.k8s.io/sig-storage/csi-resizer:v1.9.2 + registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.1 + healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.10.0 + + # CSM sidecars + replication: dellemc/dell-csi-replicator:v1.7.0 + podmon: dellemc/podmon:v1.8.0 + authorization: dellemc/csm-authorization-sidecar:v1.9.0 + metadataretriever: dellemc/csi-metadata-retriever:v1.4.0 + encryption: dellemc/csm-encryption:v0.3.0 # CSI driver log level # Allowed values: "error", "warn"/"warning", "info", "debug" @@ -110,10 +128,6 @@ controller: # Default value: 5s leaderElectionRetryPeriod: 5s - # Image for csi-metadata-retriever - metadataretriever: - image: dellemc/csi-metadata-retriever:v1.4.0 - # replication: allows to configure replication # Replication CRDs must be installed before installing driver replication: @@ -124,11 +138,6 @@ controller: # Default value: false enabled: false - # image: Image to use for dell-csi-replicator. This shouldn't be changed - # Allowed values: string - # Default value: None - image: dellemc/dell-csi-replicator:v1.5.0 - # replicationContextPrefix: prefix to use for naming of resources created by replication feature # Allowed values: string # Default value: powerscale 
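Review bot: Every entry in the new `images:` block (first hunk, -2,7) is a mutable tag, and the `dellemc/...` entries carry no registry host. The node template runs several of these images with `SYS_ADMIN` and `allowPrivilegeEscalation: true`, so what a tag resolves to at pull time matters more here than for an ordinary workload. An unqualified name is also resolved according to each container runtime's registry configuration. I would add a comment above the block saying that production installs should override each value with a fully qualified, digest-pinned reference, for example `driver: <registry-host>/dellemc/csi-isilon:v2.9.0@sha256:<digest>`. The same applies to the `images:` blocks added in csi-powermax/values.yaml and csi-powerstore/values.yaml.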
@@ -359,9 +368,6 @@ autoProbe: true authorization: enabled: false - # sidecarProxyImage: the container image used for the csm-authorization-sidecar. - # Default value: dellemc/csm-authorization-sidecar:v1.7.0 - sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.7.0 # proxyHost: hostname of the csm-authorization server # Default value: None proxyHost: 
@@ -389,30 +395,29 @@ storageCapacity: # Enable this feature only after contact support for additional information podmon: enabled: false - image: dellemc/podmon:v1.6.0 - #controller: - # args: - # - "--csisock=unix:/var/run/csi/csi.sock" - # - "--labelvalue=csi-isilon" - # - "--arrayConnectivityPollRate=60" - # - "--driverPath=csi-isilon.dellemc.com" - # - "--mode=controller" - # - "--skipArrayConnectionValidation=false" - # - "--driver-config-params=/csi-isilon-config-params/driver-config-params.yaml" - # - "--driverPodLabelValue=dell-storage" - # - "--ignoreVolumelessPods=false" + controller: + args: + - "--csisock=unix:/var/run/csi/csi.sock" + - "--labelvalue=csi-isilon" + - "--arrayConnectivityPollRate=60" + - "--driverPath=csi-isilon.dellemc.com" + - "--mode=controller" + - "--skipArrayConnectionValidation=false" + - "--driver-config-params=/csi-isilon-config-params/driver-config-params.yaml" + - "--driverPodLabelValue=dell-storage" + - "--ignoreVolumelessPods=false" - #node: - # args: - # - "--csisock=unix:/var/lib/kubelet/plugins/csi-isilon/csi_sock" - # - "--labelvalue=csi-isilon" - # - "--arrayConnectivityPollRate=60" - # - "--driverPath=csi-isilon.dellemc.com" - # - "--mode=node" - # - "--leaderelection=false" - # - "--driver-config-params=/csi-isilon-config-params/driver-config-params.yaml" - # - "--driverPodLabelValue=dell-storage" - # - "--ignoreVolumelessPods=false" + node: + args: + - "--csisock=unix:/var/lib/kubelet/plugins/csi-isilon/csi_sock" + - "--labelvalue=csi-isilon" + - "--arrayConnectivityPollRate=60" + - "--driverPath=csi-isilon.dellemc.com" + - "--mode=node" + - "--leaderelection=false" + - "--driver-config-params=/csi-isilon-config-params/driver-config-params.yaml" + - "--driverPodLabelValue=dell-storage" + - "--ignoreVolumelessPods=false" encryption: # enabled: Enable/disable volume encryption feature. 
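Review bot: Removing `podmon.image` here (and `authorization.sidecarProxyImage`, `encryption.image`, `controller.replication.image` and `images.driverRepository` in the neighbouring hunks) means an existing release that overrides those keys, for instance to point at an internal mirror, is silently ignored on upgrade and falls back to the public defaults under `images:`. Nothing in the visible templates warns about the leftover keys. A render-time guard would make the migration explicit, e.g. `{{- if .Values.podmon.image }}{{ fail "podmon.image has moved to images.podmon" }}{{- end }}`, repeated for each relocated key. At minimum the values file should carry a comment listing the old key names and their replacements.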
@@ -421,9 +426,6 @@ encryption: # pluginName: The name of the provisioner to use for encrypted volumes. pluginName: "sec-isilon.dellemc.com" - # image: Encryption driver image name. - image: "dellemc/csm-encryption:v0.3.0" - # apiPort: TCP port number used by the REST API server. apiPort: 3838 @@ -450,6 +452,3 @@ encryption: # See the gocryptfs documentation for more details. extraArgs: [] -images: - # "driver" defines the container image, used for the driver container. - driverRepository: dellemc diff --git a/charts/dell/csi-powermax/Chart.yaml b/charts/dell/csi-powermax/Chart.yaml index d60800f31..ee71890f3 100644 --- a/charts/dell/csi-powermax/Chart.yaml +++ b/charts/dell/csi-powermax/Chart.yaml @@ -4,12 +4,12 @@ annotations: catalog.cattle.io/kube-version: '>= 1.23.0 < 1.29.0' catalog.cattle.io/release-name: csi-powermax apiVersion: v2 -appVersion: 2.8.0 +appVersion: 2.9.0 dependencies: - condition: required name: csireverseproxy repository: file://./charts/csireverseproxy - version: 2.7.0 + version: 2.8.0 description: 'PowerMax CSI (Container Storage Interface) driver Kubernetes integration. This chart includes everything required to provision via CSI as well as a PowerMax StorageClass. ' @@ -25,4 +25,4 @@ name: csi-powermax sources: - https://github.com/dell/csi-powermax type: application -version: 2.8.0 +version: 2.9.0 diff --git a/charts/dell/csi-powermax/charts/csireverseproxy/Chart.yaml b/charts/dell/csi-powermax/charts/csireverseproxy/Chart.yaml index 8604c0afb..ce730d887 100644 --- a/charts/dell/csi-powermax/charts/csireverseproxy/Chart.yaml +++ b/charts/dell/csi-powermax/charts/csireverseproxy/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 -appVersion: 2.7.0 +appVersion: 2.8.0 description: A Helm chart for CSI PowerMax ReverseProxy name: csireverseproxy type: application -version: 2.7.0 +version: 2.8.0 
diff --git a/charts/dell/csi-powermax/charts/csireverseproxy/conf/config.yaml b/charts/dell/csi-powermax/charts/csireverseproxy/conf/config.yaml index 3f6419f1f..51ed5390e 100644 --- a/charts/dell/csi-powermax/charts/csireverseproxy/conf/config.yaml +++ b/charts/dell/csi-powermax/charts/csireverseproxy/conf/config.yaml 
@@ -1,49 +1,7 @@ -mode: {{ .Values.mode }} +mode: "StandAlone" port: {{ .Values.port }} logLevel: {{ .Values.global.logLevel | default "debug" }} logFormat: {{ .Values.global.logFormat | default "TEXT" }} - {{- if eq .Values.mode "Linked" }} -linkConfig: - primary: - {{- $primary := first .Values.global.managementServers }} - url: {{ required "Must provide a primary Unisphere HTTPS endpoint." $primary.endpoint }} - {{- if $primary.certSecret }} - {{- $check := toString $primary.skipCertificateValidation }} - skipCertificateValidation: {{ ternary $primary.skipCertificateValidation true (or (eq $check "true") (eq $check "false")) }} - {{- else }} - skipCertificateValidation: true - {{- end }} - certSecret: {{ $primary.certSecret | default "" }} - {{- if $primary.limits }} - {{- $limits := $primary.limits }} - limits: - maxActiveRead: {{ $limits.maxActiveRead | default 0 }} - maxActiveWrite: {{ $limits.maxActiveWrite | default 0 }} - maxOutStandingRead: {{ $limits.maxOutStandingRead | default 0 }} - maxOutStandingWrite: {{ $limits.maxOutStandingWrite | default 0 }} - {{- end }} - {{- if first (rest .Values.global.managementServers) }} - {{- $backup := first (rest .Values.global.managementServers) }} - backup: - url: {{ required "Must provide a primary Unisphere HTTPS endpoint." 
$backup.endpoint }} - {{- if $backup.certSecret }} - {{- $check := toString $backup.skipCertificateValidation }} - skipCertificateValidation: {{ ternary $backup.skipCertificateValidation true (or (eq $check "true") (eq $check "false")) }} - {{- else }} - skipCertificateValidation: true - {{- end }} - certSecret: {{ $backup.certSecret | default "" }} - {{- if $backup.limits }} - {{- $limits := $backup.limits }} - limits: - maxActiveRead: {{ $limits.maxActiveRead | default 0 }} - maxActiveWrite: {{ $limits.maxActiveWrite | default 0 }} - maxOutStandingRead: {{ $limits.maxOutStandingRead | default 0 }} - maxOutStandingWrite: {{ $limits.maxOutStandingWrite | default 0 }} - {{- end }} - {{- end }} - {{- end }} -{{- if eq .Values.mode "StandAlone" }} standAloneConfig: {{- $defaultProxyCreds := .Values.global.defaultCredentialsSecret }} storageArrays: @@ -79,4 +37,3 @@ standAloneConfig: maxOutStandingWrite: {{ $value.limits.maxOutStandingWrite | default 0 }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/dell/csi-powermax/charts/csireverseproxy/values.yaml b/charts/dell/csi-powermax/charts/csireverseproxy/values.yaml index fcd87e307..bdfc36fae 100644 --- a/charts/dell/csi-powermax/charts/csireverseproxy/values.yaml +++ b/charts/dell/csi-powermax/charts/csireverseproxy/values.yaml @@ -1,4 +1,4 @@ -image: dellemc/csipowermax-reverseproxy:v2.7.0 +image: dellemc/csipowermax-reverseproxy:v2.8.0 port: 2222 # TLS secret which is used for setting up the proxy HTTPS server diff --git a/charts/dell/csi-powermax/templates/_helpers.tpl b/charts/dell/csi-powermax/templates/_helpers.tpl index 4cb67bdd4..80bf5d708 100644 --- a/charts/dell/csi-powermax/templates/_helpers.tpl +++ b/charts/dell/csi-powermax/templates/_helpers.tpl 
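Review bot: With `mode: "StandAlone"` hard-coded in the first config.yaml hunk, a values file that still sets `mode: Linked` is accepted without any error and the whole `linkConfig` branch is no longer rendered. That includes the per-server `certSecret` and `skipCertificateValidation` settings taken from `global.managementServers`, so an operator upgrading from Linked mode should confirm that the equivalent TLS settings exist under the standalone `storageArrays`/`managementServers` entries. A guard in a rendered template would turn the silent change into a clear failure: `{{- if and .Values.mode (ne .Values.mode "StandAlone") }}{{ fail "csireverseproxy mode is fixed to StandAlone" }}{{- end }}`. The `standAloneConfig` section continues outside this hunk, so its certificate defaults are not visible here.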
@@ -1,53 +1,3 @@ -{{/* -Return the appropriate sidecar images based on k8s version -*/}} -{{- define "csi-powermax.attacherImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "28") -}} - {{- print "registry.k8s.io/sig-storage/csi-attacher:v4.3.0" -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "csi-powermax.provisionerImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "28") -}} - {{- print "registry.k8s.io/sig-storage/csi-provisioner:v3.5.0" -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "csi-powermax.snapshotterImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "28") -}} - {{- print "registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2" -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "csi-powermax.resizerImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "28") -}} - {{- print "registry.k8s.io/sig-storage/csi-resizer:v1.8.0" -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "csi-powermax.registrarImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "28") -}} - {{- print "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0" -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "csi-powermax.healthmonitorImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le 
(trimSuffix "+" .Capabilities.KubeVersion.Minor) "28") -}} - {{- print "registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.9.0" -}} - {{- end -}} - {{- end -}} -{{- end -}} {{- define "csi-powermax.isStorageCapacitySupported" -}} {{- if eq .Values.storageCapacity.enabled true -}} diff --git a/charts/dell/csi-powermax/templates/controller.yaml b/charts/dell/csi-powermax/templates/controller.yaml index 7785fbf04..12d6b2da6 100644 --- a/charts/dell/csi-powermax/templates/controller.yaml +++ b/charts/dell/csi-powermax/templates/controller.yaml @@ -168,7 +168,7 @@ spec: topologyKey: kubernetes.io/hostname containers: - name: attacher - image: {{ required "Must provide the CSI attacher container image." ( include "csi-powermax.attacherImage" . ) }} + image: {{ required "Must provide the CSI attacher container image." .Values.images.attacher }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" @@ -183,7 +183,7 @@ spec: - name: socket-dir mountPath: /var/run/csi - name: provisioner - image: {{ required "Must provide the CSI provisioner container image." ( include "csi-powermax.provisionerImage" . ) }} + image: {{ required "Must provide the CSI provisioner container image." .Values.images.provisioner }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" @@ -216,7 +216,7 @@ spec: {{- if hasKey .Values.controller "snapshot" }} {{- if eq .Values.controller.snapshot.enabled true }} - name: snapshotter - image: {{ required "Must provide the CSI snapshotter container image." ( include "csi-powermax.snapshotterImage" . ) }} + image: {{ required "Must provide the CSI snapshotter container image." .Values.images.snapshotter }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" 
@@ -235,7 +235,7 @@ spec: {{- end }} {{- if eq .Values.replication.enabled true}} - name: dell-csi-replicator - image: {{ required "Must provide the Dell CSI Replicator Resizer image." .Values.replication.image}} + image: {{ required "Must provide the Dell CSI Replicator Resizer image." .Values.images.replication }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" @@ -261,7 +261,7 @@ spec: {{- end }} {{- if eq .Values.migration.enabled true}} - name: dell-csi-migrator - image: {{ required "Must provide the Dell CSI Migrator Resizer image." .Values.migration.image}} + image: {{ required "Must provide the Dell CSI Migrator Resizer image." .Values.images.migration }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" @@ -287,7 +287,7 @@ spec: {{- if hasKey .Values.controller "resizer" }} {{- if eq .Values.controller.resizer.enabled true }} - name: resizer - image: {{ required "Must provide the CSI resizer container image." ( include "csi-powermax.resizerImage" . ) }} + image: {{ required "Must provide the CSI resizer container image." .Values.images.resizer }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" @@ -306,7 +306,7 @@ spec: {{- if eq .Values.authorization.enabled true }} - name: karavi-authorization-proxy imagePullPolicy: {{ .Values.imagePullPolicy }} - image: {{ required "Must provide the authorization sidecar container image." .Values.authorization.sidecarProxyImage }} + image: {{ required "Must provide the authorization sidecar container image." .Values.images.authorization }} env: - name: PROXY_HOST value: "{{ .Values.authorization.proxyHost }}" 
@@ -337,7 +337,7 @@ spec: {{- if eq .Values.controller.healthMonitor.enabled true }} - name: csi-external-health-monitor-controller imagePullPolicy: {{ .Values.imagePullPolicy }} - image: {{ required "Must provide the CSI external health monitor controller image." ( include "csi-powermax.healthmonitorImage" . ) }} + image: {{ required "Must provide the CSI external health monitor controller image." .Values.images.healthmonitor }} args: - "--v=5" - "--csi-address=$(ADDRESS)" @@ -355,7 +355,7 @@ spec: {{- end }} {{- end }} - name: driver - image: {{ required "Must provide the PowerMax driver image repository." .Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }} + image: {{ required "Must provide the PowerMax driver image repository." .Values.images.driver }} imagePullPolicy: {{ .Values.imagePullPolicy }} command: [ "/csi-powermax.sh" ] args: @@ -459,7 +459,7 @@ spec: mountPath: /powermax-config-params {{- if eq .Values.csireverseproxy.deployAsSidecar true }} - name: reverseproxy - image: {{ required "Must provided an image for reverseproxy container." .Values.csireverseproxy.image }} + image: {{ required "Must provided an image for reverseproxy container." .Values.images.csireverseproxy }} imagePullPolicy: {{ .Values.imagePullPolicy }} env: - name: X_CSI_REVPROXY_CONFIG_DIR diff --git a/charts/dell/csi-powermax/templates/csidriver.yaml b/charts/dell/csi-powermax/templates/csidriver.yaml index 2717b327b..88b7c7c7b 100644 --- a/charts/dell/csi-powermax/templates/csidriver.yaml +++ b/charts/dell/csi-powermax/templates/csidriver.yaml @@ -4,7 +4,7 @@ metadata: {{- if eq .Values.customDriverName.enabled true}} name: {{ printf "%s-%s" .Release.Namespace .Values.customDriverName.value }} {{- else }} - name: csi-powermax + name: csi-powermax.dellemc.com {{- end }} spec: podInfoOnMount: true diff --git a/charts/dell/csi-powermax/templates/node.yaml b/charts/dell/csi-powermax/templates/node.yaml index 2d91c9b1f..8b05dd824 100644 
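Review bot: The `required` message on the driver line (hunk -355) still says "image repository", but `images.driver` is now a complete image reference and the message no longer tells the user which key to set. I would name the key in the text: `image: {{ required "Must provide the PowerMax driver container image (images.driver)." .Values.images.driver }}`. The same stale wording is in the node.yaml -106 hunk and in the csi-isilon and csi-powerstore driver lines. The reverseproxy line in hunk -459 also reads "Must provided", which could be corrected in the same pass.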
--- a/charts/dell/csi-powermax/templates/node.yaml +++ b/charts/dell/csi-powermax/templates/node.yaml @@ -106,7 +106,7 @@ spec: capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true - image: {{ required "Must provide the PowerMax driver image repository." .Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }} + image: {{ required "Must provide the PowerMax driver image repository." .Values.images.driver }} imagePullPolicy: {{ .Values.imagePullPolicy }} command: [ "/csi-powermax.sh" ] env: @@ -245,7 +245,7 @@ spec: {{- end }} {{- end }} - name: registrar - image: {{ required "Must provide the CSI node registrar container image." ( include "csi-powermax.registrarImage" . ) }} + image: {{ required "Must provide the CSI node registrar container image." .Values.images.registrar }} args: - "--v=5" - "--csi-address=$(ADDRESS)" @@ -275,7 +275,7 @@ spec: add: [ "SYS_ADMIN" ] allowPrivilegeEscalation: true imagePullPolicy: {{ .Values.imagePullPolicy }} - image: {{ required "Must provide the node rescanner sidecar container image." .Values.migration.nodeRescanSidecarImage }} + image: {{ required "Must provide the node rescanner sidecar container image." .Values.images.noderescan }} args: - "--csi-address=$(ADDRESS)" - "--retry-interval-start=1s" @@ -313,7 +313,7 @@ spec: {{- if eq .Values.authorization.enabled true }} - name: karavi-authorization-proxy imagePullPolicy: {{ .Values.imagePullPolicy }} - image: {{ required "Must provide the authorization sidecar container image." .Values.authorization.sidecarProxyImage }} + image: {{ required "Must provide the authorization sidecar container image." .Values.images.authorization }} env: - name: PROXY_HOST value: "{{ .Values.authorization.proxyHost }}" diff --git a/charts/dell/csi-powermax/values.yaml b/charts/dell/csi-powermax/values.yaml index 885a8ba97..f2a3de106 100644 --- a/charts/dell/csi-powermax/values.yaml +++ b/charts/dell/csi-powermax/values.yaml 
@@ -16,7 +16,6 @@ global: # The CSI PowerMax ReverseProxy section to fill out the required configuration # Please refer to the doc website about a # detailed explanation of each configuration parameter - # and the various ReverseProxy modes defaultCredentialsSecret: powermax-creds storageArrays: @@ -49,11 +48,28 @@ global: # Current version of the driver # Don't modify this value as this value will be used by the install script -version: "v2.8.0" +version: "v2.9.0" +# "images" defines every container images used for the driver and its sidecars. +# To use your own images, or a private registry, change the values here. images: # "driver" defines the container image, used for the driver container. - driverRepository: dellemc + driver: dellemc/csi-powermax:v2.9.0 + csireverseproxy: dellemc/csipowermax-reverseproxy:v2.8.0 + # CSI sidecars + attacher: registry.k8s.io/sig-storage/csi-attacher:v4.4.2 + provisioner: registry.k8s.io/sig-storage/csi-provisioner:v3.6.2 + snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.2 + resizer: registry.k8s.io/sig-storage/csi-resizer:v1.9.2 + registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.1 + healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.10.0 + # CSM sidecars + replication: dellemc/dell-csi-replicator:v1.7.0 + authorization: dellemc/csm-authorization-sidecar:v1.9.0 + migration: dellemc/dell-csi-migrator:v1.3.0 + # Node rescan sidecar does a rescan on nodes for identifying new paths + # Default value: dellemc/dell-csi-node-rescanner:v1.0.1 + noderescan: dellemc/dell-csi-node-rescanner:v1.2.0 ## K8S/DRIVER ATTRIBUTES ######################## # customDriverName: If enabled, sets the driver name to the 
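Review bot: The reverse proxy image now has two sources in the -49,11 hunk's chart: `images.csireverseproxy` added here and the `image:` key that the csireverseproxy subchart's own values.yaml still carries. The controller template reads `images.csireverseproxy` only when `deployAsSidecar` is true, so a private-registry override set here presumably does not reach the subchart deployment; that should be confirmed against the subchart templates, which are not part of this diff. A comment next to `csireverseproxy:` stating which key applies in which deployment mode would prevent a mirror override from being applied to only one of them. Separately, the comment above `noderescan` says `Default value: dellemc/dell-csi-node-rescanner:v1.0.1` while the value is `v1.2.0`; the comment should match.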
@@ -260,10 +276,6 @@ enableCHAP: false # csireverseproxy: Refers to the subchart csireverseproxy csireverseproxy: - # image: Define the container images used for the reverse proxy - # Default value: None - # Example: "csipowermax-reverseproxy:v2.7.0" - image: dellemc/csipowermax-reverseproxy:v2.7.0 # "tlsSecret" defines the TLS secret that is created with certificate # and its associated key # Default value: None @@ -279,11 +291,6 @@ csireverseproxy: # Default value: None # Examples: "1111", "8080" port: 2222 - # Mode of CSI reverse proxy - this is a standalone API - # it doesn't belong to kubernetes cluster API - # Default value: None - # Example: "StandAlone" - mode: StandAlone # Auto-create TLS certificate for csi-reverseproxy certManager: # Set selfSignedCert to use a self-signed certificate @@ -380,9 +387,6 @@ openshift: false # Default value: "false" replication: enabled: false - # Change this to use any specific version of the dell-csi-replicator sidecar - # Default value: None - image: dellemc/dell-csi-replicator:v1.6.0 # replicationContextPrefix enables side cars to read # required information from the volume context # Default value: "powermax" @@ -401,12 +405,6 @@ replication: # Default value: "false" migration: enabled: false - # Change this to use any specific version of the dell-csi-migrator sidecar - # Default value: None - image: dellemc/dell-csi-migrator:v1.2.0 - # Node rescan sidecar does a rescan on nodes for identifying new paths - # Default value: None - nodeRescanSidecarImage: dellemc/dell-csi-node-rescanner:v1.1.0 # migrationPrefix: Determine if migration is enabled # Default value: "migration.storage.dell.com" # Examples: "migration.storage.dell.com" 
@@ -421,9 +419,6 @@ migration: # Default value: "false" authorization: enabled: false - # sidecarProxyImage: the container image used for the csm-authorization-sidecar. - # Default value: dellemc/csm-authorization-sidecar:v1.8.0 - sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.8.0 # proxyHost: hostname of the csm-authorization server # Default value: None proxyHost: diff --git a/charts/dell/csi-powerstore/Chart.yaml b/charts/dell/csi-powerstore/Chart.yaml index 7b55650bf..b67ebc688 100644 --- a/charts/dell/csi-powerstore/Chart.yaml +++ b/charts/dell/csi-powerstore/Chart.yaml @@ -1,10 +1,10 @@ annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dell CSI PowerStore - catalog.cattle.io/kube-version: '>= 1.22.0 < 1.28.0' + catalog.cattle.io/kube-version: '>= 1.24.0 < 1.29.0' catalog.cattle.io/release-name: powerstore apiVersion: v2 -appVersion: 2.7.0 +appVersion: 2.9.0 description: 'PowerStore CSI (Container Storage Interface) driver Kubernetes integration. This chart includes everything required to provision via CSI as well as a PowerStore StorageClass. ' @@ -13,10 +13,11 @@ icon: https://partner-charts.rancher.io/assets/logos/dell.png keywords: - csi - storage -kubeVersion: '>= 1.22.0 < 1.28.0' +kubeVersion: '>= 1.24.0 < 1.29.0' maintainers: - name: DellEMC name: csi-powerstore sources: - https://github.com/dell/csi-powerstore -version: 2.7.0 +type: application +version: 2.9.0 diff --git a/charts/dell/csi-powerstore/templates/_helpers.tpl b/charts/dell/csi-powerstore/templates/_helpers.tpl index 8da93b35e..cdbe7adac 100644 --- a/charts/dell/csi-powerstore/templates/_helpers.tpl +++ b/charts/dell/csi-powerstore/templates/_helpers.tpl 
@@ -1,54 +1,3 @@ -{{/* -Return the appropriate sidecar images based on k8s version -*/}} -{{- define "csi-powerstore.attacherImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} - {{- print "registry.k8s.io/sig-storage/csi-attacher:v4.3.0" -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "csi-powerstore.provisionerImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} - {{- print "registry.k8s.io/sig-storage/csi-provisioner:v3.5.0" -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "csi-powerstore.snapshotterImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} - {{- print "registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2" -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "csi-powerstore.resizerImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} - {{- print "registry.k8s.io/sig-storage/csi-resizer:v1.8.0" -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "csi-powerstore.registrarImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} - {{- print "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0" -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "csi-powerstore.healthmonitorImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") 
(le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} - {{- print "registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.9.0" -}} - {{- end -}} - {{- end -}} -{{- end -}} - {{/* Return true if storage capacity tracking is enabled and is supported based on k8s version */}} diff --git a/charts/dell/csi-powerstore/templates/controller.yaml b/charts/dell/csi-powerstore/templates/controller.yaml index 8770c6a2d..968ccf612 100644 --- a/charts/dell/csi-powerstore/templates/controller.yaml +++ b/charts/dell/csi-powerstore/templates/controller.yaml @@ -171,6 +171,8 @@ spec: metadata: labels: name: {{ .Release.Name }}-controller + annotations: + kubectl.kubernetes.io/default-container: driver spec: {{ if .Values.controller.nodeSelector }} nodeSelector: @@ -195,7 +197,7 @@ spec: {{- if hasKey .Values "podmon" }} {{- if eq .Values.podmon.enabled true }} - name: podmon - image: {{ required "Must provide the podmon container image." .Values.podmon.image }} + image: {{ required "Must provide the podmon container image." .Values.images.podmon }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: {{- toYaml .Values.podmon.controller.args | nindent 12 }} @@ -223,7 +225,7 @@ spec: {{ if .Values.dev.enableTracing }}{{- include "pstore.tracing" . | nindent 8 }}{{ end }} {{- end }} - name: attacher - image: {{ required "Must provide the CSI attacher container image." ( include "csi-powerstore.attacherImage" . ) }} + image: {{ required "Must provide the CSI attacher container image." .Values.images.attacher }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" 
@@ -241,7 +243,7 @@ spec: {{- if hasKey .Values.controller "resizer" }} {{- if eq .Values.controller.resizer.enabled true }} - name: resizer - image: {{ required "Must provide the CSI resizer container image." ( include "csi-powerstore.resizerImage" . ) }} + image: {{ required "Must provide the CSI resizer container image." .Values.images.resizer }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" @@ -256,7 +258,7 @@ spec: {{end}} {{end}} - name: provisioner - image: {{ required "Must provide the CSI provisioner container image." ( include "csi-powerstore.provisionerImage" . ) }} + image: {{ required "Must provide the CSI provisioner container image." .Values.images.provisioner }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" @@ -287,7 +289,7 @@ spec: {{- if hasKey .Values.controller "snapshot" }} {{- if eq .Values.controller.snapshot.enabled true }} - name: snapshotter - image: {{ required "Must provide the CSI snapshotter container image." ( include "csi-powerstore.snapshotterImage" . ) }} + image: {{ required "Must provide the CSI snapshotter container image." .Values.images.snapshotter }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" @@ -305,7 +307,7 @@ spec: {{- if hasKey .Values.controller "vgsnapshot" }} {{- if eq .Values.controller.vgsnapshot.enabled true }} - name: vg-snapshotter - image: {{ required "Must provide the vgsnapshotter container image." .Values.controller.vgsnapshot.image }} + image: {{ required "Must provide the vgsnapshotter container image." .Values.images.vgsnapshotter }} imagePullPolicy: {{ .Values.imagePullPolicy }} env: - name: ADDRESS 
@@ -318,7 +320,7 @@ spec: {{- if hasKey .Values.controller "replication" }} {{- if eq .Values.controller.replication.enabled true}} - name: dell-csi-replicator - image: {{ required "Must provide the Dell CSI Replicator image." .Values.controller.replication.image}} + image: {{ required "Must provide the Dell CSI Replicator image." .Values.images.replication }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" @@ -346,7 +348,7 @@ spec: {{- if hasKey .Values.controller "healthMonitor" }} {{- if eq .Values.controller.healthMonitor.enabled true}} - name: csi-external-health-monitor-controller - image: {{ required "Must provide the CSI external health monitor controller image." ( include "csi-powerstore.healthmonitorImage" . ) }} + image: {{ required "Must provide the CSI external health monitor controller image." .Values.images.healthmonitor }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--v=5" @@ -365,7 +367,7 @@ spec: {{- end }} {{- end }} - name: csi-metadata-retriever - image: {{ required "Must provide the CSI Metadata retriever container image." .Values.controller.metadataretriever }} + image: {{ required "Must provide the CSI Metadata retriever container image." .Values.images.metadataretriever }} imagePullPolicy: {{ .Values.imagePullPolicy }} command: [ "/csi-metadata-retriever" ] env: @@ -380,7 +382,7 @@ spec: - name: socket-dir mountPath: /var/run/csi - name: driver - image: {{ required "Must provide the PowerStore driver image repository." .Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }} + image: {{ required "Must provide the PowerStore driver image repository." .Values.images.driver }} imagePullPolicy: {{ .Values.imagePullPolicy }} command: [ "/csi-powerstore" ] env: diff --git a/charts/dell/csi-powerstore/templates/csidriver.yaml b/charts/dell/csi-powerstore/templates/csidriver.yaml index 2cca097a6..9f5ad9be4 100644 --- a/charts/dell/csi-powerstore/templates/csidriver.yaml 
+++ b/charts/dell/csi-powerstore/templates/csidriver.yaml @@ -1,6 +1,6 @@ # # -# Copyright © 2020-2022 Dell Inc. or its subsidiaries. All Rights Reserved. +# Copyright © 2020-2023 Dell Inc. or its subsidiaries. All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/charts/dell/csi-powerstore/templates/driver-config-params.yaml b/charts/dell/csi-powerstore/templates/driver-config-params.yaml index 0c8f07c77..ce5349de2 100644 --- a/charts/dell/csi-powerstore/templates/driver-config-params.yaml +++ b/charts/dell/csi-powerstore/templates/driver-config-params.yaml @@ -1,6 +1,6 @@ # # -# Copyright © 2021-2022 Dell Inc. or its subsidiaries. All Rights Reserved. +# Copyright © 2021-2023 Dell Inc. or its subsidiaries. All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/charts/dell/csi-powerstore/templates/node.yaml b/charts/dell/csi-powerstore/templates/node.yaml index eb0ce7f09..1ee796961 100644 --- a/charts/dell/csi-powerstore/templates/node.yaml +++ b/charts/dell/csi-powerstore/templates/node.yaml @@ -96,6 +96,8 @@ spec: {{- if .Values.podmon.enabled }} driver.dellemc.com: dell-storage {{- end }} + annotations: + kubectl.kubernetes.io/default-container: driver spec: {{ if .Values.node.nodeSelector }} nodeSelector: @@ -105,7 +107,7 @@ spec: tolerations: {{- toYaml .Values.node.tolerations | nindent 6 }} {{ end }} - serviceAccountName: {{ .Release.Name }}-node + serviceAccount: {{ .Release.Name }}-node dnsPolicy: ClusterFirstWithHostNet hostNetwork: true hostIPC: true 
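Review bot: The node.yaml -105 hunk replaces `serviceAccountName` with `serviceAccount`, which is the deprecated alias of that PodSpec field. This pod runs with `hostNetwork: true` and `hostIPC: true`, so the identity it binds to deserves the supported field name and should not depend on alias handling. I would keep the original line: `serviceAccountName: {{ .Release.Name }}-node`. If the rename was intentional, the reason should be stated in a comment next to it.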
@@ -118,7 +120,7 @@ spec: capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true - image: {{ required "Must provide the podmon container image." .Values.podmon.image }} + image: {{ required "Must provide the podmon container image." .Values.images.podmon }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: {{- toYaml .Values.podmon.node.args | nindent 12 }} @@ -171,7 +173,7 @@ spec: capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true - image: {{ required "Must provide the Powerstore driver image repository." .Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }} + image: {{ required "Must provide the Powerstore driver image repository." .Values.images.driver }} imagePullPolicy: {{ .Values.imagePullPolicy }} command: [ "/csi-powerstore" ] env: @@ -193,6 +195,8 @@ spec: value: {{ .Values.node.nodeNamePrefix }} - name: X_CSI_POWERSTORE_NODE_ID_PATH value: /node-id + - name: X_CSI_POWERSTORE_MAX_VOLUMES_PER_NODE + value: "{{ .Values.maxPowerstoreVolumesPerNode }}" - name: X_CSI_POWERSTORE_NODE_CHROOT_PATH value: /noderoot - name: X_CSI_POWERSTORE_TMP_DIR @@ -201,8 +205,6 @@ spec: value: {{ .Values.driverName }} - name: X_CSI_FC_PORTS_FILTER_FILE_PATH value: {{ .Values.nodeFCPortsFilterFile }} - - name: X_CSI_DRIVER_NAME - value: {{ .Values.driverName }} {{- if eq .Values.connection.enableCHAP true }} - name: X_CSI_POWERSTORE_ENABLE_CHAP value: "true" @@ -264,7 +266,7 @@ spec: - name: powerstore-config-params mountPath: /powerstore-config-params - name: registrar - image: {{ required "Must provide the CSI node registrar container image." ( include "csi-powerstore.registrarImage" . ) }} + image: {{ required "Must provide the CSI node registrar container image." .Values.images.registrar }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--v=5" diff --git a/charts/dell/csi-powerstore/values.yaml b/charts/dell/csi-powerstore/values.yaml index 0d4686b18..4843fe5ee 100644 --- a/charts/dell/csi-powerstore/values.yaml 
+++ b/charts/dell/csi-powerstore/values.yaml @@ -21,9 +21,28 @@ # Allowed values: string # Default value: None driverName: "csi-powerstore.dellemc.com" +# "version" is used to verify the values file matches driver version +# Not recommend to change +version: v2.9.0 -# Driver version required to pull the latest driver image -version: "v2.7.0" +# "images" defines every container images used for the driver and its sidecars. +# To use your own images, or a private registry, change the values here. +images: + # "driver" defines the container image, used for the driver container. + driver: dellemc/csi-powerstore:v2.9.0 + # CSI sidecars + attacher: registry.k8s.io/sig-storage/csi-attacher:v4.4.2 + provisioner: registry.k8s.io/sig-storage/csi-provisioner:v3.6.2 + snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.2 + resizer: registry.k8s.io/sig-storage/csi-resizer:v1.9.2 + registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.1 + healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.10.0 + + # CSM sidecars + replication: dellemc/dell-csi-replicator:v1.7.0 + vgsnapshotter: dellemc/csi-volumegroup-snapshotter:v1.4.0 + podmon: dellemc/podmon:v1.8.0 + metadataretriever: dellemc/csi-metadata-retriever:v1.6.0 # Specify kubelet config dir path. # Ensure that the config.yaml file is present at this path. 
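Review bot: Every entry in the new `images:` map is referenced by tag only, which leaves the driver and sidecar images unpinned. The chart's `imagePullPolicy: IfNotPresent` means a retagged image upstream is picked up by new nodes while older nodes keep the cached copy. These containers run with elevated privileges on each node, so I would pin by digest, e.g. `driver: dellemc/csi-powerstore:v2.9.0@sha256:<digest-of-the-released-image>`, and do the same for the sidecars. The `images:` blocks added to the csi-unity and csi-vxflexos values.yaml have the same shape and would benefit from the same pinning.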
@@ -53,6 +72,13 @@ externalAccess: # Default value: None imagePullPolicy: IfNotPresent +# maxPowerstoreVolumesPerNode: Specify default value for maximum number of volumes that controller can publish to the node. +# If value is zero CO SHALL decide how many volumes of this type can be published by the controller to the node. +# This limit is applicable to all the nodes in the cluster for which node label 'max-powerstore-volumes-per-node' is not set. +# Allowed values: n, where n >= 0 +# Default value: 0 +maxPowerstoreVolumesPerNode: 0 + # nfsAcls: enables setting permissions on NFS mount directory # This value acts as default value for NFS ACL (nfsAcls), if not specified for an array config in secret # Permissions can be specified in two formats: @@ -96,10 +122,6 @@ controller: # false: disable volume-group-snapshot feature(do not install vg-snapshotter sidecar) # Default value: false enabled: false - # image: Image to use for volume-group-snapshotter. This shouldn't be changed - # Allowed values: string - # Default value: dellemc/csi-volumegroup-snapshotter:v1.2.0 - image: dellemc/csi-volumegroup-snapshotter:v1.2.0 # snapshot: allows to enable/disable snapshot feature # snapshot CRDs needs to be installed before enabling this feature @@ -148,11 +170,6 @@ controller: # Default value: false enabled: false - # image: Image to use for dell-csi-replicator. This shouldn't be changed - # Allowed values: string - # Default value: None - image: dellemc/dell-csi-replicator:v1.5.0 - # replicationContextPrefix: prefix to use for naming of resources created by replication feature # Allowed values: string # Default value: powerstore 
@@ -163,9 +180,6 @@ controller: # Default value: replication.storage.dell.com replicationPrefix: "replication.storage.dell.com" - # Image for csi-metadata-retriever - metadataretriever: dellemc/csi-metadata-retriever:v1.4.0 - # nodeSelector: Define node selection constraints for controller pods. # For the pod to be eligible to run on a node, the node must have each # of the indicated key-value pairs as labels. @@ -239,7 +253,7 @@ node: # effect: "NoSchedule" # Uncomment if CSM for Resiliency and CSI Driver pods monitor are enabled - #tolerations: + # tolerations: # - key: "offline.vxflexos.storage.dell.com" # operator: "Exists" # effect: "NoSchedule" 
@@ -311,31 +325,26 @@ storageCapacity: # Enable this feature only after contact support for additional information podmon: enabled: false - image: dellemc/podmon:v1.6.0 - #controller: - # args: - # - "--csisock=unix:/var/run/csi/csi.sock" - # - "--labelvalue=csi-powerstore" - # - "--arrayConnectivityPollRate=60" - # - "--driverPath=csi-powerstore.dellemc.com" - # - "--mode=controller" - # - "--skipArrayConnectionValidation=false" - # - "--driver-config-params=/powerstore-config-params/driver-config-params.yaml" - # - "--driverPodLabelValue=dell-storage" - # - "--ignoreVolumelessPods=false" + controller: + args: + - "--csisock=unix:/var/run/csi/csi.sock" + - "--labelvalue=csi-powerstore" + - "--arrayConnectivityPollRate=60" + - "--driverPath=csi-powerstore.dellemc.com" + - "--mode=controller" + - "--skipArrayConnectionValidation=false" + - "--driver-config-params=/powerstore-config-params/driver-config-params.yaml" + - "--driverPodLabelValue=dell-storage" + - "--ignoreVolumelessPods=false" - #node: - # args: - # - "--csisock=unix:/var/lib/kubelet/plugins/csi-powerstore.dellemc.com/csi_sock" - # - "--labelvalue=csi-powerstore" - # - "--arrayConnectivityPollRate=60" - # - "--driverPath=csi-powerstore.dellemc.com" - # - "--mode=node" - # - "--leaderelection=false" - # - "--driver-config-params=/powerstore-config-params/driver-config-params.yaml" - # - "--driverPodLabelValue=dell-storage" - # - "--ignoreVolumelessPods=false" - -images: - # "driver" defines the container image, used for the driver container. - driverRepository: dellemc + node: + args: + - "--csisock=unix:/var/lib/kubelet/plugins/csi-powerstore.dellemc.com/csi_sock" + - "--labelvalue=csi-powerstore" + - "--arrayConnectivityPollRate=60" + - "--driverPath=csi-powerstore.dellemc.com" + - "--mode=node" + - "--leaderelection=false" + - "--driver-config-params=/powerstore-config-params/driver-config-params.yaml" + - "--driverPodLabelValue=dell-storage" + - "--ignoreVolumelessPods=false" 
diff --git a/charts/dell/csi-unity/Chart.yaml b/charts/dell/csi-unity/Chart.yaml index 0a3070d26..9c393792e 100644 --- a/charts/dell/csi-unity/Chart.yaml +++ b/charts/dell/csi-unity/Chart.yaml @@ -1,10 +1,10 @@ annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dell CSI Unity - catalog.cattle.io/kube-version: '>= 1.24.0 < 1.28.0' + catalog.cattle.io/kube-version: '>= 1.24.0 < 1.29.0' catalog.cattle.io/release-name: unity -apiVersion: v1 -appVersion: 2.7.0 +apiVersion: v2 +appVersion: 2.9.0 description: 'Unity XT CSI (Container Storage Interface) driver Kubernetes integration. This chart includes everything required to provision via CSI as well as a Unity XT StorageClass. ' @@ -12,10 +12,11 @@ icon: https://partner-charts.rancher.io/assets/logos/dell.png keywords: - csi - storage -kubeVersion: '>= 1.24.0 < 1.28.0' +kubeVersion: '>= 1.24.0 < 1.29.0' maintainers: - name: DellEMC name: csi-unity sources: - https://github.com/dell/csi-unity -version: 2.7.0 +type: application +version: 2.9.0 diff --git a/charts/dell/csi-unity/templates/_helpers.tpl b/charts/dell/csi-unity/templates/_helpers.tpl index e5bc0130f..4031377c2 100644 --- a/charts/dell/csi-unity/templates/_helpers.tpl +++ b/charts/dell/csi-unity/templates/_helpers.tpl 
@@ -1,50 +1,10 @@ {{/* -Return the appropriate sidecar images based on k8s version +Return true if storage capacity tracking is enabled and is supported based on k8s version */}} -{{- define "csi-unity.attacherImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} - {{- print "registry.k8s.io/sig-storage/csi-attacher:v4.3.0" -}} - {{- end -}} +{{- define "csi-unity.isStorageCapacitySupported" -}} +{{- if eq .Values.storageCapacity.enabled true -}} + {{- if and (eq .Capabilities.KubeVersion.Major "1") (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24") -}} + {{- true -}} {{- end -}} {{- end -}} - -{{- define "csi-unity.provisionerImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} - {{- print "registry.k8s.io/sig-storage/csi-provisioner:v3.5.0" -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "csi-unity.snapshotterImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} - {{- print "registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2" -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "csi-unity.resizerImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} - {{- print "registry.k8s.io/sig-storage/csi-resizer:v1.8.0" -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "csi-unity.registrarImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") 
-}} - {{- print "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0" -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "csi-unity.healthmonitorImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} - {{- print "registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.9.0" -}} - {{- end -}} - {{- end -}} {{- end -}} diff --git a/charts/dell/csi-unity/templates/controller.yaml b/charts/dell/csi-unity/templates/controller.yaml index 2cf817283..1f3e2220c 100644 --- a/charts/dell/csi-unity/templates/controller.yaml +++ b/charts/dell/csi-unity/templates/controller.yaml @@ -83,6 +83,18 @@ rules: - apiGroups: [""] resources: ["persistentvolumeclaims/status"] verbs: ["update", "patch"] + # Permissions for CSIStorageCapacity + {{- if eq (include "csi-unity.isStorageCapacitySupported" .) "true" }} + - apiGroups: ["storage.k8s.io"] + resources: ["csistoragecapacities"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get"] + {{- end }} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -140,7 +152,7 @@ spec: {{- if .Values.podmon.enabled }} - name: podmon imagePullPolicy: {{ .Values.imagePullPolicy }} - image: {{ required "Must provide the podmon container image." .Values.podmon.image }} + image: {{ required "Must provide the podmon container image." .Values.images.podmon }} args: {{- toYaml .Values.podmon.controller.args | nindent 12 }} env: 
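Review bot: The three CSIStorageCapacity rules are appended to a rule list that is followed by a `ClusterRoleBinding`, so they appear to land in the ClusterRole. That grants the controller `get` on pods and replicasets and full write access to `csistoragecapacities` in every namespace. The provisioner is given its own `NAMESPACE` and `POD_NAME` later in this file and uses `--capacity-ownerref-level=2`, which suggests it only needs these permissions in the release namespace. I would move them to a namespaced Role with a matching RoleBinding to the controller's service account; the Role name below is constructed. The csi-vxflexos controller.yaml hunk adds the same rules in the same place.

```yaml
# … unchanged: existing cluster-scoped rules and ClusterRoleBinding …
{{- if eq (include "csi-unity.isStorageCapacitySupported" .) "true" }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Release.Name }}-controller-capacity
  namespace: {{ .Release.Namespace }}
rules:
  - apiGroups: ["storage.k8s.io"]
    resources: ["csistoragecapacities"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get"]
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get"]
{{- end }}
```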
@@ -163,7 +175,7 @@ spec: mountPath: /unity-config {{- end }} - name: attacher - image: {{ required "Must provide the CSI attacher container image." ( include "csi-unity.attacherImage" . ) }} + image: {{ required "Must provide the CSI attacher container image." .Values.images.attacher }} args: - "--csi-address=$(ADDRESS)" - "--v=5" @@ -175,7 +187,7 @@ spec: - name: socket-dir mountPath: /var/run/csi - name: provisioner - image: {{ required "Must provide the CSI provisioner container image." ( include "csi-unity.provisionerImage" . ) }} + image: {{ required "Must provide the CSI provisioner container image." .Values.images.provisioner }} args: - "--csi-address=$(ADDRESS)" - "--volume-name-prefix={{ required "Must provide a Volume Name Prefix." .Values.controller.volumeNamePrefix }}" @@ -188,16 +200,27 @@ spec: - "--leader-election" - "--leader-election-namespace={{ .Release.Namespace }}" - "--default-fstype={{ .Values.defaultFsType | default "ext4" }}" + - "--enable-capacity={{ (include "csi-unity.isStorageCapacitySupported" .) | default false }}" + - "--capacity-ownerref-level=2" + - "--capacity-poll-interval={{ .Values.storageCapacity.pollInterval | default "5m" }}" env: - name: ADDRESS value: /var/run/csi/csi.sock + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name volumeMounts: - name: socket-dir mountPath: /var/run/csi {{- if hasKey .Values.controller "snapshot" }} {{- if eq .Values.controller.snapshot.enabled true }} - name: snapshotter - image: {{ required "Must provide the CSI snapshotter container image. " ( include "csi-unity.snapshotterImage" . ) }} + image: {{ required "Must provide the CSI snapshotter container image. " .Values.images.snapshotter }} args: - "--csi-address=$(ADDRESS)" - "--snapshot-name-prefix={{ required "Must privided a Snapshot Name Prefix" .Values.controller.snapshot.snapNamePrefix }}" 
@@ -216,7 +239,7 @@ spec: {{- if hasKey .Values.controller "resizer" }} {{- if eq .Values.controller.resizer.enabled true }} - name: resizer - image: {{ required "Must provide the CSI resizer container image." ( include "csi-unity.resizerImage" . ) }} + image: {{ required "Must provide the CSI resizer container image." .Values.images.resizer }} args: - "--csi-address=$(ADDRESS)" - "--v=5" @@ -232,7 +255,7 @@ spec: {{- if hasKey .Values.controller "healthMonitor" }} {{- if eq .Values.controller.healthMonitor.enabled true }} - name: csi-external-health-monitor-controller - image: {{ required "Must provide the CSI external health monitor image." ( include "csi-unity.healthmonitorImage" . ) }} + image: {{ required "Must provide the CSI external health monitor image." .Values.images.healthmonitor }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--v=5" @@ -251,7 +274,7 @@ spec: {{- end }} {{- end }} - name: driver - image: "{{ required "Must provide the driver image repository." .Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }}" + image: "{{ required "Must provide the driver image repository." .Values.images.driver }}" args: - "--driver-name=csi-unity.dellemc.com" - "--driver-config=/unity-config/driver-config-params.yaml" diff --git a/charts/dell/csi-unity/templates/csidriver.yaml b/charts/dell/csi-unity/templates/csidriver.yaml index 8903b0205..f9d57239d 100644 --- a/charts/dell/csi-unity/templates/csidriver.yaml +++ b/charts/dell/csi-unity/templates/csidriver.yaml @@ -3,6 +3,7 @@ kind: CSIDriver metadata: name: csi-unity.dellemc.com spec: + storageCapacity: {{ (include "csi-unity.isStorageCapacitySupported" .) | default false }} attachRequired: true podInfoOnMount: true volumeLifecycleModes: diff --git a/charts/dell/csi-unity/templates/node.yaml b/charts/dell/csi-unity/templates/node.yaml index d013812eb..9358b0cd5 100644 --- a/charts/dell/csi-unity/templates/node.yaml +++ b/charts/dell/csi-unity/templates/node.yaml 
@@ -97,7 +97,7 @@ spec: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true imagePullPolicy: {{ .Values.imagePullPolicy }} - image: {{ required "Must provide the podmon container image." .Values.podmon.image }} + image: {{ required "Must provide the podmon container image." .Values.images.podmon }} args: {{- toYaml .Values.podmon.node.args | nindent 12 }} env: @@ -145,7 +145,7 @@ spec: capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true - image: "{{ required "Must provide the driver image repository." .Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }}" + image: "{{ required "Must provide the driver image repository." .Values.images.driver }}" args: - "--driver-name=csi-unity.dellemc.com" - "--driver-config=/unity-config/driver-config-params.yaml" @@ -204,7 +204,7 @@ spec: - name: unity-secret mountPath: /unity-secret - name: registrar - image: {{ required "Must provide the CSI registrar container image." ( include "csi-unity.registrarImage" . ) }} + image: {{ required "Must provide the CSI registrar container image." .Values.images.registrar }} args: - "--v=5" - "--csi-address=$(ADDRESS)" diff --git a/charts/dell/csi-unity/values.yaml b/charts/dell/csi-unity/values.yaml index 5cca28ff7..c311a19f4 100644 --- a/charts/dell/csi-unity/values.yaml +++ b/charts/dell/csi-unity/values.yaml 
@@ -3,8 +3,22 @@ # version: version of this values file # Note: Do not change this value -# Examples : "v2.7.0" , "nightly" -version: "v2.7.0" +# Examples : "v2.9.0" , "nightly" +version: "v2.9.0" + +images: + # "driver" defines the container image, used for the driver container. + driver: dellemc/csi-unity:v2.9.0 + # CSI sidecars + attacher: registry.k8s.io/sig-storage/csi-attacher:v4.4.2 + provisioner: registry.k8s.io/sig-storage/csi-provisioner:v3.6.2 + snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.2 + resizer: registry.k8s.io/sig-storage/csi-resizer:v1.9.2 + registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.1 + healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.10.0 + + # CSM sidecars + podmon: dellemc/podmon:v1.8.0 # LogLevel is used to set the logging level of the driver. # Allowed values: "error", "warn"/"warning", "info", "debug" @@ -190,11 +204,6 @@ podmon: # defaule value : None # Examples : true , false enabled: false - # image - image name - # allowed values - string - # default value : None - # Example : "podman:latest", "pod:latest" - image: dellemc/podmon:v1.6.0 controller: args: - "--csisock=unix:/var/run/csi/csi.sock" 
@@ -242,6 +251,16 @@ maxUnityVolumesPerNode: 0 # Examples : "tenant2" , "tenant3" tenantName: "" -images: - # "driver" defines the container image, used for the driver container. - driverRepository: dellemc +# Storage Capacity Tracking +# Note: Capacity tracking is supported in kubernetes v1.24 and above, this feature will be automatically disabled in older versions. +storageCapacity: + # enabled : Enable/Disable storage capacity tracking + # Allowed values: + # true: enable storage capacity tracking + # false: disable storage capacity tracking + # Default value: true + enabled: true + # pollInterval : Configure how often external-provisioner polls the driver to detect changed capacity + # Allowed values: 1m,2m,3m,...,10m,...,60m etc + # Default value: 5m + pollInterval: 5m diff --git a/charts/dell/csi-vxflexos/Chart.yaml b/charts/dell/csi-vxflexos/Chart.yaml index 83f5a781e..b31c7326a 100644 --- a/charts/dell/csi-vxflexos/Chart.yaml +++ b/charts/dell/csi-vxflexos/Chart.yaml @@ -1,11 +1,11 @@ annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dell CSI PowerFlex - catalog.cattle.io/kube-version: '>= 1.21.0 < 1.28.0' + catalog.cattle.io/kube-version: '>= 1.21.0 < 1.29.0' catalog.cattle.io/namespace: vxflexos catalog.cattle.io/release-name: vxflexos apiVersion: v2 -appVersion: 2.7.1 +appVersion: 2.9.0 description: 'VxFlex OS CSI (Container Storage Interface) driver Kubernetes integration. This chart includes everything required to provision via CSI as well as a VxFlex OS StorageClass. ' @@ -13,10 +13,10 @@ icon: https://partner-charts.rancher.io/assets/logos/dell.png keywords: - csi - storage -kubeVersion: '>= 1.21.0 < 1.28.0' +kubeVersion: '>= 1.21.0 < 1.29.0' maintainers: - name: DellEMC name: csi-vxflexos sources: - https://github.com/dell/csi-vxflexos -version: 2.7.1 +version: 2.9.0 diff --git a/charts/dell/csi-vxflexos/templates/_helpers.tpl b/charts/dell/csi-vxflexos/templates/_helpers.tpl index 63e654eaf..a7df6b372 100644 
--- a/charts/dell/csi-vxflexos/templates/_helpers.tpl +++ b/charts/dell/csi-vxflexos/templates/_helpers.tpl 
@@ -1,50 +1,10 @@ {{/* -Return the appropriate sidecar images based on k8s version +Return true if storage capacity tracking is enabled and is supported based on k8s version */}} -{{- define "csi-vxflexos.attacherImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} - {{- print "registry.k8s.io/sig-storage/csi-attacher:v4.3.0" -}} +{{- define "csi-vxflexos.isStorageCapacitySupported" -}} + {{- if eq .Values.storageCapacity.enabled true -}} + {{- if and (eq .Capabilities.KubeVersion.Major "1") (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24") -}} + {{- true -}} {{- end -}} {{- end -}} -{{- end -}} - -{{- define "csi-vxflexos.provisionerImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} - {{- print "registry.k8s.io/sig-storage/csi-provisioner:v3.5.0" -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "csi-vxflexos.snapshotterImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} - {{- print "registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2" -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "csi-vxflexos.resizerImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} - {{- print "registry.k8s.io/sig-storage/csi-resizer:v1.8.0" -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "csi-vxflexos.registrarImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" 
.Capabilities.KubeVersion.Minor) "27") -}} - {{- print "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0" -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{- define "csi-vxflexos.healthmonitorImage" -}} - {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} - {{- print "registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.9.0" -}} - {{- end -}} - {{- end -}} -{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/dell/csi-vxflexos/templates/controller.yaml b/charts/dell/csi-vxflexos/templates/controller.yaml index 8c4b4befa..d308cc00a 100644 --- a/charts/dell/csi-vxflexos/templates/controller.yaml +++ b/charts/dell/csi-vxflexos/templates/controller.yaml @@ -111,6 +111,18 @@ rules: verbs: ["create", "get", "list", "watch"] {{- end}} {{- end}} +# Permissions for CSIStorageCapacity +{{- if eq (include "csi-vxflexos.isStorageCapacitySupported" .) "true" }} + - apiGroups: ["storage.k8s.io"] + resources: ["csistoragecapacities"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get"] +{{- end }} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -133,7 +145,7 @@ metadata: {{- if hasKey .Values "authorization" }} {{- if eq .Values.authorization.enabled true }} annotations: - com.dell.karavi-authorization-proxy: "true" + com.dell.karavi-authorization-proxy: "true" {{ end }} {{ end }} spec: @@ -155,6 +167,8 @@ spec: vg-snapshotter-enabled: "false" {{- end }} name: {{ .Release.Name }}-controller + annotations: + kubectl.kubernetes.io/default-container: "driver" spec: affinity: nodeSelector: 
@@ -180,7 +194,7 @@ spec: {{- if hasKey .Values "podmon" }} {{- if eq .Values.podmon.enabled true }} - name: podmon - image: {{ required "Must provide the podmon container image." .Values.podmon.image }} + image: {{ required "Must provide the podmon container image." .Values.images.podmon }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: {{- toYaml .Values.podmon.controller.args | nindent 12 }} @@ -205,7 +219,7 @@ spec: {{- end }} {{- end }} - name: attacher - image: {{ required "Must provide the CSI attacher container image." ( include "csi-vxflexos.attacherImage" . ) }} + image: {{ required "Must provide the CSI attacher container image." .Values.images.attacher }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" @@ -220,7 +234,7 @@ spec: {{- if hasKey .Values.controller "replication" }} {{- if eq .Values.controller.replication.enabled true}} - name: dell-csi-replicator - image: {{ required "Must provide the Dell CSI Replicator image." .Values.controller.replication.image}} + image: {{ required "Must provide the Dell CSI Replicator image." .Values.images.replication }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" @@ -246,7 +260,7 @@ spec: {{- end }} {{- end }} - name: provisioner - image: {{ required "Must provide the CSI provisioner container image." ( include "csi-vxflexos.provisionerImage" . ) }} + image: {{ required "Must provide the CSI provisioner container image." .Values.images.provisioner }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" 
@@ -258,16 +272,27 @@ spec: - "--v=5" - "--default-fstype={{ .Values.defaultFsType | default "ext4" }}" - "--extra-create-metadata" + - "--enable-capacity={{ (include "csi-vxflexos.isStorageCapacitySupported" .) | default false }}" + - "--capacity-ownerref-level=2" + - "--capacity-poll-interval={{ .Values.storageCapacity.pollInterval | default "5m" }}" env: - name: ADDRESS value: /var/run/csi/csi.sock + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name volumeMounts: - name: socket-dir mountPath: /var/run/csi {{- if hasKey .Values.controller "healthMonitor" }} {{- if eq .Values.controller.healthMonitor.enabled true}} - name: csi-external-health-monitor-controller - image: {{ required "Must provide the CSI external health monitor image." ( include "csi-vxflexos.healthmonitorImage" . ) }} + image: {{ required "Must provide the CSI external health monitor image." .Values.images.healthmonitor }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" @@ -288,7 +313,7 @@ spec: {{- if hasKey .Values "vgsnapshotter" }} {{- if eq .Values.vgsnapshotter.enabled true }} - name: vg-snapshotter - image: {{ required "Must provide the vgsnapshotter container image." .Values.vgsnapshotter.image }} + image: {{ required "Must provide the vgsnapshotter container image." .Values.images.vgsnapshotter }} imagePullPolicy: {{ .Values.imagePullPolicy }} env: - name: ADDRESS @@ -301,7 +326,7 @@ spec: {{- if hasKey .Values.controller "snapshot" }} {{- if eq .Values.controller.snapshot.enabled true }} - name: snapshotter - image: {{ required "Must provide the CSI snapshotter container image. " ( include "csi-vxflexos.snapshotterImage" . ) }} + image: {{ required "Must provide the CSI snapshotter container image. " .Values.images.snapshotter }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" 
@@ -319,7 +344,7 @@ spec: {{- if hasKey .Values.controller "resizer" }} {{- if eq .Values.controller.resizer.enabled true }} - name: resizer - image: {{ required "Must provide the CSI resizer container image." ( include "csi-vxflexos.resizerImage" . ) }} + image: {{ required "Must provide the CSI resizer container image." .Values.images.resizer }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" @@ -336,7 +361,7 @@ spec: {{- if hasKey .Values "authorization" }} {{- if eq .Values.authorization.enabled true }} - name: karavi-authorization-proxy - image: {{ required "Must provide the authorization sidecar container image." .Values.authorization.sidecarProxyImage }} + image: {{ required "Must provide the authorization sidecar container image." .Values.images.authorization }} imagePullPolicy: {{ .Values.imagePullPolicy }} env: - name: PROXY_HOST @@ -365,7 +390,7 @@ spec: {{- end }} {{- end }} - name: driver - image: "{{ required "Must provide the driver image repository." .Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }}" + image: "{{ required "Must provide the driver image repository." .Values.images.driver }}" imagePullPolicy: {{ .Values.imagePullPolicy }} command: [ "/csi-vxflexos.sh" ] args: @@ -397,6 +422,14 @@ spec: value: "{{ .Values.controller.healthMonitor.enabled }}" {{- end }} {{- end }} + {{- if hasKey .Values "enableQuota" }} + {{- if eq .Values.enableQuota true}} + - name: X_CSI_QUOTA_ENABLED + value: "{{ .Values.enableQuota }}" + {{- end }} + {{- end }} + - name: X_CSI_POWERFLEX_EXTERNAL_ACCESS + value: {{ .Values.externalAccess }} volumeMounts: - name: socket-dir mountPath: /var/run/csi diff --git a/charts/dell/csi-vxflexos/templates/csidriver.yaml b/charts/dell/csi-vxflexos/templates/csidriver.yaml index f8aac7258..8bd88e7ae 100644 --- a/charts/dell/csi-vxflexos/templates/csidriver.yaml +++ b/charts/dell/csi-vxflexos/templates/csidriver.yaml 
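Review bot: `X_CSI_POWERFLEX_EXTERNAL_ACCESS` in the last controller.yaml hunk is rendered unquoted and unconditionally, unlike the quoted `X_CSI_QUOTA_ENABLED` value just above it. When `externalAccess` is unset the env entry renders as a bare `value:`, and a value that YAML reads as a non-string type would be rejected as an env value. I would write `value: "{{ .Values.externalAccess }}"`. The setting appears to widen which hosts may reach volumes, so documenting its accepted format and default in values.yaml would help; that file's hunk for this key is not visible here.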
@@ -3,6 +3,7 @@ kind: CSIDriver metadata: name: csi-vxflexos.dellemc.com spec: + storageCapacity: {{ (include "csi-vxflexos.isStorageCapacitySupported" .) | default false }} fsGroupPolicy: {{ .Values.fsGroupPolicy }} attachRequired: true podInfoOnMount: true diff --git a/charts/dell/csi-vxflexos/templates/node.yaml b/charts/dell/csi-vxflexos/templates/node.yaml index 2ba5d3c6c..80c898dc7 100644 --- a/charts/dell/csi-vxflexos/templates/node.yaml +++ b/charts/dell/csi-vxflexos/templates/node.yaml @@ -80,6 +80,8 @@ spec: {{- if eq .Values.podmon.enabled true }} driver.dellemc.com: dell-storage {{- end }} + annotations: + kubectl.kubernetes.io/default-container: "driver" spec: {{- if .Values.node.nodeSelector }} nodeSelector: @@ -106,7 +108,7 @@ spec: capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true - image: {{ required "Must provide the podmon container image." .Values.podmon.image }} + image: {{ required "Must provide the podmon container image." .Values.images.podmon }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: {{- toYaml .Values.podmon.node.args | nindent 12 }} @@ -148,7 +150,7 @@ spec: {{- if hasKey .Values "authorization" }} {{- if eq .Values.authorization.enabled true }} - name: karavi-authorization-proxy - image: {{ required "Must provide the authorization sidecar container image." .Values.authorization.sidecarProxyImage }} + image: {{ required "Must provide the authorization sidecar container image." .Values.images.authorization }} imagePullPolicy: {{ .Values.imagePullPolicy }} env: - name: PROXY_HOST @@ -182,7 +184,7 @@ spec: allowPrivilegeEscalation: true capabilities: add: ["SYS_ADMIN"] - image: "{{ required "Must provide the driver image repository." .Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }}" + image: "{{ required "Must provide the driver image repository." .Values.images.driver }}" imagePullPolicy: {{ .Values.imagePullPolicy }} command: [ "/csi-vxflexos.sh" ] args: 
@@ -197,6 +199,8 @@ spec: value: "{{ .Values.kubeletConfigDir }}/plugins/vxflexos.emc.dell.com/disks" - name: X_CSI_ALLOW_RWO_MULTI_POD_ACCESS value: "{{ required "Must provide a true/false string to allow RWO multi pod access." .Values.allowRWOMultiPodAccess }}" + - name: X_CSI_MAX_VOLUMES_PER_NODE + value: "{{ .Values.maxVxflexosVolumesPerNode }}" - name: SSL_CERT_DIR value: /certs {{- if hasKey .Values.node "healthMonitor" }} @@ -224,6 +228,8 @@ spec: - name: pods-path mountPath: {{ .Values.kubeletConfigDir }}/pods mountPropagation: "Bidirectional" + - name: noderoot + mountPath: /noderoot - name: dev mountPath: /dev - name: vxflexos-config @@ -236,7 +242,7 @@ spec: readOnly: true {{- end}} - name: registrar - image: {{ required "Must provide the CSI registrar container image." ( include "csi-vxflexos.registrarImage" . ) }} + image: {{ required "Must provide the CSI registrar container image." .Values.images.registrar }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--v=5" @@ -340,6 +346,10 @@ spec: hostPath: path: {{ .Values.kubeletConfigDir }}/pods type: Directory + - name: noderoot + hostPath: + path: / + type: Directory - name: dev hostPath: path: /dev diff --git a/charts/dell/csi-vxflexos/values.yaml b/charts/dell/csi-vxflexos/values.yaml index fb4da903e..7cfab7be5 100644 --- a/charts/dell/csi-vxflexos/values.yaml +++ b/charts/dell/csi-vxflexos/values.yaml 
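Review bot: The new `noderoot` mount in the driver container's volumeMounts has no `readOnly: true`, and its volume is a hostPath of `/`, so the node's entire root filesystem becomes writable from a container that the earlier hunk shows adding `SYS_ADMIN` with `allowPrivilegeEscalation: true`. Nothing in the diff says what the driver needs under `/noderoot`; if it only inspects host files, add `readOnly: true` to the volumeMount, and prefer a hostPath limited to the directory actually required. The matching volume definition in the `@@ -340,6 +346,10 @@` hunk has the same scope. A short comment above the mount stating why host root is needed would help anyone writing a Pod Security or admission exception for this node pod.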
@@ -3,15 +3,28 @@ # "version" is used to verify the values file matches driver version # Not recommend to change -version: v2.7.1 +version: v2.9.0 + +# "images" defines every container images used for the driver and its sidecars. +# To use your own images, or a private registry, change the values here. images: # "driver" defines the container image, used for the driver container. - driverRepository: dellemc - + driver: dellemc/csi-vxflexos:v2.9.0 # "powerflexSdc" defines the SDC image for init container. - powerflexSdc: dellemc/sdc:3.6.0.6 - + powerflexSdc: dellemc/sdc:4.5 + # CSI sidecars + attacher: registry.k8s.io/sig-storage/csi-attacher:v4.4.2 + provisioner: registry.k8s.io/sig-storage/csi-provisioner:v3.6.2 + snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.2 + resizer: registry.k8s.io/sig-storage/csi-resizer:v1.9.2 + registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.1 + healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.10.0 + # CSM sidecars + replication: dellemc/dell-csi-replicator:v1.7.0 + vgsnapshotter: dellemc/csi-volumegroup-snapshotter:v1.4.0 + podmon: dellemc/podmon:v1.8.0 + authorization: dellemc/csm-authorization-sidecar:v1.9.0 # Represents number of certificate secrets, which user is going to create for ssl authentication. (vxflexos-cert-0..vxflexos-cert-n) # If user does not use certificate, set to 0 
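Review bot: Every entry in the new `images:` map is referenced by tag only, and `powerflexSdc: dellemc/sdc:4.5` looks like a floating tag, so with the chart's `imagePullPolicy: IfNotPresent` different nodes can run different content under the same name. For a storage driver that runs with elevated capabilities I would pin by digest, e.g. `driver: dellemc/csi-vxflexos:v2.9.0@sha256:<digest>`, or at least state in the comment block that digest references are accepted. `version: v2.9.0` and the tag inside `images.driver` now have to be kept in step by hand, and a comment saying so would prevent drift. Small wording fix in the added comment: "every container images" should be "every container image".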
@@ -46,6 +59,19 @@ defaultFsType: ext4 # Default value: None imagePullPolicy: IfNotPresent +# externalAccess: allows to specify additional entries for hostAccess of NFS volumes. Both single IP address and subnet are valid entries. +# Allowed Values: x.x.x.x/xx or x.x.x.x +# Default Value: None +externalAccess: + +# enableQuota: a boolean that, when enabled, will set quota limit for a newly provisioned NFS volume. +# Allowed values: +# true: set quota for volume +# false: do not set quota for volume +# Optional: true +# Default value: none +enableQuota: false + # "enablesnapshotcgdelete"- a boolean that, when enabled, will delete all snapshots in a consistency group # everytime a snap in the group is deleted # Allowed values: true, false @@ -54,7 +80,7 @@ enablesnapshotcgdelete: "false" # "enablelistvolumesnapshot" - a boolean that, when enabled, will allow list volume operation to include snapshots (since creating a volume # from a snap actually results in a new snap) -# It is recommend this be false unless instructed otherwise. +# It is recommended this be false unless instructed otherwise. # Allowed values: true, false # Default value: none enablelistvolumesnapshot: "false" @@ -62,7 +88,7 @@ enablelistvolumesnapshot: "false" # Setting allowRWOMultiPodAccess to "true" will allow multiple pods on the same node # to access the same RWO volume. This behavior conflicts with the CSI specification version 1.3 # NodePublishVolume descrition that requires an error to be returned in this case. -# However some other CSI drivers support this behavior and some customers desire this behavior. +# However, some other CSI drivers support this behavior and some customers desire this behavior. # Kubernetes could make a change at their discretion that would preclude our ability to support this option. # Customers use this option at their own risk. # You should leave this set as "false" unless instructed to change it by Dell support. 
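Review bot: The comment block added for `enableQuota` says `Default value: none` while the key is set to `false` directly below it, and `Optional: true` reads like one of the allowed values. I would write `# Default value: false` and reword or drop the `Optional` line. The `externalAccess` comment could also say that each entry grants an additional host or subnet access to NFS volumes and that leaving it empty adds none.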
@@ -79,6 +105,13 @@ allowRWOMultiPodAccess: "false" # None: volumes will be mounted with no modifications. fsGroupPolicy: File +# maxVxflexosVolumesPerNode: Specify default value for maximum number of volumes that controller can publish to the node. +# If value is zero CO SHALL decide how many volumes of this type can be published by the controller to the node. +# This limit is applicable to all the nodes in the cluster for which node label 'maxVxflexosVolumesPerNode' is not set. +# Allowed values: n, where n >= 0 +# Default value: 0 +maxVxflexosVolumesPerNode: 0 + # "controller" allows to configure controller specific parameters controller: @@ -92,11 +125,6 @@ controller: # Default value: false enabled: false - # image: Image to use for dell-csi-replicator. This shouldn't be changed - # Allowed values: string - # Default value: None - image: dellemc/dell-csi-replicator:v1.5.0 - # replicationContextPrefix: prefix to use for naming of resources created by replication feature # Allowed values: string # Default value: powerflex @@ -245,6 +273,21 @@ node: # Default value: false enabled: false +# Storage Capacity Tracking +# Note: Capacity tracking is supported in kubernetes v1.24 and above, this feature will be automatically disabled in older versions. +storageCapacity: + # enabled : Enable/Disable storage capacity tracking + # Allowed values: + # true: enable storage capacity tracking + # false: disable storage capacity tracking + # Default value: true + enabled: true + # pollInterval : Configure how often external-provisioner polls the driver to detect changed capacity + # Allowed values: 1m,2m,3m,...,10m,...,60m etc + # Default value: 5m + pollInterval: 5m + + # monitoring pod details # These options control the running of the monitoring container # This container gather diagnostic information in case of failure 
@@ -271,31 +314,30 @@ monitor: # These options control the running of the vgsnapshotter container vgsnapshotter: enabled: false - image: dellemc/csi-volumegroup-snapshotter:v1.2.0 # Podmon is an optional feature under development and tech preview. # Enable this feature only after contact support for additional information podmon: enabled: false - image: dellemc/podmon:v1.6.0 - #controller: - # args: - # - "--csisock=unix:/var/run/csi/csi.sock" - # - "--labelvalue=csi-vxflexos" - # - "--mode=controller" - # - "--skipArrayConnectionValidation=false" - # - "--driver-config-params=/vxflexos-config-params/driver-config-params.yaml" - # - "--driverPodLabelValue=dell-storage" - # - "--ignoreVolumelessPods=false" - #node: - # args: - # - "--csisock=unix:/var/lib/kubelet/plugins/vxflexos.emc.dell.com/csi_sock" - # - "--labelvalue=csi-vxflexos" - # - "--mode=node" - # - "--leaderelection=false" - # - "--driver-config-params=/vxflexos-config-params/driver-config-params.yaml" - # - "--driverPodLabelValue=dell-storage" - # - "--ignoreVolumelessPods=false" + + controller: + args: + - "--csisock=unix:/var/run/csi/csi.sock" + - "--labelvalue=csi-vxflexos" + - "--mode=controller" + - "--skipArrayConnectionValidation=false" + - "--driver-config-params=/vxflexos-config-params/driver-config-params.yaml" + - "--driverPodLabelValue=dell-storage" + - "--ignoreVolumelessPods=false" + node: + args: + - "--csisock=unix:/var/lib/kubelet/plugins/vxflexos.emc.dell.com/csi_sock" + - "--labelvalue=csi-vxflexos" + - "--mode=node" + - "--leaderelection=false" + - "--driver-config-params=/vxflexos-config-params/driver-config-params.yaml" + - "--driverPodLabelValue=dell-storage" + - "--ignoreVolumelessPods=false" # CSM module attributes # authorization: enable csm-authorization for RBAC 
@@ -307,10 +349,6 @@ podmon: authorization: enabled: false - # sidecarProxyImage: the container image used for the csm-authorization-sidecar. - # Default value: dellemc/csm-authorization-sidecar:v1.7.0 - sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.7.0 - # proxyHost: hostname of the csm-authorization server # Default value: None proxyHost: diff --git a/charts/digitalis/vals-operator/Chart.yaml b/charts/digitalis/vals-operator/Chart.yaml index 8695c743f..59f6bf90b 100644 --- a/charts/digitalis/vals-operator/Chart.yaml +++ b/charts/digitalis/vals-operator/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.19.0-0' catalog.cattle.io/release-name: vals-operator apiVersion: v2 -appVersion: v0.7.7 +appVersion: v0.7.8 description: 'This helm chart installs the Digitalis Vals Operator to manage and sync secrets from supported backends into Kubernetes. ## About Vals-Operator Here at [Digitalis](https://digitalis.io) we love [vals](https://github.com/helmfile/vals), @@ -20,4 +20,4 @@ maintainers: name: Digitalis.IO name: vals-operator type: application -version: 0.7.7 +version: 0.7.8 diff --git a/charts/digitalis/vals-operator/README.md b/charts/digitalis/vals-operator/README.md index 1338b762d..cfc03bc27 100644 --- a/charts/digitalis/vals-operator/README.md +++ b/charts/digitalis/vals-operator/README.md 
@@ -1,6 +1,6 @@ # vals-operator -![Version: 0.7.7](https://img.shields.io/badge/Version-0.7.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.7.7](https://img.shields.io/badge/AppVersion-v0.7.7-informational?style=flat-square) +![Version: 0.7.8](https://img.shields.io/badge/Version-0.7.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.7.8](https://img.shields.io/badge/AppVersion-v0.7.8-informational?style=flat-square) This helm chart installs the Digitalis Vals Operator to manage and sync secrets from supported backends into Kubernetes. ## About Vals-Operator diff --git a/charts/dynatrace/dynatrace-operator/Chart.yaml b/charts/dynatrace/dynatrace-operator/Chart.yaml index df7fb0fde..5f4355578 100644 --- a/charts/dynatrace/dynatrace-operator/Chart.yaml +++ b/charts/dynatrace/dynatrace-operator/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.19.0-0' catalog.cattle.io/release-name: dynatrace-operator apiVersion: v2 -appVersion: 0.14.2 +appVersion: 0.15.0 description: The Dynatrace Operator Helm chart for Kubernetes and OpenShift home: https://www.dynatrace.com/ icon: https://assets.dynatrace.com/global/resources/Signet_Logo_RGB_CP_512x512px.png @@ -20,4 +20,4 @@ name: dynatrace-operator sources: - https://github.com/Dynatrace/dynatrace-operator type: application -version: 0.14.2 +version: 0.15.0 diff --git a/charts/dynatrace/dynatrace-operator/templates/Common/crd/dynatrace-operator-crd.yaml b/charts/dynatrace/dynatrace-operator/templates/Common/crd/dynatrace-operator-crd.yaml index 149bd7484..01d408cba 100644 --- a/charts/dynatrace/dynatrace-operator/templates/Common/crd/dynatrace-operator-crd.yaml +++ b/charts/dynatrace/dynatrace-operator/templates/Common/crd/dynatrace-operator-crd.yaml 
@@ -3451,6 +3451,9 @@ spec: description: Source of the image (tenant-registry, public-registry, ...) type: string + type: + description: Image type + type: string version: description: Image version type: string @@ -3470,6 +3473,9 @@ spec: description: Source of the image (tenant-registry, public-registry, ...) type: string + type: + description: Image type + type: string version: description: Image version type: string @@ -3626,6 +3632,9 @@ spec: description: Source of the image (tenant-registry, public-registry, ...) type: string + type: + description: Image type + type: string version: description: Image version type: string @@ -3649,6 +3658,9 @@ spec: description: Source of the image (tenant-registry, public-registry, ...) type: string + type: + description: Image type + type: string version: description: Image version type: string @@ -3839,6 +3851,12 @@ spec: - name type: object type: array + hostPatterns: + description: Host patterns to be set in the tenant, only considered + when provisioning is enabled. + items: + type: string + type: array hostRestrictions: description: Restrict outgoing HTTP requests to your internal resources to specified hosts @@ -3876,6 +3894,11 @@ spec: endpoint: description: Token endpoint URL of Dynatrace SSO type: string + provisioner: + description: Determines if the operator will create the EdgeConnect + and light OAuth client on the cluster using the credentials + provided. Requires more scopes than default behavior. + type: boolean resource: description: URN identifying your account. You get the URN when creating the OAuth client @@ -4252,6 +4275,9 @@ spec: description: Source of the image (tenant-registry, public-registry, ...) type: string + type: + description: Image type + type: string version: description: Image version type: string 
diff --git a/charts/dynatrace/dynatrace-operator/templates/Common/operator/deployment-operator.yaml b/charts/dynatrace/dynatrace-operator/templates/Common/operator/deployment-operator.yaml index a5c9d630c..60663188f 100644 --- a/charts/dynatrace/dynatrace-operator/templates/Common/operator/deployment-operator.yaml +++ b/charts/dynatrace/dynatrace-operator/templates/Common/operator/deployment-operator.yaml @@ -106,6 +106,8 @@ spec: - emptyDir: { } name: tmp-cert-dir serviceAccountName: {{ .Release.Name }} + securityContext: + {{- toYaml .Values.operator.podSecurityContext | nindent 8 }} {{- if .Values.customPullSecret }} imagePullSecrets: - name: {{ .Values.customPullSecret }} diff --git a/charts/dynatrace/dynatrace-operator/templates/Common/webhook/deployment-webhook.yaml b/charts/dynatrace/dynatrace-operator/templates/Common/webhook/deployment-webhook.yaml index c6677afe9..a70c30dd7 100644 --- a/charts/dynatrace/dynatrace-operator/templates/Common/webhook/deployment-webhook.yaml +++ b/charts/dynatrace/dynatrace-operator/templates/Common/webhook/deployment-webhook.yaml @@ -134,6 +134,8 @@ spec: {{- if (.Values.webhook).hostNetwork }} hostNetwork: true {{- end }} + securityContext: + {{- toYaml .Values.webhook.podSecurityContext | nindent 8 }} {{- if .Values.customPullSecret }} imagePullSecrets: - name: {{ .Values.customPullSecret }} diff --git a/charts/dynatrace/dynatrace-operator/values.yaml b/charts/dynatrace/dynatrace-operator/values.yaml index ff7fb7092..576ec4d8e 100644 --- a/charts/dynatrace/dynatrace-operator/values.yaml +++ b/charts/dynatrace/dynatrace-operator/values.yaml @@ -45,6 +45,9 @@ operator: - ALL seccompProfile: type: RuntimeDefault + podSecurityContext: + seccompProfile: + type: RuntimeDefault requests: cpu: 50m memory: 64Mi @@ -71,6 +74,9 @@ webhook: - ALL seccompProfile: type: RuntimeDefault + podSecurityContext: + seccompProfile: + type: RuntimeDefault requests: cpu: 300m memory: 128Mi 
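Review bot: `securityContext:` is emitted unconditionally in both the operator and webhook deployments, so a user who clears `operator.podSecurityContext` or `webhook.podSecurityContext` gets `securityContext: null` rendered rather than the key being omitted. Wrapping the two added lines in a `{{- with .Values.operator.podSecurityContext }}` … `{{- end }}` block (and the webhook equivalent) would keep the manifest clean in that case. The new values.yaml keys carry no comment; one line saying this is the pod-level context, separate from the container-level settings just above it, would make the duplicated `seccompProfile` less confusing.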
@@ -184,3 +190,4 @@ csidriver: limits: cpu: 20m memory: 30Mi + diff --git a/charts/external-secrets/external-secrets/Chart.yaml b/charts/external-secrets/external-secrets/Chart.yaml index bb0641494..ce4f35501 100644 --- a/charts/external-secrets/external-secrets/Chart.yaml +++ b/charts/external-secrets/external-secrets/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.19.0-0' catalog.cattle.io/release-name: external-secrets apiVersion: v2 -appVersion: v0.9.9 +appVersion: v0.9.11 description: External secret management for Kubernetes home: https://github.com/external-secrets/external-secrets icon: https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png @@ -17,4 +17,4 @@ maintainers: name: mcavoyk name: external-secrets type: application -version: 0.9.9 +version: 0.9.11 diff --git a/charts/external-secrets/external-secrets/README.md b/charts/external-secrets/external-secrets/README.md index dd7e3ae26..96d2de05a 100644 --- a/charts/external-secrets/external-secrets/README.md +++ b/charts/external-secrets/external-secrets/README.md @@ -4,7 +4,7 @@ [//]: # (README.md generated by gotmpl. DO NOT EDIT.) -![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.9.9](https://img.shields.io/badge/Version-0.9.9-informational?style=flat-square) +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.9.11](https://img.shields.io/badge/Version-0.9.11-informational?style=flat-square) External secret management for Kubernetes 
@@ -48,6 +48,7 @@ The command removes all the Kubernetes components associated with the chart and | certController.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | | | certController.image.tag | string | `""` | | | certController.imagePullSecrets | list | `[]` | | +| certController.metrics.listen.port | int | `8080` | | | certController.metrics.service.annotations | object | `{}` | Additional service annotations | | certController.metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics | | certController.metrics.service.port | int | `8080` | Metrics service port to scrape | @@ -58,8 +59,6 @@ The command removes all the Kubernetes components associated with the chart and | certController.podLabels | object | `{}` | | | certController.podSecurityContext | object | `{}` | | | certController.priorityClassName | string | `""` | Pod priority class name. | -| certController.prometheus.enabled | bool | `false` | deprecated. will be removed with 0.7.0, use serviceMonitor instead | -| certController.prometheus.service.port | int | `8080` | deprecated. will be removed with 0.7.0, use serviceMonitor instead | | certController.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. | | certController.readinessProbe.address | string | `""` | Address for readiness probe | | certController.readinessProbe.port | int | `8081` | ReadinessProbe port for kubelet | 
@@ -105,6 +104,7 @@ The command removes all the Kubernetes components associated with the chart and | imagePullSecrets | list | `[]` | | | installCRDs | bool | `true` | If set, install and upgrade CRDs through helm chart. | | leaderElect | bool | `false` | If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time. | +| metrics.listen.port | int | `8080` | | | metrics.service.annotations | object | `{}` | Additional service annotations | | metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics | | metrics.service.port | int | `8080` | Metrics service port to scrape | 
@@ -114,12 +114,11 @@ The command removes all the Kubernetes components associated with the chart and | podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | | podLabels | object | `{}` | | | podSecurityContext | object | `{}` | | +| podSpecExtra | object | `{}` | Any extra pod spec on the deployment | | priorityClassName | string | `""` | Pod priority class name. | | processClusterExternalSecret | bool | `true` | if true, the operator will process cluster external secret. Else, it will ignore them. | | processClusterStore | bool | `true` | if true, the operator will process cluster store. Else, it will ignore them. | | processPushSecret | bool | `true` | if true, the operator will process push secret. Else, it will ignore them. | -| prometheus.enabled | bool | `false` | deprecated. will be removed with 0.7.0, use serviceMonitor instead. | -| prometheus.service.port | int | `8080` | deprecated. will be removed with 0.7.0, use serviceMonitor instead. | | rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. | | rbac.servicebindings.create | bool | `true` | Specifies whether a clusterrole to give servicebindings read access should be created. | | replicaCount | int | `1` | | 
@@ -172,6 +171,7 @@ The command removes all the Kubernetes components associated with the chart and | webhook.image.tag | string | `""` | The image tag to use. The default is the chart appVersion. | | webhook.imagePullSecrets | list | `[]` | | | webhook.lookaheadInterval | string | `""` | Specifices the lookaheadInterval for certificate validity | +| webhook.metrics.listen.port | int | `8080` | | | webhook.metrics.service.annotations | object | `{}` | Additional service annotations | | webhook.metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics | | webhook.metrics.service.port | int | `8080` | Metrics service port to scrape | @@ -183,8 +183,6 @@ The command removes all the Kubernetes components associated with the chart and | webhook.podSecurityContext | object | `{}` | | | webhook.port | int | `10250` | The port the webhook will listen to | | webhook.priorityClassName | string | `""` | Pod priority class name. | -| webhook.prometheus.enabled | bool | `false` | deprecated. will be removed with 0.7.0, use serviceMonitor instead | -| webhook.prometheus.service.port | int | `8080` | deprecated. will be removed with 0.7.0, use serviceMonitor instead | | webhook.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. | | webhook.readinessProbe.address | string | `""` | Address for readiness probe | | webhook.readinessProbe.port | int | `8081` | ReadinessProbe port for kubelet | diff --git a/charts/external-secrets/external-secrets/templates/NOTES.txt b/charts/external-secrets/external-secrets/templates/NOTES.txt index a4bd27e0b..2887d22be 100644 --- a/charts/external-secrets/external-secrets/templates/NOTES.txt +++ b/charts/external-secrets/external-secrets/templates/NOTES.txt 
@@ -6,8 +6,3 @@ or ClusterSecretStore resource (for example, by creating a 'vault' SecretStore). More information on the different types of SecretStores and how to configure them can be found in our Github: {{ .Chart.Home }} -{{ if .Values.prometheus.enabled -}} -deprecation warning: -> The flag `prometheus.enabled` is deprecated and will be removed in the next release. - Please migrate to using servicemonitor instead. -{{ end }} \ No newline at end of file diff --git a/charts/external-secrets/external-secrets/templates/cert-controller-deployment.yaml b/charts/external-secrets/external-secrets/templates/cert-controller-deployment.yaml index e21270141..51083e565 100644 --- a/charts/external-secrets/external-secrets/templates/cert-controller-deployment.yaml +++ b/charts/external-secrets/external-secrets/templates/cert-controller-deployment.yaml @@ -1,4 +1,4 @@ -{{- if .Values.certController.create }} +{{- if and .Values.certController.create (not .Values.webhook.certManager.enable) }} apiVersion: apps/v1 kind: Deployment metadata: @@ -54,7 +54,7 @@ spec: - --service-namespace={{ .Release.Namespace }} - --secret-name={{ include "external-secrets.fullname" . }}-webhook - --secret-namespace={{ .Release.Namespace }} - - --metrics-addr=:{{ .Values.certController.prometheus.service.port }} + - --metrics-addr=:{{ .Values.certController.metrics.listen.port }} - --healthz-addr={{ .Values.certController.readinessProbe.address }}:{{ .Values.certController.readinessProbe.port }} {{ if not .Values.crds.createClusterSecretStore -}} - --crd-names=externalsecrets.external-secrets.io @@ -68,7 +68,7 @@ spec: {{- end }} {{- end }} ports: - - containerPort: {{ .Values.certController.prometheus.service.port }} + - containerPort: {{ .Values.certController.metrics.listen.port }} protocol: TCP name: metrics readinessProbe: 
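Review bot: The new guard on the first line of cert-controller-deployment.yaml tests `.Values.webhook.certManager.enable`, while the other cert-controller templates changed in this commit (poddisruptionbudget, rbac, service, serviceaccount) test `.Values.webhook.certManager.enabled`. A key that does not exist evaluates as empty, so `not` is always true and the Deployment is still rendered when cert-manager is enabled, although its ServiceAccount and RBAC are skipped; the pods would then presumably reference a service account the chart no longer creates. The line should read `{{- if and .Values.certController.create (not .Values.webhook.certManager.enabled) }}`.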
diff --git a/charts/external-secrets/external-secrets/templates/cert-controller-poddisruptionbudget.yaml b/charts/external-secrets/external-secrets/templates/cert-controller-poddisruptionbudget.yaml index 99e88c28e..5eca1a93e 100644 --- a/charts/external-secrets/external-secrets/templates/cert-controller-poddisruptionbudget.yaml +++ b/charts/external-secrets/external-secrets/templates/cert-controller-poddisruptionbudget.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.certController.create .Values.certController.podDisruptionBudget.enabled }} +{{- if and .Values.certController.create .Values.certController.podDisruptionBudget.enabled (not .Values.webhook.certManager.enabled) }} apiVersion: policy/v1 kind: PodDisruptionBudget metadata: @@ -16,4 +16,4 @@ spec: selector: matchLabels: {{- include "external-secrets-cert-controller.selectorLabels" . | nindent 6 }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/external-secrets/external-secrets/templates/cert-controller-rbac.yaml b/charts/external-secrets/external-secrets/templates/cert-controller-rbac.yaml index a61851438..62dbe3fae 100644 --- a/charts/external-secrets/external-secrets/templates/cert-controller-rbac.yaml +++ b/charts/external-secrets/external-secrets/templates/cert-controller-rbac.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.certController.create .Values.certController.rbac.create -}} +{{- if and .Values.certController.create .Values.certController.rbac.create (not .Values.webhook.certManager.enabled) -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/charts/external-secrets/external-secrets/templates/cert-controller-service.yaml b/charts/external-secrets/external-secrets/templates/cert-controller-service.yaml index e4571a775..570dc041f 100644 --- a/charts/external-secrets/external-secrets/templates/cert-controller-service.yaml +++ b/charts/external-secrets/external-secrets/templates/cert-controller-service.yaml 
@@ -1,30 +1,20 @@ -{{- if or (and .Values.certController.create .Values.certController.prometheus.enabled) (and .Values.certController.create .Values.certController.metrics.service.enabled) }} +{{- if and .Values.certController.create .Values.certController.metrics.service.enabled (not .Values.webhook.certManager.enabled) }} apiVersion: v1 kind: Service metadata: name: {{ include "external-secrets.fullname" . }}-cert-controller-metrics labels: {{- include "external-secrets.labels" . | nindent 4 }} - {{- if .Values.certController.prometheus.enabled }} - annotations: - prometheus.io/path: "/metrics" - prometheus.io/scrape: "true" - prometheus.io/port: {{ .Values.certController.prometheus.service.port | quote }} - {{- else }} {{- with .Values.metrics.service.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} - {{- end }} spec: type: ClusterIP ports: - {{- if .Values.certController.prometheus.enabled }} - - port: {{ .Values.certController.prometheus.service.port }} - {{- else }} - port: {{ .Values.certController.metrics.service.port }} - {{- end }} protocol: TCP + targetPort: metrics name: metrics selector: {{- include "external-secrets-cert-controller.selectorLabels" . | nindent 4 }} diff --git a/charts/external-secrets/external-secrets/templates/cert-controller-serviceaccount.yaml b/charts/external-secrets/external-secrets/templates/cert-controller-serviceaccount.yaml index c1ab0897c..4fb0644fc 100644 --- a/charts/external-secrets/external-secrets/templates/cert-controller-serviceaccount.yaml +++ b/charts/external-secrets/external-secrets/templates/cert-controller-serviceaccount.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.certController.create .Values.certController.serviceAccount.create -}} +{{- if and .Values.certController.create .Values.certController.serviceAccount.create (not .Values.webhook.certManager.enabled) -}} apiVersion: v1 kind: ServiceAccount metadata: 
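Review bot: The `annotations` block kept by this hunk reads `.Values.metrics.service.annotations`, the core controller's value, although this Service is gated on and takes its port from `.Values.certController.metrics.service`. The README table lists `certController.metrics.service.annotations` as a separate setting, so annotations set there never reach the cert-controller metrics Service. Since the hunk already rewrites the surrounding conditionals, I would change the line to `{{- with .Values.certController.metrics.service.annotations }}`.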
diff --git a/charts/external-secrets/external-secrets/templates/crds/clustersecretstore.yaml b/charts/external-secrets/external-secrets/templates/crds/clustersecretstore.yaml index 1f8c1a633..ea9ac2669 100644 --- a/charts/external-secrets/external-secrets/templates/crds/clustersecretstore.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/clustersecretstore.yaml @@ -711,6 +711,11 @@ spec: type: string principalType: description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload type: string region: description: Region is the region where vault is located. @@ -1438,7 +1443,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -1517,8 +1522,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -1539,7 +1555,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -1863,6 +1879,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string @@ -2255,6 +2272,11 @@ spec: type: string principalType: description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload type: string region: description: Region is the region where vault is located. diff --git a/charts/external-secrets/external-secrets/templates/crds/pushsecret.yaml b/charts/external-secrets/external-secrets/templates/crds/pushsecret.yaml index 3f0649b6e..306eafea5 100644 --- a/charts/external-secrets/external-secrets/templates/crds/pushsecret.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/pushsecret.yaml @@ -68,7 +68,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. 
@@ -145,6 +144,101 @@ spec: required: - secret type: object + template: + description: Template defines a blueprint for the created Secret resource. + properties: + data: + additionalProperties: + type: string + type: object + engineVersion: + default: v2 + description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + enum: + - v1 + - v2 + type: string + mergePolicy: + default: Replace + enum: + - Replace + - Merge + type: string + metadata: + description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + templateFrom: + items: + properties: + configMap: + properties: + items: + items: + properties: + key: + type: string + templateAs: + default: Values + enum: + - Values + - KeysAndValues + type: string + required: + - key + type: object + type: array + name: + type: string + required: + - items + - name + type: object + literal: + type: string + secret: + properties: + items: + items: + properties: + key: + type: string + templateAs: + default: Values + enum: + - Values + - KeysAndValues + type: string + required: + - key + type: object + type: array + name: + type: string + required: + - items + - name + type: object + target: + default: Data + enum: + - Data + - Annotations + - Labels + type: string + type: object + type: array + type: + type: string + type: object required: - secretStoreRefs - selector @@ -202,7 +296,6 @@ spec: type: string required: - remoteRef - - secretKey type: object metadata: description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. 
diff --git a/charts/external-secrets/external-secrets/templates/crds/secretstore.yaml b/charts/external-secrets/external-secrets/templates/crds/secretstore.yaml index 33f7def8b..20adc876c 100644 --- a/charts/external-secrets/external-secrets/templates/crds/secretstore.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/secretstore.yaml @@ -711,6 +711,11 @@ spec: type: string principalType: description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload type: string region: description: Region is the region where vault is located. @@ -1438,7 +1443,7 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -1517,8 +1522,19 @@ spec: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -1539,7 +1555,7 @@ spec: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -1863,6 +1879,7 @@ spec: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string @@ -2255,6 +2272,11 @@ spec: type: string principalType: description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload type: string region: description: Region is the region where vault is located. diff --git a/charts/external-secrets/external-secrets/templates/crds/vaultdynamicsecret.yaml b/charts/external-secrets/external-secrets/templates/crds/vaultdynamicsecret.yaml index 0e0af579d..123558f86 100644 --- a/charts/external-secrets/external-secrets/templates/crds/vaultdynamicsecret.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/vaultdynamicsecret.yaml @@ -439,6 +439,9 @@ spec: resultType: default: Data description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + enum: + - Data + - Auth type: string required: - path diff --git a/charts/external-secrets/external-secrets/templates/deployment.yaml b/charts/external-secrets/external-secrets/templates/deployment.yaml index 217e261f8..00ea999ba 100644 --- a/charts/external-secrets/external-secrets/templates/deployment.yaml +++ b/charts/external-secrets/external-secrets/templates/deployment.yaml 
@@ -65,9 +65,9 @@ spec:
 {{- if not .Values.processClusterExternalSecret }}
 - --enable-cluster-external-secret-reconciler=false
 {{- end }}
- {{- if not .Values.processPushSecret }}
+ {{- end }}
+ {{- if not .Values.processPushSecret }}
 - --enable-push-secret-reconciler=false
- {{- end }}
 {{- end }}
 {{- if .Values.controllerClass }}
 - --controller-class={{ .Values.controllerClass }}
@@ -86,8 +86,9 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
+ - --metrics-addr=:{{ .Values.metrics.listen.port }}
 ports:
- - containerPort: {{ .Values.prometheus.service.port }}
+ - containerPort: {{ .Values.metrics.listen.port }}
 protocol: TCP
 name: metrics
 {{- with .Values.extraEnv }}
@@ -132,4 +133,7 @@ spec:
 {{- if .Values.priorityClassName }}
 priorityClassName: {{ .Values.priorityClassName }}
 {{- end }}
+ {{- if .Values.podSpecExtra }}
+ {{- toYaml .Values.podSpecExtra | nindent 6 }}
+ {{- end }}
 {{- end }}
diff --git a/charts/external-secrets/external-secrets/templates/service.yaml b/charts/external-secrets/external-secrets/templates/service.yaml
index 448f0327b..bf56fdea8 100644
--- a/charts/external-secrets/external-secrets/templates/service.yaml
+++ b/charts/external-secrets/external-secrets/templates/service.yaml
@@ -1,4 +1,4 @@
-{{- if or .Values.prometheus.enabled .Values.metrics.service.enabled }}
+{{- if .Values.metrics.service.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
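Review bot: The `podSpecExtra` block in the last deployment.yaml hunk renders arbitrary values at pod-spec level after the fields the template already sets, so a key such as `priorityClassName` (visible just above it) can end up twice in the rendered manifest. Depending on how duplicate keys are handled, the later value would either win silently or the manifest would fail to apply, which means pod-level settings chosen by the chart can be overridden without that being visible in the template. I would document the constraint next to the value, e.g. `# -- Extra pod-spec fields appended verbatim; must not repeat a key the chart already renders`, and consider `{{- with .Values.podSpecExtra }}` as the service template does for its optional annotations. The pod spec itself starts outside the hunk.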
@@ -6,26 +6,16 @@ metadata:
 namespace: {{ .Release.Namespace | quote }}
 labels:
 {{- include "external-secrets.labels" . | nindent 4 }}
- {{- if .Values.prometheus.enabled }}
- annotations:
- prometheus.io/path: "/metrics"
- prometheus.io/scrape: "true"
- prometheus.io/port: {{ .Values.prometheus.service.port | quote }}
- {{- else }}
 {{- with .Values.metrics.service.annotations }}
 annotations:
 {{- toYaml . | nindent 4 }}
 {{- end }}
- {{- end }}
 spec:
 type: ClusterIP
 ports:
- {{- if .Values.prometheus.enabled }}
- - port: {{ .Values.prometheus.service.port }}
- {{- else }}
 - port: {{ .Values.metrics.service.port }}
- {{- end }}
 protocol: TCP
+ targetPort: metrics
 name: metrics
 selector:
 {{- include "external-secrets.selectorLabels" . | nindent 4 }}
diff --git a/charts/external-secrets/external-secrets/templates/servicemonitor.yaml b/charts/external-secrets/external-secrets/templates/servicemonitor.yaml
index b56eefc00..63c9da02c 100644
--- a/charts/external-secrets/external-secrets/templates/servicemonitor.yaml
+++ b/charts/external-secrets/external-secrets/templates/servicemonitor.yaml
@@ -9,7 +9,7 @@ metadata:
 spec:
 type: ClusterIP
 ports:
- - port: 8080
+ - port: {{ .Values.metrics.service.port }}
 protocol: TCP
 name: metrics
 selector:
@@ -57,7 +57,7 @@ metadata:
 spec:
 type: ClusterIP
 ports:
- - port: 8080
+ - port: {{ .Values.webhook.metrics.service.port }}
 protocol: TCP
 name: metrics
 selector:
@@ -106,7 +106,7 @@ metadata:
 spec:
 type: ClusterIP
 ports:
- - port: 8080
+ - port: {{ .Values.certController.metrics.listen.port }}
 protocol: TCP
 name: metrics
 selector:
diff --git a/charts/external-secrets/external-secrets/templates/webhook-deployment.yaml b/charts/external-secrets/external-secrets/templates/webhook-deployment.yaml
index 3cc774fc3..5ab8fe9f6 100644
--- a/charts/external-secrets/external-secrets/templates/webhook-deployment.yaml
+++ b/charts/external-secrets/external-secrets/templates/webhook-deployment.yaml
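Review bot: The three metrics Services in servicemonitor.yaml now read their `port` from different kinds of key, `metrics.service.port` and `webhook.metrics.service.port` for the first two but `certController.metrics.listen.port` for the third, and none of the three hunks shows a `targetPort`. A Service without `targetPort` forwards to the same number as `port`, so once `metrics.service.port` is set to something other than `metrics.listen.port` the first two Services would point at a port the container does not listen on. The service.yaml hunk in this same commit adds `targetPort: metrics`; I would add the same line here and, assuming `certController.metrics.service.port` exists, use it for the third Service. Each Service definition starts outside its hunk.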
@@ -53,7 +53,7 @@ spec:
 - --dns-name={{ include "external-secrets.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
 - --cert-dir={{ .Values.webhook.certDir }}
 - --check-interval={{ .Values.webhook.certCheckInterval }}
- - --metrics-addr=:{{ .Values.webhook.prometheus.service.port }}
+ - --metrics-addr=:{{ .Values.webhook.metrics.listen.port }}
 - --healthz-addr={{ .Values.webhook.readinessProbe.address }}:{{ .Values.webhook.readinessProbe.port }}
 {{- if .Values.webhook.lookaheadInterval }}
 - --lookahead-interval={{ .Values.webhook.lookaheadInterval }}
@@ -66,7 +66,7 @@ spec:
 {{- end }}
 {{- end }}
 ports:
- - containerPort: {{ .Values.webhook.prometheus.service.port }}
+ - containerPort: {{ .Values.webhook.metrics.listen.port }}
 protocol: TCP
 name: metrics
 - containerPort: {{ .Values.webhook.port }}
diff --git a/charts/external-secrets/external-secrets/templates/webhook-service.yaml b/charts/external-secrets/external-secrets/templates/webhook-service.yaml
index 47826d223..ec2001dbd 100644
--- a/charts/external-secrets/external-secrets/templates/webhook-service.yaml
+++ b/charts/external-secrets/external-secrets/templates/webhook-service.yaml
@@ -7,12 +7,7 @@ metadata:
 labels:
 {{- include "external-secrets-webhook.labels" . | nindent 4 }}
 external-secrets.io/component: webhook
- {{- if .Values.webhook.prometheus.enabled}}
- annotations:
- prometheus.io/path: "/metrics"
- prometheus.io/scrape: "true"
- prometheus.io/port: {{ .Values.prometheus.service.port | quote }}
- {{- else }}
+ {{- if .Values.webhook.metrics.service.enabled }}
 {{- with .Values.webhook.metrics.service.annotations }}
 annotations:
 {{- toYaml . | nindent 4 }}
@@ -25,15 +20,10 @@ spec: targetPort: {{ .Values.webhook.port }} protocol: TCP name: webhook - {{- if or .Values.webhook.prometheus.enabled .Values.webhook.metrics.service.enabled }} - {{- if .Values.webhook.prometheus.enabled }} - - port: {{ .Values.webhook.prometheus.service.port }} - targetPort: {{ .Values.webhook.prometheus.service.port }} - {{- else }} + {{- if .Values.webhook.metrics.service.enabled }} - port: {{ .Values.webhook.metrics.service.port }} - targetPort: {{ .Values.webhook.metrics.service.port }} - {{- end }} protocol: TCP + targetPort: metrics name: metrics {{- end }} selector: diff --git a/charts/external-secrets/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap b/charts/external-secrets/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap index 65a309fd2..24b24dca3 100644 --- a/charts/external-secrets/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap +++ b/charts/external-secrets/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap @@ -7,8 +7,8 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/version: v0.9.9 - helm.sh/chart: external-secrets-0.9.9 + app.kubernetes.io/version: v0.9.11 + helm.sh/chart: external-secrets-0.9.11 name: RELEASE-NAME-external-secrets-cert-controller namespace: NAMESPACE spec: @@ -24,8 +24,8 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/version: v0.9.9 - helm.sh/chart: external-secrets-0.9.9 + app.kubernetes.io/version: v0.9.11 + helm.sh/chart: external-secrets-0.9.11 spec: automountServiceAccountToken: true containers: 
@@ -38,7 +38,7 @@ should match snapshot of default values: - --secret-namespace=NAMESPACE - --metrics-addr=:8080 - --healthz-addr=:8081 - image: ghcr.io/external-secrets/external-secrets:v0.9.9 + image: ghcr.io/external-secrets/external-secrets:v0.9.11 imagePullPolicy: IfNotPresent name: cert-controller ports: diff --git a/charts/external-secrets/external-secrets/tests/__snapshot__/controller_test.yaml.snap b/charts/external-secrets/external-secrets/tests/__snapshot__/controller_test.yaml.snap index 7040cd719..123207b31 100644 --- a/charts/external-secrets/external-secrets/tests/__snapshot__/controller_test.yaml.snap +++ b/charts/external-secrets/external-secrets/tests/__snapshot__/controller_test.yaml.snap @@ -7,8 +7,8 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets - app.kubernetes.io/version: v0.9.9 - helm.sh/chart: external-secrets-0.9.9 + app.kubernetes.io/version: v0.9.11 + helm.sh/chart: external-secrets-0.9.11 name: RELEASE-NAME-external-secrets namespace: NAMESPACE spec: @@ -24,14 +24,15 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets - app.kubernetes.io/version: v0.9.9 - helm.sh/chart: external-secrets-0.9.9 + app.kubernetes.io/version: v0.9.11 + helm.sh/chart: external-secrets-0.9.11 spec: automountServiceAccountToken: true containers: - args: - --concurrent=1 - image: ghcr.io/external-secrets/external-secrets:v0.9.9 + - --metrics-addr=:8080 + image: ghcr.io/external-secrets/external-secrets:v0.9.11 imagePullPolicy: IfNotPresent name: external-secrets ports: diff --git a/charts/external-secrets/external-secrets/tests/__snapshot__/crds_test.yaml.snap b/charts/external-secrets/external-secrets/tests/__snapshot__/crds_test.yaml.snap index d8cdecce6..fa5b3224a 100644 
--- a/charts/external-secrets/external-secrets/tests/__snapshot__/crds_test.yaml.snap +++ b/charts/external-secrets/external-secrets/tests/__snapshot__/crds_test.yaml.snap @@ -716,6 +716,11 @@ should match snapshot of default values: type: string principalType: description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload type: string region: description: Region is the region where vault is located. @@ -1443,7 +1448,7 @@ should match snapshot of default values: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role + description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role items: type: string type: array 
@@ -1522,8 +1527,19 @@ should match snapshot of default values: description: AWS Region to be used for the provider type: string role: - description: Role is a Role ARN which the SecretManager provider will assume + description: Role is a Role ARN which the provider will assume type: string + secretsManager: + description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager + properties: + forceDeleteWithoutRecovery: + description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + type: boolean + recoveryWindowInDays: + description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + format: int64 + type: integer + type: object service: description: Service defines which service should be used to fetch the secrets enum: @@ -1544,7 +1560,7 @@ should match snapshot of default values: type: object type: array transitiveTagKeys: - description: AWS STS assume role transitive session tags. Required when multiple rules are used with SecretStore + description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider items: type: string type: array 
@@ -1868,6 +1884,7 @@ should match snapshot of default values: valueMap: additionalProperties: type: string + description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.' type: object version: type: string @@ -2260,6 +2277,11 @@ should match snapshot of default values: type: string principalType: description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + enum: + - "" + - UserPrincipal + - InstancePrincipal + - Workload type: string region: description: Region is the region where vault is located. diff --git a/charts/external-secrets/external-secrets/tests/__snapshot__/webhook_test.yaml.snap b/charts/external-secrets/external-secrets/tests/__snapshot__/webhook_test.yaml.snap index 94c9cb193..b5aa2391a 100644 --- a/charts/external-secrets/external-secrets/tests/__snapshot__/webhook_test.yaml.snap +++ b/charts/external-secrets/external-secrets/tests/__snapshot__/webhook_test.yaml.snap @@ -7,8 +7,8 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/version: v0.9.9 - helm.sh/chart: external-secrets-0.9.9 + app.kubernetes.io/version: v0.9.11 + helm.sh/chart: external-secrets-0.9.11 name: RELEASE-NAME-external-secrets-webhook namespace: NAMESPACE spec: @@ -24,8 +24,8 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/version: v0.9.9 - helm.sh/chart: external-secrets-0.9.9 + app.kubernetes.io/version: v0.9.11 + helm.sh/chart: external-secrets-0.9.11 spec: automountServiceAccountToken: true containers: 
@@ -37,7 +37,7 @@ should match snapshot of default values: - --check-interval=5m - --metrics-addr=:8080 - --healthz-addr=:8081 - image: ghcr.io/external-secrets/external-secrets:v0.9.9 + image: ghcr.io/external-secrets/external-secrets:v0.9.11 imagePullPolicy: IfNotPresent name: webhook ports: @@ -81,8 +81,8 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/version: v0.9.9 + app.kubernetes.io/version: v0.9.11 external-secrets.io/component: webhook - helm.sh/chart: external-secrets-0.9.9 + helm.sh/chart: external-secrets-0.9.11 name: RELEASE-NAME-external-secrets-webhook namespace: NAMESPACE diff --git a/charts/external-secrets/external-secrets/tests/cert_controller_test.yaml b/charts/external-secrets/external-secrets/tests/cert_controller_test.yaml index b2398c844..52cce7efd 100644 --- a/charts/external-secrets/external-secrets/tests/cert_controller_test.yaml +++ b/charts/external-secrets/external-secrets/tests/cert_controller_test.yaml @@ -56,7 +56,7 @@ tests: value: "--healthz-addr=:8082" - it: should override metrics port set: - certController.prometheus.service.port: 8888 + certController.metrics.listen.port: 8888 asserts: - equal: path: spec.template.spec.containers[0].args[6] diff --git a/charts/external-secrets/external-secrets/tests/controller_test.yaml b/charts/external-secrets/external-secrets/tests/controller_test.yaml index 727e71cf6..f74af187b 100644 --- a/charts/external-secrets/external-secrets/tests/controller_test.yaml +++ b/charts/external-secrets/external-secrets/tests/controller_test.yaml @@ -47,3 +47,10 @@ tests: - equal: path: spec.template.spec.hostNetwork value: true + - it: should override metrics port + set: + metrics.listen.port: 8888 + asserts: + - equal: + path: spec.template.spec.containers[0].args[1] + value: "--metrics-addr=:8888" 
diff --git a/charts/external-secrets/external-secrets/tests/webhook_test.yaml b/charts/external-secrets/external-secrets/tests/webhook_test.yaml index a81d8a499..b157e3bd4 100644 --- a/charts/external-secrets/external-secrets/tests/webhook_test.yaml +++ b/charts/external-secrets/external-secrets/tests/webhook_test.yaml @@ -161,3 +161,12 @@ tests: templates: - validatingwebhook.yaml - crds/externalsecret.yaml + - it: should override metrics port + set: + webhook.metrics.listen.port: 8888 + templates: + - webhook-deployment.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].args[5] + value: "--metrics-addr=:8888" diff --git a/charts/external-secrets/external-secrets/values.yaml b/charts/external-secrets/external-secrets/values.yaml index 66f68b25a..5b4335720 100644 --- a/charts/external-secrets/external-secrets/values.yaml +++ b/charts/external-secrets/external-secrets/values.yaml @@ -132,13 +132,6 @@ resources: {} # cpu: 10m # memory: 32Mi -prometheus: - # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead. - enabled: false - service: - # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead. - port: 8080 - serviceMonitor: # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics enabled: false @@ -177,6 +170,10 @@ serviceMonitor: # action: replace metrics: + + listen: + port: 8080 + service: # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics enabled: false @@ -299,14 +296,12 @@ webhook: enabled: false minAvailable: 1 # maxUnavailable: 1 - prometheus: - # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead - enabled: false - service: - # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead - port: 8080 metrics: + + listen: + port: 8080 + service: # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics enabled: false 
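Review bot: The new `listen.port` keys under `metrics` and `webhook.metrics` (and under `certController.metrics` in the later values.yaml hunk) carry no `# --` description while the neighbouring keys do; a line such as `# -- Port the metrics endpoint listens on inside the container` would keep the values documentation complete and make the difference from `service.port` clear. The `prometheus` blocks are removed outright and the templates changed in this commit no longer read them, so an existing override of `prometheus.enabled` or `prometheus.service.port` would be ignored without any message. An upgrade note, or a `fail` guard in the templates when those keys are still set, would make that visible to operators who rely on the old scrape annotations.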
@@ -418,14 +413,11 @@ certController: minAvailable: 1 # maxUnavailable: 1 - prometheus: - # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead - enabled: false - service: - # -- deprecated. will be removed with 0.7.0, use serviceMonitor instead + metrics: + + listen: port: 8080 - metrics: service: # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics enabled: false @@ -484,3 +476,6 @@ certController: # -- Specifies `dnsOptions` to deployment dnsConfig: {} + +# -- Any extra pod spec on the deployment +podSpecExtra: {} diff --git a/charts/f5/nginx-ingress/Chart.yaml b/charts/f5/nginx-ingress/Chart.yaml index 43a7a13c6..345a3e401 100644 --- a/charts/f5/nginx-ingress/Chart.yaml +++ b/charts/f5/nginx-ingress/Chart.yaml @@ -4,10 +4,10 @@ annotations: catalog.cattle.io/kube-version: '>= 1.22.0-0' catalog.cattle.io/release-name: nginx-ingress apiVersion: v2 -appVersion: 3.3.2 +appVersion: 3.4.0 description: NGINX Ingress Controller home: https://github.com/nginxinc/kubernetes-ingress -icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deployments/helm-chart/chart-icon.png +icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.0/charts/nginx-ingress/chart-icon.png keywords: - ingress - nginx @@ -17,6 +17,6 @@ maintainers: name: nginxinc name: nginx-ingress sources: -- https://github.com/nginxinc/kubernetes-ingress/tree/v3.3.2/deployments/helm-chart +- https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/charts/nginx-ingress type: application -version: 1.0.2 +version: 1.1.0 diff --git a/charts/f5/nginx-ingress/README.md b/charts/f5/nginx-ingress/README.md index 95115a070..cb0ffdc50 100644 --- a/charts/f5/nginx-ingress/README.md +++ b/charts/f5/nginx-ingress/README.md 
@@ -15,8 +15,9 @@ This chart deploys the NGINX Ingress Controller in your Kubernetes cluster. - If you’d like to use NGINX Plus: - To pull from the F5 Container registry, configure a docker registry secret using your JWT token from the MyF5 portal by following the instructions from - [here](https://docs.nginx.com/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). Make sure to - specify the secret using `controller.serviceAccount.imagePullSecretName` parameter. + [here](https://docs.nginx.com/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). + Make sure to specify the secret using one of the following parameters: + `controller.serviceAccount.imagePullSecretName` or `controller.serviceAccount.imagePullSecretsNames`. - Alternatively, pull an Ingress Controller image with NGINX Plus and push it to your private registry by following the instructions from [here](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image). @@ -78,14 +79,14 @@ To install the chart with the release name my-release (my-release is the name th For NGINX: ```console -helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.0.2 +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.0 ``` For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry `myregistry.example.com`) ```console -helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.0.2 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.0 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true ``` This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to 
@@ -100,7 +101,7 @@ CRDs](#upgrading-the-crds). To upgrade the release `my-release`: ```console -helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.0.2 +helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.0 ``` ### Uninstalling the Chart @@ -141,7 +142,7 @@ upgrading/deleting the CRDs. 1. Pull the chart sources: ```console - helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.0.2 + helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.1.0 ``` 2. Change your working directory to nginx-ingress: @@ -227,11 +228,11 @@ The steps you should follow depend on the Helm release name: Selector: app=nginx-ingress-nginx-ingress ``` -2. Checkout the latest available tag using `git checkout v3.3.2` +2. Checkout the latest available tag using `git checkout v3.4.0` -3. Navigate to `/kubernates-ingress/deployments/helm-chart` +3. Navigate to `/kubernates-ingress/charts/nginx-ingress` -4. Update the `selectorLabels: {}` field in the `values.yaml` file located at `/kubernates-ingress/deployments/helm-chart` +4. Update the `selectorLabels: {}` field in the `values.yaml` file located at `/kubernates-ingress/charts/nginx-ingress` with the copied `Selector` value. ```shell @@ -279,11 +280,11 @@ reviewing its events: Selector: app=-nginx-ingress ``` -2. Checkout the latest available tag using `git checkout v3.3.2` +2. Checkout the latest available tag using `git checkout v3.4.0` -3. Navigate to `/kubernates-ingress/deployments/helm-chart` +3. Navigate to `/kubernates-ingress/charts/nginx-ingress` -4. Update the `selectorLabels: {}` field in the `values.yaml` file located at `/kubernates-ingress/deployments/helm-chart` +4. Update the `selectorLabels: {}` field in the `values.yaml` file located at `/kubernates-ingress/charts/nginx-ingress` with the copied `Selector` value. ```shell 
@@ -342,10 +343,11 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.hostNetwork` | Enables the Ingress Controller pods to use the host's network namespace. | false | |`controller.dnsPolicy` | DNS policy for the Ingress Controller pods. | ClusterFirst | |`controller.nginxDebug` | Enables debugging for NGINX. Uses the `nginx-debug` binary. Requires `error-log-level: debug` in the ConfigMap via `controller.config.entries`. | false | +| `controller.shareProcessNamespace` | Enables process namespace sharing. When process namespace sharing is enabled, processes in a container are visible to all other containers in the same pod. [docs](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) | false | |`controller.logLevel` | The log level of the Ingress Controller. | 1 | |`controller.image.digest` | The image digest of the Ingress Controller. | None | |`controller.image.repository` | The image repository of the Ingress Controller. | nginx/nginx-ingress | -|`controller.image.tag` | The tag of the Ingress Controller image. | 3.3.2 | +|`controller.image.tag` | The tag of the Ingress Controller image. | 3.4.0 | |`controller.image.pullPolicy` | The pull policy for the Ingress Controller image. | IfNotPresent | |`controller.lifecycle` | The lifecycle of the Ingress Controller pods. | {} | |`controller.customConfigMap` | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" | 
@@ -370,15 +372,15 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.initContainers` | InitContainers for the Ingress Controller pods. | [] | |`controller.extraContainers` | Extra (eg. sidecar) containers for the Ingress Controller pods. | [] | |`controller.resources` | The resources of the Ingress Controller pods. | requests: cpu=100m,memory=128Mi | +|`controller.initContainerResources` | The resources of the init container which is used when `controller.readOnlyRootFilesystem` is set to `true` | requests: cpu=100m,memory=128Mi | |`controller.replicaCount` | The number of replicas of the Ingress Controller deployment. | 1 | |`controller.ingressClass.name` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx | -|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.2, do not set the value to false. | true | +|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. 
If you are upgrading from a release earlier than 3.4.0, do not set the value to false. | true | |`controller.ingressClass.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass.name`. Requires `controller.ingressClass.create`. | false | |`controller.watchNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchNamespace="default\,nginx-ingress"`. | "" | |`controller.watchNamespaceLabel` | Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespace`. | "" | |`controller.watchSecretNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources of type Secret. If this arg is not configured, the Ingress Controller watches the same namespaces for all resources. See `controller.watchNamespace` and `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchSecretNamespace="default\,nginx-ingress"`. | "" | |`controller.enableCustomResources` | Enable the custom resources. | true | -|`controller.enablePreviewPolicies` | Enable preview policies. This parameter is deprecated. To enable OIDC Policies please use `controller.enableOIDC` instead. | false | |`controller.enableOIDC` | Enable OIDC policies. 
| false | |`controller.enableTLSPassthrough` | Enable TLS Passthrough on default port 443. Requires `controller.enableCustomResources`. | false | |`controller.tlsPassThroughPort` | Set the port for the TLS Passthrough. Requires `controller.enableCustomResources` and `controller.enableTLSPassthrough`. | 443 | @@ -415,6 +417,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.serviceAccount.annotations` | The annotations of the Ingress Controller service account. | {} | |`controller.serviceAccount.name` | The name of the service account of the Ingress Controller pods. Used for RBAC. | Autogenerated | |`controller.serviceAccount.imagePullSecretName` | The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release. | "" | +|`controller.serviceAccount.imagePullSecretsNames` | The list of secret names containing docker registry credentials. Secret must exist in the same namespace as the helm release. | [] | |`controller.serviceMonitor.name` | The name of the serviceMonitor. | Autogenerated | |`controller.serviceMonitor.create` | Create a ServiceMonitor custom resource. | false | |`controller.serviceMonitor.labels` | Kubernetes object labels to attach to the serviceMonitor object. | "" | 
@@ -441,6 +444,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 |`controller.minReadySeconds` | Specifies the minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available. [docs](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds) | 0 |
 |`controller.autoscaling.enabled` | Enables HorizontalPodAutoscaling. | false |
 |`controller.autoscaling.annotations` | The annotations of the Ingress Controller HorizontalPodAutoscaler. | {} |
+|`controller.autoscaling.behavior` | Behavior configuration for the HPA. | {} |
 |`controller.autoscaling.minReplicas` | Minimum number of replicas for the HPA. | 1 |
 |`controller.autoscaling.maxReplicas` | Maximum number of replicas for the HPA. | 3 |
 |`controller.autoscaling.targetCPUUtilizationPercentage` | The target CPU utilization percentage. | 50 |
@@ -451,7 +455,10 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.podDisruptionBudget.maxUnavailable` | The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". | 0 | |`controller.strategy` | Specifies the strategy used to replace old Pods with new ones. Docs for [Deployment update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) and [Daemonset update strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) | {} | |`controller.disableIPV6` | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false | +|`controller.defaultHTTPListenerPort` | Sets the port for the HTTP `default_server` listener. | 80 | +|`controller.defaultHTTPSListenerPort` | Sets the port for the HTTPS `default_server` listener. | 443 | |`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. | false | +|`controller.enableSSLDynamicReload` | Enable lazy loading for SSL Certificates. | true | |`rbac.create` | Configures RBAC. | true | |`prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true | |`prometheus.port` | Configures the port to scrape the metrics. | 9113 | diff --git a/charts/f5/nginx-ingress/crds/appprotect.f5.com_appolicies.yaml b/charts/f5/nginx-ingress/crds/appprotect.f5.com_appolicies.yaml index 8c494414c..0ca4649ce 100644 --- a/charts/f5/nginx-ingress/crds/appprotect.f5.com_appolicies.yaml +++ b/charts/f5/nginx-ingress/crds/appprotect.f5.com_appolicies.yaml @@ -109,6 +109,10 @@ spec: - IIS backslashes - IIS Unicode codepoints - Multiple decoding + - Multiple slashes + - Semicolon path parameters + - Trailing dot + - Trailing slash type: string enabled: type: boolean 
@@ -134,6 +138,7 @@ spec: - CRLF characters before request start - Content length should be a positive number - Chunked request with Content-Length header + - Check maximum number of cookies - Check maximum number of parameters - Check maximum number of headers - Body in GET or HEAD requests @@ -144,9 +149,17 @@ spec: type: string enabled: type: boolean + maxCookies: + maximum: 100 + minimum: 1 + type: integer maxHeaders: + maximum: 150 + minimum: 1 type: integer maxParams: + maximum: 5000 + minimum: 1 type: integer type: object type: array 
@@ -161,61 +174,69 @@ spec: type: string name: enum: - - VIOL_GRPC_FORMAT - - VIOL_GRPC_MALFORMED - - VIOL_GRPC_METHOD - - VIOL_PARAMETER_ARRAY_VALUE - - VIOL_PARAMETER_VALUE_REGEXP - - VIOL_CSRF - - VIOL_PARAMETER_VALUE_BASE64 - - VIOL_MANDATORY_HEADER - - VIOL_HEADER_REPEATED - - VIOL_ASM_COOKIE_MODIFIED - - VIOL_BLACKLISTED_IP - - VIOL_COOKIE_EXPIRED - - VIOL_COOKIE_LENGTH - - VIOL_COOKIE_MALFORMED - - VIOL_COOKIE_MODIFIED - - VIOL_DATA_GUARD - - VIOL_ENCODING - - VIOL_EVASION - - VIOL_FILETYPE - - VIOL_FILE_UPLOAD - - VIOL_FILE_UPLOAD_IN_BODY - - VIOL_HEADER_LENGTH - - VIOL_HEADER_METACHAR - - VIOL_HTTP_PROTOCOL - - VIOL_HTTP_RESPONSE_STATUS - - VIOL_JSON_FORMAT - - VIOL_JSON_MALFORMED - - VIOL_JSON_SCHEMA - - VIOL_MANDATORY_PARAMETER - - VIOL_MANDATORY_REQUEST_BODY - - VIOL_METHOD - - VIOL_PARAMETER - - VIOL_PARAMETER_DATA_TYPE - - VIOL_PARAMETER_EMPTY_VALUE - - VIOL_PARAMETER_LOCATION - - VIOL_PARAMETER_MULTIPART_NULL_VALUE - - VIOL_PARAMETER_NAME_METACHAR - - VIOL_PARAMETER_NUMERIC_VALUE - - VIOL_PARAMETER_REPEATED - - VIOL_PARAMETER_STATIC_VALUE - - VIOL_PARAMETER_VALUE_LENGTH - - VIOL_PARAMETER_VALUE_METACHAR - - VIOL_POST_DATA_LENGTH - - VIOL_QUERY_STRING_LENGTH - - VIOL_RATING_THREAT - - VIOL_RATING_NEED_EXAMINATION - - VIOL_REQUEST_MAX_LENGTH - - VIOL_REQUEST_LENGTH - - VIOL_THREAT_CAMPAIGN - - VIOL_URL - - VIOL_URL_CONTENT_TYPE - - VIOL_URL_LENGTH - - VIOL_URL_METACHAR - - VIOL_XML_FORMAT - - VIOL_XML_MALFORMED + - "VIOL_ACCESS_INVALID" + - "VIOL_ACCESS_MALFORMED" + - "VIOL_ACCESS_MISSING" + - "VIOL_ASM_COOKIE_HIJACKING" + - "VIOL_ASM_COOKIE_MODIFIED" + - "VIOL_BLACKLISTED_IP" + - "VIOL_COOKIE_EXPIRED" + - "VIOL_COOKIE_LENGTH" + - "VIOL_COOKIE_MALFORMED" + - "VIOL_COOKIE_MODIFIED" + - "VIOL_CSRF" + - "VIOL_DATA_GUARD" + - "VIOL_ENCODING" + - "VIOL_EVASION" + - "VIOL_FILETYPE" + - "VIOL_FILE_UPLOAD" + - "VIOL_FILE_UPLOAD_IN_BODY" + - "VIOL_GRAPHQL_ERROR_RESPONSE" + - "VIOL_GRAPHQL_FORMAT" + - "VIOL_GRAPHQL_INTROSPECTION_QUERY" + - 
"VIOL_GRAPHQL_MALFORMED" + - "VIOL_GRPC_FORMAT" + - "VIOL_GRPC_MALFORMED" + - "VIOL_GRPC_METHOD" + - "VIOL_HEADER_LENGTH" + - "VIOL_HEADER_METACHAR" + - "VIOL_HEADER_REPEATED" + - "VIOL_HTTP_PROTOCOL" + - "VIOL_HTTP_RESPONSE_STATUS" + - "VIOL_JSON_FORMAT" + - "VIOL_JSON_MALFORMED" + - "VIOL_JSON_SCHEMA" + - "VIOL_MANDATORY_HEADER" + - "VIOL_MANDATORY_PARAMETER" + - "VIOL_MANDATORY_REQUEST_BODY" + - "VIOL_METHOD" + - "VIOL_PARAMETER" + - "VIOL_PARAMETER_ARRAY_VALUE" + - "VIOL_PARAMETER_DATA_TYPE" + - "VIOL_PARAMETER_EMPTY_VALUE" + - "VIOL_PARAMETER_LOCATION" + - "VIOL_PARAMETER_MULTIPART_NULL_VALUE" + - "VIOL_PARAMETER_NAME_METACHAR" + - "VIOL_PARAMETER_NUMERIC_VALUE" + - "VIOL_PARAMETER_REPEATED" + - "VIOL_PARAMETER_STATIC_VALUE" + - "VIOL_PARAMETER_VALUE_BASE64" + - "VIOL_PARAMETER_VALUE_LENGTH" + - "VIOL_PARAMETER_VALUE_METACHAR" + - "VIOL_PARAMETER_VALUE_REGEXP" + - "VIOL_POST_DATA_LENGTH" + - "VIOL_QUERY_STRING_LENGTH" + - "VIOL_RATING_NEED_EXAMINATION" + - "VIOL_RATING_THREAT" + - "VIOL_REQUEST_LENGTH" + - "VIOL_REQUEST_MAX_LENGTH" + - "VIOL_THREAT_CAMPAIGN" + - "VIOL_URL" + - "VIOL_URL_CONTENT_TYPE" + - "VIOL_URL_LENGTH" + - "VIOL_URL_METACHAR" + - "VIOL_XML_FORMAT" + - "VIOL_XML_MALFORMED" type: string type: object type: array @@ -248,8 +269,10 @@ spec: name: type: string scoreThreshold: - pattern: '[0-9]|[1-9][0-9]|1[0-4][0-9]|150|default' - type: string + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true type: object type: array browsers: @@ -265,21 +288,6 @@ spec: - block - detect type: string - browserDefinition: - properties: - $action: - enum: - - delete - type: string - isUserDefined: - type: boolean - matchRegex: - type: string - matchString: - type: string - name: - type: string - type: object maxVersion: maximum: 2147483647 minimum: 0 
@@ -393,8 +401,10 @@ spec: cookie-settings: properties: maximumCookieHeaderLength: - pattern: any|\d+ - type: string + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true type: object cookieReference: properties: @@ -434,6 +444,8 @@ spec: - none-value - strict type: string + maskValueInLogs: + type: boolean name: type: string securedOverHttpsConnection: @@ -634,13 +646,22 @@ spec: type: boolean attackSignaturesCheck: type: boolean + metacharCheck: + type: boolean + decodeStringValuesAsBase64: + enum: + - disabled + - enabled + type: string defenseAttributes: properties: allowUnknownFields: type: boolean maximumDataLength: - pattern: any|\d+ - type: string + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true type: object description: type: string @@ -688,8 +709,10 @@ spec: header-settings: properties: maximumHttpHeaderLength: - pattern: any|\d+ - type: string + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true type: object headerReference: properties: @@ -794,17 +817,25 @@ spec: defenseAttributes: properties: maximumArrayLength: - pattern: any|\d+ - type: string + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true maximumStructureDepth: - pattern: any|\d+ - type: string + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true maximumTotalLengthOfJSONData: - pattern: any|\d+ - type: string + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true maximumValueLength: - pattern: any|\d+ - type: string + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true tolerateJSONParsingWarnings: type: boolean type: object 
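Review bot: Replacing `pattern: any|\d+` with a bare `anyOf` integer/string and `x-kubernetes-int-or-string: true` leaves these WAF limits with no admission-time value check at all, starting with `maximumCookieHeaderLength` in this hunk: any string and any integer, negative ones included, now passes the API server. The old pattern was unanchored and therefore weak, but the new schema drops the intent entirely. The same applies to `scoreThreshold` in the earlier hunk (previously limited to 0–150 or `default`) and to `maximumDataLength`, `maximumHttpHeaderLength`, the JSON and XML `maximum*` fields and `originPort` in the other hunks. A structural schema can keep a string pattern next to the int-or-string marker, so an anchored `pattern: ^(any|\d+)$` (and `^([0-9]|[1-9][0-9]|1[0-4][0-9]|150|default)$` for `scoreThreshold`) would accept integers while rejecting a mistyped limit at apply time. Without it, what happens to a bad value depends on the policy compiler, which is not visible in this diff.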
@@ -1065,6 +1096,62 @@ spec: - wildcard type: string url: + properties: + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + name: + type: string + protocol: + enum: + - http + - https + type: string + type: + enum: + - explicit + - wildcard + type: string type: object valueMetacharOverrides: items: @@ -1402,8 +1489,10 @@ spec: originName: type: string originPort: - pattern: any|\d+ - type: string + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true originProtocol: enum: - http @@ -1676,6 +1765,62 @@ spec: - wildcard type: string url: + properties: + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + name: + type: string + protocol: + enum: + - http + - https + type: string + type: + enum: + - explicit + - wildcard + type: string type: object valueMetacharOverrides: items: @@ -1741,7 +1886,10 @@ spec: headerName: type: string headerOrder: - type: string + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true headerValue: type: string name: 
@@ -1813,32 +1961,50 @@ spec: allowProcessingInstructions: type: boolean maximumAttributeValueLength: - pattern: any|\d+ - type: string + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true maximumAttributesPerElement: - pattern: any|\d+ - type: string + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true maximumChildrenPerElement: - pattern: any|\d+ - type: string + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true maximumDocumentDepth: - pattern: any|\d+ - type: string + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true maximumDocumentSize: - pattern: any|\d+ - type: string + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true maximumElements: - pattern: any|\d+ - type: string + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true maximumNSDeclarations: - pattern: any|\d+ - type: string + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true maximumNameLength: - pattern: any|\d+ - type: string + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true maximumNamespaceLength: - pattern: any|\d+ - type: string + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true tolerateCloseTagShorthand: type: boolean tolerateLeadingWhiteSpace: @@ -1867,6 +2033,8 @@ spec: type: string type: object type: array + useXmlResponsePage: + type: boolean type: object type: array xml-validation-files: 
@@ -1896,6 +2064,93 @@ spec: pattern: ^http type: string type: object + graphql-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowIntrospectionQueries: + type: boolean + maximumBatchedQueries: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumQueryCost: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumStructureDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumTotalLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateParsingWarnings: + type: boolean + type: object + description: + type: string + metacharElementCheck: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + responseEnforcement: + properties: + blockDisallowedPatterns: + type: boolean + disallowedPatterns: + items: + type: string + type: array + type: object + sensetiveData: + items: + properties: + parameterName: + type: string + type: object + type: array + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + name: + type: string + type: object + type: array type: object type: object type: object diff --git a/charts/f5/nginx-ingress/crds/appprotectdos.f5.com_dosprotectedresources.yaml b/charts/f5/nginx-ingress/crds/appprotectdos.f5.com_dosprotectedresources.yaml index 53a51c493..34d85433f 100644 --- a/charts/f5/nginx-ingress/crds/appprotectdos.f5.com_dosprotectedresources.yaml +++ b/charts/f5/nginx-ingress/crds/appprotectdos.f5.com_dosprotectedresources.yaml 
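Review bot: The property name `sensetiveData` in the new `graphql-profiles` schema looks like a misspelling of `sensitiveData`. If the App Protect policy format uses the latter spelling (it is not visible in this diff), a policy written with the correct key would presumably be removed by structural-schema pruning unless unknown fields are preserved on this object, and the listed parameters would then not be treated as sensitive in logs, with no error shown to the author. Confirm the spelling against the upstream policy schema before publishing this CRD; if the schema does say `sensitiveData`, the key should read `sensitiveData:`.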
@@ -1,3 +1,4 @@
+---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -11,71 +12,87 @@ spec: listKind: DosProtectedResourceList plural: dosprotectedresources shortNames: - - pr + - pr singular: dosprotectedresource scope: Namespaced versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: DosProtectedResource defines a Dos protected resource. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: DosProtectedResourceSpec defines the properties and values a DosProtectedResource can have. - type: object - properties: - apDosMonitor: - description: 'ApDosMonitor is how NGINX App Protect DoS monitors the stress level of the protected object. The monitor requests are sent from localhost (127.0.0.1). Default value: URI - None, protocol - http1, timeout - NGINX App Protect DoS default.' - type: object - properties: - protocol: - description: Protocol determines if the server listens on http1 / http2 / grpc / websocket. The default is http1. - type: string - enum: - - http1 - - http2 - - grpc - - websocket - timeout: - description: Timeout determines how long (in seconds) should NGINX App Protect DoS wait for a response. Default is 10 seconds for http1/http2 and 5 seconds for grpc. 
- type: integer - format: int64 - uri: - description: 'URI is the destination to the desired protected object in the nginx.conf:' - type: string - apDosPolicy: - description: ApDosPolicy is the namespace/name of a ApDosPolicy resource - type: string - dosAccessLogDest: - description: DosAccessLogDest is the network address for the access logs - type: string - dosSecurityLog: - description: DosSecurityLog defines the security log of the DosProtectedResource. - type: object - properties: - apDosLogConf: - description: ApDosLogConf is the namespace/name of a APDosLogConf resource - type: string - dosLogDest: - description: DosLogDest is the network address of a logging service, can be either IP or DNS name. - type: string - enable: - description: Enable enables the security logging feature if set to true - type: boolean - enable: - description: Enable enables the DOS feature if set to true - type: boolean - name: - description: Name is the name of protected object, max of 63 characters. - type: string - served: true - storage: true + - name: v1beta1 + schema: + openAPIV3Schema: + description: DosProtectedResource defines a Dos protected resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DosProtectedResourceSpec defines the properties and values + a DosProtectedResource can have. 
+ properties: + apDosMonitor: + description: 'ApDosMonitor is how NGINX App Protect DoS monitors the + stress level of the protected object. The monitor requests are sent + from localhost (127.0.0.1). Default value: URI - None, protocol + - http1, timeout - NGINX App Protect DoS default.' + properties: + protocol: + description: Protocol determines if the server listens on http1 + / http2 / grpc / websocket. The default is http1. + enum: + - http1 + - http2 + - grpc + - websocket + type: string + timeout: + description: Timeout determines how long (in seconds) should NGINX + App Protect DoS wait for a response. Default is 10 seconds for + http1/http2 and 5 seconds for grpc. + format: int64 + type: integer + uri: + description: 'URI is the destination to the desired protected + object in the nginx.conf:' + type: string + type: object + apDosPolicy: + description: ApDosPolicy is the namespace/name of a ApDosPolicy resource + type: string + dosAccessLogDest: + description: DosAccessLogDest is the network address for the access + logs + type: string + dosSecurityLog: + description: DosSecurityLog defines the security log of the DosProtectedResource. + properties: + apDosLogConf: + description: ApDosLogConf is the namespace/name of a APDosLogConf + resource + type: string + dosLogDest: + description: DosLogDest is the network address of a logging service, + can be either IP or DNS name. + type: string + enable: + description: Enable enables the security logging feature if set + to true + type: boolean + type: object + enable: + description: Enable enables the DOS feature if set to true + type: boolean + name: + description: Name is the name of protected object, max of 63 characters. + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/crds/externaldns.nginx.org_dnsendpoints.yaml b/charts/f5/nginx-ingress/crds/externaldns.nginx.org_dnsendpoints.yaml index 82790713b..54d27d796 100644 
--- a/charts/f5/nginx-ingress/crds/externaldns.nginx.org_dnsendpoints.yaml +++ b/charts/f5/nginx-ingress/crds/externaldns.nginx.org_dnsendpoints.yaml @@ -1,3 +1,4 @@ +--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -13,72 +14,79 @@ spec: singular: dnsendpoint scope: Namespaced versions: - - name: v1 - schema: - openAPIV3Schema: - description: DNSEndpoint is the CRD wrapper for Endpoint - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: DNSEndpointSpec holds information about endpoints. - type: object - properties: - endpoints: - type: array - items: - description: Endpoint describes DNS Endpoint. - type: object - properties: - dnsName: - description: The hostname for the DNS record + - name: v1 + schema: + openAPIV3Schema: + description: DNSEndpoint is the CRD wrapper for Endpoint + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DNSEndpointSpec holds information about endpoints. + properties: + endpoints: + items: + description: Endpoint describes DNS Endpoint. + properties: + dnsName: + description: The hostname for the DNS record + type: string + labels: + additionalProperties: type: string - labels: - description: Labels stores labels defined for the Endpoint + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: ProviderSpecificProperty represents provider + specific config property. + properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string type: object - additionalProperties: - type: string - providerSpecific: - description: ProviderSpecific stores provider specific config - type: array - items: - description: ProviderSpecificProperty represents provider specific config property. - type: object - properties: - name: - description: Name of the property - type: string - value: - description: Value of the property - type: string - recordTTL: - description: TTL for the record - type: integer - format: int64 - recordType: - description: RecordType type of record, e.g. CNAME, A, SRV, TXT, MX + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + description: RecordType type of record, e.g. CNAME, A, SRV, + TXT, MX + type: string + targets: + description: The targets the DNS service points to + items: type: string - targets: - description: The targets the DNS service points to - type: array - items: - type: string - status: - description: DNSEndpointStatus represents generation observed by the external dns controller. 
- type: object - properties: - observedGeneration: - description: The generation observed by by the external-dns controller. - type: integer - format: int64 - served: true - storage: true - subresources: - status: {} + type: array + type: object + type: array + type: object + status: + description: DNSEndpointStatus represents generation observed by the external + dns controller. + properties: + observedGeneration: + description: The generation observed by by the external-dns controller. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/crds/k8s.nginx.org_globalconfigurations.yaml b/charts/f5/nginx-ingress/crds/k8s.nginx.org_globalconfigurations.yaml index b0dc371fd..e5695ddd8 100644 --- a/charts/f5/nginx-ingress/crds/k8s.nginx.org_globalconfigurations.yaml +++ b/charts/f5/nginx-ingress/crds/k8s.nginx.org_globalconfigurations.yaml @@ -1,3 +1,4 @@ +--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -11,41 +12,85 @@ spec: listKind: GlobalConfigurationList plural: globalconfigurations shortNames: - - gc + - gc singular: globalconfiguration scope: Namespaced versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GlobalConfiguration defines the GlobalConfiguration resource. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: GlobalConfigurationSpec is the spec of the GlobalConfiguration resource. - type: object - properties: - listeners: - type: array - items: - description: Listener defines a listener. - type: object - properties: - name: - type: string - port: - type: integer - protocol: - type: string - ssl: - type: boolean - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + description: GlobalConfiguration defines the GlobalConfiguration resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. 
Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GlobalConfigurationSpec is the spec of the GlobalConfiguration + resource. + properties: + listeners: + items: + description: Listener defines a listener. + properties: + name: + type: string + port: + type: integer + protocol: + type: string + ssl: + type: boolean + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GlobalConfiguration defines the GlobalConfiguration resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GlobalConfigurationSpec is the spec of the GlobalConfiguration + resource. + properties: + listeners: + items: + description: Listener defines a listener. + properties: + name: + type: string + port: + type: integer + protocol: + type: string + ssl: + type: boolean + type: object + type: array + type: object + type: object + served: true + storage: false 
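Review bot: The storage version of GlobalConfiguration moves to the new `v1` entry (`storage: true`) while `v1alpha1` drops to `storage: false`, and this file lives under the chart's `crds/` directory, which Helm applies only on first install and skips on `helm upgrade`. A cluster upgraded in place would therefore keep the old definition that serves only `v1alpha1`, so the upgrade notes should carry a line such as `Apply the files in crds/ with kubectl before upgrading the release; Helm does not update CRDs.` No conversion strategy is visible in the hunk and the two schemas are identical, so existing objects presumably stay persisted as `v1alpha1` until they are rewritten; worth confirming before `v1alpha1` is ever removed. The `@@ -11,146 +12,311 @@` hunk for `k8s.nginx.org_transportservers.yaml` makes the same storage switch.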
diff --git a/charts/f5/nginx-ingress/crds/k8s.nginx.org_policies.yaml b/charts/f5/nginx-ingress/crds/k8s.nginx.org_policies.yaml index 907c22a88..59bc5cb9d 100644 --- a/charts/f5/nginx-ingress/crds/k8s.nginx.org_policies.yaml +++ b/charts/f5/nginx-ingress/crds/k8s.nginx.org_policies.yaml @@ -1,3 +1,4 @@ +--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -11,167 +12,184 @@ spec: listKind: PolicyList plural: policies shortNames: - - pol + - pol singular: policy scope: Namespaced versions: - - additionalPrinterColumns: - - description: Current state of the Policy. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller. - jsonPath: .status.state - name: State - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: PolicySpec is the spec of the Policy resource. The spec includes multiple fields, where each field represents a different policy. Only one policy (field) is allowed. - type: object - properties: - accessControl: - description: AccessControl defines an access policy based on the source IP of a request. - type: object - properties: - allow: - type: array - items: + - additionalPrinterColumns: + - description: Current state of the Policy. If the resource has a valid status, + it means it has been validated and accepted by the Ingress Controller. 
+ jsonPath: .status.state + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PolicySpec is the spec of the Policy resource. The spec includes + multiple fields, where each field represents a different policy. Only + one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. + properties: + allow: + items: + type: string + type: array + deny: + items: + type: string + type: array + type: object + basicAuth: + description: 'BasicAuth holds HTTP Basic authentication configuration + policy status: preview' + properties: + realm: + type: string + secret: + type: string + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. 
+ properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressClassName: + type: string + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + crlFileName: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + jwksURI: + type: string + keyCache: + type: string + realm: + type: string + secret: + type: string + token: + type: string + type: object + oidc: + description: OIDC defines an Open ID Connect policy. + properties: + accessTokenEnable: + type: boolean + authEndpoint: + type: string + authExtraArgs: + items: + type: string + type: array + clientID: + type: string + clientSecret: + type: string + jwksURI: + type: string + redirectURI: + type: string + scope: + type: string + tokenEndpoint: + type: string + zoneSyncLeeway: + type: integer + type: object + rateLimit: + description: RateLimit defines a rate limit policy. + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + type: object + waf: + description: WAF defines an WAF policy. + properties: + apBundle: + type: string + apPolicy: + type: string + enable: + type: boolean + securityLog: + description: SecurityLog defines the security log of a WAF policy. 
+ properties: + apLogConf: type: string - deny: - type: array - items: + enable: + type: boolean + logDest: type: string - basicAuth: - description: 'BasicAuth holds HTTP Basic authentication configuration policy status: preview' - type: object - properties: - realm: - type: string - secret: - type: string - egressMTLS: - description: EgressMTLS defines an Egress MTLS policy. - type: object - properties: - ciphers: - type: string - protocols: - type: string - serverName: - type: boolean - sessionReuse: - type: boolean - sslName: - type: string - tlsSecret: - type: string - trustedCertSecret: - type: string - verifyDepth: - type: integer - verifyServer: - type: boolean - ingressClassName: - type: string - ingressMTLS: - description: IngressMTLS defines an Ingress MTLS policy. - type: object - properties: - clientCertSecret: - type: string - crlFileName: - type: string - verifyClient: - type: string - verifyDepth: - type: integer - jwt: - description: JWTAuth holds JWT authentication configuration. - type: object - properties: - jwksURI: - type: string - keyCache: - type: string - realm: - type: string - secret: - type: string - token: - type: string - oidc: - description: OIDC defines an Open ID Connect policy. - type: object - properties: - accessTokenEnable: - type: boolean - authEndpoint: - type: string - authExtraArgs: - type: array - items: - type: string - clientID: - type: string - clientSecret: - type: string - jwksURI: - type: string - redirectURI: - type: string - scope: - type: string - tokenEndpoint: - type: string - zoneSyncLeeway: - type: integer - rateLimit: - description: RateLimit defines a rate limit policy. - type: object - properties: - burst: - type: integer - delay: - type: integer - dryRun: - type: boolean - key: - type: string - logLevel: - type: string - noDelay: - type: boolean - rate: - type: string - rejectCode: - type: integer - zoneSize: - type: string - waf: - description: WAF defines an WAF policy. 
- type: object - properties: - apBundle: - type: string - apPolicy: - type: string - enable: - type: boolean - securityLog: + type: object + securityLogs: + items: description: SecurityLog defines the security log of a WAF policy. - type: object properties: apLogConf: type: string 
@@ -179,125 +197,126 @@ spec: type: boolean logDest: type: string - securityLogs: - type: array - items: - description: SecurityLog defines the security log of a WAF policy. - type: object - properties: - apLogConf: - type: string - enable: - type: boolean - logDest: - type: string - status: - description: PolicyStatus is the status of the policy resource - type: object - properties: - message: - type: string - reason: - type: string - state: - type: string - served: true - storage: true - subresources: - status: {} - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: PolicySpec is the spec of the Policy resource. The spec includes multiple fields, where each field represents a different policy. Only one policy (field) is allowed. - type: object - properties: - accessControl: - description: AccessControl defines an access policy based on the source IP of a request. - type: object - properties: - allow: - type: array - items: - type: string - deny: - type: array - items: - type: string - egressMTLS: - description: EgressMTLS defines an Egress MTLS policy. 
- type: object - properties: - ciphers: + type: object + type: array + type: object + type: object + status: + description: PolicyStatus is the status of the policy resource + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PolicySpec is the spec of the Policy resource. The spec includes + multiple fields, where each field represents a different policy. Only + one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. + properties: + allow: + items: type: string - protocols: + type: array + deny: + items: type: string - serverName: - type: boolean - sessionReuse: - type: boolean - sslName: - type: string - tlsSecret: - type: string - trustedCertSecret: - type: string - verifyDepth: - type: integer - verifyServer: - type: boolean - ingressMTLS: - description: IngressMTLS defines an Ingress MTLS policy. 
- type: object - properties: - clientCertSecret: - type: string - verifyClient: - type: string - verifyDepth: - type: integer - jwt: - description: JWTAuth holds JWT authentication configuration. - type: object - properties: - realm: - type: string - secret: - type: string - token: - type: string - rateLimit: - description: RateLimit defines a rate limit policy. - type: object - properties: - burst: - type: integer - delay: - type: integer - dryRun: - type: boolean - key: - type: string - logLevel: - type: string - noDelay: - type: boolean - rate: - type: string - rejectCode: - type: integer - zoneSize: - type: string - served: true - storage: false + type: array + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + realm: + type: string + secret: + type: string + token: + type: string + type: object + rateLimit: + description: RateLimit defines a rate limit policy. + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + type: object + type: object + type: object + served: true + storage: false diff --git a/charts/f5/nginx-ingress/crds/k8s.nginx.org_transportservers.yaml b/charts/f5/nginx-ingress/crds/k8s.nginx.org_transportservers.yaml index b1448e9e3..ab3079a16 100644 
--- a/charts/f5/nginx-ingress/crds/k8s.nginx.org_transportservers.yaml +++ b/charts/f5/nginx-ingress/crds/k8s.nginx.org_transportservers.yaml @@ -1,3 +1,4 @@ +--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -11,146 +12,311 @@ spec: listKind: TransportServerList plural: transportservers shortNames: - - ts + - ts singular: transportserver scope: Namespaced versions: - - additionalPrinterColumns: - - description: Current state of the TransportServer. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller. - jsonPath: .status.state - name: State - type: string - - jsonPath: .status.reason - name: Reason - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: TransportServer defines the TransportServer resource. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: TransportServerSpec is the spec of the TransportServer resource. - type: object - properties: - action: - description: Action defines an action. - type: object + - additionalPrinterColumns: + - description: Current state of the TransportServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. 
+ jsonPath: .status.state + name: State + type: string + - jsonPath: .status.reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: TransportServer defines the TransportServer resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TransportServerSpec is the spec of the TransportServer resource. + properties: + action: + description: TransportServerAction defines an action. + properties: + pass: + type: string + type: object + host: + type: string + ingressClassName: + type: string + listener: + description: TransportServerListener defines a listener for a TransportServer. + properties: + name: + type: string + protocol: + type: string + type: object + serverSnippets: + type: string + sessionParameters: + description: SessionParameters defines session parameters. + properties: + timeout: + type: string + type: object + streamSnippets: + type: string + tls: + description: TransportServerTLS defines TransportServerTLS configuration + for a TransportServer. + properties: + secret: + type: string + type: object + upstreamParameters: + description: UpstreamParameters defines parameters for an upstream. 
+ properties: + connectTimeout: + type: string + nextUpstream: + type: boolean + nextUpstreamTimeout: + type: string + nextUpstreamTries: + type: integer + udpRequests: + type: integer + udpResponses: + type: integer + type: object + upstreams: + items: + description: TransportServerUpstream defines an upstream. properties: - pass: + backup: type: string - host: - type: string - ingressClassName: - type: string - listener: - description: TransportServerListener defines a listener for a TransportServer. - type: object - properties: + backupPort: + type: integer + failTimeout: + type: string + healthCheck: + description: TransportServerHealthCheck defines the parameters + for active Upstream HealthChecks. + properties: + enable: + type: boolean + fails: + type: integer + interval: + type: string + jitter: + type: string + match: + description: TransportServerMatch defines the parameters + of a custom health check. + properties: + expect: + type: string + send: + type: string + type: object + passes: + type: integer + port: + type: integer + timeout: + type: string + type: object + loadBalancingMethod: + type: string + maxConns: + type: integer + maxFails: + type: integer name: type: string - protocol: - type: string - serverSnippets: - type: string - sessionParameters: - description: SessionParameters defines session parameters. - type: object - properties: - timeout: - type: string - streamSnippets: - type: string - tls: - description: TLS defines TLS configuration for a TransportServer. - type: object - properties: - secret: - type: string - upstreamParameters: - description: UpstreamParameters defines parameters for an upstream. 
- type: object - properties: - connectTimeout: - type: string - nextUpstream: - type: boolean - nextUpstreamTimeout: - type: string - nextUpstreamTries: + port: type: integer - udpRequests: + service: + type: string + type: object + type: array + type: object + status: + description: TransportServerStatus defines the status for the TransportServer + resource. + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Current state of the TransportServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .status.reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TransportServer defines the TransportServer resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TransportServerSpec is the spec of the TransportServer resource. + properties: + action: + description: TransportServerAction defines an action. 
+ properties: + pass: + type: string + type: object + host: + type: string + ingressClassName: + type: string + listener: + description: TransportServerListener defines a listener for a TransportServer. + properties: + name: + type: string + protocol: + type: string + type: object + serverSnippets: + type: string + sessionParameters: + description: SessionParameters defines session parameters. + properties: + timeout: + type: string + type: object + streamSnippets: + type: string + tls: + description: TransportServerTLS defines TransportServerTLS configuration + for a TransportServer. + properties: + secret: + type: string + type: object + upstreamParameters: + description: UpstreamParameters defines parameters for an upstream. + properties: + connectTimeout: + type: string + nextUpstream: + type: boolean + nextUpstreamTimeout: + type: string + nextUpstreamTries: + type: integer + udpRequests: + type: integer + udpResponses: + type: integer + type: object + upstreams: + items: + description: TransportServerUpstream defines an upstream. + properties: + backup: + type: string + backupPort: type: integer - udpResponses: + failTimeout: + type: string + healthCheck: + description: TransportServerHealthCheck defines the parameters + for active Upstream HealthChecks. + properties: + enable: + type: boolean + fails: + type: integer + interval: + type: string + jitter: + type: string + match: + description: TransportServerMatch defines the parameters + of a custom health check. + properties: + expect: + type: string + send: + type: string + type: object + passes: + type: integer + port: + type: integer + timeout: + type: string + type: object + loadBalancingMethod: + type: string + maxConns: type: integer - upstreams: - type: array - items: - description: Upstream defines an upstream. - type: object - properties: - failTimeout: - type: string - healthCheck: - description: HealthCheck defines the parameters for active Upstream HealthChecks. 
- type: object - properties: - enable: - type: boolean - fails: - type: integer - interval: - type: string - jitter: - type: string - match: - description: Match defines the parameters of a custom health check. - type: object - properties: - expect: - type: string - send: - type: string - passes: - type: integer - port: - type: integer - timeout: - type: string - loadBalancingMethod: - type: string - maxConns: - type: integer - maxFails: - type: integer - name: - type: string - port: - type: integer - service: - type: string - status: - description: TransportServerStatus defines the status for the TransportServer resource. - type: object - properties: - message: - type: string - reason: - type: string - state: - type: string - served: true - storage: true - subresources: - status: {} + maxFails: + type: integer + name: + type: string + port: + type: integer + service: + type: string + type: object + type: array + type: object + status: + description: TransportServerStatus defines the status for the TransportServer + resource. + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/crds/k8s.nginx.org_virtualserverroutes.yaml b/charts/f5/nginx-ingress/crds/k8s.nginx.org_virtualserverroutes.yaml index d21640a39..bc5b47c50 100644 --- a/charts/f5/nginx-ingress/crds/k8s.nginx.org_virtualserverroutes.yaml +++ b/charts/f5/nginx-ingress/crds/k8s.nginx.org_virtualserverroutes.yaml @@ -1,3 +1,4 @@ +--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
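Review bot: `serverSnippets` and `streamSnippets` in the new `v1` TransportServer schema are unconstrained `type: string` fields, and going by their names they carry raw NGINX configuration into the shared proxy. The schema cannot validate such content, so the control has to sit elsewhere: keep snippets disabled in the controller (upstream gates them behind `-enable-snippets`, which I believe is off by default) and grant `create`/`update` on `transportservers` only to roles that are trusted with the proxy's configuration. The same applies to the `v1alpha1` entry, which keeps both fields and is still `served: true`. It would help to state this in the chart's values documentation, for example `Snippet fields are ignored unless snippets are enabled; enable only when every namespace that can create TransportServers is trusted.`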
@@ -11,628 +12,673 @@ spec: listKind: VirtualServerRouteList plural: virtualserverroutes shortNames: - - vsr + - vsr singular: virtualserverroute scope: Namespaced versions: - - additionalPrinterColumns: - - description: Current state of the VirtualServerRoute. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller. - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.host - name: Host - type: string - - jsonPath: .status.externalEndpoints[*].ip - name: IP - type: string - - jsonPath: .status.externalEndpoints[*].hostname - name: ExternalHostname - priority: 1 - type: string - - jsonPath: .status.externalEndpoints[*].ports - name: Ports - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: VirtualServerRoute defines the VirtualServerRoute resource. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: VirtualServerRouteSpec is the spec of the VirtualServerRoute resource. - type: object - properties: - host: - type: string - ingressClassName: - type: string - subroutes: - type: array - items: - description: Route defines a route. - type: object - properties: - action: - description: Action defines an action. 
- type: object - properties: - pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. - type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. - type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. - type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - dos: - type: string - errorPages: - type: array - items: - description: ErrorPage defines an ErrorPage in a Route. - type: object + - additionalPrinterColumns: + - description: Current state of the VirtualServerRoute. If the resource has a + valid status, it means it has been validated and accepted by the Ingress Controller. 
+ jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServerRoute defines the VirtualServerRoute resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: VirtualServerRouteSpec is the spec of the VirtualServerRoute + resource. + properties: + host: + type: string + ingressClassName: + type: string + subroutes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. properties: - codes: - type: array - items: - type: integer - redirect: - description: ErrorPageRedirect defines a redirect for an ErrorPage. - type: object + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. 
properties: - code: - type: integer - url: - type: string - return: - description: ErrorPageReturn defines a return for an ErrorPage. - type: object - properties: - body: - type: string - code: - type: integer - headers: - type: array + pass: + type: boolean + set: items: description: Header defines an HTTP Header. - type: object properties: name: type: string value: type: string - type: - type: string - location-snippets: - type: string - matches: - type: array - items: - description: Match defines a match. - type: object - properties: - action: - description: Action defines an action. - type: object - properties: - pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. - type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. - type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. 
- type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - conditions: - type: array - items: - description: Condition defines a condition in a MatchRule. - type: object - properties: - argument: - type: string - cookie: - type: string - header: - type: string - value: - type: string - variable: - type: string - splits: - type: array - items: - description: Split defines a split. - type: object - properties: - action: - description: Action defines an action. type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. 
+ properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. properties: pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. - type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. - type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. 
- type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - weight: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: type: integer - path: - type: string - policies: - type: array - items: - description: PolicyReference references a policy by name and an optional namespace. - type: object - properties: - name: - type: string - namespace: - type: string - route: - type: string - splits: - type: array - items: - description: Split defines a split. - type: object - properties: - action: - description: Action defines an action. - type: object - properties: - pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. - type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. 
- type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. - type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. - type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - weight: - type: integer - upstreams: - type: array - items: - description: Upstream defines an upstream. - type: object - properties: - buffer-size: - type: string - buffering: - type: boolean - buffers: - description: UpstreamBuffers defines Buffer Configuration for an Upstream. - type: object - properties: - number: - type: integer - size: - type: string - client-max-body-size: - type: string - connect-timeout: - type: string - fail-timeout: - type: string - healthCheck: - description: HealthCheck defines the parameters for active Upstream HealthChecks. - type: object - properties: - connect-timeout: - type: string - enable: - type: boolean - fails: - type: integer - grpcService: - type: string - grpcStatus: - type: integer - headers: - type: array + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. 
+ properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + conditions: items: - description: Header defines an HTTP Header. - type: object + description: Condition defines a condition in a MatchRule. properties: - name: + argument: + type: string + cookie: + type: string + header: type: string value: type: string - interval: - type: string - jitter: - type: string - keepalive-time: - type: string - mandatory: - type: boolean - passes: - type: integer - path: - type: string - persistent: - type: boolean - port: - type: integer - read-timeout: - type: string - send-timeout: - type: string - statusMatch: - type: string - tls: - description: UpstreamTLS defines a TLS configuration for an Upstream. - type: object - properties: - enable: - type: boolean - keepalive: - type: integer - lb-method: - type: string - max-conns: - type: integer - max-fails: - type: integer - name: - type: string - next-upstream: - type: string - next-upstream-timeout: - type: string - next-upstream-tries: - type: integer - ntlm: - type: boolean - port: - type: integer - queue: - description: UpstreamQueue defines Queue Configuration for an Upstream. + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. 
+ properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. properties: - size: - type: integer - timeout: - type: string - read-timeout: - type: string - send-timeout: - type: string - service: - type: string - sessionCookie: - description: SessionCookie defines the parameters for session persistence. - type: object - properties: - domain: - type: string - enable: - type: boolean - expires: - type: string - httpOnly: - type: boolean name: type: string - path: + namespace: type: string - samesite: - type: string - secure: - type: boolean - slow-start: - type: string - subselector: - type: object - additionalProperties: - type: string - tls: - description: UpstreamTLS defines a TLS configuration for an Upstream. type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. properties: - enable: - type: boolean - type: + action: + description: Action defines an action. 
+ properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + upstreams: + items: + description: Upstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. 
+ properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. + properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. 
+ properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: type: string - use-cluster-ip: - type: boolean - status: - description: VirtualServerRouteStatus defines the status for the VirtualServerRoute resource. - type: object - properties: - externalEndpoints: - type: array - items: - description: ExternalEndpoint defines the IP/ Hostname and ports used to connect to this resource. - type: object - properties: - hostname: - type: string - ip: - type: string - ports: - type: string - message: - type: string - reason: - type: string - referencedBy: - type: string - state: - type: string - served: true - storage: true - subresources: - status: {} + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerRouteStatus defines the status for the VirtualServerRoute + resource. + properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + referencedBy: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/crds/k8s.nginx.org_virtualservers.yaml b/charts/f5/nginx-ingress/crds/k8s.nginx.org_virtualservers.yaml index 189cce4f6..73f12b169 100644 --- a/charts/f5/nginx-ingress/crds/k8s.nginx.org_virtualservers.yaml 
+++ b/charts/f5/nginx-ingress/crds/k8s.nginx.org_virtualservers.yaml @@ -1,3 +1,4 @@ +--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -11,721 +12,772 @@ spec: listKind: VirtualServerList plural: virtualservers shortNames: - - vs + - vs singular: virtualserver scope: Namespaced versions: - - additionalPrinterColumns: - - description: Current state of the VirtualServer. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller. - jsonPath: .status.state - name: State - type: string - - jsonPath: .spec.host - name: Host - type: string - - jsonPath: .status.externalEndpoints[*].ip - name: IP - type: string - - jsonPath: .status.externalEndpoints[*].hostname - name: ExternalHostname - priority: 1 - type: string - - jsonPath: .status.externalEndpoints[*].ports - name: Ports - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: VirtualServer defines the VirtualServer resource. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: VirtualServerSpec is the spec of the VirtualServer resource. - type: object - properties: - dos: - type: string - externalDNS: - description: ExternalDNS defines externaldns sub-resource of a virtual server. 
- type: object - properties: - enable: - type: boolean - labels: - description: Labels stores labels defined for the Endpoint + - additionalPrinterColumns: + - description: Current state of the VirtualServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServer defines the VirtualServer resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: VirtualServerSpec is the spec of the VirtualServer resource. + properties: + dos: + type: string + externalDNS: + description: ExternalDNS defines externaldns sub-resource of a virtual + server. 
+ properties: + enable: + type: boolean + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: ProviderSpecificProperty defines specific property + for using with ExternalDNS sub-resource. + properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string type: object - additionalProperties: - type: string - providerSpecific: - description: ProviderSpecific stores provider specific config - type: array - items: - description: ProviderSpecificProperty defines specific property for using with ExternalDNS sub-resource. - type: object - properties: - name: - description: Name of the property - type: string - value: - description: Value of the property - type: string - recordTTL: - description: TTL for the record - type: integer - format: int64 - recordType: - type: string - gunzip: - type: boolean - host: - type: string - http-snippets: - type: string - ingressClassName: - type: string - internalRoute: - description: InternalRoute allows for the configuration of internal routing. - type: boolean - listener: - description: Listener references a custom http and/or https listener defined in GlobalConfiguration. - type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + type: string + type: object + gunzip: + type: boolean + host: + type: string + http-snippets: + type: string + ingressClassName: + type: string + internalRoute: + description: InternalRoute allows for the configuration of internal + routing. + type: boolean + listener: + description: VirtualServerListener references a custom http and/or + https listener defined in GlobalConfiguration. 
+ properties: + http: + type: string + https: + type: string + type: object + policies: + items: + description: PolicyReference references a policy by name and an + optional namespace. properties: - http: + name: type: string - https: + namespace: type: string - policies: - type: array - items: - description: PolicyReference references a policy by name and an optional namespace. - type: object - properties: - name: - type: string - namespace: - type: string - routes: - type: array - items: - description: Route defines a route. - type: object - properties: - action: - description: Action defines an action. - type: object - properties: - pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. - type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. - type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. 
- type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - dos: - type: string - errorPages: - type: array - items: - description: ErrorPage defines an ErrorPage in a Route. - type: object + type: object + type: array + routes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. properties: - codes: - type: array - items: - type: integer - redirect: - description: ErrorPageRedirect defines a redirect for an ErrorPage. - type: object + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. properties: - code: - type: integer - url: - type: string - return: - description: ErrorPageReturn defines a return for an ErrorPage. - type: object - properties: - body: - type: string - code: - type: integer - headers: - type: array + pass: + type: boolean + set: items: description: Header defines an HTTP Header. - type: object properties: name: type: string value: type: string - type: - type: string - location-snippets: - type: string - matches: - type: array - items: - description: Match defines a match. - type: object - properties: - action: - description: Action defines an action. - type: object - properties: - pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. - type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. 
- type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. - type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - conditions: - type: array - items: - description: Condition defines a condition in a MatchRule. - type: object - properties: - argument: - type: string - cookie: - type: string - header: - type: string - value: - type: string - variable: - type: string - splits: - type: array - items: - description: Split defines a split. - type: object - properties: - action: - description: Action defines an action. type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. 
+ properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. properties: pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. - type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. 
- type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. - type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - weight: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: type: integer - path: - type: string - policies: - type: array - items: - description: PolicyReference references a policy by name and an optional namespace. 
- type: object - properties: - name: - type: string - namespace: - type: string - route: - type: string - splits: - type: array - items: - description: Split defines a split. - type: object - properties: - action: - description: Action defines an action. - type: object - properties: - pass: - type: string - proxy: - description: ActionProxy defines a proxy in an Action. - type: object - properties: - requestHeaders: - description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. - type: object - properties: - pass: - type: boolean - set: - type: array - items: - description: Header defines an HTTP Header. - type: object - properties: - name: - type: string - value: - type: string - responseHeaders: - description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. - type: object - properties: - add: - type: array - items: - description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. - type: object - properties: - always: - type: boolean - name: - type: string - value: - type: string - hide: - type: array - items: - type: string - ignore: - type: array - items: - type: string - pass: - type: array - items: - type: string - rewritePath: - type: string - upstream: - type: string - redirect: - description: ActionRedirect defines a redirect in an Action. - type: object - properties: - code: - type: integer - url: - type: string - return: - description: ActionReturn defines a return in an Action. - type: object - properties: - body: - type: string - code: - type: integer - type: - type: string - weight: - type: integer - server-snippets: - type: string - tls: - description: TLS defines TLS configuration for a VirtualServer. - type: object - properties: - cert-manager: - description: CertManager defines a cert manager config for a TLS. 
- type: object - properties: - cluster-issuer: - type: string - common-name: - type: string - duration: - type: string - issuer: - type: string - issuer-group: - type: string - issuer-kind: - type: string - renew-before: - type: string - usages: - type: string - redirect: - description: TLSRedirect defines a redirect for a TLS. - type: object - properties: - basedOn: - type: string - code: - type: integer - enable: - type: boolean - secret: - type: string - upstreams: - type: array - items: - description: Upstream defines an upstream. - type: object - properties: - buffer-size: - type: string - buffering: - type: boolean - buffers: - description: UpstreamBuffers defines Buffer Configuration for an Upstream. - type: object - properties: - number: - type: integer - size: - type: string - client-max-body-size: - type: string - connect-timeout: - type: string - fail-timeout: - type: string - healthCheck: - description: HealthCheck defines the parameters for active Upstream HealthChecks. - type: object - properties: - connect-timeout: - type: string - enable: - type: boolean - fails: - type: integer - grpcService: - type: string - grpcStatus: - type: integer - headers: - type: array + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + conditions: items: - description: Header defines an HTTP Header. - type: object + description: Condition defines a condition in a MatchRule. 
properties: - name: + argument: + type: string + cookie: + type: string + header: type: string value: type: string - interval: - type: string - jitter: - type: string - keepalive-time: - type: string - mandatory: - type: boolean - passes: - type: integer - path: - type: string - persistent: - type: boolean - port: - type: integer - read-timeout: - type: string - send-timeout: - type: string - statusMatch: - type: string - tls: - description: UpstreamTLS defines a TLS configuration for an Upstream. - type: object - properties: - enable: - type: boolean - keepalive: - type: integer - lb-method: - type: string - max-conns: - type: integer - max-fails: - type: integer - name: - type: string - next-upstream: - type: string - next-upstream-timeout: - type: string - next-upstream-tries: - type: integer - ntlm: - type: boolean - port: - type: integer - queue: - description: UpstreamQueue defines Queue Configuration for an Upstream. + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. + properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. 
+ properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. properties: - size: - type: integer - timeout: - type: string - read-timeout: - type: string - send-timeout: - type: string - service: - type: string - sessionCookie: - description: SessionCookie defines the parameters for session persistence. - type: object - properties: - domain: - type: string - enable: - type: boolean - expires: - type: string - httpOnly: - type: boolean name: type: string - path: + namespace: type: string - samesite: - type: string - secure: - type: boolean - slow-start: - type: string - subselector: - type: object - additionalProperties: - type: string - tls: - description: UpstreamTLS defines a TLS configuration for an Upstream. type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. properties: - enable: - type: boolean - type: - type: string - use-cluster-ip: - type: boolean - status: - description: VirtualServerStatus defines the status for the VirtualServer resource. 
- type: object - properties: - externalEndpoints: - type: array - items: - description: ExternalEndpoint defines the IP/ Hostname and ports used to connect to this resource. - type: object + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + server-snippets: + type: string + tls: + description: TLS defines TLS configuration for a VirtualServer. + properties: + cert-manager: + description: CertManager defines a cert manager config for a TLS. 
properties: - hostname: + cluster-issuer: type: string - ip: + common-name: type: string - ports: + duration: type: string - message: - type: string - reason: - type: string - state: - type: string - served: true - storage: true - subresources: - status: {} + issue-temp-cert: + type: boolean + issuer: + type: string + issuer-group: + type: string + issuer-kind: + type: string + renew-before: + type: string + usages: + type: string + type: object + redirect: + description: TLSRedirect defines a redirect for a TLS. + properties: + basedOn: + type: string + code: + type: integer + enable: + type: boolean + type: object + secret: + type: string + type: object + upstreams: + items: + description: Upstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. + properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. 
+ properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. + properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: + type: string + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerStatus defines the status for the VirtualServer + resource. + properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/templates/_helpers.tpl b/charts/f5/nginx-ingress/templates/_helpers.tpl index 5372053b0..2f5add833 100644 
--- a/charts/f5/nginx-ingress/templates/_helpers.tpl +++ b/charts/f5/nginx-ingress/templates/_helpers.tpl 
@@ -133,3 +133,94 @@ Expand image name. {{- define "nginx-ingress.prometheus.serviceName" -}} {{- printf "%s-%s" (include "nginx-ingress.fullname" .) "prometheus-service" -}} {{- end -}} + +{{/* +Build the args for the service binary. +*/}} +{{- define "nginx-ingress.args" -}} +- -nginx-plus={{ .Values.controller.nginxplus }} +- -nginx-reload-timeout={{ .Values.controller.nginxReloadTimeout }} +- -enable-app-protect={{ .Values.controller.appprotect.enable }} +{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }} +- -app-protect-log-level={{ .Values.controller.appprotect.logLevel }} +{{ end }} +- -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }} +{{- if .Values.controller.appprotectdos.enable }} +- -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }} +- -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }} +- -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }} +- -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }} +{{ end }} +- -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }} +{{- if .Values.controller.defaultTLS.secret }} +- -default-server-tls-secret={{ .Values.controller.defaultTLS.secret }} +{{ else if and (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} +- -default-server-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.defaultTLSName" . 
}} +{{- end }} +- -ingress-class={{ .Values.controller.ingressClass.name }} +{{- if .Values.controller.watchNamespace }} +- -watch-namespace={{ .Values.controller.watchNamespace }} +{{- end }} +{{- if .Values.controller.watchNamespaceLabel }} +- -watch-namespace-label={{ .Values.controller.watchNamespaceLabel }} +{{- end }} +{{- if .Values.controller.watchSecretNamespace }} +- -watch-secret-namespace={{ .Values.controller.watchSecretNamespace }} +{{- end }} +- -health-status={{ .Values.controller.healthStatus }} +- -health-status-uri={{ .Values.controller.healthStatusURI }} +- -nginx-debug={{ .Values.controller.nginxDebug }} +- -v={{ .Values.controller.logLevel }} +- -nginx-status={{ .Values.controller.nginxStatus.enable }} +{{- if .Values.controller.nginxStatus.enable }} +- -nginx-status-port={{ .Values.controller.nginxStatus.port }} +- -nginx-status-allow-cidrs={{ .Values.controller.nginxStatus.allowCidrs }} +{{- end }} +{{- if .Values.controller.reportIngressStatus.enable }} +- -report-ingress-status +{{- if .Values.controller.reportIngressStatus.ingressLink }} +- -ingresslink={{ .Values.controller.reportIngressStatus.ingressLink }} +{{- else if .Values.controller.reportIngressStatus.externalService }} +- -external-service={{ .Values.controller.reportIngressStatus.externalService }} +{{- else if and (.Values.controller.service.create) (eq .Values.controller.service.type "LoadBalancer") }} +- -external-service={{ include "nginx-ingress.controller.service.name" . }} +{{- end }} +{{- end }} +- -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }} +{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} +- -leader-election-lock-name={{ include "nginx-ingress.leaderElectionName" . 
}} +{{- end }} +{{- if .Values.controller.wildcardTLS.secret }} +- -wildcard-tls-secret={{ .Values.controller.wildcardTLS.secret }} +{{- else if and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key }} +- -wildcard-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.wildcardTLSName" . }} +{{- end }} +- -enable-prometheus-metrics={{ .Values.prometheus.create }} +- -prometheus-metrics-listen-port={{ .Values.prometheus.port }} +- -prometheus-tls-secret={{ .Values.prometheus.secret }} +- -enable-service-insight={{ .Values.serviceInsight.create }} +- -service-insight-listen-port={{ .Values.serviceInsight.port }} +- -service-insight-tls-secret={{ .Values.serviceInsight.secret }} +- -enable-custom-resources={{ .Values.controller.enableCustomResources }} +- -enable-snippets={{ .Values.controller.enableSnippets }} +- -include-year={{ .Values.controller.includeYear }} +- -disable-ipv6={{ .Values.controller.disableIPV6 }} +{{- if .Values.controller.enableCustomResources }} +- -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }} +{{- if .Values.controller.enableTLSPassthrough }} +- -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }} +{{- end }} +- -enable-cert-manager={{ .Values.controller.enableCertManager }} +- -enable-oidc={{ .Values.controller.enableOIDC }} +- -enable-external-dns={{ .Values.controller.enableExternalDNS }} +- -default-http-listener-port={{ .Values.controller.defaultHTTPListenerPort}} +- -default-https-listener-port={{ .Values.controller.defaultHTTPSListenerPort}} +{{- if .Values.controller.globalConfiguration.create }} +- -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.controller.fullname" . 
}} +{{- end }} +{{- end }} +- -ready-status={{ .Values.controller.readyStatus.enable }} +- -ready-status-port={{ .Values.controller.readyStatus.port }} +- -enable-latency-metrics={{ .Values.controller.enableLatencyMetrics }} +- -ssl-dynamic-reload={{ .Values.controller.enableSSLDynamicReload }} +{{- end -}} diff --git a/charts/f5/nginx-ingress/templates/rbac.yaml b/charts/f5/nginx-ingress/templates/clusterrole.yaml similarity index 73% rename from charts/f5/nginx-ingress/templates/rbac.yaml rename to charts/f5/nginx-ingress/templates/clusterrole.yaml index 1410642d9..559006ff6 100644 --- a/charts/f5/nginx-ingress/templates/rbac.yaml +++ b/charts/f5/nginx-ingress/templates/clusterrole.yaml @@ -6,6 +6,63 @@ metadata: labels: {{- include "nginx-ingress.labels" . | nindent 4 }} rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +{{- if .Values.controller.reportIngressStatus.enable }} +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +{{- end }} {{- if .Values.controller.appprotect.enable }} - apiGroups: - appprotect.f5.com 
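Review bot: `-enable-snippets={{ .Values.controller.enableSnippets }}` in the new `nginx-ingress.args` helper is passed straight through, with nothing in the helper saying what the flag unlocks. The VirtualServer CRD in this same diff exposes `server-snippets` and `location-snippets` as free-form strings, so with the flag on, anyone allowed to create those resources can place raw NGINX configuration into the shared controller. I would put a template comment above that line, for example `{{- /* enable-snippets lets resource authors inject raw NGINX config; keep false unless every author is trusted */}}`. The same applies to `-nginx-status-allow-cidrs`, where a short comment on the expected value format would help whoever edits the values file.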
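Review bot: The first added rule grants `get`, `list` and `watch` on `secrets` in every namespace, because it sits in a ClusterRole. The chart already renders `-watch-namespace` and `-watch-secret-namespace` from `controller.watchNamespace` and `controller.watchSecretNamespace`, so when either is set the cluster-wide read is wider than the controller needs. Consider moving the `secrets` entry into a namespaced Role for that case, or at least record the reason with `# cluster-wide read on secrets: needed only when watchNamespace/watchSecretNamespace are unset`. The `leases` rule now keeps only `list` and `watch`; the write verbs are presumably granted by a namespaced Role elsewhere in the commit, which this hunk does not show. The `rules:` list continues outside the hunk.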
@@ -30,99 +87,6 @@ rules: - watch - list {{- end }} -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch -{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} - - update - - create -{{- end }} -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch - - update -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - list -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - update - - create -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get -{{- if .Values.controller.reportIngressStatus.enable }} -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update -{{- end }} {{- if .Values.controller.enableCustomResources }} - apiGroups: - k8s.nginx.org @@ -188,19 +152,4 @@ rules: verbs: - update {{- end }} ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "nginx-ingress.fullname" . }} - labels: - {{- include "nginx-ingress.labels" . | nindent 4 }} -subjects: -- kind: ServiceAccount - name: {{ include "nginx-ingress.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: {{ include "nginx-ingress.fullname" . }} - apiGroup: rbac.authorization.k8s.io -{{- end }} +{{- end}} 
diff --git a/charts/f5/nginx-ingress/templates/clusterrolebiding.yaml b/charts/f5/nginx-ingress/templates/clusterrolebiding.yaml
new file mode 100644
index 000000000..ed06c48cc
--- /dev/null
+++ b/charts/f5/nginx-ingress/templates/clusterrolebiding.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "nginx-ingress.fullname" . }}
+ labels:
+ {{- include "nginx-ingress.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "nginx-ingress.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ include "nginx-ingress.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/f5/nginx-ingress/templates/controller-daemonset.yaml b/charts/f5/nginx-ingress/templates/controller-daemonset.yaml
index d6012c3a3..b2459c927 100644
--- a/charts/f5/nginx-ingress/templates/controller-daemonset.yaml
+++ b/charts/f5/nginx-ingress/templates/controller-daemonset.yaml
@@ -76,6 +76,9 @@ spec:
 {{- end }}
 hostNetwork: {{ .Values.controller.hostNetwork }}
 dnsPolicy: {{ .Values.controller.dnsPolicy }}
+ {{- if .Values.controller.shareProcessNamespace }}
+ shareProcessNamespace: true
+ {{- end }}
 containers:
 - name: {{ include "nginx-ingress.name" . }}
 image: {{ include "nginx-ingress.image" . }}
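Review bot: `shareProcessNamespace: true` is rendered from `controller.shareProcessNamespace` with no comment on what it changes for container isolation. Once set, all containers in the pod share one PID namespace, so anything supplied through `controller.extraContainers` (rendered further down this template) can see and signal the NGINX processes and, subject to file permissions, reach their filesystem through `/proc/<pid>/root`. A template comment above the `if`, such as `{{- /* one PID namespace for all pod containers; review extraContainers before enabling */}}`, would make that visible. The identical addition in `controller-deployment.yaml` needs the same comment. The pod spec starts and ends outside this hunk.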
@@ -161,89 +164,7 @@ spec: resources: {{ toYaml .Values.controller.resources | indent 10 }} args: - - -nginx-plus={{ .Values.controller.nginxplus }} - - -nginx-reload-timeout={{ .Values.controller.nginxReloadTimeout }} - - -enable-app-protect={{ .Values.controller.appprotect.enable }} -{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }} - - -app-protect-log-level={{ .Values.controller.appprotect.logLevel }} -{{ end }} - - -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }} - {{- if .Values.controller.appprotectdos.enable }} - - -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }} - - -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }} - - -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }} - - -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }} - {{ end }} - - -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }} -{{- if .Values.controller.defaultTLS.secret }} - - -default-server-tls-secret={{ .Values.controller.defaultTLS.secret }} -{{ else if and (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} - - -default-server-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.defaultTLSName" . 
}} -{{- end }} - - -ingress-class={{ .Values.controller.ingressClass.name }} -{{- if .Values.controller.watchNamespace }} - - -watch-namespace={{ .Values.controller.watchNamespace }} -{{- end }} -{{- if .Values.controller.watchNamespaceLabel }} - - -watch-namespace-label={{ .Values.controller.watchNamespaceLabel }} -{{- end }} -{{- if .Values.controller.watchSecretNamespace }} - - -watch-secret-namespace={{ .Values.controller.watchSecretNamespace }} -{{- end }} - - -health-status={{ .Values.controller.healthStatus }} - - -health-status-uri={{ .Values.controller.healthStatusURI }} - - -nginx-debug={{ .Values.controller.nginxDebug }} - - -v={{ .Values.controller.logLevel }} - - -nginx-status={{ .Values.controller.nginxStatus.enable }} -{{- if .Values.controller.nginxStatus.enable }} - - -nginx-status-port={{ .Values.controller.nginxStatus.port }} - - -nginx-status-allow-cidrs={{ .Values.controller.nginxStatus.allowCidrs }} -{{- end }} -{{- if .Values.controller.reportIngressStatus.enable }} - - -report-ingress-status -{{- if .Values.controller.reportIngressStatus.ingressLink }} - - -ingresslink={{ .Values.controller.reportIngressStatus.ingressLink }} -{{- else if .Values.controller.reportIngressStatus.externalService }} - - -external-service={{ .Values.controller.reportIngressStatus.externalService }} -{{- else if and (.Values.controller.service.create) (eq .Values.controller.service.type "LoadBalancer") }} - - -external-service={{ include "nginx-ingress.controller.service.name" . }} -{{- end }} -{{- end }} - - -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }} -{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} - - -leader-election-lock-name={{ include "nginx-ingress.leaderElectionName" . 
}} -{{- end }} -{{- if .Values.controller.wildcardTLS.secret }} - - -wildcard-tls-secret={{ .Values.controller.wildcardTLS.secret }} -{{- else if and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key }} - - -wildcard-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.wildcardTLSName" . }} -{{- end }} - - -enable-prometheus-metrics={{ .Values.prometheus.create }} - - -prometheus-metrics-listen-port={{ .Values.prometheus.port }} - - -prometheus-tls-secret={{ .Values.prometheus.secret }} - - -enable-service-insight={{ .Values.serviceInsight.create }} - - -service-insight-listen-port={{ .Values.serviceInsight.port }} - - -service-insight-tls-secret={{ .Values.serviceInsight.secret }} - - -enable-custom-resources={{ .Values.controller.enableCustomResources }} - - -enable-snippets={{ .Values.controller.enableSnippets }} - - -include-year={{ .Values.controller.includeYear }} - - -disable-ipv6={{ .Values.controller.disableIPV6 }} -{{- if .Values.controller.enableCustomResources }} - - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }} -{{ if .Values.controller.enableTLSPassthrough }} - - -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }} -{{ end }} - - -enable-preview-policies={{ .Values.controller.enablePreviewPolicies }} - - -enable-cert-manager={{ .Values.controller.enableCertManager }} - - -enable-oidc={{ .Values.controller.enableOIDC }} - - -enable-external-dns={{ .Values.controller.enableExternalDNS }} -{{- if .Values.controller.globalConfiguration.create }} - - -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.controller.fullname" . }} -{{- end }} -{{- end }} - - -ready-status={{ .Values.controller.readyStatus.enable }} - - -ready-status-port={{ .Values.controller.readyStatus.port }} - - -enable-latency-metrics={{ .Values.controller.enableLatencyMetrics }} +{{- include "nginx-ingress.args" . 
| nindent 10 }} {{- if .Values.controller.extraContainers }} {{ toYaml .Values.controller.extraContainers | nindent 6 }} {{- end }} @@ -255,6 +176,10 @@ spec: image: {{ include "nginx-ingress.image" . }} imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] +{{- if .Values.controller.initContainerResources }} + resources: +{{ toYaml .Values.controller.initContainerResources | indent 10 }} +{{- end }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true diff --git a/charts/f5/nginx-ingress/templates/controller-deployment.yaml b/charts/f5/nginx-ingress/templates/controller-deployment.yaml index f23f515ef..1f291ff4c 100644 --- a/charts/f5/nginx-ingress/templates/controller-deployment.yaml +++ b/charts/f5/nginx-ingress/templates/controller-deployment.yaml @@ -83,6 +83,9 @@ spec: terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} hostNetwork: {{ .Values.controller.hostNetwork }} dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.controller.shareProcessNamespace }} + shareProcessNamespace: true + {{- end }} containers: - image: {{ include "nginx-ingress.image" . }} name: {{ include "nginx-ingress.name" . }} 
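Review bot: Replacing the inline list with `{{- include "nginx-ingress.args" . | nindent 10 }}` is not a pure refactor. The removed block passed `-enable-preview-policies={{ .Values.controller.enablePreviewPolicies }}`, and the helper added in `_helpers.tpl` has no such line; the helper also adds `-default-http-listener-port`, `-default-https-listener-port` and `-ssl-dynamic-reload`. If the controller binary no longer accepts the flag this is correct, but a release that sets `controller.enablePreviewPolicies` will now have the value ignored without any message. I would note that at the include, for example `{{- /* args come from nginx-ingress.args; enablePreviewPolicies is no longer passed */}}`. The matching hunk in `controller-deployment.yaml` runs past the visible text, so it should be checked for the same thing.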
@@ -168,89 +171,7 @@ spec: fieldPath: spec.serviceAccountName {{- end }} args: - - -nginx-plus={{ .Values.controller.nginxplus }} - - -nginx-reload-timeout={{ .Values.controller.nginxReloadTimeout }} - - -enable-app-protect={{ .Values.controller.appprotect.enable }} -{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }} - - -app-protect-log-level={{ .Values.controller.appprotect.logLevel }} -{{ end }} - - -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }} -{{- if .Values.controller.appprotectdos.enable }} - - -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }} - - -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }} - - -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }} - - -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }} -{{ end }} - - -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }} -{{- if .Values.controller.defaultTLS.secret }} - - -default-server-tls-secret={{ .Values.controller.defaultTLS.secret }} -{{ else if and (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} - - -default-server-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.defaultTLSName" . 
}} -{{- end }} - - -ingress-class={{ .Values.controller.ingressClass.name }} -{{- if .Values.controller.watchNamespace }} - - -watch-namespace={{ .Values.controller.watchNamespace }} -{{- end }} -{{- if .Values.controller.watchNamespaceLabel }} - - -watch-namespace-label={{ .Values.controller.watchNamespaceLabel }} -{{- end }} -{{- if .Values.controller.watchSecretNamespace }} - - -watch-secret-namespace={{ .Values.controller.watchSecretNamespace }} -{{- end }} - - -health-status={{ .Values.controller.healthStatus }} - - -health-status-uri={{ .Values.controller.healthStatusURI }} - - -nginx-debug={{ .Values.controller.nginxDebug }} - - -v={{ .Values.controller.logLevel }} - - -nginx-status={{ .Values.controller.nginxStatus.enable }} -{{- if .Values.controller.nginxStatus.enable }} - - -nginx-status-port={{ .Values.controller.nginxStatus.port }} - - -nginx-status-allow-cidrs={{ .Values.controller.nginxStatus.allowCidrs }} -{{- end }} -{{- if .Values.controller.reportIngressStatus.enable }} - - -report-ingress-status -{{- if .Values.controller.reportIngressStatus.ingressLink }} - - -ingresslink={{ .Values.controller.reportIngressStatus.ingressLink }} -{{- else if .Values.controller.reportIngressStatus.externalService }} - - -external-service={{ .Values.controller.reportIngressStatus.externalService }} -{{- else if and (.Values.controller.service.create) (eq .Values.controller.service.type "LoadBalancer") }} - - -external-service={{ include "nginx-ingress.controller.service.name" . }} -{{- end }} -{{- end }} - - -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }} -{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} - - -leader-election-lock-name={{ include "nginx-ingress.leaderElectionName" . 
}} -{{- end }} -{{- if .Values.controller.wildcardTLS.secret }} - - -wildcard-tls-secret={{ .Values.controller.wildcardTLS.secret }} -{{- else if and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key }} - - -wildcard-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.wildcardTLSName" . }} -{{- end }} - - -enable-prometheus-metrics={{ .Values.prometheus.create }} - - -prometheus-metrics-listen-port={{ .Values.prometheus.port }} - - -prometheus-tls-secret={{ .Values.prometheus.secret }} - - -enable-service-insight={{ .Values.serviceInsight.create }} - - -service-insight-listen-port={{ .Values.serviceInsight.port }} - - -service-insight-tls-secret={{ .Values.serviceInsight.secret }} - - -enable-custom-resources={{ .Values.controller.enableCustomResources }} - - -enable-snippets={{ .Values.controller.enableSnippets }} - - -include-year={{ .Values.controller.includeYear }} - - -disable-ipv6={{ .Values.controller.disableIPV6 }} -{{- if .Values.controller.enableCustomResources }} - - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }} -{{ if .Values.controller.enableTLSPassthrough }} - - -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }} -{{ end }} - - -enable-preview-policies={{ .Values.controller.enablePreviewPolicies }} - - -enable-cert-manager={{ .Values.controller.enableCertManager }} - - -enable-oidc={{ .Values.controller.enableOIDC }} - - -enable-external-dns={{ .Values.controller.enableExternalDNS }} -{{- if .Values.controller.globalConfiguration.create }} - - -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.controller.fullname" . }} -{{- end }} -{{- end }} - - -ready-status={{ .Values.controller.readyStatus.enable }} - - -ready-status-port={{ .Values.controller.readyStatus.port }} - - -enable-latency-metrics={{ .Values.controller.enableLatencyMetrics }} +{{- include "nginx-ingress.args" . 
| nindent 10 }} {{- if .Values.controller.extraContainers }} {{ toYaml .Values.controller.extraContainers | nindent 6 }} {{- end }} @@ -262,6 +183,10 @@ spec: image: {{ include "nginx-ingress.image" . }} imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] +{{- if .Values.controller.initContainerResources }} + resources: +{{ toYaml .Values.controller.initContainerResources | indent 10 }} +{{- end }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true diff --git a/charts/f5/nginx-ingress/templates/controller-hpa.yaml b/charts/f5/nginx-ingress/templates/controller-hpa.yaml index b8691648e..971aca90d 100644 --- a/charts/f5/nginx-ingress/templates/controller-hpa.yaml +++ b/charts/f5/nginx-ingress/templates/controller-hpa.yaml @@ -17,6 +17,10 @@ spec: name: {{ include "nginx-ingress.controller.fullname" . }} minReplicas: {{ .Values.controller.autoscaling.minReplicas }} maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} +{{- if .Values.controller.autoscaling.behavior }} + behavior: +{{ toYaml .Values.controller.autoscaling.behavior | indent 4 }} +{{- end }} metrics: {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} - type: Resource diff --git a/charts/f5/nginx-ingress/templates/controller-role.yaml b/charts/f5/nginx-ingress/templates/controller-role.yaml new file mode 100644 index 000000000..e90238177 --- /dev/null +++ b/charts/f5/nginx-ingress/templates/controller-role.yaml 
@@ -0,0 +1,56 @@ +{{- if .Values.rbac.create }} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + - {{ .Values.controller.reportIngressStatus.leaderElectionLockName }} + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +{{- end }} diff --git a/charts/f5/nginx-ingress/templates/controller-rolebiding.yaml b/charts/f5/nginx-ingress/templates/controller-rolebiding.yaml new file mode 100644 index 000000000..51ee528da --- /dev/null +++ b/charts/f5/nginx-ingress/templates/controller-rolebiding.yaml @@ -0,0 +1,17 @@ +{{- if .Values.rbac.create }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "nginx-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "nginx-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/f5/nginx-ingress/templates/controller-serviceaccount.yaml b/charts/f5/nginx-ingress/templates/controller-serviceaccount.yaml index 0553a0e23..8cde4f5b0 100644 --- a/charts/f5/nginx-ingress/templates/controller-serviceaccount.yaml +++ b/charts/f5/nginx-ingress/templates/controller-serviceaccount.yaml 
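Review bot: In the new controller-role.yaml the lease rule pins `resourceNames` to the raw value `.Values.controller.reportIngressStatus.leaderElectionLockName`, while the controller args that this commit moves into `nginx-ingress.args` passed `-leader-election-lock-name={{ include "nginx-ingress.leaderElectionName" . }}`. The helper body is not visible here, but if it applies a default or prefix when the value is unset, the Role names a different lease than the controller uses, or renders an empty list item, and the `get`/`update` grant no longer matches. Rendering the same helper keeps the scoped grant and the flag in step: `- {{ include "nginx-ingress.leaderElectionName" . }}`. The first rule also grants `get`/`list`/`watch` on every Secret in the release namespace, which deserves a comment in the template so operators install the chart into a dedicated namespace.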
@@ -9,8 +9,17 @@ metadata: namespace: {{ .Release.Namespace }} labels: {{- include "nginx-ingress.labels" . | nindent 4 }} -{{- if .Values.controller.serviceAccount.imagePullSecretName }} +{{- if or .Values.controller.serviceAccount.imagePullSecretName .Values.controller.serviceAccount.imagePullSecretsNames }} imagePullSecrets: -- name: {{ .Values.controller.serviceAccount.imagePullSecretName }} +{{- end }} + +{{- if .Values.controller.serviceAccount.imagePullSecretName }} +- name: {{ .Values.controller.serviceAccount.imagePullSecretName}} +{{- end }} + +{{- if .Values.controller.serviceAccount.imagePullSecretsNames }} +{{- range .Values.controller.serviceAccount.imagePullSecretsNames }} +- name: {{ . }} +{{- end }} {{- end }} {{- end }} diff --git a/charts/f5/nginx-ingress/values-icp.yaml b/charts/f5/nginx-ingress/values-icp.yaml index 7c1025ba6..c2969ed7c 100644 --- a/charts/f5/nginx-ingress/values-icp.yaml +++ b/charts/f5/nginx-ingress/values-icp.yaml @@ -4,7 +4,7 @@ controller: nginxplus: true image: repository: mycluster.icp:8500/kube-system/nginx-plus-ingress - tag: "3.3.2" + tag: "3.4.0" nodeSelector: beta.kubernetes.io/arch: "amd64" proxy: true diff --git a/charts/f5/nginx-ingress/values-plus.yaml b/charts/f5/nginx-ingress/values-plus.yaml index 072e265b0..54d8551ac 100644 --- a/charts/f5/nginx-ingress/values-plus.yaml +++ b/charts/f5/nginx-ingress/values-plus.yaml @@ -3,4 +3,4 @@ controller: nginxplus: true image: repository: nginx-plus-ingress - tag: "3.3.2" + tag: "3.4.0" diff --git a/charts/f5/nginx-ingress/values.schema.json b/charts/f5/nginx-ingress/values.schema.json index 39f65da62..029211810 100644 --- a/charts/f5/nginx-ingress/values.schema.json +++ b/charts/f5/nginx-ingress/values.schema.json 
@@ -46,13 +46,13 @@ "type": "object", "default": {}, "title": "The selectorLabels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" }, "annotations": { "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "nginxplus": { "type": "boolean", @@ -195,7 +195,7 @@ "^.*$": { "anyOf": [ { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/hostPort" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/hostPort" }, { "type": "boolean" @@ -211,7 +211,7 @@ "title": "The containerPort Schema", "patternProperties": { "^.*$": { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/containerPort" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/containerPort" } }, "additionalProperties": false 
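Review bot: Every `$ref` bumped in values.schema.json still points at the `master` branch of `nginxinc/kubernetes-json-schema` on raw.githubusercontent.com, so values validation depends on a mutable remote file. A validator that resolves remote references fetches it at install time, which fails in air-gapped clusters and lets an upstream change alter what the chart accepts. The `v1.28.0` path segment selects a directory, not a revision. Pinning the URL to a commit or tag, or vendoring the needed definitions into the chart, would make validation reproducible. This applies to all `$ref` lines in the values.schema.json hunks, not only the two in `@@ -46,13 +46,13 @@`.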
@@ -220,7 +220,7 @@ "type": "string", "allOf": [ { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/dnsPolicy" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/dnsPolicy" }, { "enum": [ @@ -241,6 +241,15 @@ true ] }, + "shareProcessNamespace": { + "type": "boolean", + "default": false, + "title": "Enables sharing of the process namespace between pods within the Ingress Controller", + "examples": [ + false, + true + ] + }, "logLevel": { "type": "integer", "default": 1, @@ -261,7 +270,7 @@ "title": "The customPorts to expose on the NGINX Ingress Controller pod", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort" }, "examples": [ [ @@ -296,10 +305,10 @@ }, "tag": { "type": "string", - "default": "2.3.1", + "default": "3.4.0", "title": "The tag of the Ingress Controller image", "examples": [ - "2.3.1" + "3.4.0" ] }, "digest": { @@ -316,7 +325,7 @@ "title": "The pullPolicy for the Ingress Controller image", "allOf": [ { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" }, { "enum": [ @@ -336,7 +345,7 @@ "examples": [ { "repository": "nginx/nginx-ingress", - "tag": "2.3.1", + "tag": "3.4.0", "pullPolicy": "IfNotPresent" } ] 
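Review bot: The title of the new `shareProcessNamespace` property in the `@@ -241,6 +241,15 @@` hunk says the namespace is shared "between pods within the Ingress Controller", but the pod-level field shares it between the containers of one pod, as the values.yaml comment in this same commit states. Reword it to `"title": "Enables sharing of the process namespace between containers in the Ingress Controller pod"`.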
@@ -345,7 +354,7 @@ "type": "object", "default": {}, "title": "The lifecycle Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.Lifecycle" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Lifecycle" }, "customConfigMap": { "type": "string", @@ -373,7 +382,7 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "entries": { "type": "object", 
@@ -460,19 +469,25 @@ "type": "object", "default": {}, "title": "The nodeSelector Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/nodeSelector" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/nodeSelector" }, "terminationGracePeriodSeconds": { "type": "integer", "default": 30, "title": "The terminationGracePeriodSeconds Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds" }, "resources": { "type": "object", "default": {}, "title": "The resources Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + }, + "initContainerResources": { + "type": "object", + "default": {}, + "title": "The resources Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" }, "tolerations": { "type": "array", 
@@ -480,20 +495,20 @@ "title": "The tolerations Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration" } }, "affinity": { "type": "object", "default": {}, "title": "The affinity Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity" }, "topologySpreadConstraints": { "type": "object", "default": {}, "title": "The topologySpreadConstraints Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/topologySpreadConstraints" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/topologySpreadConstraints" }, "env": { "type": "array", @@ -501,7 +516,7 @@ "title": "The env Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar" } }, "volumes": { 
@@ -510,7 +525,7 @@ "title": "The volumes Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" } }, "volumeMounts": { @@ -519,7 +534,7 @@ "title": "The volumeMounts Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.VolumeMount" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.VolumeMount" } }, "initContainers": { @@ -528,14 +543,14 @@ "title": "The initContainers Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" } }, "minReadySeconds": { "type": "integer", "default": 0, "title": "The minReadySeconds Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentSpec/properties/minReadySeconds" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentSpec/properties/minReadySeconds" }, "strategy": { "type": "object", 
@@ -543,7 +558,7 @@ "title": "The strategy Schema", "allOf": [ { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentStrategy" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentStrategy" }, { "properties": { @@ -565,7 +580,7 @@ "title": "The extraContainers Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" } }, "replicaCount": { @@ -632,14 +647,6 @@ true ] }, - "enablePreviewPolicies": { - "type": "boolean", - "default": false, - "title": "The enablePreviewPolicies", - "examples": [ - false - ] - }, "enableOIDC": { "type": "boolean", "default": false, 
@@ -841,19 +848,19 @@ "type": "string", "default": "", "title": "The type", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/type" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/type" }, "externalTrafficPolicy": { "type": "string", "default": "", "title": "The externalTrafficPolicy", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalTrafficPolicy" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalTrafficPolicy" }, "annotations": { "type": "object", "default": {}, "title": "The annotations", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "extraLabels": { "type": "object", 
@@ -869,13 +876,13 @@ "type": "string", "default": "", "title": "The loadBalancerIP", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/loadBalancerIP" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/loadBalancerIP" }, "externalIPs": { "type": "array", "default": [], "title": "The externalIPs", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalIPs" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalIPs" }, "loadBalancerSourceRanges": { "type": "array", @@ -890,13 +897,13 @@ "type": "boolean", "default": false, "title": "The allocateLoadBalancerNodePorts Schema", - "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/allocateLoadBalancerNodePorts" + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/allocateLoadBalancerNodePorts" }, "ipFamilyPolicy": { "type": "string", "default": "", "title": "The ipFamilyPolicy Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilyPolicy", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilyPolicy", "examples": [ "" ] 
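Review bot: In the `@@ -890,13 +897,13 @@` hunk the `allocateLoadBalancerNodePorts` entry keeps the key `"ref"` rather than `"$ref"` on the new side, so a JSON Schema validator treats it as an unknown keyword and never applies the Kubernetes definition; only `"type": "boolean"` is enforced. The same spelling remains on the `ipFamilies` line in `@@ -905,7 +912,7 @@` and on the `customPorts` items line in `@@ -1009,7 +1016,7 @@`. Since these lines are being edited anyway, rename the key to `"$ref"` in all three places.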
@@ -905,7 +912,7 @@ "type": "array", "default": [], "title": "The ipFamilies Schema", - "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilies" + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilies" }, "httpPort": { "type": "object", @@ -1009,7 +1016,7 @@ "title": "The customPorts", "items": { "type": "object", - "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ServicePort" + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServicePort" } } }, @@ -1051,7 +1058,7 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "name": { "type": "string", 
@@ -1068,12 +1075,79 @@ "examples": [ "" ] + }, + "imagePullSecretsNames": { + "type": "array", + "default": [], + "title": "The imagePullSecretName list", + "examples": [ + [] + ] } }, + "oneOf": [ + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "minItems": 1 + } + }, + "required": [ + "imagePullSecretsNames" + ] + }, + { + "properties": { + "imagePullSecretName": { + "minLength": 1 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "required": [ + "imagePullSecretName" + ] + }, + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "required": [ + "imagePullSecretName", + "imagePullSecretsNames" + ] + }, + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "not": { + "required": [ + "imagePullSecretName", + "imagePullSecretsNames" + ] + } + } + ], "examples": [ { "name": "", - "imagePullSecretName": "" + "imagePullSecretName": "", + "imagePullSecretsNames": [] } ] }, @@ -1129,7 +1203,7 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" } }, "examples": [ 
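Review bot: The new `imagePullSecretsNames` property is declared as `"type": "array"` with no `items` constraint, so non-string entries pass validation and reach the `- name: {{ . }}` line in controller-serviceaccount.yaml, where a map or number would render as something other than a Secret name. Add `"items": { "type": "string", "minLength": 1 }` to the property. The four-branch `oneOf` that follows encodes "set one or neither, never both"; a `description` saying so would help, because a failed `oneOf` is unlikely to explain that on its own.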
@@ -1153,13 +1227,13 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "extraLabels": { "type": "object", "default": {}, "title": "The extraLabels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" } }, "examples": [ @@ -1173,7 +1247,7 @@ "type": "string", "default": "", "title": "The priorityClassName", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/priorityClassName" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/priorityClassName" }, "podDisruptionBudget": { "type": "object", 
@@ -1190,13 +1264,13 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "minAvailable": { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/minAvailable" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/minAvailable" }, "maxUnavailable": { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/maxUnavailable" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/maxUnavailable" } }, "examples": [ @@ -1235,7 +1309,7 @@ "initialDelaySeconds": { "type": "integer", "default": 0, - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.Probe/properties/initialDelaySeconds" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Probe/properties/initialDelaySeconds" } }, "examples": [ 
@@ -1262,6 +1336,22 @@ false ] }, + "defaultHTTPListenerPort": { + "type": "integer", + "default": 80, + "title": "The defaultHTTPListenerPort", + "examples": [ + 80 + ] + }, + "defaultHTTPSListenerPort": { + "type": "integer", + "default": 443, + "title": "The defaultHTTPSListenerPort", + "examples": [ + 443 + ] + }, "readOnlyRootFilesystem": { "type": "boolean", "default": false, @@ -1269,6 +1359,14 @@ "examples": [ false ] + }, + "enableSSLDynamicReload": { + "type": "boolean", + "default": true, + "title": "Enable dynamic certificate reloads for NGINX Plus", + "examples": [ + true + ] } }, "examples": [ @@ -1290,11 +1388,12 @@ }, "hostNetwork": false, "nginxDebug": false, + "shareProcessNamespace": false, "logLevel": 1, "customPorts": [], "image": { "repository": "nginx/nginx-ingress", - "tag": "2.3.1", + "tag": "3.4.0", "digest": "", "pullPolicy": "IfNotPresent" }, @@ -1323,6 +1422,12 @@ "memory": "128Mi" } }, + "initContainerResources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, "tolerations": [], "affinity": {}, "topologySpreadConstraints": {}, @@ -1338,7 +1443,6 @@ "setAsDefaultIngress": false, "watchNamespace": "", "enableCustomResources": true, - "enablePreviewPolicies": false, "enableOIDC": false, "includeYear": false, "enableTLSPassthrough": false, @@ -1383,7 +1487,8 @@ }, "serviceAccount": { "name": "", - "imagePullSecretName": "" + "imagePullSecretName": "", + "imagePullSecretsNames": [] }, "serviceMonitor": { "create": false, @@ -1411,6 +1516,8 @@ }, "enableLatencyMetrics": false, "disableIPV6": false, + "defaultHTTPListenerPort": 80, + "defaultHTTPSListenerPort": 443, "readOnlyRootFilesystem": false } ] 
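Review bot: `defaultHTTPListenerPort` and `defaultHTTPSListenerPort` are typed only as `integer`, so 0, negative numbers and values above 65535 pass schema validation and would presumably surface later as a listener that fails to bind. Add `"minimum": 1, "maximum": 65535` to both properties so a bad port is rejected when the values are validated.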
@@ -1494,7 +1601,7 @@ "type": "object", "default": {}, "title": "The labels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" } } }, @@ -1516,13 +1623,13 @@ "type": "object", "default": {}, "title": "The labels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" }, "selectorMatchLabels": { "type": "object", "default": {}, "title": "The selectorMatchLabels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" }, "endpoints": { "type": "array", @@ -1658,7 +1765,7 @@ "customPorts": [], "image": { "repository": "nginx/nginx-ingress", - "tag": "2.3.1", + "tag": "3.4.0", "digest": "", "pullPolicy": "IfNotPresent" }, @@ -1687,6 +1794,12 @@ "memory": "128Mi" } }, + "initContainerResources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, "tolerations": [], "affinity": {}, "topologySpreadConstraints": {}, 
@@ -1702,7 +1815,6 @@ "setAsDefaultIngress": false, "watchNamespace": "", "enableCustomResources": true, - "enablePreviewPolicies": false, "enableOIDC": false, "includeYear": false, "enableTLSPassthrough": false, @@ -1748,7 +1860,8 @@ }, "serviceAccount": { "name": "", - "imagePullSecretName": "" + "imagePullSecretName": "", + "imagePullSecretsNames": [] }, "podDisruptionBudget": { "enabled": false, @@ -1776,6 +1889,8 @@ }, "enableLatencyMetrics": false, "disableIPV6": false, + "defaultHTTPListenerPort": 80, + "defaultHTTPSListenerPort": 443, "readOnlyRootFilesystem": false }, "rbac": { diff --git a/charts/f5/nginx-ingress/values.yaml b/charts/f5/nginx-ingress/values.yaml index 352497d95..1d7829266 100644 --- a/charts/f5/nginx-ingress/values.yaml +++ b/charts/f5/nginx-ingress/values.yaml @@ -14,7 +14,7 @@ controller: ## Deploys the Ingress Controller for NGINX Plus. nginxplus: false - # Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. + ## Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. nginxReloadTimeout: 60000 ## Support for App Protect WAF @@ -64,6 +64,9 @@ controller: ## Enables debugging for NGINX. Uses the nginx-debug binary. Requires error-log-level: debug in the ConfigMap via `controller.config.entries`. nginxDebug: false + ## Share process namespace between containers in the Ingress Controller pod. + shareProcessNamespace: false + ## The log level of the Ingress Controller. logLevel: 1 @@ -75,7 +78,7 @@ controller: repository: nginx/nginx-ingress ## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml is used as a tag. - # tag: "3.3.2" + # tag: "3.4.0" ## The digest of the Ingress Controller image. ## If digest is specified it has precedence over tag and will be used instead 
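Review bot: The comment added for `shareProcessNamespace` in values.yaml (hunk at -64) says what the flag does but not what enabling it exposes. With a shared process namespace every container in the pod can see and signal the processes of the others, and can reach their filesystems through `/proc/<pid>/root`, so the isolation between the controller and any sidecar is reduced. I would extend the comment to `## Share process namespace between containers in the Ingress Controller pod. Containers can then see and signal each other's processes; leave false unless a sidecar requires it.` The default of `false` is the right one.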
@@ -153,6 +156,8 @@ controller: targetCPUUtilizationPercentage: 50 ## The target memory utilization percentage. targetMemoryUtilizationPercentage: 50 + ## Custom behavior policies + behavior: {} ## The resources of the Ingress Controller pods. resources: @@ -163,6 +168,15 @@ controller: # cpu: 1 # memory: 1Gi + ## The resources for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true. + initContainerResources: + requests: + cpu: 100m + memory: 128Mi + # limits: + # cpu: 1 + # memory: 1Gi + ## The tolerations of the Ingress Controller pods. tolerations: [] @@ -221,7 +235,7 @@ controller: ## The number of replicas of the Ingress Controller deployment. replicaCount: 1 - # Configures the ingress class the Ingress Controller uses. + ## Configures the ingress class the Ingress Controller uses. ingressClass: ## A class of the Ingress Controller. @@ -232,7 +246,7 @@ controller: ## The Ingress Controller processes all the resources that do not have the "ingressClassName" field for all versions of kubernetes. name: nginx - ## Creates a new IngressClass object with the name "controller.ingressClass.name". Set to false to use an existing IngressClass with the same name. If you use helm upgrade, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.2, do not set the value to false. + ## Creates a new IngressClass object with the name "controller.ingressClass.name". Set to false to use an existing IngressClass with the same name. If you use helm upgrade, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.4.0, do not set the value to false. create: true ## New Ingresses without an ingressClassName field specified will be assigned the class specified in `controller.ingressClass`. Requires "controller.ingressClass.create". 
@@ -250,9 +264,6 @@ controller: ## Enable the custom resources. enableCustomResources: true - ## Enable preview policies. This parameter is deprecated. To enable OIDC Policies please use controller.enableOIDC instead. - enablePreviewPolicies: false - ## Enable OIDC policies. enableOIDC: false @@ -285,7 +296,6 @@ controller: # port: 5353 # protocol: TCP - ## Enable custom NGINX configuration snippets in Ingress, VirtualServer, VirtualServerRoute and TransportServer resources. enableSnippets: false @@ -387,6 +397,10 @@ controller: ## Secret must exist in the same namespace as the helm release. imagePullSecretName: "" + ## A list of secret names containing docker registry credentials. + ## Secrets must exist in the same namespace as the helm release. + imagePullSecretsNames: [] + reportIngressStatus: ## Updates the address field in the status of Ingress resources with an external address of the Ingress Controller. ## You must also specify the source of the external address either through an external service via controller.reportIngressStatus.externalService, @@ -408,9 +422,8 @@ controller: ## Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. controller.reportIngressStatus.enable must be set to true. enableLeaderElection: true - ## Specifies the name of the ConfigMap, within the same namespace as the controller, used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. - ## Autogenerated if not set or set to "". - # leaderElectionLockName: "nginx-ingress-leader-election" + ## Specifies the name to be used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. + leaderElectionLockName: "nginx-ingress-leader" ## The annotations of the leader election configmap. annotations: {} 
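Review bot: `leaderElectionLockName` now defaults to the fixed string `"nginx-ingress-leader"` (hunk at -408), where the removed comment described the name as autogenerated when unset. Unless the template prefixes the value with the release name, which is not visible in this diff, two releases installed in the same namespace would contend for one lock and only one of them would report Ingress status. The new comment also drops the statement that the lock is a ConfigMap, while the next line still reads "The annotations of the leader election configmap", so the two comments no longer agree on the lock's resource type. I would state the derivation and the constraint explicitly, for example `## Name of the leader election lock. Releases sharing a namespace must use different names.`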
@@ -441,9 +454,18 @@ controller: ## Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. disableIPV6: false + ## Sets the port for the HTTP `default_server` listener. + defaultHTTPListenerPort: 80 + + ## Sets the port for the HTTPS `default_server` listener. + defaultHTTPSListenerPort: 443 + ## Configure root filesystem as read-only and add volumes for temporary data. readOnlyRootFilesystem: false + ## Enable dynamic reloading of certificates + enableSSLDynamicReload: true + rbac: ## Configures RBAC. create: true @@ -483,7 +505,7 @@ prometheus: ## A list of endpoints allowed as part of this ServiceMonitor. ## Matches on the name of a Service port. endpoints: - - port: prometheus + - port: prometheus serviceInsight: ## Expose NGINX Plus Service Insight endpoint. diff --git a/charts/fairwinds/polaris/CHANGELOG.md b/charts/fairwinds/polaris/CHANGELOG.md index 581cee468..4e18536ce 100644 --- a/charts/fairwinds/polaris/CHANGELOG.md +++ b/charts/fairwinds/polaris/CHANGELOG.md @@ -5,6 +5,9 @@ All notable changes to this Helm chart will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this chart adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). +## 5.17.0 +* Removed the switch for networking apiVersion and default to networking/v1 + ## 5.16.0 * Added default PDBs for both the webhook and the dashboard diff --git a/charts/fairwinds/polaris/Chart.yaml b/charts/fairwinds/polaris/Chart.yaml index a786df4e7..b525554ae 100644 --- a/charts/fairwinds/polaris/Chart.yaml +++ b/charts/fairwinds/polaris/Chart.yaml @@ -12,4 +12,4 @@ maintainers: - email: robertb@fairwinds.com name: rbren name: polaris -version: 5.16.0 +version: 5.17.0 diff --git a/charts/fairwinds/polaris/templates/ingress.yaml b/charts/fairwinds/polaris/templates/ingress.yaml index d0cdd308f..92318bde9 100644 --- a/charts/fairwinds/polaris/templates/ingress.yaml 
+++ b/charts/fairwinds/polaris/templates/ingress.yaml @@ -1,10 +1,6 @@ {{- if .Values.dashboard.ingress.enabled -}} {{ $serviceName := printf "%s-dashboard" (include "polaris.fullname" .) -}} -{{- if not (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} -apiVersion: networking.k8s.io/v1beta1 -{{- else }} apiVersion: networking.k8s.io/v1 -{{- end }} kind: Ingress metadata: annotations: @@ -17,9 +13,7 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} name: polaris spec: -{{- if and (.Values.dashboard.ingress.ingressClassName) (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} ingressClassName: {{ .Values.dashboard.ingress.ingressClassName }} -{{- end }} {{- if .Values.dashboard.ingress.defaultBackendEnabled }} defaultBackend: service: @@ -32,11 +26,6 @@ spec: - host: {{ . }} http: paths: - {{- if not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} - - backend: - serviceName: {{ $serviceName }} - servicePort: 80 - {{- else }} - backend: service: name: {{ $serviceName }} @@ -44,7 +33,6 @@ spec: number: 80 path: / pathType: Prefix - {{- end }} {{- end -}} {{- if .Values.dashboard.ingress.tls }} tls: diff --git a/charts/gluu/gluu/Chart.yaml b/charts/gluu/gluu/Chart.yaml index 8bd5292ed..2278afc21 100644 --- a/charts/gluu/gluu/Chart.yaml +++ b/charts/gluu/gluu/Chart.yaml 
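Review bot: `ingressClassName` is now rendered unconditionally (hunk at -17), because the removed `if and (...)` guard checked both the API capability and that `.Values.dashboard.ingress.ingressClassName` is set. With the value unset the manifest gets an empty `ingressClassName:` key instead of omitting the field. Keeping the value half of the guard, `{{- if .Values.dashboard.ingress.ingressClassName }}` before the line and `{{- end }}` after it, preserves the previous output for users who rely on a default IngressClass. With the `networking.k8s.io/v1beta1` fallback removed in the hunks at -1 and -32, the chart's `kubeVersion` constraint in Chart.yaml (not changed in this diff) should reflect the new minimum cluster version.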
@@ -1,28 +1,26 @@ annotations: - artifacthub.io/changes: | - - Chart 5.0.23 release artifacthub.io/containsSecurityUpdates: "true" artifacthub.io/images: | - name: auth-server - image: ghcr.io/janssenproject/jans/auth-server:1.0.19_dev + image: ghcr.io/janssenproject/jans/auth-server:1.0.21-1 - name: auth-server-key-rotation - image: ghcr.io/janssenproject/jans/certmanager:1.0.19_dev + image: ghcr.io/janssenproject/jans/certmanager:1.0.21-1 - name: configuration-manager - image: ghcr.io/janssenproject/jans/configurator:1.0.19_dev + image: ghcr.io/janssenproject/jans/configurator:1.0.21-1 - name: config-api - image: ghcr.io/janssenproject/jans/config-api:1.0.19_dev + image: ghcr.io/janssenproject/jans/config-api:1.0.21-1 - name: fido2 - image: ghcr.io/janssenproject/jans/fido2:1.0.19_dev + image: ghcr.io/janssenproject/jans/fido2:1.0.21-1 - name: opendj - image: gluufederation/opendj:5.0.0-1 + image: gluufederation/opendj:5.0.0_dev - name: persistence - image: ghcr.io/janssenproject/jans/persistence-loader:1.0.19_dev + image: ghcr.io/janssenproject/jans/persistence-loader:1.0.21-1 - name: scim - image: ghcr.io/janssenproject/jans/scim:1.0.19_dev + image: ghcr.io/janssenproject/jans/scim:1.0.21-1 - name: casa - image: ghcr.io/janssenproject/jans/casa:1.0.19_dev + image: ghcr.io/janssenproject/jans/casa:1.0.21-1 - name: admin-ui - image: ghcr.io/gluufederation/flex/admin-ui:1.0.19_dev + image: ghcr.io/gluufederation/flex/admin-ui:1.0.21-1 artifacthub.io/license: Apache-2.0 artifacthub.io/prerelease: "true" catalog.cattle.io/certified: partner 
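Review bot: The `opendj` entry in `artifacthub.io/images` moves from the release tag `5.0.0-1` to `gluufederation/opendj:5.0.0_dev`, while every other image in the list moves from a `_dev` tag to `1.0.21-1`. A `_dev` tag is presumably a moving development build, so the advertised image for the directory service is no longer a fixed artifact in a chart that declares `containsSecurityUpdates: "true"`. I would keep a release tag here, `image: gluufederation/opendj:5.0.0-1` or whichever release the opendj sub-chart actually deploys, and confirm the annotation matches the sub-chart's `values.yaml`. The same hunk removes `artifacthub.io/changes`, which leaves consumers with no record of what the security update contains.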
@@ -36,59 +34,51 @@ dependencies: - condition: global.config.enabled name: config repository: file://./charts/config - version: 5.0.23 + version: 5.0.24 - condition: global.config-api.enabled name: config-api repository: file://./charts/config-api - version: 5.0.23 + version: 5.0.24 - condition: global.opendj.enabled name: opendj repository: file://./charts/opendj - version: 5.0.23 + version: 5.0.24 - condition: global.auth-server.enabled name: auth-server repository: file://./charts/auth-server - version: 5.0.23 + version: 5.0.24 - condition: global.admin-ui.enabled name: admin-ui repository: file://./charts/admin-ui - version: 5.0.23 + version: 5.0.24 - condition: global.fido2.enabled name: fido2 repository: file://./charts/fido2 - version: 5.0.23 + version: 5.0.24 - condition: global.scim.enabled name: scim repository: file://./charts/scim - version: 5.0.23 + version: 5.0.24 - condition: global.nginx-ingress.enabled name: nginx-ingress repository: file://./charts/nginx-ingress - version: 5.0.23 -- condition: global.oxshibboleth.enabled - name: oxshibboleth - repository: file://./charts/oxshibboleth - version: 5.0.23 -- condition: global.oxpassport.enabled - name: oxpassport - repository: file://./charts/oxpassport - version: 5.0.23 + version: 5.0.24 - condition: global.casa.enabled name: casa repository: file://./charts/casa - version: 5.0.23 + version: 5.0.24 - condition: global.auth-server-key-rotation.enabled name: auth-server-key-rotation repository: file://./charts/auth-server-key-rotation - version: 5.0.23 + version: 5.0.24 - condition: global.persistence.enabled name: persistence repository: file://./charts/persistence - version: 5.0.23 + version: 5.0.24 - condition: global.istio.ingress name: cn-istio-ingress repository: file://./charts/cn-istio-ingress - version: 5.0.23 + version: 5.0.24 description: Gluu Access and Identity Management home: https://www.gluu.org icon: https://gluu.org/docs/gluu-server/favicon.ico 
@@ -98,6 +88,5 @@ maintainers: name: moabu name: gluu sources: -- https://gluu.org/docs/gluu-server -- https://github.com/GluuFederation/flex/flex-cn-setup -version: 5.0.23 +- https://docs.gluu.org +version: 5.0.24 diff --git a/charts/gluu/gluu/README.md b/charts/gluu/gluu/README.md index 502b849d9..fa27c946a 100644 --- a/charts/gluu/gluu/README.md +++ b/charts/gluu/gluu/README.md @@ -1,6 +1,6 @@ # gluu -![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) Gluu Access and Identity Management @@ -14,8 +14,7 @@ Gluu Access and Identity Management ## Source Code -* -* +* ## Requirements 
@@ -23,26 +22,24 @@ Kubernetes: `>=v1.21.0-0` | Repository | Name | Version | |------------|------|---------| -| | admin-ui | 5.0.23 | -| | auth-server | 5.0.23 | -| | auth-server-key-rotation | 5.0.23 | -| | casa | 5.0.23 | -| | cn-istio-ingress | 5.0.23 | -| | config | 5.0.23 | -| | config-api | 5.0.23 | -| | fido2 | 5.0.23 | -| | nginx-ingress | 5.0.23 | -| | opendj | 5.0.23 | -| | oxpassport | 5.0.23 | -| | oxshibboleth | 5.0.23 | -| | persistence | 5.0.23 | -| | scim | 5.0.23 | +| | admin-ui | 5.0.24 | +| | auth-server | 5.0.24 | +| | auth-server-key-rotation | 5.0.24 | +| | casa | 5.0.24 | +| | cn-istio-ingress | 5.0.24 | +| | config | 5.0.24 | +| | config-api | 5.0.24 | +| | fido2 | 5.0.24 | +| | nginx-ingress | 5.0.24 | +| | opendj | 5.0.24 | +| | persistence | 5.0.24 | +| | scim | 5.0.24 | ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| -| admin-ui | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/gluufederation/flex/admin-ui","tag":"1.0.19-1"},"lifecycle":{},"livenessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Admin GUI for configuration of the auth-server | +| admin-ui | object | 
`{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/gluufederation/flex/admin-ui","tag":"1.0.21-1"},"lifecycle":{},"livenessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Admin GUI for configuration of the auth-server | | admin-ui.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | | admin-ui.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | | admin-ui.dnsConfig | object | `{}` | Add custom dns config | 
@@ -53,7 +50,7 @@ Kubernetes: `>=v1.21.0-0` | admin-ui.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | admin-ui.image.pullSecrets | list | `[]` | Image Pull Secrets | | admin-ui.image.repository | string | `"ghcr.io/gluufederation/flex/admin-ui"` | Image to use for deploying. | -| admin-ui.image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| admin-ui.image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | | admin-ui.livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | | admin-ui.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | | admin-ui.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | 
@@ -69,16 +66,17 @@ Kubernetes: `>=v1.21.0-0` | admin-ui.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | admin-ui.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | admin-ui.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| auth-server | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/auth-server","tag":"1.0.19-1"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. 
| -| auth-server-key-rotation | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/certmanager","tag":"1.0.19-1"},"keysLife":48,"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for regenerating auth-keys per x hours | +| auth-server | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/auth-server","tag":"1.0.21-1"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. 
| +| auth-server-key-rotation | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/certmanager","tag":"1.0.21-1"},"keysLife":48,"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for regenerating auth-keys per x hours | | auth-server-key-rotation.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | | auth-server-key-rotation.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server-key-rotation.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | | auth-server-key-rotation.dnsConfig | object | `{}` | Add custom dns config | | auth-server-key-rotation.dnsPolicy | string | `""` | Add custom dns policy | | auth-server-key-rotation.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | auth-server-key-rotation.image.pullSecrets | list | `[]` | Image Pull Secrets | | auth-server-key-rotation.image.repository | string | `"ghcr.io/janssenproject/jans/certmanager"` | Image to use for deploying. | -| auth-server-key-rotation.image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| auth-server-key-rotation.image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | | auth-server-key-rotation.keysLife | int | `48` | Auth server key rotation keys life in hours | | auth-server-key-rotation.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. 
| | auth-server-key-rotation.resources.limits.cpu | string | `"300m"` | CPU limit. | @@ -92,6 +90,7 @@ Kubernetes: `>=v1.21.0-0` | auth-server-key-rotation.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | | auth-server.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | | auth-server.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | | auth-server.dnsConfig | object | `{}` | Add custom dns config | | auth-server.dnsPolicy | string | `""` | Add custom dns policy | | auth-server.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | 
@@ -100,7 +99,7 @@ Kubernetes: `>=v1.21.0-0` | auth-server.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | auth-server.image.pullSecrets | list | `[]` | Image Pull Secrets | | auth-server.image.repository | string | `"ghcr.io/janssenproject/jans/auth-server"` | Image to use for deploying. | -| auth-server.image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| auth-server.image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | | auth-server.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | | auth-server.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | | auth-server.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | 
@@ -117,7 +116,7 @@ Kubernetes: `>=v1.21.0-0` | auth-server.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | auth-server.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | auth-server.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| casa | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/gluufederation/flex/casa","tag":"5.0.0-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. 
| +| casa | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/casa","tag":"1.0.21-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. | | casa.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | | casa.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | | casa.dnsConfig | object | `{}` | Add custom dns config | 
@@ -127,13 +126,13 @@ Kubernetes: `>=v1.21.0-0` | casa.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | | casa.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | casa.image.pullSecrets | list | `[]` | Image Pull Secrets | -| casa.image.repository | string | `"ghcr.io/gluufederation/flex/casa"` | Image to use for deploying. | -| casa.image.tag | string | `"5.0.0-1"` | Image tag to use for deploying. | -| casa.livenessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | -| casa.livenessProbe.httpGet.path | string | `"/casa/health-check"` | http liveness probe endpoint | +| casa.image.repository | string | `"ghcr.io/janssenproject/jans/casa"` | Image to use for deploying. | +| casa.image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | +| casa.livenessProbe | object | `{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| casa.livenessProbe.httpGet.path | string | `"/jans-casa/health-check"` | http liveness probe endpoint | | casa.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | -| casa.readinessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | -| casa.readinessProbe.httpGet.path | string | `"/casa/health-check"` | http readiness probe endpoint | +| casa.readinessProbe | object | `{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. 
| +| casa.readinessProbe.httpGet.path | string | `"/jans-casa/health-check"` | http readiness probe endpoint | | casa.replicas | int | `1` | Service replica number. | | casa.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | | casa.resources.limits.cpu | string | `"500m"` | CPU limit. | 
@@ -146,8 +145,8 @@ Kubernetes: `>=v1.21.0-0` | casa.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | casa.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | casa.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| config | object | `{"additionalAnnotations":{},"additionalLabels":{},"adminPassword":"Test1234#","city":"Austin","configmap":{"cnAwsAccessKeyId":"","cnAwsDefaultRegion":"us-west-1","cnAwsProfile":"gluu","cnAwsSecretAccessKey":"","cnAwsSecretsEndpointUrl":"","cnAwsSecretsNamePrefix":"gluu","cnAwsSecretsReplicaRegions":[],"cnCacheType":"NATIVE_PERSISTENCE","cnConfigKubernetesConfigMap":"cn","cnCouchbaseBucketPrefix":"jans","cnCouchbaseCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnCouchbaseIndexNumReplica":0,"cnCouchbasePassword":"P@ssw0rd","cnCouchbaseSuperUser":"admin","cnCouchbaseSuperUserPassword":"Test1234#","cnCouchbaseUrl":"cbgluu.default.svc.cluster.local","cnCouchbaseUser":"gluu","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSecretNamePrefix":"gluu","cnGoogleSecretVersionId":"latest","cnGoogleSpannerDatabaseId":"","cnGoogleSpannerInstanceId":"","cnJettyRequestHeaderSize":8192,"cnLdapUrl":"opendj:1636","cnMaxRamPercent":"75.0","cnPersistenceHybridMapping":"{}","cnRedisSentinelGroup":"","cnRedisSslTruststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnScimProtectionMode":"OAUTH","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"gluu","cnSqlDbPort":3306,"cnSqlDbSchema":"","cnSqlDbTimezone":"UTC","cnSqlDbUser":"gluu","cnSqldbUserPassword":"Test1234#","lbAddr":""},"countryCode":"US","dnsConfig":{},"dnsPolicy":"","email":"support@gluu
.org","image":{"pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/configurator","tag":"1.0.19-1"},"ldapPassword":"P@ssw0rds","lifecycle":{},"migration":{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"},"orgName":"Gluu","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. | -| config-api | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/config-api","tag":"1.0.19-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). 
| +| config | object | `{"additionalAnnotations":{},"additionalLabels":{},"adminPassword":"Test1234#","city":"Austin","configmap":{"cnAwsAccessKeyId":"","cnAwsDefaultRegion":"us-west-1","cnAwsProfile":"gluu","cnAwsSecretAccessKey":"","cnAwsSecretsEndpointUrl":"","cnAwsSecretsNamePrefix":"gluu","cnAwsSecretsReplicaRegions":[],"cnCacheType":"NATIVE_PERSISTENCE","cnConfigKubernetesConfigMap":"cn","cnCouchbaseBucketPrefix":"jans","cnCouchbaseCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnCouchbaseIndexNumReplica":0,"cnCouchbasePassword":"P@ssw0rd","cnCouchbaseSuperUser":"admin","cnCouchbaseSuperUserPassword":"Test1234#","cnCouchbaseUrl":"cbgluu.default.svc.cluster.local","cnCouchbaseUser":"gluu","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSecretNamePrefix":"gluu","cnGoogleSecretVersionId":"latest","cnGoogleSpannerDatabaseId":"","cnGoogleSpannerInstanceId":"","cnJettyRequestHeaderSize":8192,"cnLdapCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnLdapKey":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnLdapUrl":"opendj:1636","cnMaxRamPercent":"75.0","cnPersistenceHybridMapping":"{}","cnRedisSentinelGroup":"","cnRedisSslTruststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnScimProtectionMode":"OAUTH","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"gluu","cnSqlDbPort":3306,"cnSqlDbSchema":"","cnSqlDbTimezone":"UTC","cnSqlDbUser":"gluu","cnSqldbUserPassword":"Test1234#","lbAddr":""},"countryCode":"US","dnsConfig":{},"dnsPolicy":"","email":"support@gluu.org","image":{"pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/configurator","tag":"1.0.21-1"},"ldapPassword":"P@ssw0rds","ldapTruststorePassword":"changeit","lifecycle":{},"migration":{"enabled":false,"migrationDataFormat":"ld
if","migrationDir":"/ce-migration"},"orgName":"Gluu","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. | +| config-api | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/config-api","tag":"1.0.21-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). | | config-api.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | | config-api.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | | config-api.dnsConfig | object | `{}` | Add custom dns config | 
@@ -158,7 +157,7 @@ Kubernetes: `>=v1.21.0-0` | config-api.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | config-api.image.pullSecrets | list | `[]` | Image Pull Secrets | | config-api.image.repository | string | `"ghcr.io/janssenproject/jans/config-api"` | Image to use for deploying. | -| config-api.image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| config-api.image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | | config-api.livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | | config-api.livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | http liveness probe endpoint | | config-api.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | 
@@ -196,6 +195,8 @@ Kubernetes: `>=v1.21.0-0` | config.configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | | config.configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | | config.configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| config.configmap.cnLdapCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | OpenDJ certificate string. This must be encoded using base64. | +| config.configmap.cnLdapKey | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | OpenDJ key string. This must be encoded using base64. | | config.configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | | config.configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | | config.configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. { "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | 
@@ -221,8 +222,9 @@ Kubernetes: `>=v1.21.0-0` | config.email | string | `"support@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | | config.image.pullSecrets | list | `[]` | Image Pull Secrets | | config.image.repository | string | `"ghcr.io/janssenproject/jans/configurator"` | Image to use for deploying. | -| config.image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| config.image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | | config.ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpenDJ is used for persistence. | +| config.ldapTruststorePassword | string | `"changeit"` | LDAP truststore password if OpenDJ is used for persistence | | config.migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | | config.migration.enabled | bool | `false` | Boolean flag to enable migration from CE | | config.migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. | 
@@ -240,7 +242,7 @@ Kubernetes: `>=v1.21.0-0` | config.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | | config.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | config.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| fido2 | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/fido2","tag":"1.0.19-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"service":{"name":"http-fido2","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. 
| +| fido2 | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/fido2","tag":"1.0.21-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"service":{"name":"http-fido2","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. | | fido2.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | | fido2.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | | fido2.dnsConfig | object | `{}` | Add custom dns config | 
@@ -251,7 +253,7 @@ Kubernetes: `>=v1.21.0-0` | fido2.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | fido2.image.pullSecrets | list | `[]` | Image Pull Secrets | | fido2.image.repository | string | `"ghcr.io/janssenproject/jans/fido2"` | Image to use for deploying. | -| fido2.image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| fido2.image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | | fido2.livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | | fido2.livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | | fido2.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | 
@@ -270,12 +272,12 @@ Kubernetes: `>=v1.21.0-0` | fido2.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | fido2.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | fido2.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| global | object | `{"admin-ui":{"adminUiServiceName":"admin-ui","enabled":true,"ingress":{"adminUiEnabled":false}},"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 RSA-OAEP","authServerServiceName":"auth-server","authSigKeys":"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 
PS512","enabled":true,"ingress":{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true}},"auth-server-key-rotation":{"enabled":false},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","casa":{"appLoggers":{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"},"casaServiceName":"casa","enabled":true,"ingress":{"casaEnabled":false}},"cloud":{"testEnviroment":false},"cnAwsConfigFile":"/etc/jans/conf/aws_config_file","cnAwsSecretsReplicaRegionsFile":"/etc/jans/conf/aws_secrets_replica_regions","cnAwsSharedCredentialsFile":"/etc/jans/conf/aws_shared_credential_file","cnDocumentStoreType":"LOCAL","cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnObExtSigningAlias":"","cnObExtSigningJwksCrt":"","cnObExtSigningJwksKey":"","cnObExtSigningJwksKeyPassPhrase":"","cnObExtSigningJwksUri":"","cnObStaticSigningKeyKid":"","cnObTransportAlias":"","cnObTransportCrt":"","cnObTransportKey":"","cnObTransportKeyPassPhrase":"","cnObTransportTrustStore":"","cnPersistenceType":"sql","cnPrometheusPort":"","config":{"enabled":true},"config-api":{"adminUiAppLoggers":{"adminUiAuditLogLevel":"INFO","adminUiAuditLogTarget":"FILE","adminUiLogLevel":"INFO","adminUiLogTarget":"FILE","enableStdoutLogPrefix":"true"},"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"configApiServerServiceName":"config-api","enabled":true,"ingress":{"configApiEnabled":true}},
"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","distribution":"default","fido2":{"appLoggers":{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"fido2ServiceName":"fido2","ingress":{"fido2ConfigEnabled":false}},"fqdn":"demoexample.gluu.org","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"gateways":[],"ingress":false,"namespace":"istio-system"},"jobTtlSecondsAfterFinished":300,"lbIp":"22.22.22.22","licenseSsa":"","nginx-ingress":{"enabled":true},"opendj":{"enabled":false,"ldapServiceName":"opendj"},"oxpassport":{"enabled":false,"oxPassportServiceName":"oxpassport"},"oxshibboleth":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","consentAuditLogLevel":"INFO","consentAuditLogTarget":"FILE","containerLogLevel":"","encryptionLogLevel":"","httpclientLogLevel":"","idpLogLevel":"INFO","idpLogTarget":"STDOUT","ldapLogLevel":"","messagesLogLevel":"","opensamlLogLevel":"","propsLogLevel":"","scriptLogLevel":"INFO","scriptLogTarget":"FILE","springLogLevel":"","xmlsecLogLevel":""},"enabled":false,"oxShibbolethServiceName":"oxshibboleth"},"persistence":{"enabled":true},"scim":{"appLoggers":{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"ingress":{"scimConfigEnabled":false,"scimEnabled":false},"scimServiceName":"scim"},"storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s
.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. | +| global | object | `{"admin-ui":{"adminUiServiceName":"admin-ui","enabled":true,"ingress":{"adminUiEnabled":false}},"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 RSA-OAEP","authServerServiceName":"auth-server","authSigKeys":"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512","enabled":true,"ingress":{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true}},"auth-server-key-rotation":{"enabled":true},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","casa":{"appLoggers":{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"},"casaServiceName":"casa","enabled":true,"ingress":{"casaEnabled":false}},"cloud":{"testEnviroment":false},"cnAwsConfigFile":"/etc/jans/conf/aws_config_file","cnAwsSecretsReplicaRegionsFile":"/etc/jans/conf/aws_secrets_replica_regions","cnAwsSharedCredentialsFile":"/etc/jans/conf/aws_shared_credential_file","cnCouchbasePasswordFile":"/etc/jans/conf/couchbase_password","cnCouchbaseSuperuserPasswordFile":"/etc/jans/conf/couchbase_superuser_password","cnDocumentStoreType":"LOCAL","cnGoogleApplic
ationCredentials":"/etc/jans/conf/google-credentials.json","cnLdapCacertFile":"/etc/certs/opendj.pem","cnLdapCertFile":"/etc/certs/opendj.crt","cnLdapKeyFile":"/etc/certs/opendj.key","cnLdapPasswordFile":"/etc/jans/conf/ldap_password","cnLdapTruststoreFile":"/etc/certs/opendj.pkcs12","cnLdapTruststorePasswordFile":"/etc/jans/conf/ldap_truststore_password","cnObExtSigningAlias":"","cnObExtSigningJwksCrt":"","cnObExtSigningJwksKey":"","cnObExtSigningJwksKeyPassPhrase":"","cnObExtSigningJwksUri":"","cnObStaticSigningKeyKid":"","cnObTransportAlias":"","cnObTransportCrt":"","cnObTransportKey":"","cnObTransportKeyPassPhrase":"","cnObTransportTrustStore":"","cnPersistenceType":"sql","cnPrometheusPort":"","cnSqlPasswordFile":"/etc/jans/conf/sql_password","config":{"enabled":true},"config-api":{"adminUiAppLoggers":{"adminUiAuditLogLevel":"INFO","adminUiAuditLogTarget":"FILE","adminUiLogLevel":"INFO","adminUiLogTarget":"FILE","enableStdoutLogPrefix":"true"},"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"configApiServerServiceName":"config-api","enabled":true,"ingress":{"configApiEnabled":true}},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","distribution":"default","fido2":{"appLoggers":{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"fido2ServiceName":"fido2","ingress":{"fido2ConfigEnabled":false}},"fqdn":"demoexample.gluu.org","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"additionalAnnotations":{},"additionalLabels
":{},"enabled":false,"gateways":[],"ingress":false,"namespace":"istio-system"},"jobTtlSecondsAfterFinished":300,"lbIp":"22.22.22.22","licenseSsa":"","nginx-ingress":{"enabled":true},"opendj":{"enabled":false,"ldapServiceName":"opendj"},"persistence":{"enabled":true},"scim":{"appLoggers":{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"ingress":{"scimConfigEnabled":false,"scimEnabled":false},"scimServiceName":"scim"},"storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. | | global.admin-ui.adminUiServiceName | string | `"admin-ui"` | Name of the admin-ui service. Please keep it as default. | | global.admin-ui.enabled | bool | `true` | Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. | | global.admin-ui.ingress.adminUiEnabled | bool | `false` | Enable Admin UI endpoints in either istio or nginx ingress depending on users choice | | global.alb.ingress | bool | `false` | Activates ALB ingress | -| global.auth-server-key-rotation.enabled | bool | `false` | Boolean flag to enable/disable the auth-server-key rotation cronjob chart. | +| global.auth-server-key-rotation.enabled | bool | `true` | Boolean flag to enable/disable the auth-server-key rotation cronjob chart. 
| | global.auth-server.appLoggers | object | `{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | | global.auth-server.appLoggers.auditStatsLogLevel | string | `"INFO"` | jans-auth_audit.log level | | global.auth-server.appLoggers.auditStatsLogTarget | string | `"FILE"` | jans-auth_script.log target | 
@@ -321,8 +323,16 @@ Kubernetes: `>=v1.21.0-0` | global.casa.ingress | object | `{"casaEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | | global.casa.ingress.casaEnabled | bool | `false` | Enable casa endpoints /casa | | global.cloud.testEnviroment | bool | `false` | Boolean flag if enabled will strip resources requests and limits from all services. | +| global.cnCouchbasePasswordFile | string | `"/etc/jans/conf/couchbase_password"` | Path to Couchbase password file | +| global.cnCouchbaseSuperuserPasswordFile | string | `"/etc/jans/conf/couchbase_superuser_password"` | Path to Couchbase superuser password file | | global.cnDocumentStoreType | string | `"LOCAL"` | Document store type to use for shibboleth files LOCAL. | | global.cnGoogleApplicationCredentials | string | `"/etc/jans/conf/google-credentials.json"` | Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. | +| global.cnLdapCacertFile | string | `"/etc/certs/opendj.pem"` | Path to OpenDJ CA cert file | +| global.cnLdapCertFile | string | `"/etc/certs/opendj.crt"` | Path to OpenDJ cert file | +| global.cnLdapKeyFile | string | `"/etc/certs/opendj.key"` | Path to OpenDJ key file | +| global.cnLdapPasswordFile | string | `"/etc/jans/conf/ldap_password"` | Path to LDAP password file | +| global.cnLdapTruststoreFile | string | `"/etc/certs/opendj.pkcs12"` | Path to OpenDJ truststore file | +| global.cnLdapTruststorePasswordFile | string | `"/etc/jans/conf/ldap_truststore_password"` | Path to LDAP truststore password file | | global.cnObExtSigningAlias | string | `""` | Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. 
XkwIzWy44xWSlcWnMiEc8iq9s2G | | global.cnObExtSigningJwksCrt | string | `""` | Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. | | global.cnObExtSigningJwksKey | string | `""` | Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. | @@ -336,6 +346,7 @@ Kubernetes: `>=v1.21.0-0` | global.cnObTransportTrustStore | string | `""` | Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. | | global.cnPersistenceType | string | `"sql"` | Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. | | global.cnPrometheusPort | string | `""` | Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. | +| global.cnSqlPasswordFile | string | `"/etc/jans/conf/sql_password"` | Path to SQL password file | | global.config-api.adminUiAppLoggers.adminUiAuditLogLevel | string | `"INFO"` | config-api admin-ui plugin audit log level | | global.config-api.adminUiAppLoggers.adminUiAuditLogTarget | string | `"FILE"` | config-api admin-ui plugin audit log target | | global.config-api.adminUiAppLoggers.adminUiLogLevel | string | `"INFO"` | config-api admin-ui plugin log target | 
@@ -389,20 +400,6 @@ Kubernetes: `>=v1.21.0-0` | global.nginx-ingress.enabled | bool | `true` | Boolean flag to enable/disable the nginx-ingress definitions chart. | | global.opendj.enabled | bool | `false` | Boolean flag to enable/disable the OpenDJ chart. | | global.opendj.ldapServiceName | string | `"opendj"` | Name of the OpenDJ service. Please keep it as default. | -| global.oxpassport.enabled | bool | `false` | Boolean flag to enable/disable passport chart | -| global.oxpassport.oxPassportServiceName | string | `"oxpassport"` | Name of the oxPassport service. Please keep it as default. | -| global.oxshibboleth.appLoggers | object | `{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","consentAuditLogLevel":"INFO","consentAuditLogTarget":"FILE","containerLogLevel":"","encryptionLogLevel":"","httpclientLogLevel":"","idpLogLevel":"INFO","idpLogTarget":"STDOUT","ldapLogLevel":"","messagesLogLevel":"","opensamlLogLevel":"","propsLogLevel":"","scriptLogLevel":"INFO","scriptLogTarget":"FILE","springLogLevel":"","xmlsecLogLevel":""}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. 
log levels are "OFF", "FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE" Targets are "STDOUT" and "FILE" | -| global.oxshibboleth.appLoggers.auditStatsLogLevel | string | `"INFO"` | idp-audit.log level | -| global.oxshibboleth.appLoggers.auditStatsLogTarget | string | `"FILE"` | idp-audit.log target | -| global.oxshibboleth.appLoggers.consentAuditLogLevel | string | `"INFO"` | idp-consent-audit.log level | -| global.oxshibboleth.appLoggers.consentAuditLogTarget | string | `"FILE"` | idp-consent-audit.log target | -| global.oxshibboleth.appLoggers.idpLogLevel | string | `"INFO"` | idp-process.log level | -| global.oxshibboleth.appLoggers.idpLogTarget | string | `"STDOUT"` | idp-process.log target | -| global.oxshibboleth.appLoggers.ldapLogLevel | string | `""` | https://github.com/GluuFederation/docker-oxshibboleth#additional-logger-configuration The below are very noisy logs and are better left untouched | -| global.oxshibboleth.appLoggers.scriptLogLevel | string | `"INFO"` | idp-script.log level | -| global.oxshibboleth.appLoggers.scriptLogTarget | string | `"FILE"` | idp-script.log target | -| global.oxshibboleth.enabled | bool | `false` | Boolean flag to enable/disable the oxShibbboleth chart. | -| global.oxshibboleth.oxShibbolethServiceName | string | `"oxshibboleth"` | Name of the oxShibboleth service. Please keep it as default. | | global.persistence.enabled | bool | `true` | Boolean flag to enable/disable the persistence chart. | | global.scim.appLoggers | object | `{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. 
| | global.scim.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO | 
@@ -463,10 +460,11 @@ Kubernetes: `>=v1.21.0-0` | nginx-ingress.ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | | nginx-ingress.ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | | nginx-ingress.ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | -| opendj | object | `{"additionalAnnotations":{},"additionalLabels":{},"backup":{"cronJobSchedule":"*/59 * * * *","enabled":true},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/opendj","tag":"5.0.0-1"},"lifecycle":{"preStop":{"exec":{"command":["/bin/sh","-c","python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"]}}},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":1},"persistence":{"size":"5Gi"},"ports":{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OpenDJ is a directory server which implements a 
wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. | +| opendj | object | `{"additionalAnnotations":{},"additionalLabels":{},"backup":{"cronJobSchedule":"*/59 * * * *","enabled":true},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/opendj","tag":"5.0.0-1"},"lifecycle":{"preStop":{"exec":{"command":["/bin/sh","-c","python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"]}}},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":1},"persistence":{"size":"5Gi"},"ports":{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 
but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. | | opendj.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | | opendj.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | | opendj.backup | object | `{"cronJobSchedule":"*/59 * * * *","enabled":true}` | Configure ldap backup cronjob | +| opendj.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | | opendj.dnsConfig | object | `{}` | Add custom dns config | | opendj.dnsPolicy | string | `""` | Add custom dns policy | | opendj.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | 
@@ -493,73 +491,16 @@ Kubernetes: `>=v1.21.0-0` | opendj.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | opendj.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | opendj.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| oxpassport | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/oxpassport","tag":"5.0.0-12"},"lifecycle":{},"livenessProbe":{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Gluu interface to Passport.js to support social login and inbound identity. 
| -| oxpassport.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | -| oxpassport.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | -| oxpassport.dnsConfig | object | `{}` | Add custom dns config | -| oxpassport.dnsPolicy | string | `""` | Add custom dns policy | -| oxpassport.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | -| oxpassport.hpa.behavior | object | `{}` | Scaling Policies | -| oxpassport.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | -| oxpassport.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | -| oxpassport.image.pullSecrets | list | `[]` | Image Pull Secrets | -| oxpassport.image.repository | string | `"gluufederation/oxpassport"` | Image to use for deploying. | -| oxpassport.image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | -| oxpassport.livenessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxPassport if needed. | -| oxpassport.livenessProbe.httpGet.path | string | `"/passport/health-check"` | http liveness probe endpoint | -| oxpassport.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | -| oxpassport.readinessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxPassport if needed. 
| -| oxpassport.readinessProbe.httpGet.path | string | `"/passport/health-check"` | http readiness probe endpoint | -| oxpassport.replicas | int | `1` | Service replica number | -| oxpassport.resources | object | `{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}}` | Resource specs. | -| oxpassport.resources.limits.cpu | string | `"700m"` | CPU limit. | -| oxpassport.resources.limits.memory | string | `"900Mi"` | Memory limit. | -| oxpassport.resources.requests.cpu | string | `"700m"` | CPU request. | -| oxpassport.resources.requests.memory | string | `"900Mi"` | Memory request. | -| oxpassport.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | -| oxpassport.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | -| oxpassport.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | -| oxpassport.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | -| oxpassport.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | -| oxpassport.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| oxshibboleth | object | 
`{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/oxshibboleth","tag":"5.0.0-12"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":1},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Shibboleth project for the Gluu Server's SAML IDP functionality. | -| oxshibboleth.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | -| oxshibboleth.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | -| oxshibboleth.dnsConfig | object | `{}` | Add custom dns config | -| oxshibboleth.dnsPolicy | string | `""` | Add custom dns policy | -| oxshibboleth.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | -| oxshibboleth.hpa.behavior | object | `{}` | Scaling Policies | -| oxshibboleth.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | -| oxshibboleth.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. 
| -| oxshibboleth.image.pullSecrets | list | `[]` | Image Pull Secrets | -| oxshibboleth.image.repository | string | `"gluufederation/oxshibboleth"` | Image to use for deploying. | -| oxshibboleth.image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | -| oxshibboleth.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxshibboleth if needed. https://github.com/GluuFederation/docker-oxshibboleth/blob/master/scripts/healthcheck.py | -| oxshibboleth.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | -| oxshibboleth.pdb | object | `{"enabled":true,"maxUnavailable":1}` | Configure the PodDisruptionBudget | -| oxshibboleth.readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | -| oxshibboleth.readinessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | -| oxshibboleth.replicas | int | `1` | Service replica number. | -| oxshibboleth.resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | -| oxshibboleth.resources.limits.cpu | string | `"1000m"` | CPU limit. | -| oxshibboleth.resources.limits.memory | string | `"1000Mi"` | Memory limit. | -| oxshibboleth.resources.requests.cpu | string | `"1000m"` | CPU request. | -| oxshibboleth.resources.requests.memory | string | `"1000Mi"` | Memory request. | -| oxshibboleth.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. 
Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | -| oxshibboleth.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | -| oxshibboleth.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | -| oxshibboleth.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | -| oxshibboleth.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | -| oxshibboleth.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| persistence | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/persistence-loader","tag":"1.0.19-1"},"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Job to generate data and initial config for Gluu Server persistence layer. | +| persistence | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/persistence-loader","tag":"1.0.21-1"},"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Job to generate data and initial config for Gluu Server persistence layer. 
| | persistence.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | | persistence.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| persistence.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | | persistence.dnsConfig | object | `{}` | Add custom dns config | | persistence.dnsPolicy | string | `""` | Add custom dns policy | | persistence.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | persistence.image.pullSecrets | list | `[]` | Image Pull Secrets | | persistence.image.repository | string | `"ghcr.io/janssenproject/jans/persistence-loader"` | Image to use for deploying. | -| persistence.image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| persistence.image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | | persistence.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | | persistence.resources.limits.cpu | string | `"300m"` | CPU limit | | persistence.resources.limits.memory | string | `"300Mi"` | Memory limit. | 
@@ -570,9 +511,10 @@ Kubernetes: `>=v1.21.0-0` | persistence.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | persistence.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | persistence.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| scim | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/scim","tag":"1.0.19-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"service":{"name":"http-scim","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | System for Cross-domain Identity Management (SCIM) version 2.0 | +| scim | object | 
`{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/scim","tag":"1.0.21-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"service":{"name":"http-scim","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | System for Cross-domain Identity Management (SCIM) version 2.0 | | scim.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | | scim.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| scim.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | | scim.dnsConfig | object | `{}` | Add custom dns config | | scim.dnsPolicy | string | `""` | Add custom dns policy | | scim.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | 
@@ -581,7 +523,7 @@ Kubernetes: `>=v1.21.0-0` | scim.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | scim.image.pullSecrets | list | `[]` | Image Pull Secrets | | scim.image.repository | string | `"ghcr.io/janssenproject/jans/scim"` | Image to use for deploying. | -| scim.image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| scim.image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | | scim.livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | | scim.livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | | scim.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | diff --git a/charts/gluu/gluu/charts/admin-ui/Chart.yaml b/charts/gluu/gluu/charts/admin-ui/Chart.yaml index 2599dcd5b..169b00209 100644 --- a/charts/gluu/gluu/charts/admin-ui/Chart.yaml +++ b/charts/gluu/gluu/charts/admin-ui/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 appVersion: 5.0.0 description: Admin GUI. Requires license. -home: https://gluu.org/docs/gluu-server +home: https://docs.gluu.org icon: https://gluu.org/docs/gluu-server/favicon.ico keywords: - Authorization @@ -15,6 +15,6 @@ maintainers: name: admin-ui sources: - https://github.com/GluuFederation/docker-gluu-admin-ui -- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/admin-ui +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/admin-ui type: application -version: 5.0.23 +version: 5.0.24 diff --git a/charts/gluu/gluu/charts/admin-ui/README.md b/charts/gluu/gluu/charts/admin-ui/README.md index 3a9fb9974..7870e21b3 100644 --- a/charts/gluu/gluu/charts/admin-ui/README.md +++ b/charts/gluu/gluu/charts/admin-ui/README.md 
@@ -1,10 +1,10 @@ # admin-ui -![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) Admin GUI. Requires license. -**Homepage:** +**Homepage:** ## Maintainers @@ -15,7 +15,7 @@ Admin GUI. Requires license. ## Source Code * -* +* ## Requirements @@ -27,6 +27,7 @@ Kubernetes: `>=v1.21.0-0` |-----|------|---------|-------------| | additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | | additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | | dnsConfig | object | `{}` | Add custom dns config | | dnsPolicy | string | `""` | Add custom dns policy | | hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | 
@@ -35,7 +36,7 @@ Kubernetes: `>=v1.21.0-0` | image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | image.pullSecrets | list | `[]` | Image Pull Secrets | | image.repository | string | `"gluufederation/admin-ui"` | Image to use for deploying. | -| image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | | lifecycle | object | `{}` | | | livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | | readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | diff --git a/charts/gluu/gluu/charts/admin-ui/templates/deployment.yml b/charts/gluu/gluu/charts/admin-ui/templates/deployment.yml index 9a173cad9..0dbaac066 100644 --- a/charts/gluu/gluu/charts/admin-ui/templates/deployment.yml +++ b/charts/gluu/gluu/charts/admin-ui/templates/deployment.yml 
@@ -51,13 +51,17 @@ spec: securityContext: runAsUser: 1000 runAsNonRoot: true - {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} command: - /bin/sh - -c - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} /usr/bin/python3 /scripts/updatelbip.py & - /app/scripts/entrypoint.sh + {{- end}} {{- end}} ports: - name: {{ .Values.service.name }} @@ -74,7 +78,7 @@ spec: name: {{ .Release.Name }}-global-user-custom-envs {{- end }} lifecycle: -{{- toYaml .Values.lifecycle | nindent 10 }} +{{- toYaml .Values.lifecycle | nindent 10 }} volumeMounts: {{- with .Values.volumeMounts }} {{- toYaml . | nindent 10 }} 
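Review bot: The rewritten `command` script no longer ends by running `/app/scripts/entrypoint.sh`: as this hunk reads, that line is removed and only a second `{{- end}}` is added, so the script holds just the custom scripts and, in the non-FQDN case, the backgrounded `updatelbip.py`. Because `command` replaces the image entrypoint, the container would exit once that script finishes. With an aws-ebs or openebs provisioner, a registered FQDN and no `customScripts`, the script body is empty. The cronjobs.yaml template changed in this same commit does call the entrypoint after its custom scripts, so I would restore `/app/scripts/entrypoint.sh` as the last script line, after the inner `{{- end}}` and before the outer one. The markers here come from a whitespace-collapsed diff, so confirm against `helm template` output for this chart.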
@@ -105,10 +109,26 @@ spec: {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} {{- if not .Values.global.istio.enabled }} - - name: cb-crt + - name: cb-crt mountPath: "/etc/certs/couchbase.crt" subPath: couchbase.crt {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password {{- end }} livenessProbe: {{- toYaml .Values.livenessProbe | nindent 10 }} 
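Review bot: The new `cb-pass`, `sql-pass` and `ldap-pass` files are mounted with `subPath`, and Kubernetes does not refresh a `subPath` mount when the backing Secret is updated, so a rotated database password will not reach a running admin-ui pod until the pod is restarted. Either mount each secret volume as a directory and point `cnSqlPasswordFile` and the other path values at a file inside it, or record the constraint next to the mounts with a comment such as `# subPath mount: pods must be restarted after this secret is rotated`. It is also worth confirming that admin-ui needs both `ldap_password` and `ldap_truststore_password`; nothing in this hunk shows which of the mounted credentials the container reads.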
@@ -162,14 +182,35 @@ spec: {{- end }} {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} {{- if not .Values.global.istio.enabled }} - - name: cb-crt + - name: cb-crt secret: secretName: {{ .Release.Name }}-cb-crt {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password {{- end }} {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} - name: {{ include "admin-ui.fullname" . }}-updatelbip configMap: name: {{ .Release.Name }}-updatelbip {{- end }} - \ No newline at end of file + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} diff --git a/charts/gluu/gluu/charts/admin-ui/values.yaml b/charts/gluu/gluu/charts/admin-ui/values.yaml index 368419ff9..22b82df27 100644 --- a/charts/gluu/gluu/charts/admin-ui/values.yaml +++ b/charts/gluu/gluu/charts/admin-ui/values.yaml @@ -27,7 +27,7 @@ image: # -- Image to use for deploying. repository: gluufederation/admin-ui # -- Image tag to use for deploying. - tag: 1.0.19-1 + tag: 1.0.21-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. 
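Review bot: The `sql-pass` volume is declared without `items`, so every key of `{{ .Release.Name }}-sql-pass` is projected into the volume, while `cb-pass` and `ldap-pass` list exactly the keys they expose. For consistency and least privilege I would add `items:` with `- key: sql_password` and `path: sql_password`, matching the `subPath: sql_password` used by the container mount. The Secret itself is defined outside this hunk, so check that it really carries that key name. The comment above the `cb-pass` items would read better as `# only the non-superuser couchbase password file is needed here`.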
@@ -86,3 +86,7 @@ lifecycle: {} additionalLabels: { } # -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] \ No newline at end of file diff --git a/charts/gluu/gluu/charts/auth-server-key-rotation/Chart.yaml b/charts/gluu/gluu/charts/auth-server-key-rotation/Chart.yaml index 1bfea05c2..06a084e8d 100644 --- a/charts/gluu/gluu/charts/auth-server-key-rotation/Chart.yaml +++ b/charts/gluu/gluu/charts/auth-server-key-rotation/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 appVersion: 5.0.0 description: Responsible for regenerating auth-keys per x hours -home: https://gluu.org/docs/gluu-server +home: https://docs.gluu.org icon: https://gluu.org/docs/gluu-server/favicon.ico keywords: - Auth keys Rotation @@ -13,6 +13,6 @@ maintainers: name: auth-server-key-rotation sources: - https://github.com/JanssenProject/docker-jans-certmanager -- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/auth-server-key-rotation +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/auth-server-key-rotation type: application -version: 5.0.23 +version: 5.0.24 diff --git a/charts/gluu/gluu/charts/auth-server-key-rotation/README.md b/charts/gluu/gluu/charts/auth-server-key-rotation/README.md index fd9dde044..f03d939d5 100644 --- a/charts/gluu/gluu/charts/auth-server-key-rotation/README.md +++ b/charts/gluu/gluu/charts/auth-server-key-rotation/README.md 
@@ -1,10 +1,10 @@ # auth-server-key-rotation -![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) Responsible for regenerating auth-keys per x hours -**Homepage:** +**Homepage:** ## Maintainers @@ -15,7 +15,7 @@ Responsible for regenerating auth-keys per x hours ## Source Code * -* +* ## Requirements @@ -28,12 +28,13 @@ Kubernetes: `>=v1.21.0-0` | additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | | additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | | affinity | object | `{}` | | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. | | dnsConfig | object | `{}` | Add custom dns config | | dnsPolicy | string | `""` | Add custom dns policy | | image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | image.pullSecrets | list | `[]` | Image Pull Secrets | | image.repository | string | `"janssenproject/certmanager"` | Image to use for deploying. | -| image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | | keysLife | int | `48` | Auth server key rotation keys life in hours | | lifecycle | object | `{}` | | | nodeSelector | object | `{}` | | 
diff --git a/charts/gluu/gluu/charts/auth-server-key-rotation/templates/cronjobs.yaml b/charts/gluu/gluu/charts/auth-server-key-rotation/templates/cronjobs.yaml index 5b5dd7da6..876cdd27d 100644 --- a/charts/gluu/gluu/charts/auth-server-key-rotation/templates/cronjobs.yaml +++ b/charts/gluu/gluu/charts/auth-server-key-rotation/templates/cronjobs.yaml @@ -15,7 +15,7 @@ metadata: {{ toYaml .Values.additionalAnnotations | indent 4 }} {{- end }} spec: - schedule: "0 */{{ .Values.keysLife }} * * *" + schedule: "@every {{ .Values.keysLife }}h" concurrencyPolicy: Forbid jobTemplate: spec: @@ -35,13 +35,23 @@ spec: {{- end }} containers: - name: {{ include "auth-server-key-rotation.name" . }} + {{- if .Values.customScripts }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 20}} + {{- end }} + /app/scripts/entrypoint.sh + {{- end}} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" env: {{- include "auth-server-key-rotation.usr-envs" . | indent 16 }} {{- include "auth-server-key-rotation.usr-secret-envs" . | indent 16 }} imagePullPolicy: {{ .Values.image.pullPolicy }} lifecycle: -{{- toYaml .Values.lifecycle | nindent 16 }} +{{- toYaml .Values.lifecycle | nindent 16 }} volumeMounts: {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} 
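Review bot: `keysLife` goes into the new `schedule` string with no type or range check, so a value of `0`, a negative number or a non-numeric string is only caught, if at all, when the cluster parses the CronJob. Since this job regenerates the auth keys, a schedule that is rejected or never fires leaves keys in use past their intended life. A guard ahead of the `schedule:` line such as `{{- if lt (int .Values.keysLife) 1 }}{{ fail "keysLife must be a positive number of hours" }}{{- end }}` would fail the render instead. It is also worth a comment that `@every` counts from the previous run rather than from fixed clock hours, if I read the cron library's behaviour correctly; confirm the targeted Kubernetes versions accept it.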
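Review bot: The generated `/bin/sh -c` script keeps going when a custom script fails, so `/app/scripts/entrypoint.sh` still starts after a broken pre-start step; putting `set -e` as the first line under `- |` would stop the container instead. The `replace "- " ""` applied to the `toYaml` output also deletes every `- ` inside an entry (a constructed example: `/tmp/a.sh - x` becomes `/tmp/a.sh x`), and `toYaml` may add YAML quoting to some strings; `{{- join "\n" .Values.customScripts | nindent 20 }}` emits the entries unchanged. The same construct is used in the auth-server, casa and config-api deployment hunks with their own `nindent` widths. The container spec continues outside this hunk.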
@@ -68,7 +78,20 @@ spec: mountPath: "/etc/certs/couchbase.crt" subPath: couchbase.crt {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + {{- end }} envFrom: - configMapRef: name: {{ .Release.Name }}-config-cm @@ -124,6 +147,25 @@ spec: secret: secretName: {{ .Release.Name }}-cb-crt {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password {{- end }} restartPolicy: Never - diff --git a/charts/gluu/gluu/charts/auth-server-key-rotation/values.yaml b/charts/gluu/gluu/charts/auth-server-key-rotation/values.yaml index 881ce06ce..71c0a21c2 100644 --- a/charts/gluu/gluu/charts/auth-server-key-rotation/values.yaml +++ b/charts/gluu/gluu/charts/auth-server-key-rotation/values.yaml 
@@ -18,7 +18,7 @@ image: # -- Image to use for deploying. repository: janssenproject/certmanager # -- Image tag to use for deploying. - tag: 1.0.19-1 + tag: 1.0.21-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Auth server key rotation keys life in hours @@ -52,4 +52,6 @@ affinity: {} # -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} additionalLabels: { } # -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken -additionalAnnotations: { } \ No newline at end of file +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +customScripts: [] \ No newline at end of file diff --git a/charts/gluu/gluu/charts/auth-server/Chart.yaml b/charts/gluu/gluu/charts/auth-server/Chart.yaml index cb11d03e1..7b6b7d291 100644 --- a/charts/gluu/gluu/charts/auth-server/Chart.yaml +++ b/charts/gluu/gluu/charts/auth-server/Chart.yaml @@ -3,7 +3,7 @@ appVersion: 5.0.0 description: OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. -home: https://gluu.org/docs/gluu-server +home: https://docs.gluu.org icon: https://gluu.org/docs/gluu-server/favicon.ico keywords: - Autherization @@ -17,6 +17,6 @@ name: auth-server sources: - https://github.com/JanssenProject/jans-auth-server - https://github.com/JanssenProject/docker-jans-auth-server -- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/auth-server +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/auth-server type: application -version: 5.0.23 +version: 5.0.24 
diff --git a/charts/gluu/gluu/charts/auth-server/README.md b/charts/gluu/gluu/charts/auth-server/README.md index d6720e540..dae336e47 100644 --- a/charts/gluu/gluu/charts/auth-server/README.md +++ b/charts/gluu/gluu/charts/auth-server/README.md @@ -1,10 +1,10 @@ # auth-server -![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. -**Homepage:** +**Homepage:** ## Maintainers @@ -16,7 +16,7 @@ OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization S * * -* +* ## Requirements 
@@ -28,6 +28,7 @@ Kubernetes: `>=v1.21.0-0` |-----|------|---------|-------------| | additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | | additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. | | dnsConfig | object | `{}` | Add custom dns config | | dnsPolicy | string | `""` | Add custom dns policy | | hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | @@ -36,7 +37,7 @@ Kubernetes: `>=v1.21.0-0` | image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | image.pullSecrets | list | `[]` | Image Pull Secrets | | image.repository | string | `"janssenproject/auth-server"` | Image to use for deploying. | -| image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | | lifecycle | object | `{}` | | | livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | | livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | diff --git a/charts/gluu/gluu/charts/auth-server/templates/deployment.yml b/charts/gluu/gluu/charts/auth-server/templates/deployment.yml index 000efa42e..10a69dec0 100644 --- a/charts/gluu/gluu/charts/auth-server/templates/deployment.yml 
+++ b/charts/gluu/gluu/charts/auth-server/templates/deployment.yml @@ -51,12 +51,17 @@ spec: securityContext: runAsUser: 1000 runAsNonRoot: true - {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} command: - /bin/sh - -c - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} /app/scripts/entrypoint.sh {{- end}} ports: @@ -78,7 +83,7 @@ spec: name: {{ .Release.Name }}-global-user-custom-envs {{- end }} lifecycle: -{{- toYaml .Values.lifecycle | nindent 10 }} +{{- toYaml .Values.lifecycle | nindent 10 }} volumeMounts: {{- with .Values.volumeMounts }} {{- toYaml . | nindent 10 }} 
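Review bot: The outer `if` on `command:` no longer includes `not .Values.global.isFqdnRegistered`, so with the `kubernetes.io/aws-ebs` or `openebs.io/local` provisioner the container command is now replaced by the shell wrapper even when the FQDN is registered and no custom scripts are set. In that case the wrapper only runs `/app/scripts/entrypoint.sh` as a child of `sh`, which usually means the shell, not the server, is PID 1 and is what receives the pod's SIGTERM. Either build the outer condition from the same two cases the body handles (custom scripts set, or the unregistered-FQDN provisioner case), or end the script with `exec /app/scripts/entrypoint.sh`. The casa and config-api `command:` hunks carry the same condition.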
@@ -140,12 +145,27 @@ spec: {{- end }} {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} - {{- if not .Values.global.istio.enabled }} - - name: cb-crt + - name: cb-crt mountPath: "/etc/certs/couchbase.crt" subPath: couchbase.crt {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password {{- end }} livenessProbe: {{- toYaml .Values.livenessProbe | nindent 10 }} 
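Review bot: The password files added here are mounted with `subPath`, and Kubernetes does not refresh `subPath` mounts when the backing Secret changes, so rotating `cb-pass`, `sql-pass` or `ldap-pass` has no effect on running auth-server pods until they restart. I would record that next to the mounts, e.g. `# subPath mounts are not updated on Secret change; restart the pods after rotating these passwords`, or mount the secret as a directory if live rotation is wanted. The same mounts are added in the casa and config-api deployments (and in cronjobs.yaml, where each run starts a fresh pod). The `volumeMounts:` list starts outside this hunk.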
@@ -251,14 +271,35 @@ spec: {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} {{- if not .Values.global.istio.enabled }} - - name: cb-crt + - name: cb-crt secret: secretName: {{ .Release.Name }}-cb-crt {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password {{- end }} {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} - name: {{ include "auth-server.fullname" . }}-updatelbip configMap: name: {{ .Release.Name }}-updatelbip {{- end }} - \ No newline at end of file + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} diff --git a/charts/gluu/gluu/charts/auth-server/values.yaml b/charts/gluu/gluu/charts/auth-server/values.yaml index d50b10b54..5c5a9a27b 100644 --- a/charts/gluu/gluu/charts/auth-server/values.yaml +++ b/charts/gluu/gluu/charts/auth-server/values.yaml @@ -28,7 +28,7 @@ image: # -- Image to use for deploying. repository: janssenproject/auth-server # -- Image tag to use for deploying. - tag: 1.0.19-1 + tag: 1.0.21-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. 
@@ -91,3 +91,5 @@ lifecycle: {} additionalLabels: { } # -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +customScripts: [] \ No newline at end of file diff --git a/charts/gluu/gluu/charts/casa/Chart.yaml b/charts/gluu/gluu/charts/casa/Chart.yaml index 7030fca75..8b0d394b5 100644 --- a/charts/gluu/gluu/charts/casa/Chart.yaml +++ b/charts/gluu/gluu/charts/casa/Chart.yaml @@ -18,4 +18,4 @@ sources: - https://gluu.org/casa/ - https://github.com/JanssenProject/jans/docker-jans-casa type: application -version: 5.0.23 +version: 5.0.24 diff --git a/charts/gluu/gluu/charts/casa/README.md b/charts/gluu/gluu/charts/casa/README.md index e291a67db..3946dbe3a 100644 --- a/charts/gluu/gluu/charts/casa/README.md +++ b/charts/gluu/gluu/charts/casa/README.md @@ -1,6 +1,6 @@ # casa -![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) Jans Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Jans Server. 
@@ -27,6 +27,7 @@ Kubernetes: `>=v1.21.0-0` |-----|------|---------|-------------| | additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | | additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. | | dnsConfig | object | `{}` | Add custom dns config | | dnsPolicy | string | `""` | Add custom dns policy | | fullnameOverride | string | `""` | | @@ -36,7 +37,7 @@ Kubernetes: `>=v1.21.0-0` | image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | image.pullSecrets | list | `[]` | Image Pull Secrets | | image.repository | string | `"janssenproject/casa"` | Image to use for deploying. | -| image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | | lifecycle | object | `{}` | | | livenessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | | livenessProbe.httpGet.path | string | `"/casa/health-check"` | http liveness probe endpoint | diff --git a/charts/gluu/gluu/charts/casa/templates/deployment.yaml b/charts/gluu/gluu/charts/casa/templates/deployment.yaml index 185693f5c..55c1e62fd 100644 --- a/charts/gluu/gluu/charts/casa/templates/deployment.yaml +++ b/charts/gluu/gluu/charts/casa/templates/deployment.yaml 
@@ -53,15 +53,20 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" env: {{- include "casa.usr-envs" . | indent 12 }} - {{- include "casa.usr-secret-envs" . | indent 12 }} - {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + {{- include "casa.usr-secret-envs" . | indent 12 }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} command: - /bin/sh - -c - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 16}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} /app/scripts/entrypoint.sh - {{- end }} + {{- end}} imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - name: {{ .Values.service.name }} @@ -72,7 +77,7 @@ spec: containerPort: {{ .Values.global.cnPrometheusPort }} {{- end }} envFrom: - - configMapRef: + - configMapRef: name: {{ .Release.Name }}-config-cm {{ if .Values.global.usrEnvs.secret }} - secretRef: @@ -83,7 +88,7 @@ spec: name: {{ .Release.Name }}-global-user-custom-envs {{- end }} lifecycle: -{{- toYaml .Values.lifecycle | nindent 12 }} +{{- toYaml .Values.lifecycle | nindent 12 }} volumeMounts: {{- with .Values.volumeMounts }} {{- toYaml . | nindent 12 }} 
@@ -115,6 +120,22 @@ spec: mountPath: "/etc/certs/couchbase.crt" subPath: couchbase.crt {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password {{- end }} livenessProbe: {{- toYaml .Values.livenessProbe | nindent 12 }} 
@@ -164,12 +185,34 @@ spec: secret: secretName: {{ .Release.Name }}-cb-crt {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password {{- end }} {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} - name: {{ include "casa.fullname" . }}-updatelbip configMap: name: {{ .Release.Name }}-updatelbip {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} {{- if not .Values.global.isFqdnRegistered }} hostAliases: - ip: {{ .Values.global.lbIp }} diff --git a/charts/gluu/gluu/charts/casa/values.yaml b/charts/gluu/gluu/charts/casa/values.yaml index f9e3245f9..417c5bea0 100644 --- a/charts/gluu/gluu/charts/casa/values.yaml +++ b/charts/gluu/gluu/charts/casa/values.yaml @@ -27,7 +27,7 @@ image: # -- Image to use for deploying. repository: janssenproject/casa # -- Image tag to use for deploying. - tag: 1.0.19-1 + tag: 1.0.21-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. 
@@ -102,4 +102,6 @@ securityContext: {} # -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} additionalLabels: { } # -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken -additionalAnnotations: { } \ No newline at end of file +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +customScripts: [] \ No newline at end of file diff --git a/charts/gluu/gluu/charts/cn-istio-ingress/Chart.yaml b/charts/gluu/gluu/charts/cn-istio-ingress/Chart.yaml index 669d1f0b7..69a0761f4 100644 --- a/charts/gluu/gluu/charts/cn-istio-ingress/Chart.yaml +++ b/charts/gluu/gluu/charts/cn-istio-ingress/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 appVersion: 5.0.0 description: Istio Gateway -home: https://gluu.org/docs/gluu-server/ +home: https://docs.gluu.org/ icon: https://gluu.org/docs/gluu-server/favicon.ico keywords: - istio @@ -14,6 +14,6 @@ maintainers: name: cn-istio-ingress sources: - https://gluu.org/docs/gluu-server/ -- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/cn-istio-ingress +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/cn-istio-ingress type: application -version: 5.0.23 +version: 5.0.24 diff --git a/charts/gluu/gluu/charts/cn-istio-ingress/README.md b/charts/gluu/gluu/charts/cn-istio-ingress/README.md index a3db54485..3ea9ede11 100644 --- a/charts/gluu/gluu/charts/cn-istio-ingress/README.md +++ b/charts/gluu/gluu/charts/cn-istio-ingress/README.md 
@@ -1,10 +1,10 @@ # cn-istio-ingress -![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) Istio Gateway -**Homepage:** +**Homepage:** ## Maintainers @@ -15,7 +15,7 @@ Istio Gateway ## Source Code * -* +* ## Requirements diff --git a/charts/gluu/gluu/charts/config-api/Chart.yaml b/charts/gluu/gluu/charts/config-api/Chart.yaml index f1e67918f..10c76f839 100644 --- a/charts/gluu/gluu/charts/config-api/Chart.yaml +++ b/charts/gluu/gluu/charts/config-api/Chart.yaml @@ -3,7 +3,7 @@ appVersion: 5.0.0 description: Jans Config Api endpoints can be used to configure jans-auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS) -home: https://gluu.org/docs/gluu-server +home: https://docs.gluu.org icon: https://gluu.org/docs/gluu-server/favicon.ico keywords: - configuration @@ -17,6 +17,6 @@ name: config-api sources: - https://github.com/JanssenProject/jans/jans-config-api - https://github.com/JanssenProject/jans/docker-jans-config-api -- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/config-api +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/config-api type: application -version: 5.0.23 +version: 5.0.24 diff --git a/charts/gluu/gluu/charts/config-api/README.md b/charts/gluu/gluu/charts/config-api/README.md index 1593e906c..6edbe2d1a 100644 --- a/charts/gluu/gluu/charts/config-api/README.md 
+++ b/charts/gluu/gluu/charts/config-api/README.md @@ -1,10 +1,10 @@ # config-api -![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) Jans Config Api endpoints can be used to configure jans-auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS) -**Homepage:** +**Homepage:** ## Maintainers @@ -16,7 +16,7 @@ Jans Config Api endpoints can be used to configure jans-auth-server, which is an * * -* +* ## Requirements @@ -29,6 +29,7 @@ Kubernetes: `>=v1.21.0-0` | additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | | additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | | affinity | object | `{}` | | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | | dnsConfig | object | `{}` | Add custom dns config | | dnsPolicy | string | `""` | Add custom dns policy | | fullnameOverride | string | `""` | | 
@@ -38,7 +39,7 @@ Kubernetes: `>=v1.21.0-0` | image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | image.pullSecrets | list | `[]` | Image Pull Secrets | | image.repository | string | `"janssenproject/config-api"` | Image to use for deploying. | -| image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | | lifecycle | object | `{}` | | | livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | | livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | Executes the python3 healthcheck. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | diff --git a/charts/gluu/gluu/charts/config-api/templates/deployment.yaml b/charts/gluu/gluu/charts/config-api/templates/deployment.yaml index b6e221ab2..350dc909f 100644 --- a/charts/gluu/gluu/charts/config-api/templates/deployment.yaml +++ b/charts/gluu/gluu/charts/config-api/templates/deployment.yaml 
@@ -51,14 +51,19 @@ spec: runAsUser: 1000 runAsNonRoot: true imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} command: - /bin/sh - - -c + - -c - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 16}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} /app/scripts/entrypoint.sh - {{- end }} + {{- end}} ports: - containerPort: 9444 - containerPort: 8074 @@ -74,7 +79,7 @@ spec: readinessProbe: {{- toYaml .Values.readinessProbe | nindent 12 }} lifecycle: -{{- toYaml .Values.lifecycle | nindent 12 }} +{{- toYaml .Values.lifecycle | nindent 12 }} volumeMounts: {{- with .Values.volumeMounts }} {{- toYaml . | nindent 12 }} 
@@ -102,7 +107,23 @@ spec: mountPath: "/etc/certs/couchbase.crt" subPath: couchbase.crt {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} - name: {{ include "config-api.name" . }}-updatelbip mountPath: /scripts 
@@ -152,16 +173,37 @@ spec: secret: secretName: {{ .Release.Name }}-cb-crt {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password {{- end }} {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} - name: {{ include "config-api.name" . }}-updatelbip configMap: name: {{ .Release.Name }}-updatelbip {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} {{- if not .Values.global.isFqdnRegistered }} hostAliases: - ip: {{ .Values.global.lbIp }} hostnames: - {{ .Values.global.fqdn }} {{- end }} - diff --git a/charts/gluu/gluu/charts/config-api/values.yaml b/charts/gluu/gluu/charts/config-api/values.yaml index 5fad1d3c6..42454ace7 100644 --- a/charts/gluu/gluu/charts/config-api/values.yaml +++ b/charts/gluu/gluu/charts/config-api/values.yaml @@ -33,7 +33,7 @@ image: # -- Image to use for deploying. repository: janssenproject/config-api # -- Image tag to use for deploying. - tag: 1.0.19-1 + tag: 1.0.21-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. 
@@ -100,3 +100,7 @@ lifecycle: {} additionalLabels: { } # -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] \ No newline at end of file diff --git a/charts/gluu/gluu/charts/config/Chart.yaml b/charts/gluu/gluu/charts/config/Chart.yaml index 0ba32040d..5ed960221 100644 --- a/charts/gluu/gluu/charts/config/Chart.yaml +++ b/charts/gluu/gluu/charts/config/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 5.0.0 description: Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. -home: https://gluu.org/docs/gluu-server/reference/container-configs/ +home: https://docs.gluu.org icon: https://gluu.org/docs/gluu-server/favicon.ico keywords: - configuration @@ -16,6 +16,6 @@ name: config sources: - https://gluu.org/docs/gluu-server/reference/container-configs/ - https://github.com/JanssenProject/jans/docker-jans-configurator -- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/config +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/config type: application -version: 5.0.23 +version: 5.0.24 diff --git a/charts/gluu/gluu/charts/config/README.md b/charts/gluu/gluu/charts/config/README.md index dc3567f94..6376da4b6 100644 --- a/charts/gluu/gluu/charts/config/README.md +++ b/charts/gluu/gluu/charts/config/README.md 
@@ -1,10 +1,10 @@ # config -![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. -**Homepage:** +**Homepage:** ## Maintainers @@ -16,7 +16,7 @@ Configuration parameters for setup and initial configuration secret and config l * * -* +* ## Requirements 
@@ -54,6 +54,8 @@ Kubernetes: `>=v1.21.0-0` | configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | | configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | | configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| configmap.cnLdapCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | OpenDJ certificate string. This must be encoded using base64. | +| configmap.cnLdapKey | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | OpenDJ key string. This must be encoded using base64. | | configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | | configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | | configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in each persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. { "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | 
@@ -73,14 +75,16 @@ Kubernetes: `>=v1.21.0-0` | configmap.containerMetadataName | string | `"kubernetes"` | | | configmap.lbAddr | string | `""` | Loadbalancer address for AWS if the FQDN is not registered. | | countryCode | string | `"US"` | Country code. Used for certificate creation. | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | | dnsConfig | object | `{}` | Add custom dns config | | dnsPolicy | string | `""` | Add custom dns policy | | email | string | `"support@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | | fullNameOverride | string | `""` | | | image.pullSecrets | list | `[]` | Image Pull Secrets | | image.repository | string | `"janssenproject/configurator"` | Image to use for deploying. | -| image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | | ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpennDJ is used for persistence. | +| ldapTruststorePassword | string | `"changeit"` | LDAP truststore password if OpenDJ is used for persistence | | lifecycle | object | `{}` | | | migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | | migration.enabled | bool | `false` | Boolean flag to enable migration from CE | diff --git a/charts/gluu/gluu/charts/config/templates/configmaps.yaml b/charts/gluu/gluu/charts/config/templates/configmaps.yaml index fc15f42b6..101d4bbce 100644 --- a/charts/gluu/gluu/charts/config/templates/configmaps.yaml +++ b/charts/gluu/gluu/charts/config/templates/configmaps.yaml 
@@ -45,7 +45,7 @@ data: {{- end }} {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} # [aws_envs] Envs related to using AWS - {{- if .Values.configmap.cnAwsSecretsEndpointUrl }} + {{- if .Values.configmap.cnAwsSecretsEndpointUrl }} CN_AWS_SECRETS_ENDPOINT_URL: {{ .Values.configmap.cnAwsSecretsEndpointUrl }} {{- end }} CN_AWS_SECRETS_PREFIX: {{ .Values.configmap.cnAwsSecretsNamePrefix }} @@ -146,10 +146,6 @@ data: CN_HYBRID_MAPPING: {{ .Values.configmap.cnPersistenceHybridMapping | quote }} {{- end }} # Auto enable installation of some services - CN_PASSPORT_ENABLED: {{ .Values.global.oxpassport.enabled | quote }} - {{- if .Values.global.oxshibboleth.enabled }} - CN_SAML_ENABLED: {{ .Values.global.oxshibboleth.enabled | quote }} - {{- end }} {{ if eq .Values.configmap.cnCacheType "REDIS" }} CN_REDIS_URL: {{ .Values.configmap.cnRedisUrl | quote }} CN_REDIS_TYPE: {{ .Values.configmap.cnRedisType | quote }} @@ -211,7 +207,7 @@ data: {{- end }} {{- if .Values.global.casa.enabled }} # CASA - GLUU_CASA_APP_LOGGERS: {{ .Values.global.casa + CN_CASA_APP_LOGGERS: {{ .Values.global.casa | toJson | replace "casaLogTarget" "casa_log_target" | replace "casaLogLevel" "casa_log_level" 
@@ -223,6 +219,15 @@ data: {{- end }} # delete Duo script (https://github.com/GluuFederation/flex/issues/1120) by disabling the feature CN_DUO_ENABLED: "false" + CN_SQL_PASSWORD_FILE: {{ .Values.global.cnSqlPasswordFile }} + CN_COUCHBASE_PASSWORD_FILE: {{ .Values.global.cnCouchbasePasswordFile }} + CN_COUCHBASE_SUPERUSER_PASSWORD_FILE: {{ .Values.global.cnCouchbaseSuperuserPasswordFile }} + CN_LDAP_PASSWORD_FILE: {{ .Values.global.cnLdapPasswordFile }} + CN_LDAP_TRUSTSTORE_PASSWORD_FILE: {{ .Values.global.cnLdapTruststorePasswordFile }} + CN_LDAP_CERT_FILE: {{ .Values.global.cnLdapCertFile }} + CN_LDAP_KEY_FILE: {{ .Values.global.cnLdapKeyFile }} + CN_LDAP_CACERT_FILE: {{ .Values.global.cnLdapCacertFile }} + CN_LDAP_TRUSTSTORE_FILE: {{ .Values.global.cnLdapTruststoreFile }} --- apiVersion: v1 @@ -230,6 +235,9 @@ data: tls_generator.py: |- from kubernetes import config, client import logging + import base64 + + from jans.pycloudlib import get_manager log_format = '%(asctime)s - %(name)8s - %(levelname)5s - %(message)s' logging.basicConfig(format=log_format, level=logging.INFO) @@ -286,12 +294,20 @@ data: :param namespace: :return: ssl cert and key from gluu secrets """ - ssl_cert = None - ssl_key = None - if core_cli.read_namespaced_secret(secret_name, namespace): - ssl_cert = core_cli.read_namespaced_secret(secret_name, namespace).data['ssl_cert'] - ssl_key = core_cli.read_namespaced_secret(secret_name, namespace).data['ssl_key'] + def b64encode(value): + return base64.b64encode(value.encode()).decode() + manager = get_manager() + + # returns empty string if not found + ssl_cert = manager.secret.get("ssl_cert") + if ssl_cert: + ssl_cert = b64encode(ssl_cert) + + # returns empty string if not found + ssl_key = manager.secret.get("ssl_key") + if ssl_key: + ssl_key = b64encode(ssl_key) return ssl_cert, ssl_key 
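Review bot: The nine new `CN_*_FILE` entries are rendered without `| quote`, unlike the neighbouring keys in this ConfigMap (`CN_REDIS_URL`, `CN_HYBRID_MAPPING`), so an unset `global` value would presumably render as a null entry rather than a string. I would write them as `CN_SQL_PASSWORD_FILE: {{ .Values.global.cnSqlPasswordFile | quote }}` and likewise for the other eight. The `global` defaults are not visible in this hunk, so whether any of them can be empty should be confirmed against the parent chart's values.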
@@ -307,7 +323,7 @@ data: namespace = {{.Values.global.istio.namespace | quote}} {{- end}} - if cert and key: + if cert or key: patch_or_create_namespaced_secret(name=name, namespace=namespace, literal="tls.crt", @@ -316,7 +332,11 @@ data: second_literal="tls.key", value_of_second_literal=key) else: - logger.error("No certificate or key was found in secrets.") + logger.error( + "No certificate or key was found in secrets." + "This can happen when the ssl certificate for the domain is able to be pulled." + "In that scenario the ssl_cert will be pulled from the domain provided" + ) if __name__ == "__main__": main() @@ -430,4 +450,4 @@ metadata: {{- if .Values.additionalAnnotations }} annotations: {{ toYaml .Values.additionalAnnotations | indent 4 }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/gluu/gluu/charts/config/templates/load-init-config.yml b/charts/gluu/gluu/charts/config/templates/load-init-config.yml index 2a503fd2b..53236bad0 100644 --- a/charts/gluu/gluu/charts/config/templates/load-init-config.yml +++ b/charts/gluu/gluu/charts/config/templates/load-init-config.yml 
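Review bot: Changing the guard to `if cert or key:` lets the TLS secret be written when only one of the two values was found. `get_certs` in the earlier hunk returns an empty string for a missing `ssl_cert` or `ssl_key`, so this branch can now patch `tls.crt` or `tls.key` with an empty value and leave an unusable certificate/key pair in the target secret. Unless a half-populated secret is intended, keep `if cert and key:` and log which of the two was missing. The body of `main()` starts outside this hunk.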
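Review bot: The new multi-line error message is built from adjacent string literals with no separating spaces, so it is logged as `...found in secrets.This can happen ... pulled.In that scenario ...`. Add a trailing space to the first two literals, for example `"No certificate or key was found in secrets. "`.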
@@ -66,6 +66,28 @@ spec: secret: secretName: {{ .Release.Name }}-google-sa {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + {{- end }} containers: - name: {{ include "config.name" . }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" @@ -76,7 +98,7 @@ spec: {{- include "config.usr-envs" . | indent 12 }} {{- include "config.usr-secret-envs" . | indent 12 }} lifecycle: -{{- toYaml .Values.lifecycle | nindent 10 }} +{{- toYaml .Values.lifecycle | nindent 10 }} volumeMounts: {{- with .Values.volumeMounts }} {{- toYaml . | nindent 10 }} 
@@ -103,6 +125,21 @@ spec: name: google-sa subPath: google-credentials.json {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} envFrom: - configMapRef: name: {{ .Release.Name }}-config-cm @@ -123,12 +160,14 @@ spec: - /bin/sh - -c - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} {{- if .Values.migration.enabled }} - /app/scripts/entrypoint.sh migrate --migration-dir {{ .Values.migration.migrationDir | quote }} --data-format {{ .Values.migration.migrationDataFormat | quote }} + /app/scripts/entrypoint.sh migrate --migration-dir {{ .Values.migration.migrationDir | quote }} --data-format {{ .Values.migration.migrationDataFormat | quote }} && /usr/bin/python3 /scripts/tls_generator.py {{- else }} - /app/scripts/entrypoint.sh load + /app/scripts/entrypoint.sh load && /usr/bin/python3 /scripts/tls_generator.py {{- end }} - /usr/bin/python3 /scripts/tls_generator.py {{- if .Values.global.istio.enabled }} curl -X POST http://localhost:15020/quitquitquit {{- end }} diff --git a/charts/gluu/gluu/charts/config/templates/secrets.yaml b/charts/gluu/gluu/charts/config/templates/secrets.yaml index dab9a6dc8..d6e4c86fa 100644 --- a/charts/gluu/gluu/charts/config/templates/secrets.yaml +++ b/charts/gluu/gluu/charts/config/templates/secrets.yaml 
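Review bot: The `customScripts` block renders the list with `toYaml . | replace "- " ""`, which removes every `- ` sequence in the rendered text, not only the YAML list marker, so an entry that itself contains a dash followed by a space is silently altered before it reaches `/bin/sh -c`. Iterating is safer: `{{- range .Values.customScripts }}` / `{{- . | nindent 14 }}` / `{{- end }}`. Each entry is executed verbatim in a pod that has the persistence passwords mounted, so the values comment should state that entries are shell commands and must come from trusted chart values only. The fido2 deployment hunk uses the same expression. Separately, with Istio enabled the trailing `curl` still determines the script's exit status, so a failed `entrypoint.sh load` may not fail the Job.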
@@ -123,5 +123,84 @@ metadata: {{ toYaml .Values.additionalAnnotations | indent 4 }} {{- end }} data: - password: {{ .Values.ldapPassword | b64enc }} + password: {{ .Values.ldapPassword | b64enc }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ldap-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + ldap_password: {{ .Values.ldapPassword | b64enc }} + ldap_truststore_password: {{ .Values.ldapTruststorePassword | b64enc }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ldap-certkey + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + opendj.crt: |- +{{ .Values.configmap.cnLdapCrt | indent 4 }} + opendj.key: |- +{{ .Values.configmap.cnLdapKey | indent 4 }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-sql-pass + labels: +{{ include "config.labels" . 
| indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + sql_password: {{ .Values.configmap.cnSqldbUserPassword | b64enc }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-cb-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + couchbase_password: {{ .Values.configmap.cnCouchbasePassword | b64enc }} + couchbase_superuser_password: {{ .Values.configmap.cnCouchbaseSuperUserPassword | b64enc }} {{- end}} diff --git a/charts/gluu/gluu/charts/config/values.yaml b/charts/gluu/gluu/charts/config/values.yaml index 76717b2e5..666668ff3 100644 --- a/charts/gluu/gluu/charts/config/values.yaml +++ b/charts/gluu/gluu/charts/config/values.yaml @@ -114,6 +114,10 @@ configmap: cnSecretKubernetesSecret: cn # -- Loadbalancer address for AWS if the FQDN is not registered. lbAddr: "" + # -- OpenDJ certificate string. This must be encoded using base64. + cnLdapCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- OpenDJ key string. This must be encoded using base64. + cnLdapKey: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= # -- Country code. Used for certificate creation. countryCode: US # -- Email address of the administrator usually. Used for certificate creation. 
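Review bot: In the new `ldap-certkey` Secret, `opendj.crt` and `opendj.key` are written under `data:` straight from `.Values.configmap.cnLdapCrt` and `cnLdapKey`, while every password in this hunk goes through `b64enc`. That only works when the operator supplies already-encoded values, and the defaults added to values.yaml in the next hunk are a shared placeholder string rather than key material. I would document this next to the template, e.g. `# cnLdapCrt/cnLdapKey must be base64-encoded PEM supplied per install; the chart default is a placeholder`. Keeping a private key under the `configmap.` values section also makes it easy to mistake for non-sensitive configuration.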
@@ -122,11 +126,13 @@ image: # -- Image to use for deploying. repository: janssenproject/configurator # -- Image tag to use for deploying. - tag: 1.0.19-1 + tag: 1.0.21-1 # -- Image Pull Secrets pullSecrets: [ ] # -- LDAP admin password if OpennDJ is used for persistence. ldapPassword: P@ssw0rds +# -- LDAP truststore password if OpenDJ is used for persistence +ldapTruststorePassword: changeit # -- Organization name. Used for certificate creation. orgName: Gluu # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. @@ -177,3 +183,7 @@ fullNameOverride: "" additionalLabels: { } # -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] \ No newline at end of file diff --git a/charts/gluu/gluu/charts/fido2/Chart.yaml b/charts/gluu/gluu/charts/fido2/Chart.yaml index 03c2c9ca8..b404b519b 100644 --- a/charts/gluu/gluu/charts/fido2/Chart.yaml +++ b/charts/gluu/gluu/charts/fido2/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 5.0.0 description: FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. -home: https://gluu.org/docs/gluu-server/ +home: https://docs.gluu.org/ icon: https://gluu.org/docs/gluu-server/favicon.ico keywords: - fido2 @@ -17,6 +17,6 @@ sources: - https://gluu.org/docs/gluu-server/ - https://github.com/JanssenProject/jans/jans-fido2 - https://github.com/JanssenProject/jans/docker-jans-fido2 -- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/fido2 +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/fido2 type: application -version: 5.0.23 +version: 5.0.24 
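Review bot: `ldapTruststorePassword: changeit` ships a widely known default that the secrets.yaml hunk renders into `ldap_truststore_password` unchanged, next to the existing `ldapPassword: P@ssw0rds`. The doc comment should tell operators to override it, for example `# -- LDAP truststore password if OpenDJ is used for persistence. Override this default before deploying.` If the images allow it, an empty default combined with `required` in the template would turn a forgotten override into a render error instead of a deployed default credential.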
diff --git a/charts/gluu/gluu/charts/fido2/README.md b/charts/gluu/gluu/charts/fido2/README.md index c6d9b0fed..ff6c7bccd 100644 --- a/charts/gluu/gluu/charts/fido2/README.md +++ b/charts/gluu/gluu/charts/fido2/README.md @@ -1,10 +1,10 @@ # fido2 -![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. -**Homepage:** +**Homepage:** ## Maintainers @@ -17,7 +17,7 @@ FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging comm * * * -* +* ## Requirements 
@@ -29,6 +29,7 @@ Kubernetes: `>=v1.21.0-0` |-----|------|---------|-------------| | additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | | additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | | dnsConfig | object | `{}` | Add custom dns config | | dnsPolicy | string | `""` | Add custom dns policy | | hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | @@ -37,7 +38,7 @@ Kubernetes: `>=v1.21.0-0` | image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | image.pullSecrets | list | `[]` | Image Pull Secrets | | image.repository | string | `"janssenproject/fido2"` | Image to use for deploying. | -| image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | | lifecycle | object | `{}` | | | livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | | livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | diff --git a/charts/gluu/gluu/charts/fido2/templates/deployment.yml b/charts/gluu/gluu/charts/fido2/templates/deployment.yml index 95b4ef77d..c3d0ded19 100644 --- a/charts/gluu/gluu/charts/fido2/templates/deployment.yml +++ b/charts/gluu/gluu/charts/fido2/templates/deployment.yml 
@@ -51,12 +51,17 @@ spec: env: {{- include "fido2.usr-envs" . | indent 12 }} {{- include "fido2.usr-secret-envs" . | indent 12 }} - {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} command: - /bin/sh - -c - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} /app/scripts/entrypoint.sh {{- end}} ports: @@ -78,7 +83,7 @@ spec: name: {{ .Release.Name }}-global-user-custom-envs {{- end }} lifecycle: -{{- toYaml .Values.lifecycle | nindent 10 }} +{{- toYaml .Values.lifecycle | nindent 10 }} volumeMounts: {{- with .Values.volumeMounts }} {{- toYaml . | nindent 10 }} 
@@ -111,6 +116,22 @@ spec: mountPath: "/etc/certs/couchbase.crt" subPath: couchbase.crt {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password {{- end }} livenessProbe: {{- toYaml .Values.livenessProbe | nindent 10 }} 
@@ -163,14 +184,35 @@ spec: {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} {{- if not .Values.global.istio.enabled }} - - name: cb-crt + - name: cb-crt secret: secretName: {{ .Release.Name }}-cb-crt {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password {{- end }} {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} - name: {{ include "fido2.fullname" . }}-updatelbip configMap: name: {{ .Release.Name }}-updatelbip {{- end }} - \ No newline at end of file + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} diff --git a/charts/gluu/gluu/charts/fido2/values.yaml b/charts/gluu/gluu/charts/fido2/values.yaml index d1f9cd6cf..b619be81a 100644 --- a/charts/gluu/gluu/charts/fido2/values.yaml +++ b/charts/gluu/gluu/charts/fido2/values.yaml @@ -29,7 +29,7 @@ image: # -- Image to use for deploying. repository: janssenproject/fido2 # -- Image tag to use for deploying. - tag: 1.0.19-1 + tag: 1.0.21-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. 
@@ -89,3 +89,7 @@ lifecycle: {} additionalLabels: { } # -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] \ No newline at end of file diff --git a/charts/gluu/gluu/charts/nginx-ingress/Chart.yaml b/charts/gluu/gluu/charts/nginx-ingress/Chart.yaml index a764686e6..cad3f402f 100644 --- a/charts/gluu/gluu/charts/nginx-ingress/Chart.yaml +++ b/charts/gluu/gluu/charts/nginx-ingress/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 appVersion: 5.0.0 description: Nginx ingress definitions chart -home: https://gluu.org/docs/gluu-server +home: https://docs.gluu.org icon: https://gluu.org/docs/gluu-server/favicon.ico keywords: - nginx @@ -15,6 +15,6 @@ name: nginx-ingress sources: - https://github.com/kubernetes/ingress-nginx - https://kubernetes.io/docs/concepts/services-networking/ingress/ -- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/nginx-ingress +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/nginx-ingress type: application -version: 5.0.23 +version: 5.0.24 diff --git a/charts/gluu/gluu/charts/nginx-ingress/README.md b/charts/gluu/gluu/charts/nginx-ingress/README.md index 0c1e34877..c0b0d7af3 100644 --- a/charts/gluu/gluu/charts/nginx-ingress/README.md +++ b/charts/gluu/gluu/charts/nginx-ingress/README.md 
@@ -1,10 +1,10 @@ # nginx-ingress -![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) Nginx ingress definitions chart -**Homepage:** +**Homepage:** ## Maintainers @@ -16,7 +16,7 @@ Nginx ingress definitions chart * * -* +* ## Requirements diff --git a/charts/gluu/gluu/charts/nginx-ingress/templates/casa-ingress.yaml b/charts/gluu/gluu/charts/nginx-ingress/templates/casa-ingress.yaml index f21ae0afe..165348c07 100644 --- a/charts/gluu/gluu/charts/nginx-ingress/templates/casa-ingress.yaml +++ b/charts/gluu/gluu/charts/nginx-ingress/templates/casa-ingress.yaml @@ -25,6 +25,7 @@ metadata: {{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} {{- end }} spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} {{- if .Values.ingress.tls }} tls: {{- range .Values.ingress.tls }} @@ -51,4 +52,4 @@ spec: number: 8080 {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/gluu/gluu/charts/nginx-ingress/templates/ingress.yaml b/charts/gluu/gluu/charts/nginx-ingress/templates/ingress.yaml index ddd01115c..4f84bd254 100644 --- a/charts/gluu/gluu/charts/nginx-ingress/templates/ingress.yaml +++ b/charts/gluu/gluu/charts/nginx-ingress/templates/ingress.yaml @@ -669,4 +669,3 @@ spec: {{- end }} {{- end }} {{- end }} - diff --git a/charts/gluu/gluu/charts/opendj/Chart.yaml b/charts/gluu/gluu/charts/opendj/Chart.yaml index 521192d88..d676398df 100644 --- a/charts/gluu/gluu/charts/opendj/Chart.yaml 
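Review bot: In casa-ingress.yaml, `ingressClassName: {{ .Values.ingress.ingressClassName }}` is emitted unconditionally, so a release that does not set the value gets an empty `ingressClassName` in the Ingress spec. Guarding it keeps existing installs on their current behaviour: `{{- with .Values.ingress.ingressClassName }}` / `ingressClassName: {{ . | quote }}` / `{{- end }}`. The chart's ingress defaults are not visible here, so check whether a default is defined before relying on it.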
+++ b/charts/gluu/gluu/charts/opendj/Chart.yaml @@ -4,7 +4,7 @@ description: OpenDJ is a directory server which implements a wide range of Light Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. -home: https://gluu.org/docs/gluu-server +home: https://docs.gluu.org icon: https://gluu.org/docs/gluu-server/favicon.ico keywords: - LDAP @@ -17,6 +17,6 @@ maintainers: name: opendj sources: - https://github.com/GluuFederation/docker-opendj -- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/opendj +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/opendj type: application -version: 5.0.23 +version: 5.0.24 diff --git a/charts/gluu/gluu/charts/opendj/README.md b/charts/gluu/gluu/charts/opendj/README.md index faa7a675b..b8b4527e1 100644 --- a/charts/gluu/gluu/charts/opendj/README.md +++ b/charts/gluu/gluu/charts/opendj/README.md 
@@ -1,10 +1,10 @@ # opendj -![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. -**Homepage:** +**Homepage:** ## Maintainers @@ -15,7 +15,7 @@ OpenDJ is a directory server which implements a wide range of Lightweight Direct ## Source Code * -* +* ## Requirements @@ -27,6 +27,7 @@ Kubernetes: `>=v1.21.0-0` |-----|------|---------|-------------| | additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | | additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | | dnsConfig | object | `{}` | Add custom dns config | | dnsPolicy | string | `""` | Add custom dns policy | | fullnameOverride | string | `""` | | diff --git a/charts/gluu/gluu/charts/opendj/templates/cronjobs.yaml b/charts/gluu/gluu/charts/opendj/templates/cronjobs.yaml index 930d6f067..7483be66c 100644 
--- a/charts/gluu/gluu/charts/opendj/templates/cronjobs.yaml +++ b/charts/gluu/gluu/charts/opendj/templates/cronjobs.yaml @@ -65,7 +65,7 @@ spec: set_java_args() { # not sure if we can omit `-server` safely local java_args="-server" - java_args="${java_args} -XX:+UseContainerSupport -XX:MaxRAMPercentage=${GLUU_MAX_RAM_PERCENTAGE} ${GLUU_JAVA_OPTIONS}" + java_args="${java_args} -XX:+UseContainerSupport -XX:MaxRAMPercentage=${CN_MAX_RAM_PERCENTAGE} ${CN_JAVA_OPTIONS}" # set the env var so it is loaded by `start-ds` script export OPENDJ_JAVA_ARGS=${java_args} } @@ -76,14 +76,9 @@ spec: mkdir -p /opt/opendj/locks - export JAVA_VERSION=$(java -version 2>&1 | awk -F '[\"_]' 'NR==1{print $2}') - python3 /app/scripts/wait.py + python3 /app/scripts/bootstrap.py - if [ ! -f /deploy/touched ]; then - python3 /app/scripts/entrypoint.py - touch /deploy/touched - fi # run OpenDJ server set_java_args exec /opt/opendj/bin/start-ds -N & @@ -91,5 +86,25 @@ spec: RANDOM_NUM=$(cat /dev/urandom | tr -cd '0-5' | head -c 1) LDAP_BACKUP_FILE=backup-$RANDOM_NUM.ldif /opt/opendj/bin/export-ldif --hostname "$LDAP_HOST" --port 4444 --bindDN "$LDAP_BIND_DN" --bindPassword "$LDAP_PASSWORD" --backendID userRoot --ldifFile /opt/opendj/ldif/$LDAP_BACKUP_FILE --trustAll + volumeMounts: + - name: ldap-certkey + mountPath: {{ .Values.global.cnLdapCertFile }} + subPath: opendj.crt + - name: ldap-certkey + mountPath: {{ .Values.global.cnLdapKeyFile }} + subPath: opendj.key + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password restartPolicy: Never -{{- end }} \ No newline at end of file + volumes: + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + - name: ldap-certkey + secret: + secretName: {{ .Release.Name }}-ldap-certkey +{{- end }} 
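Review bot: The `ldap-certkey` and `ldap-pass` secret volumes added at the end of the last cronjobs.yaml hunk set no `defaultMode`, so `opendj.key`, `ldap_password` and `ldap_truststore_password` are projected with the Kubernetes default of 0644 and are readable by every user in the container; adding `defaultMode: 0400` under each `secret:` (or 0440 if the OpenDJ process reads them through its group) would narrow that. The same two volumes are added without a mode in the `volumes:` hunk of statefulset.yaml. With the password file now mounted at `.Values.global.cnLdapPasswordFile`, the unchanged `export-ldif` line in this hunk still passes `--bindPassword "$LDAP_PASSWORD"` on the command line, where it shows up in the process list, and keeps `--trustAll`; switching to `--bindPasswordFile` with the mounted path looks possible but should be confirmed against the image's tooling. The container spec starts above the hunk, so its securityContext is not visible here.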
diff --git a/charts/gluu/gluu/charts/opendj/templates/statefulset.yaml b/charts/gluu/gluu/charts/opendj/templates/statefulset.yaml index 989a156b2..a44a60e21 100644 --- a/charts/gluu/gluu/charts/opendj/templates/statefulset.yaml +++ b/charts/gluu/gluu/charts/opendj/templates/statefulset.yaml @@ -35,13 +35,23 @@ spec: fsGroup: 1000 containers: - name: {{ include "opendj.name" $ }} + {{- if .Values.customScripts }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + /app/scripts/entrypoint.sh + {{- end}} imagePullPolicy: {{ $.Values.image.pullPolicy }} image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}" env: {{- include "opendj.usr-envs" $ | indent 12 }} {{- include "opendj.usr-secret-envs" $ | indent 12 }} lifecycle: -{{- toYaml .Values.lifecycle | nindent 10 }} +{{- toYaml .Values.lifecycle | nindent 10 }} envFrom: - configMapRef: name: {{ $.Release.Name }}-config-cm @@ -67,6 +77,18 @@ spec: {{- with $.Values.volumeMounts }} {{- toYaml . | nindent 10 }} {{- end }} + - name: ldap-certkey + mountPath: {{ .Values.global.cnLdapCertFile }} + subPath: opendj.crt + - name: ldap-certkey + mountPath: {{ .Values.global.cnLdapKeyFile }} + subPath: opendj.key + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password livenessProbe: {{- toYaml $.Values.livenessProbe | nindent 10 }} readinessProbe: @@ -79,6 +101,13 @@ spec: resources: {{- toYaml $.Values.resources | nindent 10 }} {{- end }} + volumes: + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + - name: ldap-certkey + secret: + secretName: {{ .Release.Name }}-ldap-certkey volumeClaimTemplates: - metadata: name: opendj-volume 
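Review bot: In the first statefulset.yaml hunk, `toYaml . | replace "- " "" | nindent 14` removes every `- ` in the rendered list, not only the leading list markers, so an entry that contains that sequence (an argument such as `/tmp/custom.sh - x`, say) is silently altered, and `toYaml` may add YAML quoting that then reaches the shell. Iterating leaves entries intact: `{{- range .Values.customScripts }}` / `{{- . | nindent 14 }}` / `{{- end }}`. Each entry is run verbatim by `/bin/sh -c` ahead of `/app/scripts/entrypoint.sh`, in a container that also mounts the LDAP key and password files, so the `customScripts` comment in values.yaml should state that entries are executed as shell and must come from a trusted values source. There is no `set -e`, so a failing script does not stop the entrypoint; if that is intended it deserves a comment. The container spec continues outside the hunk.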
diff --git a/charts/gluu/gluu/charts/opendj/values.yaml b/charts/gluu/gluu/charts/opendj/values.yaml index 8fec7b733..6efb0d9c6 100644 --- a/charts/gluu/gluu/charts/opendj/values.yaml +++ b/charts/gluu/gluu/charts/opendj/values.yaml @@ -135,4 +135,8 @@ openDjVolumeMounts: # -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} additionalLabels: { } # -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken -additionalAnnotations: { } \ No newline at end of file +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] \ No newline at end of file diff --git a/charts/gluu/gluu/charts/oxpassport/.helmignore b/charts/gluu/gluu/charts/oxpassport/.helmignore deleted file mode 100644 index f0c131944..000000000 --- a/charts/gluu/gluu/charts/oxpassport/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/charts/gluu/gluu/charts/oxpassport/Chart.yaml b/charts/gluu/gluu/charts/oxpassport/Chart.yaml deleted file mode 100644 index cb361ec80..000000000 --- a/charts/gluu/gluu/charts/oxpassport/Chart.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -apiVersion: v2 -appVersion: 5.0.0 -description: Gluu interface to Passport.js to support social login and inbound identity. -home: https://gluu.org/docs/gluu-server -icon: https://gluu.org/docs/gluu-server/favicon.ico -keywords: -- Passport.js -- Inbound Identity -- Social login -kubeVersion: '>=v1.21.0-0' -maintainers: -- email: support@gluu.org - name: Mohammad Abudayyeh - url: https://github.com/moabu -name: oxpassport -sources: -- https://github.com/GluuFederation/gluu-passport -- https://github.com/GluuFederation/docker-oxpassport -- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/oxpassport -type: application -version: 5.0.23 diff --git a/charts/gluu/gluu/charts/oxpassport/README.md b/charts/gluu/gluu/charts/oxpassport/README.md deleted file mode 100644 index 76ba3a11d..000000000 --- a/charts/gluu/gluu/charts/oxpassport/README.md +++ /dev/null 
@@ -1,67 +0,0 @@ -# oxpassport - -![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) - -Gluu interface to Passport.js to support social login and inbound identity. - -**Homepage:** - -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| Mohammad Abudayyeh | | | - -## Source Code - -* -* -* - -## Requirements - -Kubernetes: `>=v1.21.0-0` - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | -| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | -| affinity | object | `{}` | | -| dnsConfig | object | `{}` | Add custom dns config | -| dnsPolicy | string | `""` | Add custom dns policy | -| fullnameOverride | string | `""` | | -| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | -| hpa.behavior | object | `{}` | Scaling Policies | -| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | -| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | -| image.pullSecrets | list | `[]` | Image Pull Secrets | -| image.repository | string | `"gluufederation/oxpassport"` | Image to use for deploying. | -| image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. 
| -| lifecycle | object | `{}` | | -| livenessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxPassport if needed. | -| livenessProbe.httpGet.path | string | `"/passport/health-check"` | http liveness probe endpoint | -| nameOverride | string | `""` | | -| nodeSelector | object | `{}` | | -| readinessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxPassport if needed. | -| readinessProbe.httpGet.path | string | `"/passport/health-check"` | http readiness probe endpoint | -| replicas | int | `1` | Service replica number | -| resources | object | `{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}}` | Resource specs. | -| resources.limits.cpu | string | `"700m"` | CPU limit. | -| resources.limits.memory | string | `"900Mi"` | Memory limit. | -| resources.requests.cpu | string | `"700m"` | CPU request. | -| resources.requests.memory | string | `"900Mi"` | Memory request. | -| service.name | string | `"http-passport"` | The name of the oxPassport port within the oxPassport service. Please keep it as default. | -| service.port | int | `8090` | Port of the oxPassport service. Please keep it as default. 
| -| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | -| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | -| tolerations | list | `[]` | | -| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | -| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | -| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | -| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | -| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/charts/oxpassport/templates/_helpers.tpl b/charts/gluu/gluu/charts/oxpassport/templates/_helpers.tpl deleted file mode 100644 index 1f9d4b746..000000000 --- a/charts/gluu/gluu/charts/oxpassport/templates/_helpers.tpl +++ /dev/null 
@@ -1,98 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "oxpassport.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "oxpassport.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "oxpassport.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* - Common labels -*/}} -{{- define "oxpassport.labels" -}} -app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} -helm.sh/chart: {{ include "oxpassport.chart" . 
}} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end -}} - -{{/* -Create user custom defined envs -*/}} -{{- define "oxpassport.usr-envs"}} -{{- range $key, $val := .Values.usrEnvs.normal }} -- name: {{ $key }} - value: {{ $val | quote }} -{{- end }} -{{- end }} - -{{/* -Create user custom defined secret envs -*/}} -{{- define "oxpassport.usr-secret-envs"}} -{{- range $key, $val := .Values.usrEnvs.secret }} -- name: {{ $key }} - valueFrom: - secretKeyRef: - name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs - key: {{ $key | quote }} -{{- end }} -{{- end }} - -{{/* -Create topologySpreadConstraints lists -*/}} -{{- define "oxpassport.topology-spread-constraints"}} -{{- range $key, $val := .Values.topologySpreadConstraints }} -- maxSkew: {{ $val.maxSkew }} - {{- if $val.minDomains }} - minDomains: {{ $val.minDomains }} # optional; beta since v1.25 - {{- end}} - {{- if $val.topologyKey }} - topologyKey: {{ $val.topologyKey }} - {{- end}} - {{- if $val.whenUnsatisfiable }} - whenUnsatisfiable: {{ $val.whenUnsatisfiable }} - {{- end}} - labelSelector: - matchLabels: - app: {{ $.Release.Name }}-{{ include "oxpassport.name" $ }} - {{- if $val.matchLabelKeys }} - matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 - {{- end}} - {{- if $val.nodeAffinityPolicy }} - nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 - {{- end}} - {{- if $val.nodeTaintsPolicy }} - nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 - {{- end}} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/oxpassport/templates/deployment.yaml b/charts/gluu/gluu/charts/oxpassport/templates/deployment.yaml deleted file mode 100644 index 8ab9d9a2f..000000000 
--- a/charts/gluu/gluu/charts/oxpassport/templates/deployment.yaml +++ /dev/null 
@@ -1,183 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "oxpassport.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: -{{ include "oxpassport.labels" . | indent 4}} -{{- if .Values.additionalLabels }} -{{ toYaml .Values.additionalLabels | indent 4 }} -{{- end }} -{{- if .Values.additionalAnnotations }} - annotations: -{{ toYaml .Values.additionalAnnotations | indent 4 }} -{{- end }} -spec: - replicas: {{ .Values.replicas }} - selector: - matchLabels: - app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} - release: {{ .Release.Name }} - template: - metadata: - labels: - app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} - release: {{ .Release.Name }} - {{- if .Values.global.istio.ingress }} - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "true" - {{- end }} - spec: - {{- with .Values.image.pullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - dnsPolicy: {{ .Values.dnsPolicy | quote }} - {{- with .Values.dnsConfig }} - dnsConfig: -{{ toYaml . | indent 8 }} - {{- end }} - {{- if .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- include "oxpassport.topology-spread-constraints" . | indent 8 }} - {{- end }} - containers: - - name: {{ include "oxpassport.name" . }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - env: - - name: PASSPORT_LOG_LEVEL - value: "info" - {{- include "oxpassport.usr-envs" . | indent 12 }} - {{- include "oxpassport.usr-secret-envs" . 
| indent 12 }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} - command: - - /bin/sh - - -c - - | - /usr/bin/python3 /scripts/updatelbip.py & - /app/scripts/entrypoint.sh - {{- end }} - ports: - - name: {{ .Values.service.name }} - containerPort: {{ .Values.service.port }} - protocol: TCP - envFrom: - - configMapRef: - name: {{ .Release.Name }}-config-cm - {{ if .Values.global.usrEnvs.secret }} - - secretRef: - name: {{ .Release.Name }}-global-user-custom-envs - {{- end }} - {{ if .Values.global.usrEnvs.normal }} - - configMapRef: - name: {{ .Release.Name }}-global-user-custom-envs - {{- end }} - lifecycle: -{{- toYaml .Values.lifecycle | nindent 10 }} - volumeMounts: - {{- with .Values.volumeMounts }} -{{- toYaml . | nindent 10 }} - {{- end }} - {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} - - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} - name: aws-shared-credential-file - subPath: aws_shared_credential_file - - mountPath: {{ .Values.global.cnAwsConfigFile }} - name: aws-config-file - subPath: aws_config_file - - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} - name: aws-secrets-replica-regions - subPath: aws_secrets_replica_regions - {{- end }} - {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} - - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} - name: google-sa - subPath: google-credentials.json - {{- end }} - - {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} - - name: {{ include "oxpassport.name" . 
}}-updatelbip - mountPath: /scripts - {{- end }} - {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} - - {{- if not .Values.global.istio.enabled }} - - name: cb-crt - mountPath: "/etc/certs/couchbase.crt" - subPath: couchbase.crt - {{- end }} - {{- end }} - livenessProbe: -{{- toYaml .Values.livenessProbe | nindent 10 }} - readinessProbe: -{{- toYaml .Values.readinessProbe | nindent 10 }} - {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} - resources: {} - {{- else if .Values.global.cloud.testEnviroment }} - resources: {} - {{- else }} - resources: -{{- toYaml .Values.resources | nindent 10 }} - {{- end }} - {{- if not .Values.global.isFqdnRegistered }} - hostAliases: - - ip: {{ .Values.global.lbIp }} - hostnames: - - {{ .Values.global.fqdn }} - {{- end }} - volumes: - {{- with .Values.volumes }} -{{- toYaml . 
| nindent 8 }} - {{- end }} - {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} - - name: aws-shared-credential-file - secret: - secretName: {{ .Release.Name }}-aws-config-creds - items: - - key: aws_shared_credential_file - path: aws_shared_credential_file - - name: aws-config-file - secret: - secretName: {{ .Release.Name }}-aws-config-creds - items: - - key: aws_config_file - path: aws_config_file - - name: aws-secrets-replica-regions - secret: - secretName: {{ .Release.Name }}-aws-config-creds - items: - - key: aws_secrets_replica_regions - path: aws_secrets_replica_regions - {{- end }} - {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} - - name: google-sa - secret: - secretName: {{ .Release.Name }}-google-sa - {{- end }} - - {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} - - name: {{ include "oxpassport.name" . }}-updatelbip - configMap: - name: {{ .Release.Name }}-updatelbip - {{- end }} - {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} - - {{- if not .Values.global.istio.enabled }} - - name: cb-crt - secret: - secretName: {{ .Release.Name }}-cb-crt - {{- end }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} diff --git a/charts/gluu/gluu/charts/oxpassport/templates/hpa.yaml b/charts/gluu/gluu/charts/oxpassport/templates/hpa.yaml deleted file mode 100644 index 0764e19e3..000000000 --- a/charts/gluu/gluu/charts/oxpassport/templates/hpa.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -{{ if .Values.hpa.enabled -}} -apiVersion: autoscaling/v1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "oxpassport.fullname" . }} - labels: -{{ include "oxpassport.labels" . | indent 4}} -{{- if .Values.additionalLabels }} -{{ toYaml .Values.additionalLabels | indent 4 }} -{{- end }} -{{- if .Values.additionalAnnotations }} - annotations: -{{ toYaml .Values.additionalAnnotations | indent 4 }} -{{- end }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ include "oxpassport.fullname" . }} - minReplicas: {{ .Values.hpa.minReplicas }} - maxReplicas: {{ .Values.hpa.maxReplicas }} - {{- if .Values.hpa.targetCPUUtilizationPercentage }} - targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} - {{- else if .Values.hpa.metrics }} - metrics: - {{- with .Values.hpa.metrics }} -{{- toYaml . | nindent 4 }} - {{- end }} - {{- end }} - {{- if .Values.hpa.behavior }} - behavior: - {{- with .Values.hpa.behavior }} -{{- toYaml . | nindent 4 }} - {{- end }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/oxpassport/templates/oxpassport-destination-rules.yaml b/charts/gluu/gluu/charts/oxpassport/templates/oxpassport-destination-rules.yaml deleted file mode 100644 index 238c976d1..000000000 --- a/charts/gluu/gluu/charts/oxpassport/templates/oxpassport-destination-rules.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -{{- if .Values.global.istio.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: {{ .Release.Name }}-oxpassport-mtls - namespace: {{.Release.Namespace}} - labels: -{{ include "oxpassport.labels" . | indent 4}} -{{- if .Values.additionalLabels }} -{{ toYaml .Values.additionalLabels | indent 4 }} -{{- end }} -{{- if .Values.additionalAnnotations }} - annotations: -{{ toYaml .Values.additionalAnnotations | indent 4 }} -{{- end }} -spec: - host: {{ .Values.global.oxpassport.oxPassportServiceName }}.{{ .Release.Namespace }}.svc.cluster.local - trafficPolicy: - tls: - mode: ISTIO_MUTUAL -{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/oxpassport/templates/oxpassport-pdb.yaml b/charts/gluu/gluu/charts/oxpassport/templates/oxpassport-pdb.yaml deleted file mode 100644 index 8ebcdc717..000000000 --- a/charts/gluu/gluu/charts/oxpassport/templates/oxpassport-pdb.yaml +++ /dev/null @@ -1,11 +0,0 @@ -{{ if .Values.pdb.enabled -}} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{ include "oxpassport.fullname" . }} -spec: - maxUnavailable: {{ .Values.pdb.maxUnavailable }} - selector: - matchLabels: - app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} -{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/oxpassport/templates/oxpassport-virtual-services.yaml b/charts/gluu/gluu/charts/oxpassport/templates/oxpassport-virtual-services.yaml deleted file mode 100644 index 6c2416b84..000000000 --- a/charts/gluu/gluu/charts/oxpassport/templates/oxpassport-virtual-services.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -{{- if .Values.global.istio.ingress }} -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: {{ .Release.Name }}-istio-passport - namespace: {{.Release.Namespace}} - labels: -{{ include "oxpassport.labels" . | indent 4}} -{{- if .Values.additionalLabels }} -{{ toYaml .Values.additionalLabels | indent 4 }} -{{- end }} -{{- if .Values.additionalAnnotations }} - annotations: -{{ toYaml .Values.additionalAnnotations | indent 4 }} -{{- end }} -spec: - hosts: - - {{ .Values.global.fqdn }} -{{- if .Values.global.istio.gateways }} - gateways: -{{ toYaml .Values.global.istio.gateways | indent 2 }} -{{- else }} - gateways: - - {{ .Release.Name }}-global-gtw -{{- end }} - http: - - name: {{ .Release.Name }}-istio-passport - match: - - uri: - prefix: "/passport" - route: - - destination: - host: {{ .Values.global.oxpassport.oxPassportServiceName }}.{{ .Release.Namespace }}.svc.cluster.local - port: - number: 8090 - weight: 100 -{{- end }} diff --git a/charts/gluu/gluu/charts/oxpassport/templates/service.yaml b/charts/gluu/gluu/charts/oxpassport/templates/service.yaml deleted file mode 100644 index b4fda3285..000000000 --- a/charts/gluu/gluu/charts/oxpassport/templates/service.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.global.oxpassport.oxPassportServiceName }} - namespace: {{ .Release.Namespace }} - labels: -{{ include "oxpassport.labels" . | indent 4}} -{{- if .Values.additionalLabels }} -{{ toYaml .Values.additionalLabels | indent 4 }} -{{- end }} -{{- if .Values.additionalAnnotations }} - annotations: -{{ toYaml .Values.additionalAnnotations | indent 4 }} -{{- end }} -spec: - {{- if .Values.global.alb.ingress }} - type: NodePort - {{- end }} - ports: - - port: {{ .Values.service.port }} - name: {{ .Values.service.name }} - selector: - app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} - release: {{ .Release.Name }} - sessionAffinity: {{ .Values.service.sessionAffinity }} - {{- with .Values.service.sessionAffinityConfig }} - sessionAffinityConfig: -{{ toYaml . | indent 4 }} - {{- end }} diff --git a/charts/gluu/gluu/charts/oxpassport/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/charts/oxpassport/templates/user-custom-secret-envs.yaml deleted file mode 100644 index 47ed7cd16..000000000 --- a/charts/gluu/gluu/charts/oxpassport/templates/user-custom-secret-envs.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{ if .Values.usrEnvs.secret }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs - labels: -{{ include "oxpassport.labels" . | indent 4}} -{{- if .Values.additionalLabels }} -{{ toYaml .Values.additionalLabels | indent 4 }} -{{- end }} -{{- if .Values.additionalAnnotations }} - annotations: -{{ toYaml .Values.additionalAnnotations | indent 4 }} -{{- end }} -type: Opaque -data: - {{- range $key, $val := .Values.usrEnvs.secret }} - {{ $key }}: {{ $val | b64enc }} - {{- end}} -{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/oxpassport/values.yaml b/charts/gluu/gluu/charts/oxpassport/values.yaml deleted file mode 100644 index b7b06d82d..000000000 --- a/charts/gluu/gluu/charts/oxpassport/values.yaml +++ /dev/null 
@@ -1,103 +0,0 @@ - -# -- Gluu interface to Passport.js to support social login and inbound identity. -# -- Configure the HorizontalPodAutoscaler -hpa: - enabled: true - minReplicas: 1 - maxReplicas: 10 - targetCPUUtilizationPercentage: 50 - # -- metrics if targetCPUUtilizationPercentage is not set - metrics: [] - # -- Scaling Policies - behavior: {} -# -- Add custom normal and secret envs to the service -usrEnvs: - # -- Add custom normal envs to the service - # variable1: value1 - normal: {} - # -- Add custom secret envs to the service - # variable1: value1 - secret: {} -# -- Add custom dns policy -dnsPolicy: "" -# -- Add custom dns config -dnsConfig: {} -image: - # -- Image pullPolicy to use for deploying. - pullPolicy: IfNotPresent - # -- Image to use for deploying. - repository: gluufederation/oxpassport - # -- Image tag to use for deploying. - tag: 5.0.0-12 - # -- Image Pull Secrets - pullSecrets: [ ] -# -- Service replica number -replicas: 1 -# -- Resource specs. -resources: - limits: - # -- CPU limit. - cpu: 700m - # -- Memory limit. - memory: 900Mi - requests: - # -- CPU request. - cpu: 700m - # -- Memory request. - memory: 900Mi -service: - # -- Port of the oxPassport service. Please keep it as default. - port: 8090 - # -- The name of the oxPassport port within the oxPassport service. Please keep it as default. - name: http-passport - # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP - sessionAffinity: None - # -- the maximum session sticky time if sessionAffinity is ClientIP - sessionAffinityConfig: - clientIP: - timeoutSeconds: 10800 - -# -- Configure the liveness healthcheck for oxPassport if needed. 
-livenessProbe: - httpGet: - # -- http liveness probe endpoint - path: /passport/health-check - port: http-passport - initialDelaySeconds: 30 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 20 -# -- Configure the readiness healthcheck for the oxPassport if needed. -readinessProbe: - httpGet: - # -- http readiness probe endpoint - path: /passport/health-check - port: http-passport - initialDelaySeconds: 25 - periodSeconds: 25 - timeoutSeconds: 5 - failureThreshold: 20 -# -- Configure any additional volumes that need to be attached to the pod -volumes: [] -# -- Configure any additional volumesMounts that need to be attached to the containers -volumeMounts: [] -# Actions on lifecycle events such as postStart and preStop -# Example -# lifecycle: -# postStart: -# exec: -# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] -lifecycle: {} -nameOverride: "" -fullnameOverride: "" - -nodeSelector: {} - -tolerations: [] - -affinity: {} - -# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} -additionalLabels: { } -# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken -additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/charts/oxshibboleth/.helmignore b/charts/gluu/gluu/charts/oxshibboleth/.helmignore deleted file mode 100644 index f0c131944..000000000 --- a/charts/gluu/gluu/charts/oxshibboleth/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj 
diff --git a/charts/gluu/gluu/charts/oxshibboleth/Chart.yaml b/charts/gluu/gluu/charts/oxshibboleth/Chart.yaml deleted file mode 100644 index 77d450327..000000000 --- a/charts/gluu/gluu/charts/oxshibboleth/Chart.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: v2 -appVersion: 5.0.0 -description: Shibboleth project for the Gluu Server's SAML IDP functionality. -home: https://gluu.org/docs/gluu-server -icon: https://gluu.org/docs/gluu-server/favicon.ico -keywords: -- SAML -- Shibboleth -kubeVersion: '>=v1.21.0-0' -maintainers: -- email: support@gluu.org - name: Mohammad Abudayyeh - url: https://github.com/moabu -name: oxshibboleth -sources: -- https://github.com/GluuFederation/oxShibboleth -- https://github.com/GluuFederation/docker-oxshibboleth -- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/oxshibboleth -type: application -version: 5.0.23 diff --git a/charts/gluu/gluu/charts/oxshibboleth/README.md b/charts/gluu/gluu/charts/oxshibboleth/README.md deleted file mode 100644 index a3f0f8ee0..000000000 --- a/charts/gluu/gluu/charts/oxshibboleth/README.md +++ /dev/null 
@@ -1,68 +0,0 @@ -# oxshibboleth - -![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) - -Shibboleth project for the Gluu Server's SAML IDP functionality. - -**Homepage:** - -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| Mohammad Abudayyeh | | | - -## Source Code - -* -* -* - -## Requirements - -Kubernetes: `>=v1.21.0-0` - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | -| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | -| affinity | object | `{}` | | -| dnsConfig | object | `{}` | Add custom dns config | -| dnsPolicy | string | `""` | Add custom dns policy | -| fullnameOverride | string | `""` | | -| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | -| hpa.behavior | object | `{}` | Scaling Policies | -| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | -| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | -| image.pullSecrets | list | `[]` | Image Pull Secrets | -| image.repository | string | `"gluufederation/oxshibboleth"` | Image to use for deploying. | -| image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. 
| -| lifecycle | object | `{}` | | -| livenessProbe | object | `{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the oxShibboleth if needed. | -| livenessProbe.httpGet.path | string | `"/idp"` | http liveness probe endpoint | -| nameOverride | string | `""` | | -| nodeSelector | object | `{}` | | -| readinessProbe | object | `{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxshibboleth if needed. | -| readinessProbe.httpGet.path | string | `"/idp"` | http liveness probe endpoint | -| replicas | int | `1` | Service replica number. | -| resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | -| resources.limits.cpu | string | `"1000m"` | CPU limit. | -| resources.limits.memory | string | `"1000Mi"` | Memory limit. | -| resources.requests.cpu | string | `"1000m"` | CPU request. | -| resources.requests.memory | string | `"1000Mi"` | Memory request. | -| service.name | string | `"http-oxshib"` | Port of the oxShibboleth service. Please keep it as default. | -| service.port | int | `8080` | The name of the oxShibboleth port within the oxShibboleth service. Please keep it as default. 
| -| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | -| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | -| service.targetPort | int | `8080` | | -| tolerations | list | `[]` | | -| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | -| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | -| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | -| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | -| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/charts/oxshibboleth/templates/_helpers.tpl b/charts/gluu/gluu/charts/oxshibboleth/templates/_helpers.tpl deleted file mode 100644 index a9a1a94b7..000000000 --- a/charts/gluu/gluu/charts/oxshibboleth/templates/_helpers.tpl +++ /dev/null 
@@ -1,144 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "oxshibboleth.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "oxshibboleth.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "oxshibboleth.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* - Common labels -*/}} -{{- define "oxshibboleth.labels" -}} -app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} -helm.sh/chart: {{ include "oxshibboleth.chart" . 
}} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end -}} - -{{/* -Create user custom defined envs -*/}} -{{- define "oxshibboleth.usr-envs"}} -{{- range $key, $val := .Values.usrEnvs.normal }} -- name: {{ $key }} - value: {{ $val | quote }} -{{- end }} -{{- end }} - -{{/* -Create user custom defined secret envs -*/}} -{{- define "oxshibboleth.usr-secret-envs"}} -{{- range $key, $val := .Values.usrEnvs.secret }} -- name: {{ $key }} - valueFrom: - secretKeyRef: - name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs - key: {{ $key | quote }} -{{- end }} -{{- end }} - -{{/* -Create GLUU_JAVA_OPTIONS ENV for passing detailed logs -*/}} -{{- define "oxshibboleth.detailedLogs"}} -{{ $ldap := "" }} -{{ $messages := "" }} -{{ $encryption := "" }} -{{ $opensaml := "" }} -{{ $props := "" }} -{{ $httpclient := "" }} -{{ $spring := "" }} -{{ $container := "" }} -{{ $xmlsec := "" }} - -{{- if .Values.global.oxshibboleth.appLoggers.ldapLogLevel }} -{{ $ldap = printf "-Didp.loglevel.ldap=%s " .Values.global.oxshibboleth.appLoggers.ldapLogLevel }} -{{- end}} -{{- if .Values.global.oxshibboleth.appLoggers.messagesLogLevel }} -{{ $messages = printf "-Didp.loglevel.messages=%s " .Values.global.oxshibboleth.appLoggers.messagesLogLevel }} -{{- end}} -{{- if .Values.global.oxshibboleth.appLoggers.encryptionLogLevel }} -{{ $encryption = printf "-Didp.loglevel.encryption=%s " .Values.global.oxshibboleth.appLoggers.encryptionLogLevel }} -{{- end}} -{{- if .Values.global.oxshibboleth.appLoggers.opensamlLogLevel }} -{{ $opensaml = printf "-Didp.loglevel.opensaml=%s " .Values.global.oxshibboleth.appLoggers.opensamlLogLevel }} -{{- end}} -{{- if .Values.global.oxshibboleth.appLoggers.propsLogLevel }} -{{ $props = printf "-Didp.loglevel.props=%s " .Values.global.oxshibboleth.appLoggers.propsLogLevel }} -{{- end}} -{{- if 
.Values.global.oxshibboleth.appLoggers.httpclientLogLevel }} -{{ $httpclient = printf "-Didp.loglevel.httpclient=%s " .Values.global.oxshibboleth.appLoggers.httpclientLogLevel }} -{{- end}} -{{- if .Values.global.oxshibboleth.appLoggers.springLogLevel }} -{{ $spring = printf "-Didp.loglevel.spring=%s " .Values.global.oxshibboleth.appLoggers.springLogLevel }} -{{- end}} -{{- if .Values.global.oxshibboleth.appLoggers.containerLogLevel }} -{{ $container = printf "-Didp.loglevel.container=%s " .Values.global.oxshibboleth.appLoggers.containerLogLevel }} -{{- end}} -{{- if .Values.global.oxshibboleth.appLoggers.xmlsecLogLevel }} -{{ $xmlsec = printf "-Didp.loglevel.xmlsec=%s " .Values.global.oxshibboleth.appLoggers.xmlsecLogLevel }} -{{- end}} - -{{ $detailLogs := printf "%s%s%s%s%s%s%s%s%s" $ldap $messages $encryption $opensaml $props $httpclient $spring $container $xmlsec }} -{{ $detailLogs | trimSuffix " " | quote }} -{{- end }} - -{{/* -Create topologySpreadConstraints lists -*/}} -{{- define "oxshibboleth.topology-spread-constraints"}} -{{- range $key, $val := .Values.topologySpreadConstraints }} -- maxSkew: {{ $val.maxSkew }} - {{- if $val.minDomains }} - minDomains: {{ $val.minDomains }} # optional; beta since v1.25 - {{- end}} - {{- if $val.topologyKey }} - topologyKey: {{ $val.topologyKey }} - {{- end}} - {{- if $val.whenUnsatisfiable }} - whenUnsatisfiable: {{ $val.whenUnsatisfiable }} - {{- end}} - labelSelector: - matchLabels: - app: {{ $.Release.Name }}-{{ include "oxshibboleth.name" $ }} - {{- if $val.matchLabelKeys }} - matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 - {{- end}} - {{- if $val.nodeAffinityPolicy }} - nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 - {{- end}} - {{- if $val.nodeTaintsPolicy }} - nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 - {{- end}} -{{- end }} -{{- end }} \ No newline at end of file 
diff --git a/charts/gluu/gluu/charts/oxshibboleth/templates/hpa.yaml b/charts/gluu/gluu/charts/oxshibboleth/templates/hpa.yaml deleted file mode 100644 index 3d4c0597f..000000000 --- a/charts/gluu/gluu/charts/oxshibboleth/templates/hpa.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{ if .Values.hpa.enabled -}} -apiVersion: autoscaling/v1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "oxshibboleth.fullname" . }} - labels: - APP_NAME: oxshibboleth -{{ include "oxshibboleth.labels" . | indent 4 }} -{{- if .Values.additionalLabels }} -{{ toYaml .Values.additionalLabels | indent 4 }} -{{- end }} -{{- if .Values.additionalAnnotations }} - annotations: -{{ toYaml .Values.additionalAnnotations | indent 4 }} -{{- end }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: StatefulSet - name: {{ include "oxshibboleth.fullname" . }} - minReplicas: {{ .Values.hpa.minReplicas }} - maxReplicas: {{ .Values.hpa.maxReplicas }} - {{- if .Values.hpa.targetCPUUtilizationPercentage }} - targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} - {{- else if .Values.hpa.metrics }} - metrics: - {{- with .Values.hpa.metrics }} -{{- toYaml . | nindent 4 }} - {{- end }} - {{- end }} - {{- if .Values.hpa.behavior }} - behavior: - {{- with .Values.hpa.behavior }} -{{- toYaml . | nindent 4 }} - {{- end }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml b/charts/gluu/gluu/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml deleted file mode 100644 index 8478504b6..000000000 --- a/charts/gluu/gluu/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -{{- if .Values.global.istio.enabled }} -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: {{ .Release.Name }}-oxshibboleth-mtls - namespace: {{ .Release.Namespace }} - labels: - APP_NAME: oxshibboleth -{{ include "oxshibboleth.labels" . | indent 4 }} -{{- if .Values.additionalLabels }} -{{ toYaml .Values.additionalLabels | indent 4 }} -{{- end }} -{{- if .Values.additionalAnnotations }} - annotations: -{{ toYaml .Values.additionalAnnotations | indent 4 }} -{{- end }} -spec: - host: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }}.{{ .Release.Namespace }}.svc.cluster.local - trafficPolicy: - tls: - mode: ISTIO_MUTUAL -{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/oxshibboleth/templates/oxshibboleth-pdb.yaml b/charts/gluu/gluu/charts/oxshibboleth/templates/oxshibboleth-pdb.yaml deleted file mode 100644 index a8c99410c..000000000 --- a/charts/gluu/gluu/charts/oxshibboleth/templates/oxshibboleth-pdb.yaml +++ /dev/null @@ -1,11 +0,0 @@ -{{ if .Values.pdb.enabled -}} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{ include "oxshibboleth.fullname" . }} -spec: - maxUnavailable: {{ .Values.pdb.maxUnavailable }} - selector: - matchLabels: - app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} -{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml b/charts/gluu/gluu/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml deleted file mode 100644 index 5f89fa5c2..000000000 --- a/charts/gluu/gluu/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{- if .Values.global.istio.ingress }} -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: {{ .Release.Name }}-istio-oxshibbioleth - namespace: {{ .Release.Namespace }} - labels: - APP_NAME: oxshibboleth -{{ include "oxshibboleth.labels" . | indent 4 }} -{{- if .Values.additionalLabels }} -{{ toYaml .Values.additionalLabels | indent 4 }} -{{- end }} -{{- if .Values.additionalAnnotations }} - annotations: -{{ toYaml .Values.additionalAnnotations | indent 4 }} -{{- end }} -spec: - hosts: - - {{ .Values.global.fqdn }} - gateways: - - {{ .Release.Name }}-global-gtw - http: - - name: {{ .Release.Name }}-istio-oxshibbioleth - match: - - uri: - prefix: /idp - route: - - destination: - host: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }}.{{ .Release.Namespace }}.svc.cluster.local - port: - number: 8080 - weight: 100 -{{- end }} diff --git a/charts/gluu/gluu/charts/oxshibboleth/templates/service.yaml b/charts/gluu/gluu/charts/oxshibboleth/templates/service.yaml deleted file mode 100644 index 478177475..000000000 --- a/charts/gluu/gluu/charts/oxshibboleth/templates/service.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }} - namespace: {{ .Release.Namespace }} - labels: - APP_NAME: oxshibboleth -{{ include "oxshibboleth.labels" . | indent 4 }} -{{- if .Values.additionalLabels }} -{{ toYaml .Values.additionalLabels | indent 4 }} -{{- end }} -{{- if .Values.additionalAnnotations }} - annotations: -{{ toYaml .Values.additionalAnnotations | indent 4 }} -{{- end }} -spec: - {{- if .Values.global.alb.ingress }} - type: NodePort - {{- else }} - clusterIP: None - {{- end }} - ports: - - port: {{ .Values.service.port }} - targetPort: {{ .Values.service.targetPort }} - name: {{ .Values.service.name }} - selector: - app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} - release: {{ .Release.Name }} - sessionAffinity: {{ .Values.service.sessionAffinity }} - {{- with .Values.service.sessionAffinityConfig }} - sessionAffinityConfig: -{{ toYaml . | indent 4 }} - {{- end }} diff --git a/charts/gluu/gluu/charts/oxshibboleth/templates/statefulset.yaml b/charts/gluu/gluu/charts/oxshibboleth/templates/statefulset.yaml deleted file mode 100644 index 17bb8379e..000000000 --- a/charts/gluu/gluu/charts/oxshibboleth/templates/statefulset.yaml +++ /dev/null 
@@ -1,171 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "oxshibboleth.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - APP_NAME: oxshibboleth -{{ include "oxshibboleth.labels" . | indent 4 }} -{{- if .Values.additionalLabels }} -{{ toYaml .Values.additionalLabels | indent 4 }} -{{- end }} -{{- if .Values.additionalAnnotations }} - annotations: -{{ toYaml .Values.additionalAnnotations | indent 4 }} -{{- end }} -spec: - serviceName: oxshibboleth - replicas: {{ .Values.replicas }} - selector: - matchLabels: - app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} - release: {{ .Release.Name }} - template: - metadata: - labels: - APP_NAME: oxshibboleth - app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} - release: {{ .Release.Name }} - {{- if .Values.global.istio.ingress }} - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "true" - {{- end }} - spec: - {{- with .Values.image.pullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - dnsPolicy: {{ .Values.dnsPolicy | quote }} - {{- with .Values.dnsConfig }} - dnsConfig: -{{ toYaml . | indent 8 }} - {{- end }} - {{- if .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- include "oxshibboleth.topology-spread-constraints" . | indent 8 }} - {{- end }} - containers: - - name: {{ include "oxshibboleth.name" . }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - env: - {{- include "oxshibboleth.usr-envs" . | indent 12 }} - {{- include "oxshibboleth.usr-secret-envs" . | indent 12 }} - - name: GLUU_JAVA_OPTIONS - value: {{ include "oxshibboleth.detailedLogs" . 
| trim }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} - command: - - /bin/sh - - -c - - | - /usr/bin/python3 /scripts/updatelbip.py & - /app/scripts/entrypoint.sh - {{- end }} - ports: - - name: {{ .Values.service.name }} - containerPort: {{ .Values.service.port }} - protocol: TCP - envFrom: - - configMapRef: - name: {{ .Release.Name }}-config-cm - {{ if .Values.global.usrEnvs.secret }} - - secretRef: - name: {{ .Release.Name }}-global-user-custom-envs - {{- end }} - {{ if .Values.global.usrEnvs.normal }} - - configMapRef: - name: {{ .Release.Name }}-global-user-custom-envs - {{- end }} - lifecycle: -{{- toYaml .Values.lifecycle | nindent 10 }} - volumeMounts: - {{- with .Values.volumeMounts }} -{{- toYaml . | nindent 12 }} - {{- end }} - {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} - - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} - name: aws-shared-credential-file - subPath: aws_shared_credential_file - - mountPath: {{ .Values.global.cnAwsConfigFile }} - name: aws-config-file - subPath: aws_config_file - - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} - name: aws-secrets-replica-regions - subPath: aws_secrets_replica_regions - {{- end }} - {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} - - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} - name: google-sa - subPath: google-credentials.json - {{- end }} - {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} - - name: {{ include "oxshibboleth.fullname" .}}-updatelbip - mountPath: /scripts - {{- end }} - {{- if or (eq 
.Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} - {{- if not .Values.global.istio.enabled }} - - name: cb-crt - mountPath: "/etc/certs/couchbase.crt" - subPath: couchbase.crt - {{- end }} - {{- end }} - livenessProbe: -{{- toYaml .Values.livenessProbe | nindent 10 }} - readinessProbe: -{{- toYaml .Values.readinessProbe | nindent 10 }} - {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} - resources: {} - {{- else if .Values.global.cloud.testEnviroment }} - resources: {} - {{- else }} - resources: -{{- toYaml .Values.resources | nindent 10 }} - {{- end }} - {{- if not .Values.global.isFqdnRegistered }} - hostAliases: - - ip: {{ .Values.global.lbIp }} - hostnames: - - {{ .Values.global.fqdn }} - {{- end }} - volumes: - {{- with .Values.volumes }} -{{- toYaml . | nindent 8 }} - {{- end }} - {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} - - name: aws-shared-credential-file - secret: - secretName: {{ .Release.Name }}-aws-config-creds - items: - - key: aws_shared_credential_file - path: aws_shared_credential_file - - name: aws-config-file - secret: - secretName: {{ .Release.Name }}-aws-config-creds - items: - - key: aws_config_file - path: aws_config_file - - name: aws-secrets-replica-regions - secret: - secretName: {{ .Release.Name }}-aws-config-creds - items: - - key: aws_secrets_replica_regions - path: aws_secrets_replica_regions - {{- end }} - {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} - - name: google-sa - secret: - secretName: {{ .Release.Name }}-google-sa - {{- end }} - {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} 
- - name: {{ include "oxshibboleth.fullname" .}}-updatelbip - configMap: - name: {{ .Release.Name }}-updatelbip - {{- end }} - {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} - - {{- if not .Values.global.istio.enabled }} - - name: cb-crt - secret: - secretName: {{ .Release.Name }}-cb-crt - {{- end }} - {{- end }} diff --git a/charts/gluu/gluu/charts/oxshibboleth/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/charts/oxshibboleth/templates/user-custom-secret-envs.yaml deleted file mode 100644 index fd6e4e0aa..000000000 --- a/charts/gluu/gluu/charts/oxshibboleth/templates/user-custom-secret-envs.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{ if .Values.usrEnvs.secret }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs - labels: - APP_NAME: oxshibboleth -{{ include "oxshibboleth.labels" . | indent 4 }} -{{- if .Values.additionalLabels }} -{{ toYaml .Values.additionalLabels | indent 4 }} -{{- end }} -{{- if .Values.additionalAnnotations }} - annotations: -{{ toYaml .Values.additionalAnnotations | indent 4 }} -{{- end }} -type: Opaque -data: - {{- range $key, $val := .Values.usrEnvs.secret }} - {{ $key }}: {{ $val | b64enc }} - {{- end}} -{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/oxshibboleth/values.yaml b/charts/gluu/gluu/charts/oxshibboleth/values.yaml deleted file mode 100644 index 224291fdc..000000000 --- a/charts/gluu/gluu/charts/oxshibboleth/values.yaml +++ /dev/null 
@@ -1,102 +0,0 @@ - -# -- Shibboleth project for the Gluu Server's SAML IDP functionality. -# -- Configure the HorizontalPodAutoscaler -hpa: - enabled: true - minReplicas: 1 - maxReplicas: 10 - targetCPUUtilizationPercentage: 50 - # -- metrics if targetCPUUtilizationPercentage is not set - metrics: [] - # -- Scaling Policies - behavior: {} -# -- Add custom normal and secret envs to the service -usrEnvs: - # -- Add custom normal envs to the service - # variable1: value1 - normal: {} - # -- Add custom secret envs to the service - # variable1: value1 - secret: {} -# -- Add custom dns policy -dnsPolicy: "" -# -- Add custom dns config -dnsConfig: {} -image: - # -- Image pullPolicy to use for deploying. - pullPolicy: IfNotPresent - # -- Image to use for deploying. - repository: gluufederation/oxshibboleth - # -- Image tag to use for deploying. - tag: 5.0.0-12 - # -- Image Pull Secrets - pullSecrets: [ ] -# -- Service replica number. -replicas: 1 -# -- Resource specs. -resources: - limits: - # -- CPU limit. - cpu: 1000m - # -- Memory limit. - memory: 1000Mi - requests: - # -- CPU request. - cpu: 1000m - # -- Memory request. - memory: 1000Mi -service: - # -- The name of the oxShibboleth port within the oxShibboleth service. Please keep it as default. - port: 8080 - targetPort: 8080 - # -- Port of the oxShibboleth service. Please keep it as default. - name: http-oxshib - # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP - sessionAffinity: None - # -- the maximum session sticky time if sessionAffinity is ClientIP - sessionAffinityConfig: - clientIP: - timeoutSeconds: 10800 - -# -- Configure the liveness healthcheck for the oxShibboleth if needed. 
-livenessProbe: - httpGet: - # -- http liveness probe endpoint - path: /idp - port: http-oxshib - initialDelaySeconds: 30 - periodSeconds: 30 - timeoutSeconds: 5 -# -- Configure the readiness healthcheck for the oxshibboleth if needed. -readinessProbe: - httpGet: - # -- http liveness probe endpoint - path: /idp - port: http-oxshib - initialDelaySeconds: 25 - periodSeconds: 25 - timeoutSeconds: 5 -# -- Configure any additional volumes that need to be attached to the pod -volumes: [] -# -- Configure any additional volumesMounts that need to be attached to the containers -volumeMounts: [] -# Actions on lifecycle events such as postStart and preStop -# Example -# lifecycle: -# postStart: -# exec: -# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] -lifecycle: {} -nameOverride: "" -fullnameOverride: "" - -nodeSelector: {} - -tolerations: [] - -affinity: {} - -# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} -additionalLabels: { } -# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken -additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/charts/persistence/Chart.yaml b/charts/gluu/gluu/charts/persistence/Chart.yaml index 6981090f7..015c23506 100644 --- a/charts/gluu/gluu/charts/persistence/Chart.yaml +++ b/charts/gluu/gluu/charts/persistence/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 appVersion: 5.0.0 description: Job to generate data and initial config for Gluu Server persistence layer. -home: https://gluu.org/docs/gluu-server +home: https://docs.gluu.org icon: https://gluu.org/docs/gluu-server/favicon.ico keywords: - persistence prep 
@@ -13,6 +13,6 @@ maintainers: name: persistence sources: - https://github.com/JanssenProject/jans/docker-jans-persistence-loader -- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/persistence +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/persistence type: application -version: 5.0.23 +version: 5.0.24 diff --git a/charts/gluu/gluu/charts/persistence/README.md b/charts/gluu/gluu/charts/persistence/README.md index 9485c50f4..d1667696f 100644 --- a/charts/gluu/gluu/charts/persistence/README.md +++ b/charts/gluu/gluu/charts/persistence/README.md @@ -1,10 +1,10 @@ # persistence -![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) Job to generate data and initial config for Gluu Server persistence layer. -**Homepage:** +**Homepage:** ## Maintainers @@ -15,7 +15,7 @@ Job to generate data and initial config for Gluu Server persistence layer. ## Source Code * -* +* ## Requirements 
@@ -27,13 +27,14 @@ Kubernetes: `>=v1.21.0-0` |-----|------|---------|-------------| | additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | | additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | | dnsConfig | object | `{}` | Add custom dns config | | dnsPolicy | string | `""` | Add custom dns policy | | fullnameOverride | string | `""` | | | image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | image.pullSecrets | list | `[]` | Image Pull Secrets | | image.repository | string | `"janssenproject/persistence"` | Image to use for deploying. | -| image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | | imagePullSecrets | list | `[]` | | | lifecycle | object | `{}` | | | nameOverride | string | `""` | | diff --git a/charts/gluu/gluu/charts/persistence/templates/jobs.yml b/charts/gluu/gluu/charts/persistence/templates/jobs.yml index 151d0e2ab..80f8b592f 100644 --- a/charts/gluu/gluu/charts/persistence/templates/jobs.yml +++ b/charts/gluu/gluu/charts/persistence/templates/jobs.yml @@ -41,7 +41,7 @@ spec: env: {{- include "persistence.usr-envs" . | indent 12 }} {{- include "persistence.usr-secret-envs" . | indent 12 }} - {{- if .Values.global.istio.enabled }} + {{- if or ( .Values.global.istio.enabled ) ( .Values.customScripts )}} command: - tini - -g 
@@ -49,8 +49,13 @@ spec: - /bin/sh - -c - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 12}} + {{- end }} /app/scripts/entrypoint.sh + {{- if .Values.global.istio.enabled }} curl -X POST http://localhost:15020/quitquitquit + {{- end }} {{- end }} envFrom: - configMapRef: @@ -64,7 +69,7 @@ spec: name: {{ .Release.Name }}-global-user-custom-envs {{- end }} lifecycle: -{{- toYaml .Values.lifecycle | nindent 10 }} +{{- toYaml .Values.lifecycle | nindent 10 }} volumeMounts: {{- with .Values.volumeMounts }} {{- toYaml . | nindent 10 }} @@ -89,6 +94,22 @@ spec: - name: cb-crt mountPath: "/etc/certs/couchbase.crt" subPath: couchbase.crt + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbaseSuperuserPasswordFile }} + subPath: couchbase_superuser_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password {{- end }} resources: {{- toYaml .Values.resources | nindent 10 }} 
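Review bot: The `customScripts` entries are spliced into the `/bin/sh -c` script with `toYaml . | replace "- " ""`, which edits the text of every entry instead of only dropping the list marker. An entry that itself contains `- ` is altered, and an entry that toYaml chooses to quote would presumably reach the shell as a single quoted word. Iterating keeps each entry intact: `{{- range .Values.customScripts }}`, `{{ . | nindent 12 }}`, `{{- end }}`. These lines run before `/app/scripts/entrypoint.sh` in the container that also mounts the persistence password files, so the values comment should say that each entry is executed verbatim by the shell and that, with no `set -e`, a failing script does not stop the entrypoint. The container spec starts and ends outside this hunk.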
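Review bot: The new password-file mounts take `mountPath` straight from `.Values.global.cnCouchbasePasswordFile`, `cnCouchbaseSuperuserPasswordFile`, `cnSqlPasswordFile` and `cnLdapPasswordFile`, unquoted and unchecked, so an unset value renders an empty `mountPath` that would presumably be rejected only when the Job is applied. Failing at render time is clearer, e.g. `mountPath: {{ required "global.cnSqlPasswordFile must be set" .Values.global.cnSqlPasswordFile | quote }}`, and likewise for the other three. Because these mounts carry credentials, `readOnly: true` on each would state the intent explicitly. The enclosing `volumeMounts` list and the couchbase `if` block start outside the hunk.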
@@ -122,7 +143,28 @@ spec: secretName: {{ .Release.Name }}-google-sa {{- end }} {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} - - name: cb-crt + - name: cb-crt secret: secretName: {{ .Release.Name }}-cb-crt + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + - key: couchbase_password + path: couchbase_password + - key: couchbase_superuser_password + path: couchbase_superuser_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password {{- end }} diff --git a/charts/gluu/gluu/charts/persistence/values.yaml b/charts/gluu/gluu/charts/persistence/values.yaml index 322caf2ee..cc2b290bc 100644 --- a/charts/gluu/gluu/charts/persistence/values.yaml +++ b/charts/gluu/gluu/charts/persistence/values.yaml @@ -18,7 +18,7 @@ image: # -- Image to use for deploying. repository: janssenproject/persistence # -- Image tag to use for deploying. - tag: 1.0.19-1 + tag: 1.0.21-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Resource specs. @@ -51,4 +51,8 @@ fullnameOverride: "" # -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} additionalLabels: { } # -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken -additionalAnnotations: { } \ No newline at end of file +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] \ No newline at end of file 
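Review bot: The `cb-pass`, `sql-pass` and `ldap-pass` secret volumes added in the `jobs.yml` hunk `@@ -122,7 +143,28 @@` set no `defaultMode`, so the password files get the Kubernetes default mode 0644 and are readable by every user in the container. Adding `defaultMode: 0440` under each `secret:` would narrow that; it may need a matching `fsGroup` if the container runs as non-root, which is not visible here. `sql-pass` also has no `items:` list, unlike the other two, so the whole Secret is projected into the volume; listing only `key: sql_password` / `path: sql_password` would make it consistent. The scim `deployment.yml` hunk `@@ -161,14 +182,35 @@` repeats both patterns.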
diff --git a/charts/gluu/gluu/charts/scim/Chart.yaml b/charts/gluu/gluu/charts/scim/Chart.yaml index 625a34b7d..0fffa412e 100644 --- a/charts/gluu/gluu/charts/scim/Chart.yaml +++ b/charts/gluu/gluu/charts/scim/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 appVersion: 5.0.0 description: System for Cross-domain Identity Management (SCIM) version 2.0 -home: https://gluu.org/docs/gluu-server +home: https://docs.gluu.org icon: https://gluu.org/docs/gluu-server/favicon.ico keywords: - SCIM @@ -15,6 +15,6 @@ name: scim sources: - https://github.com/JanssenProject/jans/jans-scim - https://github.com/JanssenProject/jans/docker-jans-scim -- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/scim +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/scim type: application -version: 5.0.23 +version: 5.0.24 diff --git a/charts/gluu/gluu/charts/scim/README.md b/charts/gluu/gluu/charts/scim/README.md index 9e9ce08a9..7155c569c 100644 --- a/charts/gluu/gluu/charts/scim/README.md +++ b/charts/gluu/gluu/charts/scim/README.md @@ -1,10 +1,10 @@ # scim -![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) System for Cross-domain Identity Management (SCIM) version 2.0 -**Homepage:** +**Homepage:** ## Maintainers @@ -16,7 +16,7 @@ System for Cross-domain Identity Management (SCIM) version 2.0 * * -* +* ## Requirements 
@@ -28,6 +28,7 @@ Kubernetes: `>=v1.21.0-0` |-----|------|---------|-------------| | additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | | additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | | dnsConfig | object | `{}` | Add custom dns config | | dnsPolicy | string | `""` | Add custom dns policy | | hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | @@ -36,7 +37,7 @@ Kubernetes: `>=v1.21.0-0` | image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | image.pullSecrets | list | `[]` | Image Pull Secrets | | image.repository | string | `"janssenproject/scim"` | Image to use for deploying. | -| image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | | lifecycle | object | `{}` | | | livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | | livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | diff --git a/charts/gluu/gluu/charts/scim/templates/deployment.yml b/charts/gluu/gluu/charts/scim/templates/deployment.yml index 7e1022a95..8bb3605eb 100644 --- a/charts/gluu/gluu/charts/scim/templates/deployment.yml +++ b/charts/gluu/gluu/charts/scim/templates/deployment.yml 
@@ -51,12 +51,17 @@ spec: env: {{- include "scim.usr-envs" . | indent 12 }} {{- include "scim.usr-secret-envs" . | indent 12 }} - {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} command: - /bin/sh - -c - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} /app/scripts/entrypoint.sh {{- end}} {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} @@ -86,7 +91,7 @@ spec: name: {{ .Release.Name }}-global-user-custom-envs {{- end }} lifecycle: -{{- toYaml .Values.lifecycle | nindent 10 }} +{{- toYaml .Values.lifecycle | nindent 10 }} volumeMounts: {{- with .Values.volumeMounts }} {{- toYaml . | nindent 10 }} 
@@ -117,6 +122,22 @@ spec: mountPath: "/etc/certs/couchbase.crt" subPath: couchbase.crt {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password {{- end }} livenessProbe: {{- toYaml .Values.livenessProbe | nindent 10 }} 
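Review bot: Mounting the password files with `subPath` in a long-running Deployment means a rotated Secret is not propagated to running pods, because Kubernetes does not refresh subPath mounts. The scim pods would keep the old `couchbase_password`, `sql_password`, `ldap_password` and `ldap_truststore_password` until they are restarted. A comment above the mounts such as `# subPath mounts are not refreshed on Secret update; restart pods after rotating` would document this, or a checksum annotation on the pod template could force a rollout. Whether the application re-reads the files at runtime is not visible in this hunk.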
@@ -161,14 +182,35 @@ spec: {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} {{- if not .Values.global.istio.enabled }} - - name: cb-crt + - name: cb-crt secret: secretName: {{ .Release.Name }}-cb-crt {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password {{- end }} {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} - name: {{ include "scim.fullname" . }}-updatelbip configMap: name: {{ .Release.Name }}-updatelbip {{- end }} - \ No newline at end of file + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} diff --git a/charts/gluu/gluu/charts/scim/values.yaml b/charts/gluu/gluu/charts/scim/values.yaml index 3c730edfc..946b87396 100644 --- a/charts/gluu/gluu/charts/scim/values.yaml +++ b/charts/gluu/gluu/charts/scim/values.yaml @@ -28,7 +28,7 @@ image: # -- Image to use for deploying. repository: janssenproject/scim # -- Image tag to use for deploying. - tag: 1.0.19-1 + tag: 1.0.21-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. 
@@ -87,4 +87,8 @@ lifecycle: {} # -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} additionalLabels: { } # -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken -additionalAnnotations: { } \ No newline at end of file +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] \ No newline at end of file diff --git a/charts/gluu/gluu/openbanking-values.yaml b/charts/gluu/gluu/openbanking-values.yaml index 32957c91c..1a3c60882 100644 --- a/charts/gluu/gluu/openbanking-values.yaml +++ b/charts/gluu/gluu/openbanking-values.yaml @@ -28,7 +28,7 @@ auth-server: # -- Image to use for deploying. repository: janssenproject/auth-server # -- Image tag to use for deploying. - tag: 1.0.19_dev + tag: 1.0.20-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. @@ -167,7 +167,7 @@ config: # -- Image to use for deploying. repository: janssenproject/configurator # -- Image tag to use for deploying. - tag: 1.0.19_dev + tag: 1.0.20-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Organization name. Used for certificate creation. @@ -231,7 +231,7 @@ config-api: # -- Image to use for deploying. repository: janssenproject/config-api # -- Image tag to use for deploying. - tag: 1.0.19_dev + tag: 1.0.20-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. 
@@ -505,16 +505,6 @@ global: enabled: false # -- Name of the OpenDJ service. Please keep it as default. ldapServiceName: opendj - oxpassport: - # -- Name of the oxPassport service. Please keep it as default. - oxPassportServiceName: oxpassport - # -- Boolean flag to enable/disable passport chart - enabled: false - oxshibboleth: - # -- Name of the oxShibboleth service. Please keep it as default. - oxShibbolethServiceName: oxshibboleth - # -- Boolean flag to enable/disable the oxShibbboleth chart. Not part of the openbanking distribution. Keep as default.This also enables SAML-related features; UI menu, etc. Not part of the openbanking distribution. Please leave this disabled. - enabled: false # -- Gluu distributions supported are: default|openbanking. distribution: openbanking persistence: @@ -674,7 +664,7 @@ persistence: # -- Image to use for deploying. repository: janssenproject/persistence-loader # -- Image tag to use for deploying. - tag: 1.0.19_dev + tag: 1.0.20-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Resource specs. diff --git a/charts/gluu/gluu/values.schema.json b/charts/gluu/gluu/values.schema.json index 11b96aa7c..2bef4ca26 100644 --- a/charts/gluu/gluu/values.schema.json +++ b/charts/gluu/gluu/values.schema.json @@ -220,6 +220,16 @@ "lbAddr":{ "description":"Loadbalancer address for AWS if the FQDN is not registered.", "$ref":"#/definitions/url-pattern" + }, + "cnLdapCrt": { + "description": "OpenDJ certificate string. This must be encoded using base64.", + "type": "string", + "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnLdapKey": { + "description": "OpenDJ key string. This must be encoded using base64.", + "type": "string", + "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" } } }, 
@@ -811,15 +821,6 @@ } } }, - "oxshibboleth":{ - "type":"object", - "properties":{ - "enabled":{ - "description":"Boolean flag to enable/disable the oxShibbboleth chart. Not part of the openbanking distribution. Keep as default.This also enables SAML-related features; UI menu, etc. Not part of the openbanking distribution. Please leave this disabled.", - "type":"boolean" - } - } - }, "distribution":{ "description":"Gluu distributions supported are: default|openbanking.", "type":"string", @@ -834,20 +835,6 @@ } } }, - "oxpassport": { - "type": "object", - "properties": { - "enabled": { - "description": "Boolean flag to enable/disable the oxpassport chart.", - "type": "boolean" - }, - "oxPassportServiceName":{ - "description":"Name of the oxPassport service. Please keep it as default.", - "type":"string", - "pattern":"^[a-z0-9-]+$" - } - } - }, "scim":{ "type":"object", "properties":{ 
@@ -981,6 +968,51 @@ "type":"string" } } + }, + "cnSqlPasswordFile": { + "description": "The location of file contains password for the SQL user config.configmap.cnSqlDbUser. The file path must end with sql_password.", + "type": "string", + "pattern": ".*sql_password\\b.*" + }, + "cnCouchbasePasswordFile": { + "description": "The location of the Couchbase user config.configmap.cnCouchbaseUser password. The file path must end with couchbase_password.", + "type": "string", + "pattern": ".*couchbase_password\\b.*" + }, + "cnCouchbaseSuperuserPasswordFile": { + "description": "The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password.", + "type": "string", + "pattern": ".*couchbase_superuser_password\\b.*" + }, + "cnLdapPasswordFile": { + "description": "The location of the OpenDJ user password. The file path must end with ldap_password.", + "type": "string", + "pattern": ".*ldap_password\\b.*" + }, + "cnLdapTruststorePasswordFile": { + "description": "The location of the OpenDJ truststore password file. The file path must end with ldap_truststore_password.", + "type": "string", + "pattern": ".*ldap_truststore_password\\b.*" + }, + "cnLdapCertFile": { + "description": "The location of the OpenDJ certificate file. The file path must end with opendj.crt.", + "type": "string", + "pattern": ".*opendj.crt\\b.*" + }, + "cnLdapKeyFile": { + "description": "The location of the OpenDJ certificate file. The file path must end with opendj.key.", + "type": "string", + "pattern": ".*opendj.key\\b.*" + }, + "cnLdapCacertFile": { + "description": "The location of the OpenDJ certificate file. The file path must end with opendj.pem.", + "type": "string", + "pattern": ".*opendj.pem\\b.*" + }, + "cnLdapTruststoreFile": { + "description": "The location of the OpenDJ truststore file. The file path must end with opendj.pkcs12.", + "type": "string", + "pattern": ".*opendj.pkcs12\\b.*" } } }, 
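Review bot: The patterns for the new `*PasswordFile` and `cnLdap*File` properties do not enforce what their descriptions state: `.*sql_password\\b.*` is unanchored and allows any trailing text, and in `.*opendj.crt\\b.*` the dots match any character. Anchoring them, for example `"pattern": "^/.+/sql_password$"` and `"pattern": "^/.+/opendj\\.crt$"`, would make "must end with" true and also require an absolute path, which matters because the templates use these values as `mountPath`. The descriptions of `cnLdapKeyFile` and `cnLdapCacertFile` both say "certificate file" and look copied from `cnLdapCertFile`.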
@@ -998,20 +1030,6 @@ } }, - "oxpassport":{ - "description":"Gluu interface to Passport.js to support social login and inbound identity.", - "type":"object", - "properties":{ - - } - }, - "oxshibboleth":{ - "description":"Shibboleth project for the Gluu Server's SAML IDP functionality.", - "type":"object", - "properties":{ - - } - }, "persistence":{ "description":"Job to generate data and intial config for Gluu Server persistence layer.", "type":"object", @@ -1052,12 +1070,6 @@ { "$ref":"#/definitions/opendj-enabled" }, - { - "$ref":"#/definitions/oxpassport-enabled" - }, - { - "$ref":"#/definitions/oxshibboleth-enabled" - }, { "$ref":"#/definitions/persistence-enabled" }, 
@@ -2306,308 +2318,6 @@ }, "else":true }, - "oxpassport-enabled":{ - "if":{ - "properties":{ - "global":{ - "properties":{ - "oxpassport":{ - "properties":{ - "enabled":{ - "const":"true" - } - } - } - } - } - } - }, - "then":{ - "properties":{ - "oxpassport":{ - "required":[ - "image", - "replicas", - "resources", - "service" - ], - "type":"object", - "properties":{ - "hpa":{ - "description":"Configure the HorizontalPodAutoscaler", - "type":"object", - "properties":{ - "enabled":{ - "type":"boolean" - }, - "minReplicas":{ - "type":"integer" - }, - "maxReplicas":{ - "type":"integer" - }, - "targetCPUUtilizationPercentage":{ - "type":"integer" - }, - "metrics":{ - "description":"metrics if targetCPUUtilizationPercentage is not set", - "type":"array" - }, - "behavior":{ - "description":"Scaling Policies", - "type":"object" - } - } - }, - "usrEnvs":{ - "description":"Add custom normal and secret envs to the service", - "type":"object", - "properties":{ - "normal":{ - "description":"Add custom normal envs to the service", - "type":"object" - }, - "secret":{ - "description":"Add custom secret envs to the service", - "type":"object" - } - } - }, - "dnsPolicy":{ - "description":"Add custom dns policy", - "type":"string", - "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" - }, - "dnsConfig":{ - "description":"Add custom dns config", - "type":"object" - }, - "image":{ - "type":"object", - "properties":{ - "pullPolicy":{ - "description":"Image pullPolicy to use for deploying.", - "type":"string", - "pattern":"^(Always|Never|IfNotPresent)$" - }, - "repository":{ - "description":"Image to use for deploying", - "type":"string" - }, - "tag":{ - "description":"Image tag to use for deploying.", - "type":"string", - "pattern":"^[a-z0-9-_.]+$" - } - } - }, - "replicas":{ - "description":"Service replica number.", - "type":"integer" - }, - "resources":{ - "description":"Resource specs.", - "type":"object", - "properties":{ - "limits":{ - "type":"object", - 
"properties":{ - "cpu":{ - "description":"CPU limit.", - "type":"string", - "pattern":"^[0-9m]+$" - }, - "memory":{ - "description":"Memory limit.", - "type":"string", - "pattern":"^[0-9Mi]+$" - } - } - }, - "requests":{ - "type":"object", - "properties":{ - "cpu":{ - "description":"CPU request.", - "type":"string", - "pattern":"^[0-9m]+$" - }, - "memory":{ - "description":"Memory request.", - "type":"string", - "pattern":"^[0-9Mi]+$" - } - } - } - } - }, - "service":{ - "type":"object", - "properties":{ - "oxPassportServiceName":{ - "description":"Name of the oxPassport service. Please keep it as default.", - "type":"string", - "pattern":"^[a-z0-9-]+$" - } - } - } - } - } - } - }, - "else":true - }, - "oxshibboleth-enabled":{ - "if":{ - "properties":{ - "global":{ - "properties":{ - "oxshibboleth":{ - "properties":{ - "enabled":{ - "const":"true" - } - } - } - } - } - } - }, - "then":{ - "properties":{ - "oxshibboleth":{ - "required":[ - "image", - "replicas", - "resources", - "service" - ], - "type":"object", - "properties":{ - "hpa":{ - "description":"Configure the HorizontalPodAutoscaler", - "type":"object", - "properties":{ - "enabled":{ - "type":"boolean" - }, - "minReplicas":{ - "type":"integer" - }, - "maxReplicas":{ - "type":"integer" - }, - "targetCPUUtilizationPercentage":{ - "type":"integer" - }, - "metrics":{ - "description":"metrics if targetCPUUtilizationPercentage is not set", - "type":"array" - }, - "behavior":{ - "description":"Scaling Policies", - "type":"object" - } - } - }, - "usrEnvs":{ - "description":"Add custom normal and secret envs to the service", - "type":"object", - "properties":{ - "normal":{ - "description":"Add custom normal envs to the service", - "type":"object" - }, - "secret":{ - "description":"Add custom secret envs to the service", - "type":"object" - } - } - }, - "dnsPolicy":{ - "description":"Add custom dns policy", - "type":"string", - "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" - }, - "dnsConfig":{ - 
"description":"Add custom dns config", - "type":"object" - }, - "image":{ - "type":"object", - "properties":{ - "pullPolicy":{ - "description":"Image pullPolicy to use for deploying.", - "type":"string", - "pattern":"^(Always|Never|IfNotPresent)$" - }, - "repository":{ - "description":"Image to use for deploying", - "type":"string" - }, - "tag":{ - "description":"Image tag to use for deploying.", - "type":"string", - "pattern":"^[a-z0-9-_.]+$" - } - } - }, - "replicas":{ - "description":"Service replica number.", - "type":"integer" - }, - "resources":{ - "description":"Resource specs.", - "type":"object", - "properties":{ - "limits":{ - "type":"object", - "properties":{ - "cpu":{ - "description":"CPU limit.", - "type":"string", - "pattern":"^[0-9m]+$" - }, - "memory":{ - "description":"Memory limit.", - "type":"string", - "pattern":"^[0-9Mi]+$" - } - } - }, - "requests":{ - "type":"object", - "properties":{ - "cpu":{ - "description":"CPU request.", - "type":"string", - "pattern":"^[0-9m]+$" - }, - "memory":{ - "description":"Memory request.", - "type":"string", - "pattern":"^[0-9Mi]+$" - } - } - } - } - }, - "service":{ - "type":"object", - "properties":{ - "oxShibbolethServiceName":{ - "description":"Name of the oxShibboleth service. Please keep it as default.", - "type":"string", - "pattern":"^[a-z0-9-]+$" - } - } - } - } - } - } - }, - "else":true - }, "persistence-enabled":{ "if":{ "properties":{ @@ -2869,4 +2579,4 @@ "else":true } } -} \ No newline at end of file +} diff --git a/charts/gluu/gluu/values.yaml b/charts/gluu/gluu/values.yaml index f536c10a2..d187fc6b6 100644 --- a/charts/gluu/gluu/values.yaml +++ b/charts/gluu/gluu/values.yaml @@ -106,7 +106,7 @@ admin-ui: # -- Image to use for deploying. repository: ghcr.io/gluufederation/flex/admin-ui # -- Image tag to use for deploying. - tag: 1.0.19-1 + tag: 1.0.21-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. 
@@ -154,6 +154,9 @@ admin-ui: additionalLabels: { } # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh # -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. auth-server: # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API @@ -203,7 +206,7 @@ auth-server: # -- Image to use for deploying. repository: ghcr.io/janssenproject/jans/auth-server # -- Image tag to use for deploying. - tag: 1.0.19-1 + tag: 1.0.21-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. @@ -256,6 +259,10 @@ auth-server: additionalLabels: { } # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [] # -- Responsible for regenerating auth-keys per x hours auth-server-key-rotation: # -- Add custom normal and secret envs to the service @@ -276,7 +283,7 @@ auth-server-key-rotation: # -- Image to use for deploying. repository: ghcr.io/janssenproject/jans/certmanager # -- Image tag to use for deploying. - tag: 1.0.19-1 + tag: 1.0.21-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Auth server key rotation keys life in hours 
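Review bot: In the `admin-ui` hunk `@@ -154,6 +154,9 @@` the three `customScripts` comment lines are added without the key itself, whereas the `auth-server` hunk `@@ -256,6 +259,10 @@` follows them with `customScripts: []`. As written, the `# --` doc comment is immediately followed by the next section's `# --` comment, so the option has no documented default in this file. Adding `customScripts: []` at the section's indent after the example lines would fix it. The `casa`, `config`, `config-api` and `fido2` hunks later in this file have the same omission.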
@@ -308,6 +315,10 @@ auth-server-key-rotation: additionalLabels: { } # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [] # -- Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. casa: # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API @@ -357,7 +368,7 @@ casa: # -- Image to use for deploying. repository: ghcr.io/janssenproject/jans/casa # -- Image tag to use for deploying. - tag: 1.0.19-1 + tag: 1.0.21-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. @@ -378,7 +389,7 @@ casa: livenessProbe: httpGet: # -- http liveness probe endpoint - path: /casa/health-check + path: /jans-casa/health-check port: http-casa initialDelaySeconds: 25 periodSeconds: 25 @@ -387,7 +398,7 @@ casa: readinessProbe: httpGet: # -- http readiness probe endpoint - path: /casa/health-check + path: /jans-casa/health-check port: http-casa initialDelaySeconds: 30 periodSeconds: 30 @@ -408,6 +419,9 @@ casa: additionalLabels: { } # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh # -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. config: # -- Add custom normal and secret envs to the service. 
@@ -527,6 +541,10 @@ config: cnSecretKubernetesSecret: cn # -- Load balancer address for AWS if the FQDN is not registered. lbAddr: "" + # -- OpenDJ certificate string. This must be encoded using base64. + cnLdapCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- OpenDJ key string. This must be encoded using base64. + cnLdapKey: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= # -- Country code. Used for certificate creation. countryCode: US # -- Email address of the administrator usually. Used for certificate creation. @@ -535,11 +553,13 @@ config: # -- Image to use for deploying. repository: ghcr.io/janssenproject/jans/configurator # -- Image tag to use for deploying. - tag: 1.0.19-1 + tag: 1.0.21-1 # -- Image Pull Secrets pullSecrets: [ ] # -- LDAP admin password if OpenDJ is used for persistence. ldapPassword: P@ssw0rds + # -- LDAP truststore password if OpenDJ is used for persistence + ldapTruststorePassword: changeit # -- Organization name. Used for certificate creation. orgName: Gluu # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. @@ -587,6 +607,9 @@ config: additionalLabels: { } # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh # -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). config-api: # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API @@ -636,7 +659,7 @@ config-api: # -- Image to use for deploying. repository: ghcr.io/janssenproject/jans/config-api # -- Image tag to use for deploying. - tag: 1.0.19-1 + tag: 1.0.21-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. 
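Review bot: The `config` hunks `@@ -527,6 +541,10 @@` and `@@ -535,11 +553,13 @@` add usable-looking defaults for secret material: `cnLdapCrt` and `cnLdapKey` share one base64 placeholder string, and `ldapTruststorePassword` defaults to `changeit`. Nothing visible here forces an override, so an install with default values would deploy a publicly known truststore password and a placeholder where a key is expected. Consider leaving these empty and failing the render when OpenDJ is enabled, or at least saying so in the comment, e.g. `# -- LDAP truststore password if OpenDJ is used for persistence. Must be overridden.`. The schema pattern added for `cnLdapCrt` and `cnLdapKey` only checks base64 shape, so it accepts the placeholder.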
@@ -686,6 +709,9 @@ config-api: additionalLabels: { } # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh # -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. fido2: # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API @@ -735,7 +761,7 @@ fido2: # -- Image to use for deploying. repository: ghcr.io/janssenproject/jans/fido2 # -- Image tag to use for deploying. - tag: 1.0.19-1 + tag: 1.0.21-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. @@ -790,6 +816,9 @@ fido2: additionalLabels: { } # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh # -- Parameters used globally across all services helm charts. global: # -- Add custom normal and secret envs to the service. @@ -880,7 +909,7 @@ global: authServerProtectedRegister: false auth-server-key-rotation: # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. - enabled: false + enabled: true # -- Volume storage type if using AWS volumes. awsStorageType: io1 # -- Volume storage type if using Azure disks. 
@@ -1058,47 +1087,6 @@ global: enabled: false # -- Name of the OpenDJ service. Please keep it as default. ldapServiceName: opendj - oxpassport: - # -- Name of the oxPassport service. Please keep it as default. - oxPassportServiceName: oxpassport - # -- Boolean flag to enable/disable passport chart - enabled: false - oxshibboleth: - # -- Name of the oxShibboleth service. Please keep it as default. - oxShibbolethServiceName: oxshibboleth - # -- Boolean flag to enable/disable the oxShibbboleth chart. - enabled: false - # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. - # log levels are "OFF", "FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE" - # Targets are "STDOUT" and "FILE" - appLoggers: - # -- idp-process.log target - idpLogTarget: "STDOUT" - # -- idp-process.log level - idpLogLevel: "INFO" - # -- idp-script.log target - scriptLogTarget: "FILE" - # -- idp-script.log level - scriptLogLevel: "INFO" - # -- idp-audit.log target - auditStatsLogTarget: "FILE" - # -- idp-audit.log level - auditStatsLogLevel: "INFO" - # -- idp-consent-audit.log target - consentAuditLogTarget: "FILE" - # -- idp-consent-audit.log level - consentAuditLogLevel: "INFO" - # -- https://github.com/GluuFederation/docker-oxshibboleth#additional-logger-configuration - # The below are very noisy logs and are better left untouched - ldapLogLevel: "" - messagesLogLevel: "" - encryptionLogLevel: "" - opensamlLogLevel: "" - propsLogLevel: "" - httpclientLogLevel: "" - springLogLevel: "" - containerLogLevel: "" - xmlsecLogLevel: "" # -- Gluu distributions supported are: default|openbanking. distribution: default persistence: 
@@ -1155,6 +1143,24 @@ global: provisioner: microk8s.io/hostpath reclaimPolicy: Retain volumeBindingMode: WaitForFirstConsumer + # -- Path to SQL password file + cnSqlPasswordFile: /etc/jans/conf/sql_password + # -- Path to Couchbase password file + cnCouchbasePasswordFile: /etc/jans/conf/couchbase_password + # -- Path to Couchbase superuser password file + cnCouchbaseSuperuserPasswordFile: /etc/jans/conf/couchbase_superuser_password + # -- Path to LDAP password file + cnLdapPasswordFile: /etc/jans/conf/ldap_password + # -- Path to LDAP truststore password file + cnLdapTruststorePasswordFile: /etc/jans/conf/ldap_truststore_password + # -- Path to OpenDJ cert file + cnLdapCertFile: /etc/certs/opendj.crt + # -- Path to OpenDJ key file + cnLdapKeyFile: /etc/certs/opendj.key + # -- Path to OpenDJ CA cert file + cnLdapCacertFile: /etc/certs/opendj.pem + # -- Path to OpenDJ truststore file + cnLdapTruststoreFile: /etc/certs/opendj.pkcs12 # -- Nginx ingress definitions chart nginx-ingress: 
@@ -1392,214 +1398,10 @@ opendj: additionalLabels: { } # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} additionalAnnotations: { } -# -- Gluu interface to Passport.js to support social login and inbound identity. -oxpassport: - # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API - # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ - topologySpreadConstraints: {} - # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. - # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart - #tsc1: - # maxSkew: 1 - # minDomains: 1 # optional; beta since v1.25 - # topologyKey: kubernetes.io/hostname - # whenUnsatisfiable: DoNotSchedule - # matchLabelKeys: [] # optional; alpha since v1.25 - # nodeAffinityPolicy: [] # optional; alpha since v1.25 - # nodeTaintsPolicy: [] # optional; alpha since v1.25 - #tsc2: - #maxSkew: 1 - # -- Configure the PodDisruptionBudget - pdb: - enabled: true - maxUnavailable: "90%" - # -- Configure the HorizontalPodAutoscaler - hpa: - enabled: true - minReplicas: 1 - maxReplicas: 10 - targetCPUUtilizationPercentage: 50 - # -- metrics if targetCPUUtilizationPercentage is not set - metrics: [] - # -- Scaling Policies - behavior: {} - # -- Add custom normal and secret envs to the service - usrEnvs: - # -- Add custom normal envs to the service - # variable1: value1 - normal: {} - # -- Add custom secret envs to the service - # variable1: value1 - secret: {} - # -- Add custom dns policy - dnsPolicy: "" - # -- Add custom dns config - dnsConfig: {} - image: - # -- Image pullPolicy to use for deploying. - pullPolicy: IfNotPresent - # -- Image to use for deploying. - repository: gluufederation/oxpassport - # -- Image tag to use for deploying. 
- tag: 5.0.0-12 - # -- Image Pull Secrets - pullSecrets: [ ] - # -- Service replica number - replicas: 1 - # -- Resource specs. - resources: - limits: - # -- CPU limit. - cpu: 700m - # -- Memory limit. - memory: 900Mi - requests: - # -- CPU request. - cpu: 700m - # -- Memory request. - memory: 900Mi - # -- Configure the liveness healthcheck for oxPassport if needed. - livenessProbe: - httpGet: - # -- http liveness probe endpoint - path: /passport/health-check - port: http-passport - initialDelaySeconds: 30 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 20 - # -- Configure the readiness healthcheck for the oxPassport if needed. - readinessProbe: - httpGet: - # -- http readiness probe endpoint - path: /passport/health-check - port: http-passport - initialDelaySeconds: 25 - periodSeconds: 25 - timeoutSeconds: 5 - failureThreshold: 20 - # -- Configure any additional volumes that need to be attached to the pod - volumes: [] - # -- Configure any additional volumesMounts that need to be attached to the containers - volumeMounts: [] - # Actions on lifecycle events such as postStart and preStop - # Example - # lifecycle: - # postStart: - # exec: - # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] - lifecycle: {} - - # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} - additionalLabels: { } - # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} - additionalAnnotations: { } -# -- Shibboleth project for the Gluu Server's SAML IDP functionality. -oxshibboleth: - # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API - # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ - topologySpreadConstraints: {} - # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. 
- # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart - #tsc1: - # maxSkew: 1 - # minDomains: 1 # optional; beta since v1.25 - # topologyKey: kubernetes.io/hostname - # whenUnsatisfiable: DoNotSchedule - # matchLabelKeys: [] # optional; alpha since v1.25 - # nodeAffinityPolicy: [] # optional; alpha since v1.25 - # nodeTaintsPolicy: [] # optional; alpha since v1.25 - #tsc2: - #maxSkew: 1 - # -- Configure the PodDisruptionBudget - pdb: - enabled: true - maxUnavailable: 1 - # -- Configure the HorizontalPodAutoscaler - hpa: - enabled: true - minReplicas: 1 - maxReplicas: 10 - targetCPUUtilizationPercentage: 50 - # -- metrics if targetCPUUtilizationPercentage is not set - metrics: [] - # -- Scaling Policies - behavior: {} - # -- Add custom normal and secret envs to the service - usrEnvs: - # -- Add custom normal envs to the service - # variable1: value1 - normal: {} - # -- Add custom secret envs to the service - # variable1: value1 - secret: {} - # -- Add custom dns policy - dnsPolicy: "" - # -- Add custom dns config - dnsConfig: {} - image: - # -- Image pullPolicy to use for deploying. - pullPolicy: IfNotPresent - # -- Image to use for deploying. - repository: gluufederation/oxshibboleth - # -- Image tag to use for deploying. - tag: 5.0.0-12 - # -- Image Pull Secrets - pullSecrets: [ ] - # -- Service replica number. - replicas: 1 - # -- Resource specs. - resources: - limits: - # -- CPU limit. - cpu: 1000m - # -- Memory limit. - memory: 1000Mi - requests: - # -- CPU request. - cpu: 1000m - # -- Memory request. - memory: 1000Mi - # -- Configure the liveness healthcheck for oxshibboleth if needed. - # https://github.com/GluuFederation/docker-oxshibboleth/blob/master/scripts/healthcheck.py - livenessProbe: - # -- Executes the python3 healthcheck. 
- exec: - command: - - python3 - - /app/scripts/healthcheck.py - initialDelaySeconds: 30 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 20 - # -- Configure the readiness healthcheck for the casa if needed. - readinessProbe: - # https://github.com/GluuFederation/docker-oxshibboleth/blob/master/scripts/healthcheck.py - # -- Executes the python3 healthcheck. - exec: - command: - - python3 - - /app/scripts/healthcheck.py - initialDelaySeconds: 30 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 20 - # -- Configure any additional volumes that need to be attached to the pod - volumes: [] - # -- Configure any additional volumesMounts that need to be attached to the containers - volumeMounts: [] - # Actions on lifecycle events such as postStart and preStop - # Example - # lifecycle: - # postStart: - # exec: - # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] - lifecycle: {} - - # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} - additionalLabels: { } - # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} - additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [] # -- Job to generate data and initial config for Gluu Server persistence layer. persistence: # -- Add custom normal and secret envs to the service @@ -1620,7 +1422,7 @@ persistence: # -- Image to use for deploying. repository: ghcr.io/janssenproject/jans/persistence-loader # -- Image tag to use for deploying. - tag: 1.0.19-1 + tag: 1.0.21-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Resource specs. 
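Review bot: The example paths in the new `customScripts` comment (`/tmp/custom.sh`, `/tmp/custom2.sh`) point at a directory that is normally writable inside the container, and these paths are documented as running before the entrypoint. How the entrypoint invokes them is not visible in this hunk. If it executes whatever is at the path, the examples should steer users to a read-only mount instead, e.g. `# - /scripts/custom.sh  (mount read-only from a ConfigMap or Secret via volumes/volumeMounts)`. The same comment is repeated in the `persistence` and `scim` hunks further down this file.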
@@ -1651,6 +1453,10 @@ persistence: additionalLabels: { } # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [] # -- System for Cross-domain Identity Management (SCIM) version 2.0 scim: # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API @@ -1700,7 +1506,7 @@ scim: # -- Image to use for deploying. repository: ghcr.io/janssenproject/jans/scim # -- Image tag to use for deploying. - tag: 1.0.19-1 + tag: 1.0.21-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. @@ -1754,3 +1560,7 @@ scim: additionalLabels: { } # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [] diff --git a/charts/haproxy/haproxy/Chart.yaml b/charts/haproxy/haproxy/Chart.yaml index ca517e02d..44c31d73b 100644 --- a/charts/haproxy/haproxy/Chart.yaml +++ b/charts/haproxy/haproxy/Chart.yaml @@ -1,6 +1,6 @@ annotations: artifacthub.io/changes: | - - Increase CRD job cleanup TTL to 120s (#213) + - Remove unneeded initContainers from CRD job (#215) catalog.cattle.io/certified: partner catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller catalog.cattle.io/kube-version: '>=1.22.0-0' @@ -21,4 +21,4 @@ name: haproxy sources: - https://github.com/haproxytech/kubernetes-ingress type: application -version: 1.35.3 +version: 1.35.5 diff --git a/charts/haproxy/haproxy/templates/controller-crdjob.yaml b/charts/haproxy/haproxy/templates/controller-crdjob.yaml index c1f9a3c6a..daf231dfd 100644 --- a/charts/haproxy/haproxy/templates/controller-crdjob.yaml 
+++ b/charts/haproxy/haproxy/templates/controller-crdjob.yaml @@ -25,6 +25,9 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: HookSucceeded spec: {{- if or (.Capabilities.APIVersions.Has "batch/v1alpha1") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} ttlSecondsAfterFinished: 120 @@ -87,10 +90,6 @@ spec: type: RuntimeDefault {{- end }} {{- end }} - {{- with.Values.controller.initContainers }} - initContainers: - {{- toYaml . | nindent 8 }} - {{- end }} {{- with .Values.controller.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/harbor/harbor/Chart.yaml b/charts/harbor/harbor/Chart.yaml index 1203998e1..c2acd24b2 100644 --- a/charts/harbor/harbor/Chart.yaml +++ b/charts/harbor/harbor/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.20-0' catalog.cattle.io/release-name: harbor apiVersion: v1 -appVersion: 2.9.1 +appVersion: 2.10.0 description: An open source trusted cloud native registry that stores, signs, and scans content home: https://goharbor.io @@ -24,4 +24,4 @@ name: harbor sources: - https://github.com/goharbor/harbor - https://github.com/goharbor/harbor-helm -version: 1.13.1 +version: 1.14.0 diff --git a/charts/harbor/harbor/README.md b/charts/harbor/harbor/README.md index f30598cc0..c69f54c03 100644 --- a/charts/harbor/harbor/README.md +++ b/charts/harbor/harbor/README.md 
@@ -75,7 +75,7 @@ helm uninstall my-release The following table lists the configurable parameters of the Harbor chart and the default values. -| Parameter | Description | Default | +| Parameter | Description | Default | | -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | | **Expose** | | | | `expose.type` | How to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values will be ignored and the creation of service will be skipped. | `ingress` | @@ -209,6 +209,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `portal.affinity` | Node/Pod affinities | `{}` | | `portal.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | | `portal.podAnnotations` | Annotations to add to the portal pod | `{}` | +| `portal.serviceAnnotations` | Annotations to add to the portal service | `{}` | | `portal.priorityClassName` | The priority class to run the pod as | | | **Core** | | | | `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` | diff --git a/charts/harbor/harbor/templates/_helpers.tpl b/charts/harbor/harbor/templates/_helpers.tpl index 6ee24fee8..8fce623db 100644 --- a/charts/harbor/harbor/templates/_helpers.tpl +++ b/charts/harbor/harbor/templates/_helpers.tpl 
@@ -39,6 +39,13 @@ release: {{ .Release.Name }} app: "{{ template "harbor.name" . }}" {{- end -}} +{{/* Helper for printing values from existing secrets*/}} +{{- define "harbor.secretKeyHelper" -}} + {{- if and (not (empty .data)) (hasKey .data .key) }} + {{- index .data .key | b64dec -}} + {{- end -}} +{{- end -}} + {{- define "harbor.autoGenCert" -}} {{- if and .Values.expose.tls.enabled (eq .Values.expose.tls.certSource "auto") -}} {{- printf "true" -}} @@ -89,7 +96,12 @@ app: "{{ template "harbor.name" . }}" {{- define "harbor.database.rawPassword" -}} {{- if eq .Values.database.type "internal" -}} - {{- .Values.database.internal.password -}} + {{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.database" .) -}} + {{- if and (not (empty $existingSecret)) (hasKey $existingSecret.data "POSTGRES_PASSWORD") -}} + {{- .Values.database.internal.password | default (index $existingSecret.data "POSTGRES_PASSWORD") | b64dec -}} + {{- else -}} + {{- .Values.database.internal.password -}} + {{- end -}} {{- else -}} {{- .Values.database.external.password -}} {{- end -}} diff --git a/charts/harbor/harbor/templates/core/core-cm.yaml b/charts/harbor/harbor/templates/core/core-cm.yaml index 7d284c899..65237eb00 100644 --- a/charts/harbor/harbor/templates/core/core-cm.yaml +++ b/charts/harbor/harbor/templates/core/core-cm.yaml @@ -67,8 +67,8 @@ data: {{- end }} {{- template "harbor.traceEnvsForCore" . }} - {{- if .Values.core.artifactPullAsyncFlushDuration | quote }} - ARTIFACT_PULL_ASYNC_FLUSH_DURATION: {{ .Values.core.artifactPullAsyncFlushDuration }} + {{- if .Values.core.artifactPullAsyncFlushDuration }} + ARTIFACT_PULL_ASYNC_FLUSH_DURATION: {{ .Values.core.artifactPullAsyncFlushDuration | quote }} {{- end }} {{- if .Values.core.gdpr}} diff --git a/charts/harbor/harbor/templates/core/core-dpl.yaml b/charts/harbor/harbor/templates/core/core-dpl.yaml index 8d202498d..9a92b45a4 100644 --- a/charts/harbor/harbor/templates/core/core-dpl.yaml 
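Review bot: In `harbor.database.rawPassword`, `b64dec` is applied to the result of the whole pipeline, so when an existing secret is found and `database.internal.password` is set, the plaintext value from values is base64-decoded rather than the looked-up one. values.yaml in this commit still ships `changeit`, which is syntactically valid base64, so the outcome would be a silently wrong password rather than a template error. Decode only the secret side: `{{- .Values.database.internal.password | default (index $existingSecret.data "POSTGRES_PASSWORD" | b64dec) -}}`. The other secrets in this commit do not have this problem because `harbor.secretKeyHelper` decodes before `default` is applied.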
+++ b/charts/harbor/harbor/templates/core/core-dpl.yaml @@ -92,13 +92,17 @@ spec: - name: CORE_SECRET valueFrom: secretKeyRef: - name: {{ template "harbor.core" . }} + name: {{ default (include "harbor.core" .) .Values.core.existingSecret }} key: secret - name: JOBSERVICE_SECRET valueFrom: secretKeyRef: - name: "{{ template "harbor.jobservice" . }}" + name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }} + {{- if .Values.jobservice.existingSecret }} + key: {{ .Values.jobservice.existingSecretKey }} + {{- else }} key: JOBSERVICE_SECRET + {{- end }} {{- if .Values.existingSecretAdminPassword }} - name: HARBOR_ADMIN_PASSWORD valueFrom: @@ -130,6 +134,13 @@ spec: name: {{ .Values.registry.credentials.existingSecret }} key: REGISTRY_PASSWD {{- end }} + {{- if .Values.core.existingXsrfSecret }} + - name: CSRF_KEY + valueFrom: + secretKeyRef: + name: {{ .Values.core.existingXsrfSecret }} + key: {{ .Values.core.existingXsrfSecretKey }} + {{- end }} {{- with .Values.core.extraEnvVars }} {{- toYaml . | nindent 10 }} {{- end }} diff --git a/charts/harbor/harbor/templates/core/core-secret.yaml b/charts/harbor/harbor/templates/core/core-secret.yaml index 23b352b47..62a41fce8 100644 --- a/charts/harbor/harbor/templates/core/core-secret.yaml +++ b/charts/harbor/harbor/templates/core/core-secret.yaml @@ -1,3 +1,4 @@ +{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.core" .) }} apiVersion: v1 kind: Secret metadata: 
@@ -9,7 +10,9 @@ data: {{- if not .Values.existingSecretSecretKey }} secretKey: {{ .Values.secretKey | b64enc | quote }} {{- end }} - secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }} + {{- if not .Values.core.existingSecret }} + secret: {{ .Values.core.secret | default (include "harbor.secretKeyHelper" (dict "key" "secret" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }} + {{- end }} {{- if not .Values.core.secretName }} {{- $ca := genCA "harbor-token-ca" 365 }} tls.key: {{ .Values.core.tokenKey | default $ca.Key | b64enc | quote }} @@ -24,7 +27,9 @@ data: {{- if not .Values.registry.credentials.existingSecret }} REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} {{- end }} - CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }} + {{- if not .Values.core.existingXsrfSecret }} + CSRF_KEY: {{ .Values.core.xsrfKey | default (include "harbor.secretKeyHelper" (dict "key" "CSRF_KEY" "data" $existingSecret.data)) | default (randAlphaNum 32) | b64enc | quote }} + {{- end }} {{- if .Values.core.configureUserSettings }} CONFIG_OVERWRITE_JSON: {{ .Values.core.configureUserSettings | b64enc | quote }} {{- end }} diff --git a/charts/harbor/harbor/templates/jobservice/jobservice-dpl.yaml b/charts/harbor/harbor/templates/jobservice/jobservice-dpl.yaml index 32df97db7..e39e77e6e 100644 --- a/charts/harbor/harbor/templates/jobservice/jobservice-dpl.yaml +++ b/charts/harbor/harbor/templates/jobservice/jobservice-dpl.yaml 
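Review bot: The `lookup` fallback for `secret` (and for `CSRF_KEY` in the next hunk) only preserves the value when Helm renders against a live cluster. `lookup` returns an empty result under `helm template` and client-side `--dry-run`, so tooling that renders manifests offline still gets a fresh `randAlphaNum` value on every render. That can rotate the core secret and CSRF key underneath running pods. A comment above the `lookup` line would make this visible, e.g. `{{/* lookup is empty under helm template / --dry-run: set core.secret and core.xsrfKey, or core.existingSecret / core.existingXsrfSecret, when rendering offline */}}`. The same pattern is added in jobservice-secrets.yaml and registry-secret.yaml.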
@@ -87,8 +87,15 @@ spec: - name: CORE_SECRET valueFrom: secretKeyRef: - name: {{ template "harbor.core" . }} + name: {{ default (include "harbor.core" .) .Values.core.existingSecret }} key: secret + {{- if .Values.jobservice.existingSecret }} + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.jobservice.existingSecret }} + key: {{ .Values.jobservice.existingSecretKey }} + {{- end }} {{- if .Values.internalTLS.enabled }} - name: INTERNAL_TLS_ENABLED value: "true" diff --git a/charts/harbor/harbor/templates/jobservice/jobservice-secrets.yaml b/charts/harbor/harbor/templates/jobservice/jobservice-secrets.yaml index 3dfa6bd5e..eeb00bde0 100644 --- a/charts/harbor/harbor/templates/jobservice/jobservice-secrets.yaml +++ b/charts/harbor/harbor/templates/jobservice/jobservice-secrets.yaml @@ -1,3 +1,4 @@ +{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.jobservice" .) }} apiVersion: v1 kind: Secret metadata: @@ -6,7 +7,9 @@ metadata: {{ include "harbor.labels" . | indent 4 }} type: Opaque data: - JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }} + {{- if not .Values.jobservice.existingSecret }} + JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (include "harbor.secretKeyHelper" (dict "key" "JOBSERVICE_SECRET" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }} + {{- end }} {{- if not .Values.registry.credentials.existingSecret }} REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} {{- end }} diff --git a/charts/harbor/harbor/templates/nginx/service.yaml b/charts/harbor/harbor/templates/nginx/service.yaml index 12021bfd1..205a805ea 100644 --- a/charts/harbor/harbor/templates/nginx/service.yaml +++ b/charts/harbor/harbor/templates/nginx/service.yaml 
@@ -13,6 +13,9 @@ metadata: {{- end }} spec: type: ClusterIP + {{- if .Values.expose.clusterIP.staticClusterIP }} + clusterIP: {{ .Values.expose.clusterIP.staticClusterIP }} + {{- end }} ports: - name: http port: {{ $clusterIP.ports.httpPort }} diff --git a/charts/harbor/harbor/templates/portal/service.yaml b/charts/harbor/harbor/templates/portal/service.yaml index ff4eda435..d00026da4 100644 --- a/charts/harbor/harbor/templates/portal/service.yaml +++ b/charts/harbor/harbor/templates/portal/service.yaml @@ -4,6 +4,10 @@ metadata: name: "{{ template "harbor.portal" . }}" labels: {{ include "harbor.labels" . | indent 4 }} +{{- with .Values.portal.serviceAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} spec: {{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }} type: NodePort diff --git a/charts/harbor/harbor/templates/registry/registry-dpl.yaml b/charts/harbor/harbor/templates/registry/registry-dpl.yaml index b9c97ff89..dc4a83347 100644 --- a/charts/harbor/harbor/templates/registry/registry-dpl.yaml +++ b/charts/harbor/harbor/templates/registry/registry-dpl.yaml @@ -95,6 +95,13 @@ spec: name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }} {{- end }} env: + {{- if .Values.registry.existingSecret }} + - name: REGISTRY_HTTP_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.registry.existingSecret }} + key: {{ .Values.registry.existingSecretKey }} + {{- end }} {{- if has "registry" .Values.proxy.components }} - name: HTTP_PROXY value: "{{ .Values.proxy.httpProxy }}" 
@@ -127,6 +134,33 @@ spec: name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }} key: AZURE_STORAGE_ACCESS_KEY {{- end }} + {{- if .Values.persistence.imageChartStorage.swift.existingSecret }} + - name: REGISTRY_STORAGE_SWIFT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_PASSWORD + - name: REGISTRY_STORAGE_SWIFT_SECRETKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_SECRETKEY + optional: true + - name: REGISTRY_STORAGE_SWIFT_ACCESSKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_ACCESSKEY + optional: true + {{- end }} + {{- if .Values.persistence.imageChartStorage.oss.existingSecret }} + - name: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.oss.existingSecret }} + key: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + optional: true + {{- end}} {{- with .Values.registry.registry.extraEnvVars }} {{- toYaml . | nindent 8 }} {{- end }} 
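Review bot: `REGISTRY_STORAGE_OSS_ACCESSKEYSECRET` is marked `optional: true`, but values.yaml in this commit says the key must exist in the secret, and registry-secret.yaml writes it unconditionally for `oss`. With `optional: true`, a missing or misspelled key lets the container start without the credential and fail later at storage access instead of at pod creation. Dropping `optional: true` from that entry would surface the mismatch immediately. Both new blocks are also gated only on `existingSecret` being set, not on the selected storage type, so a leftover `swift.existingSecret` would still inject its variables when another backend is configured. The same block is repeated in the `@@ -242,6 +287,33 @@` hunk for the container that uses `registry.controller.extraEnvVars`.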
@@ -200,16 +234,27 @@ spec: name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }} {{- end }} env: + {{- if .Values.registry.existingSecret }} + - name: REGISTRY_HTTP_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.registry.existingSecret }} + key: {{ .Values.registry.existingSecretKey }} + {{- end }} - name: CORE_SECRET valueFrom: secretKeyRef: - name: {{ template "harbor.core" . }} + name: {{ default (include "harbor.core" .) .Values.core.existingSecret }} key: secret - name: JOBSERVICE_SECRET valueFrom: secretKeyRef: - name: {{ template "harbor.jobservice" . }} + name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }} + {{- if .Values.jobservice.existingSecret }} + key: {{ .Values.jobservice.existingSecretKey }} + {{- else }} key: JOBSERVICE_SECRET + {{- end }} {{- if has "registry" .Values.proxy.components }} - name: HTTP_PROXY value: "{{ .Values.proxy.httpProxy }}" 
@@ -242,6 +287,33 @@ spec: name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }} key: AZURE_STORAGE_ACCESS_KEY {{- end }} + {{- if .Values.persistence.imageChartStorage.swift.existingSecret }} + - name: REGISTRY_STORAGE_SWIFT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_PASSWORD + - name: REGISTRY_STORAGE_SWIFT_SECRETKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_SECRETKEY + optional: true + - name: REGISTRY_STORAGE_SWIFT_ACCESSKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_ACCESSKEY + optional: true + {{- end }} + {{- if .Values.persistence.imageChartStorage.oss.existingSecret }} + - name: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.oss.existingSecret }} + key: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + optional: true + {{- end}} {{- with .Values.registry.controller.extraEnvVars }} {{- toYaml . | nindent 8 }} {{- end }} diff --git a/charts/harbor/harbor/templates/registry/registry-secret.yaml b/charts/harbor/harbor/templates/registry/registry-secret.yaml index 529462906..e853a9cbe 100644 --- a/charts/harbor/harbor/templates/registry/registry-secret.yaml +++ b/charts/harbor/harbor/templates/registry/registry-secret.yaml @@ -1,3 +1,4 @@ +{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.registry" .) }} apiVersion: v1 kind: Secret metadata: 
@@ -6,7 +7,9 @@ metadata: {{ include "harbor.labels" . | indent 4 }} type: Opaque data: - REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }} + {{- if not .Values.registry.existingSecret }} + REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (include "harbor.secretKeyHelper" (dict "key" "REGISTRY_HTTP_SECRET" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }} + {{- end }} {{- if not .Values.redis.external.existingSecret }} REGISTRY_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }} {{- end }} @@ -23,7 +26,7 @@ data: {{- if and (not $storage.s3.existingSecret) ($storage.s3.secretkey) }} REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }} {{- end }} - {{- else if eq $type "swift" }} + {{- else if and (eq $type "swift") (not ($storage.swift.existingSecret)) }} REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }} {{- if $storage.swift.secretkey }} REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }} @@ -31,7 +34,7 @@ data: {{- if $storage.swift.accesskey }} REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }} {{- end }} - {{- else if eq $type "oss" }} + {{- else if and (eq $type "oss") ((not ($storage.oss.existingSecret))) }} REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} {{- end }} {{- if not .Values.registry.credentials.existingSecret }} diff --git a/charts/harbor/harbor/values.yaml b/charts/harbor/harbor/values.yaml index 3da298bc4..4edd63fa8 100644 --- a/charts/harbor/harbor/values.yaml +++ b/charts/harbor/harbor/values.yaml @@ -54,6 +54,8 @@ expose: clusterIP: # The name of ClusterIP service name: harbor + # The ip address of the ClusterIP service (leave empty for acquiring dynamic ip) + staticClusterIP: "" # Annotations on the ClusterIP service annotations: {} ports: 
@@ -291,6 +293,8 @@ persistence: username: username password: password container: containername + # keys in existing secret must be REGISTRY_STORAGE_SWIFT_PASSWORD, REGISTRY_STORAGE_SWIFT_SECRETKEY, REGISTRY_STORAGE_SWIFT_ACCESSKEY + existingSecret: "" #region: fr #tenant: tenantname #tenantid: tenantid @@ -311,6 +315,8 @@ persistence: accesskeysecret: accesskeysecret region: regionname bucket: bucketname + # key in existingSecret must be REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + existingSecret: "" #endpoint: endpoint #internal: false #encrypt: false @@ -379,7 +385,7 @@ enableMigrateHelmHook: false nginx: image: repository: goharbor/nginx-photon - tag: v2.9.1 + tag: v2.10.0 # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token @@ -410,7 +416,7 @@ nginx: portal: image: repository: goharbor/harbor-portal - tag: v2.9.1 + tag: v2.10.0 # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token @@ -435,13 +441,15 @@ portal: podAnnotations: {} ## Additional deployment labels podLabels: {} + ## Additional service annotations + serviceAnnotations: {} ## The priority class to run the pod as priorityClassName: core: image: repository: goharbor/harbor-core - tag: v2.9.1 + tag: v2.10.0 # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token 
@@ -483,10 +491,13 @@ core: # the scenario of high concurrent pushing to same project, no improvment for other scenes. quotaUpdateProvider: db # Or redis # Secret is used when core server communicates with other components. - # If a secret key is not specified, Helm will generate one. + # If a secret key is not specified, Helm will generate one. Alternatively set existingSecret to use an existing secret # Must be a string of 16 chars. secret: "" # Fill in the name of a kubernetes secret if you want to use your own + # If using existingSecret, the key must be secret + existingSecret: "" + # Fill the name of a kubernetes secret if you want to use your own # TLS certificate and private key for token encryption/decryption. # The secret must contain keys named: # "tls.key" - the private key @@ -501,6 +512,10 @@ core: tokenCert: | # The XSRF key. Will be generated automatically if it isn't specified xsrfKey: "" + # If using existingSecret, the key is defined by core.existingXsrfSecretKey + existingXsrfSecret: "" + # If using existingSecret, the key + existingXsrfSecretKey: CSRF_KEY ## The priority class to run the pod as priorityClassName: # The time duration for async update artifact pull_time and repository @@ -513,7 +528,7 @@ core: jobservice: image: repository: goharbor/harbor-jobservice - tag: v2.9.1 + tag: v2.10.0 replicas: 1 revisionHistoryLimit: 10 # set the service account to be used, default if left empty @@ -559,6 +574,10 @@ jobservice: # If a secret key is not specified, Helm will generate one. # Must be a string of 16 chars. secret: "" + # Use an existing secret resource + existingSecret: "" + # Key within the existing secret for the job service secret + existingSecretKey: JOBSERVICE_SECRET ## The priority class to run the pod as priorityClassName: @@ -570,7 +589,7 @@ registry: registry: image: repository: goharbor/registry-photon - tag: v2.9.1 + tag: v2.10.0 # resources: # requests: # memory: 256Mi 
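Review bot: The comments added for `core.existingSecret`, `core.existingXsrfSecret` and `core.existingXsrfSecretKey` are hard to follow. `existingSecret` was inserted after the first line of the existing TLS-secret comment, so "Fill in the name of a kubernetes secret if you want to use your own" now introduces `existingSecret`, and a near-duplicate line introduces the TLS text. In the following hunk both comments say `existingSecret` where `existingXsrfSecret` is meant, and the second stops mid-sentence. Suggested wording: `# Name of an existing Secret holding the core secret under the key "secret"; used instead of core.secret` above `existingSecret`, `# Name of an existing Secret holding the XSRF key; used instead of core.xsrfKey` above `existingXsrfSecret`, and `# Key inside existingXsrfSecret that holds the XSRF key` above `existingXsrfSecretKey`.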
@@ -579,7 +598,7 @@ registry: controller: image: repository: goharbor/harbor-registryctl - tag: v2.9.1 + tag: v2.10.0 # resources: # requests: @@ -609,6 +628,10 @@ registry: # If a secret key is not specified, Helm will generate one. # Must be a string of 16 chars. secret: "" + # Use an existing secret resource + existingSecret: "" + # Key within the existing secret for the registry service secret + existingSecretKey: REGISTRY_HTTP_SECRET # If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. relativeurls: false credentials: @@ -618,6 +641,7 @@ registry: existingSecret: "" # Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. # htpasswdString: $apr1$XLefHzeG$Xl4.s00sMSCCcMyJljSZb0 # example string + htpasswdString: "" middleware: enabled: false type: cloudFront @@ -645,7 +669,7 @@ trivy: # repository the repository for Trivy adapter image repository: goharbor/trivy-adapter-photon # tag the tag for Trivy adapter image - tag: v2.9.1 + tag: v2.10.0 # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token @@ -731,7 +755,7 @@ database: automountServiceAccountToken: false image: repository: goharbor/harbor-db - tag: v2.9.1 + tag: v2.10.0 # The initial superuser password for internal database password: "changeit" # The size limit for Shared memory, pgSQL use it for shared_buffer @@ -804,7 +828,7 @@ redis: automountServiceAccountToken: false image: repository: goharbor/redis-photon - tag: v2.9.1 + tag: v2.10.0 # resources: # requests: # memory: 256Mi 
@@ -868,7 +892,7 @@ exporter: automountServiceAccountToken: false image: repository: goharbor/harbor-exporter - tag: v2.9.1 + tag: v2.10.0 nodeSelector: {} tolerations: [] affinity: {} diff --git a/charts/hashicorp/consul/Chart.yaml b/charts/hashicorp/consul/Chart.yaml index 9ed51669d..58acd9ad0 100644 --- a/charts/hashicorp/consul/Chart.yaml +++ b/charts/hashicorp/consul/Chart.yaml @@ -1,11 +1,11 @@ annotations: artifacthub.io/images: | - name: consul - image: hashicorp/consul:1.17.0 + image: hashicorp/consul:1.17.1 - name: consul-k8s-control-plane - image: hashicorp/consul-k8s-control-plane:1.3.0 + image: hashicorp/consul-k8s-control-plane:1.3.1 - name: consul-dataplane - image: hashicorp/consul-dataplane:1.3.0 + image: hashicorp/consul-dataplane:1.3.1 - name: envoy image: envoyproxy/envoy:v1.25.11 artifacthub.io/license: MPL-2.0 @@ -25,7 +25,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.22.0-0' catalog.cattle.io/release-name: consul apiVersion: v2 -appVersion: 1.17.0 +appVersion: 1.17.1 description: Official HashiCorp Consul Chart home: https://www.consul.io icon: https://raw.githubusercontent.com/hashicorp/consul-k8s/main/assets/icon.png @@ -34,4 +34,4 @@ name: consul sources: - https://github.com/hashicorp/consul - https://github.com/hashicorp/consul-k8s -version: 1.3.0 +version: 1.3.1 diff --git a/charts/hashicorp/consul/templates/_helpers.tpl b/charts/hashicorp/consul/templates/_helpers.tpl index 5f0683992..809d965a6 100644 --- a/charts/hashicorp/consul/templates/_helpers.tpl +++ b/charts/hashicorp/consul/templates/_helpers.tpl 
@@ -145,7 +145,7 @@ substitution for HOST_IP/POD_IP/HOSTNAME. Useful for dogstats telemetry. The out is passed to consul as a -config-file param on command line. */}} {{- define "consul.extraconfig" -}} - cp /consul/config/extra-from-values.json /consul/extra-config/extra-from-values.json + cp /consul/tmp/extra-config/extra-from-values.json /consul/extra-config/extra-from-values.json [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /consul/extra-config/extra-from-values.json [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /consul/extra-config/extra-from-values.json [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /consul/extra-config/extra-from-values.json @@ -415,7 +415,7 @@ Usage: {{ template "consul.validateCloudSecretKeys" . }} {{/* -Fails if temeletryCollector.clientId or telemetryCollector.clientSecret exist and one of other secrets is nil or empty. +Fails if telemetryCollector.clientId or telemetryCollector.clientSecret exist and one of other secrets is nil or empty. - telemetryCollector.cloud.clientId.secretName - telemetryCollector.cloud.clientSecret.secretName - global.cloud.resourceId.secretName 
@@ -424,11 +424,11 @@ Usage: {{ template "consul.validateTelemetryCollectorCloud" . }} */}} {{- define "consul.validateTelemetryCollectorCloud" -}} -{{- if (and .Values.telemetryCollector.cloud.clientId.secretName (or (not .Values.global.cloud.resourceId.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }} -{{fail "When telemetryCollector.cloud.clientId.secretName is set, global.cloud.resourceId.secretName, telemetryCollector.cloud.clientSecret.secretName must also be set."}} +{{- if (and .Values.telemetryCollector.cloud.clientId.secretName (and (not .Values.global.cloud.clientSecret.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }} +{{fail "When telemetryCollector.cloud.clientId.secretName is set, telemetryCollector.cloud.clientSecret.secretName must also be set."}} {{- end }} -{{- if (and .Values.telemetryCollector.cloud.clientSecret.secretName (or (not .Values.global.cloud.resourceId.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }} -{{fail "When telemetryCollector.cloud.clientSecret.secretName is set, global.cloud.resourceId.secretName,telemetryCollector.cloud.clientId.secretName must also be set."}} +{{- if (and .Values.telemetryCollector.cloud.clientSecret.secretName (and (not .Values.global.cloud.clientId.secretName) (not .Values.telemetryCollector.cloud.clientId.secretName))) }} +{{fail "When telemetryCollector.cloud.clientSecret.secretName is set, telemetryCollector.cloud.clientId.secretName must also be set."}} {{- end }} {{- end }} 
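Review bot: Both rewritten conditions in `consul.validateTelemetryCollectorCloud` now accept a client ID and a client secret that come from different sections: the first passes when `telemetryCollector.cloud.clientId.secretName` is set and only `global.cloud.clientSecret.secretName` supplies the secret, and the second mirrors that for the ID. The telemetry-collector deployment hunks later in this diff give `HCP_CLIENT_ID` and `HCP_CLIENT_SECRET` independent `else if` fallbacks, so a pod can be rendered with the two variables taken from unrelated Secrets, which would surface only as an authentication failure at runtime. If mixing is intended, the `fail` messages should name both accepted sources, e.g. `"... telemetryCollector.cloud.clientSecret.secretName or global.cloud.clientSecret.secretName must also be set."`; if it is not, the check should require the pair from the same section.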
@@ -441,14 +441,33 @@ Usage: {{ template "consul.validateTelemetryCollectorCloud" . }} {{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName (not .Values.telemetryCollector.cloud.clientSecret.secretKey)) (and .Values.telemetryCollector.cloud.clientSecret.secretKey (not .Values.telemetryCollector.cloud.clientSecret.secretName)) }} {{fail "When either telemetryCollector.cloud.clientSecret.secretName or telemetryCollector.cloud.clientSecret.secretKey is defined, both must be set."}} {{- end }} -{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.global.cloud.resourceId.secretName)) }} -{{fail "When telemetryCollector has clientId and clientSecret global.cloud.resourceId.secretName must be set"}} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not (or .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName))) }} +{{fail "When telemetryCollector has clientId and clientSecret, telemetryCollector.cloud.resourceId.secretName or global.cloud.resourceId.secretName must be set"}} {{- end }} -{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.global.cloud.resourceId.secretKey)) }} -{{fail "When telemetryCollector has clientId and clientSecret .global.cloud.resourceId.secretKey must be set"}} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey 
.Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not (or .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey))) }} +{{fail "When telemetryCollector has clientId and clientSecret, telemetryCollector.cloud.resourceId.secretKey or global.cloud.resourceId.secretKey must be set"}} {{- end }} {{- end -}} +{{/* +Fails if telemetryCollector.cloud.resourceId is set but differs from global.cloud.resourceId. This should never happen. Either one or both are set, but they should never differ. +If they differ, that implies we're configuring servers for one HCP Consul cluster but pushing envoy metrics for a different HCP Consul cluster. A user could set the same value +in two secrets (it's questionable whether resourceId should be a secret at all) but we won't know at this point, so we just check secret name+key. + +Usage: {{ template "consul.validateTelemetryCollectorResourceId" . }} + +*/}} +{{- define "consul.validateTelemetryCollectorResourceId" -}} +{{- if and (and .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName) (not (eq .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName)) }} +{{fail "When both global.cloud.resourceId.secretName and telemetryCollector.cloud.resourceId.secretName are set, they should be the same."}} +{{- end }} +{{- if and (and .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey) (not (eq .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey)) }} +{{fail "When both global.cloud.resourceId.secretKey and telemetryCollector.cloud.resourceId.secretKey are set, they should be the same."}} +{{- end }} +{{- end }} + +{{/**/}} + {{/* Fails if global.experiments.resourceAPIs is set along with any of these unsupported features. - global.peering.enabled 
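Review bot: The empty `{{/**/}}` action after `consul.validateTelemetryCollectorResourceId` looks like a leftover; it renders nothing and can be dropped. In the new define, `(not (eq A B))` reads more directly as `(ne A B)` in both conditions. The doc comment already admits that only secret name and key are compared, so it is worth adding one line there saying that two differently named Secrets holding the same resource ID will be rejected by this check.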
diff --git a/charts/hashicorp/consul/templates/client-config-configmap.yaml b/charts/hashicorp/consul/templates/client-config-configmap.yaml index d91a4d21b..cab2c7c04 100644 --- a/charts/hashicorp/consul/templates/client-config-configmap.yaml +++ b/charts/hashicorp/consul/templates/client-config-configmap.yaml @@ -25,13 +25,10 @@ data: "log_level": "{{ .Values.client.logLevel | upper }}" {{- end }} } - extra-from-values.json: |- -{{ tpl .Values.client.extraConfig . | trimAll "\"" | indent 4 }} central-config.json: |- { "enable_central_service_config": true } - {{- if .Values.connectInject.enabled }} {{/* We set check_update_interval to 0s so that check output is immediately viewable in the UI. */}} diff --git a/charts/hashicorp/consul/templates/client-daemonset.yaml b/charts/hashicorp/consul/templates/client-daemonset.yaml index e7dd83ef2..dd0454b10 100644 --- a/charts/hashicorp/consul/templates/client-daemonset.yaml +++ b/charts/hashicorp/consul/templates/client-daemonset.yaml @@ -87,7 +87,7 @@ spec: {{- end }} "consul.hashicorp.com/connect-inject": "false" "consul.hashicorp.com/mesh-inject": "false" - "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/client-config-configmap.yaml") . | sha256sum }} + "consul.hashicorp.com/config-checksum": {{ print (include (print $.Template.BasePath "/client-config-configmap.yaml") .) (include (print $.Template.BasePath "/client-tmp-extra-config-configmap.yaml") .) | sha256sum }} {{- if .Values.client.annotations }} {{- tpl .Values.client.annotations . | nindent 8 }} {{- end }} @@ -142,6 +142,9 @@ spec: - name: consul-data emptyDir: medium: "Memory" + - name: tmp-extra-config + configMap: + name: {{ template "consul.fullname" . }}-client-tmp-extra-config {{- if .Values.global.tls.enabled }} {{- if not .Values.global.secretsBackend.vault.enabled }} - name: consul-ca-cert 
@@ -390,7 +393,7 @@ spec: {{- range $value := .Values.global.recursors }} -recursor={{ quote $value }} \ {{- end }} - -config-file=/consul/extra-config/extra-from-values.json \ + -config-dir=/consul/extra-config \ -domain={{ .Values.global.domain }} volumeMounts: - name: data @@ -399,6 +402,8 @@ spec: mountPath: /consul/config - name: extra-config mountPath: /consul/extra-config + - name: tmp-extra-config + mountPath: /consul/tmp/extra-config - mountPath: /consul/login name: consul-data readOnly: true diff --git a/charts/hashicorp/consul/templates/client-tmp-extra-config-configmap.yaml b/charts/hashicorp/consul/templates/client-tmp-extra-config-configmap.yaml new file mode 100644 index 000000000..a379157f5 --- /dev/null +++ b/charts/hashicorp/consul/templates/client-tmp-extra-config-configmap.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap that is used as a temporary landing spot so that the container command +# in the client-daemonset where it needs to be transformed. ConfigMaps create +# read only volumes so it needs to be copied and transformed to the extra-config +# emptyDir volume where all final extra cofngi lives for use in consul. (locality-init +# also writes to extra-config volume.) +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-client-tmp-extra-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +data: + extra-from-values.json: |- +{{ tpl .Values.client.extraConfig . | trimAll "\"" | indent 4 }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/connect-inject-deployment.yaml b/charts/hashicorp/consul/templates/connect-inject-deployment.yaml index 53f894035..2fafae7df 100644 
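Review bot: Switching the agent from `-config-file=/consul/extra-config/extra-from-values.json` to `-config-dir=/consul/extra-config` means every `.json` or `.hcl` file present in that emptyDir is merged into the agent configuration, not only the one file the chart writes. That widens what any container with write access to the `extra-config` volume can influence, so the volume should stay writable only where it has to be, and a template comment above the command should list the files expected there (`extra-from-values.json`, plus `locality.json` where an init container writes it). The same change is made in server-statefulset.yaml (`@@ -420,8 +426,7 @@`). The container spec continues outside this hunk, so which other containers mount the volume is not visible here.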
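Review bot: The header comment of the new client-tmp-extra-config ConfigMap is garbled (`so that the container command in the client-daemonset where it needs to be transformed`, `cofngi`), and server-tmp-extra-config-configmap.yaml carries the same text. Suggested replacement: `# Holds extra-from-values.json as rendered from client.extraConfig. ConfigMap volumes are read-only, so the container command copies the file into the extra-config emptyDir and substitutes HOST_IP/POD_IP/HOSTNAME there.` Because `client.extraConfig` is written verbatim into a ConfigMap, the comment should also say that tokens and encryption keys do not belong in `extraConfig`.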
--- a/charts/hashicorp/consul/templates/connect-inject-deployment.yaml +++ b/charts/hashicorp/consul/templates/connect-inject-deployment.yaml @@ -6,6 +6,9 @@ {{ template "consul.validateVaultWebhookCertConfiguration" . }} {{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }} {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{- if and .Values.externalServers.enabled .Values.global.cloud.enabled }} + {{- if and (gt (len .Values.externalServers.hosts) 0) (regexMatch ".+.hashicorp.cloud$" ( first .Values.externalServers.hosts )) }}{{fail "global.cloud.enabled cannot be used in combination with an HCP-managed cluster address in externalServers.hosts. global.cloud.enabled is for linked self-managed clusters."}}{{- end }} +{{- end }} {{- if and .Values.externalServers.skipServerWatch (not .Values.externalServers.enabled) }}{{ fail "externalServers.enabled must be set if externalServers.skipServerWatch is true" }}{{ end -}} {{- $dnsEnabled := (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} {{- $dnsRedirectionEnabled := (or (and (ne (.Values.dns.enableRedirection | toString) "-") .Values.dns.enableRedirection) (and (eq (.Values.dns.enableRedirection | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} diff --git a/charts/hashicorp/consul/templates/crd-servicerouters.yaml b/charts/hashicorp/consul/templates/crd-servicerouters.yaml index 72690c60e..c4e06d05b 100644 --- a/charts/hashicorp/consul/templates/crd-servicerouters.yaml +++ b/charts/hashicorp/consul/templates/crd-servicerouters.yaml 
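Review bot: The pattern in `regexMatch ".+.hashicorp.cloud$"` leaves its dots unescaped, so each `.` matches any character and a host such as `consul.nothashicorp.cloud` is rejected as HCP-managed; anchoring on the literal suffix with `regexMatch "\\.hashicorp\\.cloud$"` avoids that. The guard also inspects only `first .Values.externalServers.hosts`, so an HCP address in any later position is not caught; a `range` over the list would cover it. The template's validation preamble continues above and below this hunk, so other checks on `externalServers.hosts` may exist that are not visible here.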
@@ -148,6 +148,13 @@ spec: any existing header values of the same name. type: object type: object + retryOn: + description: RetryOn is a flat list of conditions for Consul + to retry requests based on the response from an upstream + service. + items: + type: string + type: array retryOnConnectFailure: description: RetryOnConnectFailure allows for connection failure errors to trigger a retry. diff --git a/charts/hashicorp/consul/templates/server-config-configmap.yaml b/charts/hashicorp/consul/templates/server-config-configmap.yaml index 9ebfbd257..8cd726f44 100644 --- a/charts/hashicorp/consul/templates/server-config-configmap.yaml +++ b/charts/hashicorp/consul/templates/server-config-configmap.yaml @@ -95,8 +95,6 @@ data: {{- end }} {{- end }} {{- end }} - extra-from-values.json: |- -{{ tpl .Values.server.extraConfig . | trimAll "\"" | indent 4 }} {{- if .Values.global.acls.manageSystemACLs }} acl-config.json: |- { diff --git a/charts/hashicorp/consul/templates/server-statefulset.yaml b/charts/hashicorp/consul/templates/server-statefulset.yaml index d2785369c..5c76a1238 100644 --- a/charts/hashicorp/consul/templates/server-statefulset.yaml +++ b/charts/hashicorp/consul/templates/server-statefulset.yaml @@ -44,6 +44,9 @@ spec: rollingUpdate: partition: {{ .Values.server.updatePartition }} {{- end }} + {{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }} + persistentVolumeClaimRetentionPolicy: {{ toYaml .Values.server.persistentVolumeClaimRetentionPolicy | nindent 4 }} + {{- end }} selector: matchLabels: app: {{ template "consul.name" . }} 
@@ -116,7 +119,7 @@ spec: {{- end }} "consul.hashicorp.com/connect-inject": "false" "consul.hashicorp.com/mesh-inject": "false" - "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/server-config-configmap.yaml") . | sha256sum }} + "consul.hashicorp.com/config-checksum": {{ print (include (print $.Template.BasePath "/server-config-configmap.yaml") .) (include (print $.Template.BasePath "/server-tmp-extra-config-configmap.yaml") .) | sha256sum }} {{- if .Values.server.annotations }} {{- tpl .Values.server.annotations . | nindent 8 }} {{- end }} @@ -156,6 +159,9 @@ spec: name: {{ template "consul.fullname" . }}-server-config - name: extra-config emptyDir: {} + - name: tmp-extra-config + configMap: + name: {{ template "consul.fullname" . }}-server-tmp-extra-config {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} - name: consul-ca-cert secret: @@ -420,8 +426,7 @@ spec: -config-dir=/consul/userconfig/{{ .name }} \ {{- end }} {{- end }} - -config-file=/consul/extra-config/extra-from-values.json \ - -config-file=/consul/extra-config/locality.json \ + -config-dir=/consul/extra-config \ {{- if and .Values.global.cloud.enabled .Values.global.cloud.resourceId.secretName }} -hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }" {{- end }} @@ -435,6 +440,8 @@ spec: mountPath: /consul/config - name: extra-config mountPath: /consul/extra-config + - name: tmp-extra-config + mountPath: /consul/tmp/extra-config {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} - name: consul-ca-cert mountPath: /consul/tls/ca/ diff --git a/charts/hashicorp/consul/templates/server-tmp-extra-config-configmap.yaml b/charts/hashicorp/consul/templates/server-tmp-extra-config-configmap.yaml new file mode 100644 index 000000000..a42d6d09f --- /dev/null +++ b/charts/hashicorp/consul/templates/server-tmp-extra-config-configmap.yaml 
@@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap that is used as a temporary landing spot so that the container command +# in the server-stateful set where it needs to be transformed. ConfigMaps create +# read only volumes so it needs to be copied and transformed to the extra-config +# emptyDir volume where all final extra cofngi lives for use in consul. (locality-init +# also writes to extra-config volume.) +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-server-tmp-extra-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + extra-from-values.json: |- +{{ tpl .Values.server.extraConfig . | trimAll "\"" | indent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/templates/telemetry-collector-deployment.yaml b/charts/hashicorp/consul/templates/telemetry-collector-deployment.yaml index 396cc147a..d36034b29 100644 --- a/charts/hashicorp/consul/templates/telemetry-collector-deployment.yaml +++ b/charts/hashicorp/consul/templates/telemetry-collector-deployment.yaml @@ -5,6 +5,7 @@ {{ template "consul.validateCloudSecretKeys" . }} {{ template "consul.validateTelemetryCollectorCloud" . }} {{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorResourceId" . }} apiVersion: apps/v1 kind: Deployment metadata: 
@@ -34,6 +35,8 @@ spec: # This annotation tells the endpoints controller that this pod was injected even though it wasn't. The # endpoints controller would then sync the endpoint into Consul "consul.hashicorp.com/connect-inject-status": "injected" + # Signals to the endpoints controller that we should force Consul NS creation, since we bypass the mesh webhook. + "consul.hashicorp.com/telemetry-collector": "true" # We aren't using tproxy and we don't have an original pod. This would be simpler if we made a path similar # to gateways "consul.hashicorp.com/connect-service-port": "metricsserver" 
@@ -93,36 +96,51 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - {{- if .Values.global.acls.manageSystemACLs }} - - name: CONSUL_LOGIN_AUTH_METHOD - value: {{ template "consul.fullname" . }}-k8s-auth-method - - name: CONSUL_LOGIN_META - value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" - {{- end }} - name: CONSUL_NODE_NAME value: $(NODE_NAME)-virtual {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + # acl login info + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + # service and login namespace + # this is attempting to replicate the behavior of webhooks in calculating namespace + # https://github.com/hashicorp/consul-k8s/blob/b84339050bb2c4b62b60cec96275f74952b0ac9d/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go#L200 {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} - name: CONSUL_NAMESPACE - value: {{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} - {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + value: {{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} - name: CONSUL_LOGIN_NAMESPACE - value: "default" + value: default {{- else }} - name: CONSUL_LOGIN_NAMESPACE - value: {{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} {{- 
end }} {{- end }} command: - /bin/sh - -ec - |- - consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD_NAMESPACE} \ - -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} \ + consul-k8s-control-plane connect-init \ -log-json={{ .Values.global.logJSON }} \ + -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} \ + -pod-name=${POD_NAME} \ + -pod-namespace=${POD_NAMESPACE} \ + -proxy-id-file="/consul/connect-inject/proxyid" \ -service-account-name="consul-telemetry-collector" \ - -service-name="" \ - -proxy-id-file="/consul/connect-inject/proxyid" + -service-name="" image: {{ .Values.global.imageK8S }} imagePullPolicy: IfNotPresent 
@@ -165,13 +183,32 @@ spec: # These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled. # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. - # - HCP_RESOURCE_ID is created for use in the global cloud section but we will share it here + # - HCP_RESOURCE_ID is created either in the global cloud section or in telemetryCollector.cloud + {{- if .Values.telemetryCollector.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.resourceId.secretName }} + key: {{ .Values.telemetryCollector.cloud.resourceId.secretKey }} + {{- else if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} {{- if .Values.telemetryCollector.cloud.clientId.secretName }} - name: HCP_CLIENT_ID valueFrom: secretKeyRef: name: {{ .Values.telemetryCollector.cloud.clientId.secretName }} key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }} + {{- else if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} {{- end }} {{- if .Values.telemetryCollector.cloud.clientSecret.secretName }} - name: HCP_CLIENT_SECRET 
@@ -179,14 +216,13 @@ spec: secretKeyRef: name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }} key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }} - {{- end}} - {{- if .Values.global.cloud.resourceId.secretName }} - - name: HCP_RESOURCE_ID + {{- else if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET valueFrom: secretKeyRef: - name: {{ .Values.global.cloud.resourceId.secretName }} - key: {{ .Values.global.cloud.resourceId.secretKey }} - {{- end }} + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} {{- if .Values.global.cloud.authUrl.secretName }} - name: HCP_AUTH_URL valueFrom: @@ -227,7 +263,7 @@ spec: consul-telemetry-collector agent \ {{- if .Values.telemetryCollector.customExporterConfig }} - -config-file-path /consul/config/config.json \ + -config-file-path /consul/config/config.json \ {{ end }} volumeMounts: {{- if .Values.telemetryCollector.customExporterConfig }} 
@@ -285,24 +321,30 @@ spec: - -credential-type=login - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token - -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method + {{- end }} + # service and login namespace {{- if .Values.global.enableConsulNamespaces }} - {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} - - -login-namespace="default" + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} {{- else }} - - -login-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -login-namespace=default + {{- else }} + - -login-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} {{- end }} {{- end }} + # service and login partition {{- if .Values.global.adminPartitions.enabled }} - - foo + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} - -login-partition={{ .Values.global.adminPartitions.name }} {{- end }} {{- end }} - {{- if .Values.global.enableConsulNamespaces }} - - -service-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} - {{- end }} - {{- if .Values.global.adminPartitions.enabled }} - - -service-partition={{ .Values.global.adminPartitions.name }} - {{- end }} + # telemetry {{- if .Values.global.metrics.enabled }} - -telemetry-prom-scrape-path=/metrics {{- end }} diff --git a/charts/hashicorp/consul/templates/telemetry-collector-v2-deployment.yaml b/charts/hashicorp/consul/templates/telemetry-collector-v2-deployment.yaml index a88277f3b..d8c94e7ec 100644 
--- a/charts/hashicorp/consul/templates/telemetry-collector-v2-deployment.yaml +++ b/charts/hashicorp/consul/templates/telemetry-collector-v2-deployment.yaml @@ -5,6 +5,7 @@ {{ template "consul.validateCloudSecretKeys" . }} {{ template "consul.validateTelemetryCollectorCloud" . }} {{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorResourceId" . }} apiVersion: apps/v1 kind: Deployment metadata: 
@@ -87,22 +88,34 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + # acl login info {{- if .Values.global.acls.manageSystemACLs }} - name: CONSUL_LOGIN_AUTH_METHOD value: {{ template "consul.fullname" . }}-k8s-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} - name: CONSUL_LOGIN_META value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" {{- end }} - {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + # service and login namespace + # this is attempting to replicate the behavior of webhooks in calculating namespace + # https://github.com/hashicorp/consul-k8s/blob/b84339050bb2c4b62b60cec96275f74952b0ac9d/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go#L200 {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} - name: CONSUL_NAMESPACE - value: {{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} - {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + value: {{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} - name: CONSUL_LOGIN_NAMESPACE value: "default" {{- else }} - name: CONSUL_LOGIN_NAMESPACE - value: {{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} {{- end }} {{- end }} command: 
@@ -154,13 +167,32 @@ spec: # These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled. # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. - # - HCP_RESOURCE_ID is created for use in the global cloud section but we will share it here + # - HCP_RESOURCE_ID is created either in the global cloud section or in telemetryCollector.cloud + {{- if .Values.telemetryCollector.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.resourceId.secretName }} + key: {{ .Values.telemetryCollector.cloud.resourceId.secretKey }} + {{- else if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} {{- if .Values.telemetryCollector.cloud.clientId.secretName }} - name: HCP_CLIENT_ID valueFrom: secretKeyRef: name: {{ .Values.telemetryCollector.cloud.clientId.secretName }} key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }} + {{- else if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} {{- end }} {{- if .Values.telemetryCollector.cloud.clientSecret.secretName }} - name: HCP_CLIENT_SECRET 
@@ -168,14 +200,13 @@ spec: secretKeyRef: name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }} key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }} - {{- end}} - {{- if .Values.global.cloud.resourceId.secretName }} - - name: HCP_RESOURCE_ID + {{- else if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET valueFrom: secretKeyRef: - name: {{ .Values.global.cloud.resourceId.secretName }} - key: {{ .Values.global.cloud.resourceId.secretKey }} - {{- end }} + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} {{- if .Values.global.cloud.authUrl.secretName }} - name: HCP_AUTH_URL valueFrom: 
@@ -273,24 +304,30 @@ spec: - -credential-type=login - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token - -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method + {{- end }} + # service and login namespace {{- if .Values.global.enableConsulNamespaces }} - {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} - - -login-namespace="default" + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} {{- else }} - - -login-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -login-namespace=default + {{- else }} + - -login-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} {{- end }} {{- end }} + # service and login partition {{- if .Values.global.adminPartitions.enabled }} - - foo + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} - -login-partition={{ .Values.global.adminPartitions.name }} {{- end }} {{- end }} - {{- if .Values.global.enableConsulNamespaces }} - - -service-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} - {{- end }} - {{- if .Values.global.adminPartitions.enabled }} - - -service-partition={{ .Values.global.adminPartitions.name }} - {{- end }} + # telemetry {{- if .Values.global.metrics.enabled }} - -telemetry-prom-scrape-path=/metrics {{- end }} diff --git a/charts/hashicorp/consul/values.yaml b/charts/hashicorp/consul/values.yaml index 3d295cf25..80245654a 100644 --- a/charts/hashicorp/consul/values.yaml +++ b/charts/hashicorp/consul/values.yaml 
@@ -66,7 +66,7 @@ global: # image: "hashicorp/consul-enterprise:1.10.0-ent" # ``` # @default: hashicorp/consul: - image: hashicorp/consul:1.17.0 + image: hashicorp/consul:1.17.1 # Array of objects containing image pull secret names that will be applied to each service account. # This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image. @@ -86,7 +86,7 @@ global: # image that is used for functionality such as catalog sync. # This can be overridden per component. # @default: hashicorp/consul-k8s-control-plane: - imageK8S: hashicorp/consul-k8s-control-plane:1.3.0 + imageK8S: hashicorp/consul-k8s-control-plane:1.3.1 # The name of the datacenter that the agents should # register as. This can't be changed once the Consul cluster is up and running @@ -114,7 +114,7 @@ global: # secretKey should be in the form of "key". secretsBackend: vault: - # Vault namespace (optional). This sets the Vault namespace for the `vault.hashicorp.com/namespace` + # Vault namespace (optional). This sets the Vault namespace for the `vault.hashicorp.com/namespace` # agent annotation and [Vault Connect CA namespace](https://developer.hashicorp.com/consul/docs/connect/ca/vault#namespace). # To override one of these values individually, see `agentAnnotations` and `connectCA.additionalConfig`. vaultNamespace: "" @@ -457,7 +457,7 @@ global: # @type: string secretKey: null - # The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods. + # The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods. # This should be a YAML map corresponding to a Kubernetes # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#resourcerequirements-v1-core) # object. 
@@ -558,7 +558,7 @@ global: # If enabled, this datacenter will be federation-capable. Only federation # via mesh gateways is supported. # Mesh gateways and servers will be configured to allow federation. - # Requires `global.tls.enabled`, `connectInject.enabled`, and one of + # Requires `global.tls.enabled`, `connectInject.enabled`, and one of # `meshGateway.enabled` or `externalServers.enabled` to be true. # Requires Consul 1.8+. enabled: false @@ -588,7 +588,7 @@ global: # from the one used by the Consul Service Mesh. # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). # - # If `externalServers.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # If `externalServers.enabled` is set to true, `global.federation.k8sAuthMethodHost` and # `externalServers.k8sAuthMethodHost` should be set to the same value. # # You can retrieve this value from your `kubeconfig` by running: @@ -639,7 +639,7 @@ global: # The name (and tag) of the consul-dataplane Docker image used for the # connect-injected sidecar proxies and mesh, terminating, and ingress gateways. # @default: hashicorp/consul-dataplane: - imageConsulDataplane: hashicorp/consul-dataplane:1.3.0 + imageConsulDataplane: hashicorp/consul-dataplane:1.3.1 # Configuration for running this Helm chart on the Red Hat OpenShift platform. # This Helm chart currently supports OpenShift v4.x+. 
@@ -652,14 +652,19 @@ global: # the API before cancelling the request. consulAPITimeout: 5s - # Enables installing an HCP Consul self-managed cluster. + # Enables installing an HCP Consul Central self-managed cluster. # Requires Consul v1.14+. cloud: - # If true, the Helm chart will enable the installation of an HCP Consul - # self-managed cluster. + # If true, the Helm chart will link a [self-managed cluster to HCP](https://developer.hashicorp.com/hcp/docs/consul/self-managed). + # This can either be used to [configure a new cluster](https://developer.hashicorp.com/hcp/docs/consul/self-managed/new) + # or [link an existing one](https://developer.hashicorp.com/hcp/docs/consul/self-managed/existing). + # + # Note: this setting should not be enabled for [HashiCorp-managed clusters](https://developer.hashicorp.com/hcp/docs/consul/hcp-managed). + # It is strictly for linking self-managed clusters. enabled: false - # The name of the Kubernetes secret that holds the HCP resource id. + # The resource id of the HCP Consul Central cluster to link to. Eg: + # organization/27109cd4-a309-4bf3-9986-e1d071914b18/project/fcef6c24-259d-4510-bb8d-1d812e120e34/hashicorp.consul.global-network-manager.cluster/consul-cluster # This is required when global.cloud.enabled is true. resourceId: # The name of the Kubernetes secret that holds the resource id. @@ -669,7 +674,8 @@ global: # @type: string secretKey: null - # The name of the Kubernetes secret that holds the HCP cloud client id. + # The client id portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to link the cluster + # in global.cloud.resourceId to HCP Consul Central. # This is required when global.cloud.enabled is true. clientId: # The name of the Kubernetes secret that holds the client id. 
@@ -679,7 +685,8 @@ global: # @type: string secretKey: null - # The name of the Kubernetes secret that holds the HCP cloud client secret. + # The client secret portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to link the cluster + # in global.cloud.resourceId to HCP Consul Central. # This is required when global.cloud.enabled is true. clientSecret: # The name of the Kubernetes secret that holds the client secret. @@ -689,8 +696,7 @@ global: # @type: string secretKey: null - # The name of the Kubernetes secret that holds the HCP cloud client id. - # This is optional when global.cloud.enabled is true. + # The hostname of HCP's API. This setting is used for internal testing and validation. apiHost: # The name of the Kubernetes secret that holds the api hostname. # @type: string @@ -699,8 +705,7 @@ global: # @type: string secretKey: null - # The name of the Kubernetes secret that holds the HCP cloud authorization url. - # This is optional when global.cloud.enabled is true. + # The URL of HCP's auth API. This setting is used for internal testing and validation. authUrl: # The name of the Kubernetes secret that holds the authorization url. # @type: string @@ -709,8 +714,7 @@ global: # @type: string secretKey: null - # The name of the Kubernetes secret that holds the HCP cloud scada address. - # This is optional when global.cloud.enabled is true. + # The address of HCP's scada service. This setting is used for internal testing and validation. scadaAddress: # The name of the Kubernetes secret that holds the scada address. # @type: string @@ -745,7 +749,7 @@ global: # ] # ``` # @type: array - trustedCAs: [ ] + trustedCAs: [] # Consul feature flags that will be enabled across components. # Supported feature flags: 
@@ -762,8 +766,7 @@ global: # experiments: [ "resource-apis" ] # ``` # @type: array - experiments: [ ] - + experiments: [] # Server, when enabled, configures a server cluster to run. This should # be disabled if you plan on connecting to a Consul cluster external to @@ -882,11 +885,26 @@ server: # @type: string storageClass: null + # The [Persistent Volume Claim (PVC) retention policy](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention) + # controls if and how PVCs are deleted during the lifecycle of a StatefulSet. + # WhenDeleted specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is deleted, + # and WhenScaled specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is scaled down. + # + # Example: + # + # ```yaml + # persistentVolumeClaimRetentionPolicy: + # whenDeleted: Retain + # whenScaled: Retain + # ``` + # @type: map + persistentVolumeClaimRetentionPolicy: null + # This will enable/disable [service mesh](https://developer.hashicorp.com/consul/docs/connect). Setting this to true # _will not_ automatically secure pod communication, this # setting will only enable usage of the feature. Consul will automatically initialize # a new CA and set of certificates. Additional service mesh settings can be configured - # by setting the `server.extraConfig` value or by applying [configuration entries](https://developer.hashicorp.com/consul/docs/connect/config-entries). + # by setting the `server.extraConfig` value or by applying [configuration entries](https://developer.hashicorp.com/consul/docs/connect/config-entries). connect: true serviceAccount: 
@@ -1256,7 +1274,7 @@ server: # @type: string caCert: null - # [Enterprise Only] Added in Consul 1.8, the audit object allow users to enable auditing + # [Enterprise Only] Added in Consul 1.8, the audit object allow users to enable auditing # and configure a sink and filters for their audit logs. Please refer to # [audit logs](https://developer.hashicorp.com/consul/docs/enterprise/audit-logging) documentation # for further information. @@ -1265,7 +1283,7 @@ server: # global.acls.manageSystemACLs must be enabled to use this feature. enabled: false - # A single entry of the sink object provides configuration for the destination to which Consul + # A single entry of the sink object provides configuration for the destination to which Consul # will log auditing events. # # Example: @@ -1280,7 +1298,7 @@ server: # rotate_duration: 24h # rotate_max_files: 15 # rotate_bytes: 25165824 - # + # # ``` # # The sink object supports the following keys: @@ -1392,7 +1410,7 @@ externalServers: # This address must be reachable from the Consul servers. # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). # - # If `global.federation.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # If `global.federation.enabled` is set to true, `global.federation.k8sAuthMethodHost` and # `externalServers.k8sAuthMethodHost` should be set to the same value. # # You could retrieve this value from your `kubeconfig` by running: 
@@ -2185,7 +2203,7 @@ connectInject: # If this setting is false, you will need to install the Gateway API CRDs manually. manageExternalCRDs: true - # Enables Consul on Kubernets to manage only the non-standard CRDs used for Gateway API. If manageExternalCRDs is true + # Enables Consul on Kubernets to manage only the non-standard CRDs used for Gateway API. If manageExternalCRDs is true # then all CRDs will be installed; otherwise, if manageNonStandardCRDs is true then only TCPRoute, GatewayClassConfig and MeshService # will be installed. manageNonStandardCRDs: false @@ -2672,16 +2690,16 @@ connectInject: # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-shutdown-path` # @type: map lifecycle: - # @type: boolean - defaultEnabled: true - # @type: boolean - defaultEnableShutdownDrainListeners: true - # @type: integer - defaultShutdownGracePeriodSeconds: 30 - # @type: integer - defaultGracefulPort: 20600 - # @type: string - defaultGracefulShutdownPath: "/graceful_shutdown" + # @type: boolean + defaultEnabled: true + # @type: boolean + defaultEnableShutdownDrainListeners: true + # @type: integer + defaultShutdownGracePeriodSeconds: 30 + # @type: integer + defaultGracefulPort: 20600 + # @type: string + defaultGracefulShutdownPath: "/graceful_shutdown" # The resource settings for the Connect injected init container. If null, the resources # won't be set for the initContainer. The defaults are optimized for developer instances of 
@@ -3081,8 +3099,8 @@ ingressGateways: # Gateways is a list of gateway objects. The only required field for # each is `name`, though they can also contain any of the fields in - # `defaults`. You must provide a unique name for each ingress gateway. These names - # must be unique across different namespaces. + # `defaults`. You must provide a unique name for each ingress gateway. These names + # must be unique across different namespaces. # Values defined here override the defaults, except in the case of annotations where both will be applied. # @type: array gateways: @@ -3476,7 +3494,7 @@ telemetryCollector: customExporterConfig: null service: - # This value defines additional annotations for the server service account. This should be formatted as a multi-line + # This value defines additional annotations for the telemetry-collector's service account. This should be formatted as a multi-line # string. # # ```yaml 
@@ -3502,11 +3520,51 @@ telemetryCollector: annotations: null cloud: - clientId: + # The resource id of the HCP Consul Central cluster to push metrics for. Eg: + # `organization/27109cd4-a309-4bf3-9986-e1d071914b18/project/fcef6c24-259d-4510-bb8d-1d812e120e34/hashicorp.consul.global-network-manager.cluster/consul-cluster` + # + # This is used for HCP Consul Central-linked or managed clusters where global.cloud.resourceId is unset. For example, when using externalServers + # with HCP Consul-managed clusters or HCP Consul Central-linked clusters in a different admin partition. + # + # If global.cloud.resourceId is set, this should either be unset (defaulting to global.cloud.resourceId) or be the same as global.cloud.resourceId. + # + # @default: global.cloud.resourceId + resourceId: + # The name of the Kubernetes secret that holds the resource id. + # @type: string secretName: null + # The key within the Kubernetes secret that holds the resource id. + # @type: string secretKey: null - clientSecret: + + # The client id portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to push metrics to HCP + # + # This is set in two scenarios: + # - the service principal in global.cloud is unset + # - the HCP UI provides a service principal with more narrowly scoped permissions that the service principal used in global.cloud + # + # @default: global.cloud.clientId + clientId: + # The name of the Kubernetes secret that holds the client id. + # @type: string secretName: null + # The key within the Kubernetes secret that holds the client id. + # @type: string + secretKey: null + + # The client secret portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to push metrics to HCP. 
+ # + # This is set in two scenarios: + # - the service principal in global.cloud is unset + # - the HCP UI provides a service principal with more narrowly scoped permissions that the service principal used in global.cloud + # + # @default: global.cloud.clientSecret + clientSecret: + # The name of the Kubernetes secret that holds the client secret. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client secret. + # @type: string secretKey: null initContainer: @@ -3523,9 +3581,9 @@ telemetryCollector: # @type: string priorityClassName: "" - # A list of extra environment variables to set within the stateful set. + # A list of extra environment variables to set within the deployment. # These could be used to include proxy settings required for cloud auto-join # feature, in case kubernetes cluster is behind egress http proxies. Additionally, # it could be used to configure custom consul parameters. # @type: map - extraEnvironmentVars: { } + extraEnvironmentVars: {} diff --git a/charts/instana/instana-agent/Chart.yaml b/charts/instana/instana-agent/Chart.yaml index c51a7db28..511e40209 100644 --- a/charts/instana/instana-agent/Chart.yaml +++ b/charts/instana/instana-agent/Chart.yaml @@ -9,7 +9,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.21-0' catalog.cattle.io/release-name: instana-agent apiVersion: v2 -appVersion: 1.259.0 +appVersion: 1.262.0 description: Instana Agent for Kubernetes home: https://www.instana.com/ icon: https://agents.instana.io/helm/stan-logo-2020.png @@ -23,4 +23,4 @@ maintainers: name: instana-agent sources: - https://github.com/instana/instana-agent-docker -version: 1.2.65 +version: 1.2.66 diff --git a/charts/instana/instana-agent/README.md b/charts/instana/instana-agent/README.md index b865dfe17..3673baf6e 100644 --- a/charts/instana/instana-agent/README.md +++ b/charts/instana/instana-agent/README.md 
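Review bot: The new `telemetryCollector.cloud.clientId` and `clientSecret` comments each give an independent `@default` fallback to `global.cloud`, but nothing says the two must be overridden together. If the template resolves each field separately (the `else if` fallback for HCP_CLIENT_SECRET in the deployment template suggests it does), setting only one would pair the id of the narrowly scoped service principal with the secret of the global one. I would add `# clientId and clientSecret must be set together; overriding only one mixes two service principals.` to both blocks. The phrase `permissions that the service principal` should also read `than` in both places.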
@@ -113,7 +113,7 @@ The following table lists the configurable parameters of the Instana chart and t | `agent.pod.limits.cpu` | Container cpu limits in cpu cores | `1.5` | | `agent.pod.limits.memory` | Container memory limits in MiB | `768Mi` | | `agent.pod.requests.cpu` | Container cpu requests in cpu cores | `0.5` | -| `agent.pod.requests.memory` | Container memory requests in MiB | `512Mi` | +| `agent.pod.requests.memory` | Container memory requests in MiB | `768Mi` | | `agent.pod.tolerations` | Tolerations for pod assignment | `[]` | | `agent.pod.affinity` | Affinity for pod assignment | `{}` | | `agent.env` | Additional environment variables for the agent | `{}` | @@ -343,6 +343,10 @@ zones: ## Changelog +### 1.2.66 + +* Allign the default Memory requests to 768Mi for the Agent container. + ### 1.2.65 * Ensure we have appropriate SCC when running with new K8s sensor. diff --git a/charts/instana/instana-agent/templates/_helpers.tpl b/charts/instana/instana-agent/templates/_helpers.tpl index 69664cdd4..6f866ecfd 100644 --- a/charts/instana/instana-agent/templates/_helpers.tpl +++ b/charts/instana/instana-agent/templates/_helpers.tpl @@ -125,7 +125,7 @@ Generates the dockerconfig for the credentials to pull from containers.instana.i Output limits or defaults */}} {{- define "instana-agent.resources" -}} -{{- $memory := default "512Mi" .memory -}} +{{- $memory := default "768Mi" .memory -}} {{- $cpu := default 0.5 .cpu -}} memory: "{{ dict "memory" $memory | include "ensureMemoryMeasurement" }}" cpu: {{ $cpu }} diff --git a/charts/instana/instana-agent/values.yaml b/charts/instana/instana-agent/values.yaml index b1d7ec40b..98e1244ba 100644 --- a/charts/instana/instana-agent/values.yaml +++ b/charts/instana/instana-agent/values.yaml 
@@ -88,7 +88,7 @@ agent: # regardless of the kubernetes.deployment.enabled setting requests: # agent.pod.requests.memory is the requested memory allocation in MiB for the agent pods. - memory: 512Mi + memory: 768Mi # agent.pod.requests.cpu are the requested CPU units allocation for the agent pods. cpu: 0.5 limits: diff --git a/charts/intel/intel-device-plugins-operator/Chart.yaml b/charts/intel/intel-device-plugins-operator/Chart.yaml index b0640d955..3fe1d219b 100644 --- a/charts/intel/intel-device-plugins-operator/Chart.yaml +++ b/charts/intel/intel-device-plugins-operator/Chart.yaml @@ -4,9 +4,9 @@ annotations: catalog.cattle.io/kube-version: '>=1.19-0' catalog.cattle.io/release-name: intel-device-plugins-operator apiVersion: v2 -appVersion: 0.28.0 +appVersion: 0.29.0 description: A Helm chart for Intel Device Plugins Operator for Kubernetes icon: https://avatars.githubusercontent.com/u/17888862?s=200&v=4 name: intel-device-plugins-operator type: application -version: 0.28.0 +version: 0.29.0 diff --git a/charts/intel/intel-device-plugins-operator/LICENSE b/charts/intel/intel-device-plugins-operator/LICENSE index 70291acff..9aa5290eb 100644 --- a/charts/intel/intel-device-plugins-operator/LICENSE +++ b/charts/intel/intel-device-plugins-operator/LICENSE @@ -1,4 +1,4 @@ -Copyright 2022 Intel Corporation +Copyright 2023 Intel Corporation SPDX-License-Identifier: Apache-2.0 Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/charts/intel/intel-device-plugins-operator/templates/operator.yaml b/charts/intel/intel-device-plugins-operator/templates/operator.yaml index 1bc7e1c3c..205ddbdb1 100644 --- a/charts/intel/intel-device-plugins-operator/templates/operator.yaml +++ b/charts/intel/intel-device-plugins-operator/templates/operator.yaml 
@@ -449,12 +449,7 @@ spec: name: webhook-server protocol: TCP resources: - limits: - cpu: 100m - memory: 120Mi - requests: - cpu: 100m - memory: 100Mi + {{- toYaml .Values.resources | nindent 10 }} securityContext: allowPrivilegeEscalation: false capabilities: @@ -681,7 +676,6 @@ webhooks: - v1 operations: - CREATE - - UPDATE resources: - pods sideEffects: None @@ -691,7 +685,7 @@ webhooks: service: name: inteldeviceplugins-webhook-service namespace: {{ .Release.Namespace | quote }} - path: /pods-sgx + path: /mutate--v1-pod failurePolicy: Ignore name: sgx.mutator.webhooks.intel.com reinvocationPolicy: IfNeeded @@ -702,7 +696,6 @@ webhooks: - v1 operations: - CREATE - - UPDATE resources: - pods sideEffects: None diff --git a/charts/intel/intel-device-plugins-operator/values.yaml b/charts/intel/intel-device-plugins-operator/values.yaml index fbbecc667..ddfbe23e3 100644 --- a/charts/intel/intel-device-plugins-operator/values.yaml +++ b/charts/intel/intel-device-plugins-operator/values.yaml @@ -11,10 +11,18 @@ kubeRbacProxy: image: hub: gcr.io hubRepo: kubebuilder - tag: v0.14.1 + tag: v0.15.0 pullPolicy: IfNotPresent privateRegistry: registryUrl: "" registryUser: "" registrySecret: "" + +resources: + limits: + cpu: 100m + memory: 120Mi + requests: + cpu: 100m + memory: 100Mi diff --git a/charts/intel/intel-device-plugins-qat/Chart.yaml b/charts/intel/intel-device-plugins-qat/Chart.yaml index a69e06060..040511e22 100644 --- a/charts/intel/intel-device-plugins-qat/Chart.yaml +++ b/charts/intel/intel-device-plugins-qat/Chart.yaml @@ -4,9 +4,9 @@ annotations: catalog.cattle.io/kube-version: '>=1.19-0' catalog.cattle.io/release-name: intel-device-plugins-qat apiVersion: v2 -appVersion: 0.28.0 +appVersion: 0.29.0 description: A Helm chart for Intel QAT Device Plugin icon: https://avatars.githubusercontent.com/u/17888862?s=200&v=4 name: intel-device-plugins-qat type: application -version: 0.28.0 +version: 0.29.0 
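Review bot: `{{- toYaml .Values.resources | nindent 10 }}` renders whatever the release values hold, so an upgrade whose values lack the new `resources` key (for example one run with `--reuse-values` from the previous chart version) emits `resources: null`. The container exposing the `webhook-server` port then silently loses the CPU and memory limits that used to be hard-coded. Making the omission fail loudly keeps the limit in place: `{{- toYaml (required "resources must be set" .Values.resources) | nindent 10 }}`. The container definition starts above the hunk.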
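Review bot: The SGX mutating webhook now calls `path: /mutate--v1-pod` while the context line keeps `failurePolicy: Ignore`. If the running operator image does not serve that path, every pod CREATE gets a webhook error that the API server ignores, and the pod is admitted unmutated with nothing surfaced to the user. The path has to match the image version, which is set outside this hunk. A comment above it, such as `# must match the pod webhook path served by operator image 0.29.0`, would record that coupling, and the API server's fail-open webhook metrics should be checked after rollout.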
diff --git a/charts/intel/intel-device-plugins-qat/LICENSE b/charts/intel/intel-device-plugins-qat/LICENSE index 70291acff..9aa5290eb 100644 --- a/charts/intel/intel-device-plugins-qat/LICENSE +++ b/charts/intel/intel-device-plugins-qat/LICENSE @@ -1,4 +1,4 @@ -Copyright 2022 Intel Corporation +Copyright 2023 Intel Corporation SPDX-License-Identifier: Apache-2.0 Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/charts/intel/intel-device-plugins-qat/templates/qat.yaml b/charts/intel/intel-device-plugins-qat/templates/qat.yaml index e69966bd3..a807f22ab 100644 --- a/charts/intel/intel-device-plugins-qat/templates/qat.yaml +++ b/charts/intel/intel-device-plugins-qat/templates/qat.yaml @@ -39,4 +39,13 @@ spec: - feature: kernel.loadedmodule matchExpressions: intel_qat: {op: Exists} + matchAny: + - matchFeatures: + - feature: kernel.loadedmodule + matchExpressions: + vfio_pci: {op: Exists} + - matchFeatures: + - feature: kernel.enabledmodule + matchExpressions: + vfio-pci: {op: Exists} {{ end }} diff --git a/charts/intel/intel-device-plugins-sgx/Chart.yaml b/charts/intel/intel-device-plugins-sgx/Chart.yaml index 8d0107dde..50e63780b 100644 --- a/charts/intel/intel-device-plugins-sgx/Chart.yaml +++ b/charts/intel/intel-device-plugins-sgx/Chart.yaml @@ -4,9 +4,9 @@ annotations: catalog.cattle.io/kube-version: '>=1.19-0' catalog.cattle.io/release-name: intel-device-plugins-sgx apiVersion: v2 -appVersion: 0.28.0 +appVersion: 0.29.0 description: A Helm chart for Intel SGX Device Plugin icon: https://avatars.githubusercontent.com/u/17888862?s=200&v=4 name: intel-device-plugins-sgx type: application -version: 0.28.0 +version: 0.29.0 diff --git a/charts/intel/intel-device-plugins-sgx/LICENSE b/charts/intel/intel-device-plugins-sgx/LICENSE index 70291acff..9aa5290eb 100644 --- a/charts/intel/intel-device-plugins-sgx/LICENSE +++ b/charts/intel/intel-device-plugins-sgx/LICENSE 
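Review bot: The two added `matchAny` branches in qat.yaml spell the module differently, `vfio_pci` under `kernel.loadedmodule` and `vfio-pci` under `kernel.enabledmodule`, and nothing says whether that is deliberate. If it is (the two features presumably take names from different kernel sources), a comment such as `# loadedmodule uses the underscore name, enabledmodule the hyphenated one` would stop a later cleanup from normalising one of them and silently un-labelling nodes. The rule also assumes the installed Node Feature Discovery exposes `kernel.enabledmodule`; that requirement is not stated in the hunk. The enclosing rule starts above the hunk.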
@@ -1,4 +1,4 @@ -Copyright 2022 Intel Corporation +Copyright 2023 Intel Corporation SPDX-License-Identifier: Apache-2.0 Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/charts/jenkins/jenkins/CHANGELOG.md b/charts/jenkins/jenkins/CHANGELOG.md index f745d2fc0..4e5c1d477 100644 --- a/charts/jenkins/jenkins/CHANGELOG.md +++ b/charts/jenkins/jenkins/CHANGELOG.md @@ -12,6 +12,27 @@ Use the following links to reference issues, PRs, and commits prior to v2.6.0. The changelog until v1.5.7 was auto-generated based on git commits. Those entries include a reference to the git commit to be able to get more details. +## 4.11.2 + +Fixed documentation for controller.initScripts. + +## 4.11.1 + +Updated helm-unittest and made unittests compatible. + +## 4.11.0 + +Add multi-cloud support. + +## 4.10.0 + +Bumped Jenkins inbound agent from 3107.v665000b_51092-15 to 3192.v713e3b_039fb_e-5. + +## 4.9.2 + +Update Jenkins image and appVersion to jenkins lts release version 2.426.2 + + Notes about [Artifact Hub](https://artifacthub.io/packages/helm/jenkinsci/jenkins?modal=changelog) changelog processing: - Remove empty lines - Keep only ASCII characters (no emojis) diff --git a/charts/jenkins/jenkins/Chart.yaml b/charts/jenkins/jenkins/Chart.yaml index 561405282..bf3e7b854 100644 --- a/charts/jenkins/jenkins/Chart.yaml +++ b/charts/jenkins/jenkins/Chart.yaml @@ -1,14 +1,14 @@ annotations: artifacthub.io/category: integration-delivery artifacthub.io/changes: | - - Restore artifact hub notes location in CHANGELOG.md + - Fixed documentation for controller.initScripts. artifacthub.io/images: | - name: jenkins - image: jenkins/jenkins:2.426.1-jdk17 + image: jenkins/jenkins:2.426.2-jdk17 - name: k8s-sidecar image: kiwigrid/k8s-sidecar:1.24.4 - name: inbound-agent - image: jenkins/inbound-agent:3107.v665000b_51092-15 + image: jenkins/inbound-agent:3192.v713e3b_039fb_e-5 - name: backup image: maorfr/kube-tasks:0.2.0 artifacthub.io/license: Apache-2.0 
@@ -24,7 +24,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.14-0' catalog.cattle.io/release-name: jenkins apiVersion: v2 -appVersion: 2.426.1 +appVersion: 2.426.2 description: Jenkins - Build great things at any scale! The leading open source automation server, Jenkins provides over 1800 plugins to support building, deploying and automating any project. @@ -51,4 +51,4 @@ sources: - https://github.com/jenkinsci/docker-inbound-agent - https://github.com/maorfr/kube-tasks - https://github.com/jenkinsci/configuration-as-code-plugin -version: 4.9.1 +version: 4.11.2 diff --git a/charts/jenkins/jenkins/VALUES_SUMMARY.md b/charts/jenkins/jenkins/VALUES_SUMMARY.md index ad332e5cd..11671ee2f 100644 --- a/charts/jenkins/jenkins/VALUES_SUMMARY.md +++ b/charts/jenkins/jenkins/VALUES_SUMMARY.md 
@@ -40,173 +40,173 @@ The following tables list the configurable parameters of the Jenkins chart and t #### Jenkins Configuration Files & Scripts -| Parameter | Description | Default | -| --------------------------------- | ------------------------------------ | ----------------------------------------- | -| `controller.initScripts` | List of Jenkins init scripts | `[]` | -| `controller.initConfigMap` | Pre-existing init scripts | Not set | +| Parameter | Description | Default | +|----------------------------|------------------------------|---------| +| `controller.initScripts` | List of Jenkins init scripts | `{}` | +| `controller.initConfigMap` | Pre-existing init scripts | Not set | #### Jenkins Global Security -| Parameter | Description | Default | -| --------------------------------- | ---------------------------------------- | ----------------------------------------- | -| `controller.adminSecret` | Create secret for admin user | `true` | -| `controller.disableRememberMe` | Disable use of remember me | `false` | -| `controller.enableRawHtmlMarkupFormatter` | Enable HTML parsing using | false | -| `controller.markupFormatter` | Yaml of the markup formatter to use | `plainText` | -| `controller.disabledAgentProtocols` | Disabled agent protocols | `JNLP-connect JNLP2-connect` | -| `controller.csrf.defaultCrumbIssuer.enabled` | Enable the default CSRF Crumb issuer | `true` | -| `controller.csrf.defaultCrumbIssuer.proxyCompatability` | Enable proxy compatibility | `true` | +| Parameter | Description | Default | +|---------------------------------------------------------|--------------------------------------|------------------------------| +| `controller.adminSecret` | Create secret for admin user | `true` | +| `controller.disableRememberMe` | Disable use of remember me | `false` | +| `controller.enableRawHtmlMarkupFormatter` | Enable HTML parsing using | false | +| `controller.markupFormatter` | Yaml of the markup formatter to use | `plainText` | +| 
`controller.disabledAgentProtocols` | Disabled agent protocols | `JNLP-connect JNLP2-connect` | +| `controller.csrf.defaultCrumbIssuer.enabled` | Enable the default CSRF Crumb issuer | `true` | +| `controller.csrf.defaultCrumbIssuer.proxyCompatability` | Enable proxy compatibility | `true` | #### Jenkins Global Settings -| Parameter | Description | Default | -| --------------------------------- | ------------------------------------ | ----------------------------------------- | -| `controller.numExecutors` | Set Number of executors | 0 | -| `controller.executorMode` | Set executor mode of the Jenkins node. Possible values are: NORMAL or EXCLUSIVE | NORMAL | -| `controller.customJenkinsLabels` | Append Jenkins labels to the controller | `[]` | -| `controller.jenkinsHome` | Custom Jenkins home path | `/var/jenkins_home` | -| `controller.jenkinsRef` | Custom Jenkins reference path | `/usr/share/jenkins/ref` | -| `controller.jenkinsAdminEmail` | Email address for the administrator of the Jenkins instance | Not set | -| `controller.jenkinsUrl` | Set Jenkins URL if you are not using the ingress definitions provided by the chart | Not set | -| `controller.jenkinsUrlProtocol` | Set protocol for Jenkins URL | Set to `https` if `controller.ingress.tls`, `http` otherwise | -| `controller.jenkinsUriPrefix` | Root Uri Jenkins will be served on | Not set | -| `controller.jenkinsOpts` | Append to `JENKINS_OPTS` env var | Not set | -| `controller.javaOpts` | Append to `JAVA_OPTS` env var | Not set | +| Parameter | Description | Default | +|----------------------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------| +| `controller.numExecutors` | Set Number of executors | 0 | +| `controller.executorMode` | Set executor mode of the Jenkins node. 
Possible values are: NORMAL or EXCLUSIVE | NORMAL | +| `controller.customJenkinsLabels` | Append Jenkins labels to the controller | `[]` | +| `controller.jenkinsHome` | Custom Jenkins home path | `/var/jenkins_home` | +| `controller.jenkinsRef` | Custom Jenkins reference path | `/usr/share/jenkins/ref` | +| `controller.jenkinsAdminEmail` | Email address for the administrator of the Jenkins instance | Not set | +| `controller.jenkinsUrl` | Set Jenkins URL if you are not using the ingress definitions provided by the chart | Not set | +| `controller.jenkinsUrlProtocol` | Set protocol for Jenkins URL | Set to `https` if `controller.ingress.tls`, `http` otherwise | +| `controller.jenkinsUriPrefix` | Root Uri Jenkins will be served on | Not set | +| `controller.jenkinsOpts` | Append to `JENKINS_OPTS` env var | Not set | +| `controller.javaOpts` | Append to `JAVA_OPTS` env var | Not set | #### Jenkins In-Process Script Approval -| Parameter | Description | Default | -| --------------------------------- | ------------------------------------ | ----------------------------------------- | -| `controller.scriptApproval` | List of groovy functions to approve | `[]` | +| Parameter | Description | Default | +|-----------------------------|-------------------------------------|---------| +| `controller.scriptApproval` | List of groovy functions to approve | `[]` | #### Jenkins Plugins -| Parameter | Description | Default | -| --------------------------------- | ------------------------------------ | ----------------------------------------- | -| `controller.installPlugins` | List of Jenkins plugins to install. If you don't want to install plugins set it to `false` | `kubernetes:1.31.3 workflow-aggregator:2.6 git:4.10.2 configuration-as-code:1414.v878271fc496f` | -| `controller.additionalPlugins` | List of Jenkins plugins to install in addition to those listed in controller.installPlugins | `[]` | -| `controller.initializeOnce` | Initialize only on first install. 
Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true`. | `false` | -| `controller.overwritePlugins` | Overwrite installed plugins on start.| `false` | -| `controller.overwritePluginsFromImage` | Keep plugins that are already installed in the controller image.| `true` | -| `controller.installLatestPlugins` | Set to false to download the minimum required version of all dependencies. | `true` | -| `controller.installLatestSpecifiedPlugins` | Set to true to download latest dependencies of any plugin that is requested to have the latest version. | `false` | +| Parameter | Description | Default | +|--------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------| +| `controller.installPlugins` | List of Jenkins plugins to install. If you don't want to install plugins set it to `false` | `kubernetes:1.31.3 workflow-aggregator:2.6 git:4.10.2 configuration-as-code:1414.v878271fc496f` | +| `controller.additionalPlugins` | List of Jenkins plugins to install in addition to those listed in controller.installPlugins | `[]` | +| `controller.initializeOnce` | Initialize only on first install. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true`. | `false` | +| `controller.overwritePlugins` | Overwrite installed plugins on start. | `false` | +| `controller.overwritePluginsFromImage` | Keep plugins that are already installed in the controller image. | `true` | +| `controller.installLatestPlugins` | Set to false to download the minimum required version of all dependencies. | `true` | +| `controller.installLatestSpecifiedPlugins` | Set to true to download latest dependencies of any plugin that is requested to have the latest version. 
| `false` | #### Jenkins Agent Listener -| Parameter | Description | Default | -| -------------------------------------------- | ----------------------------------------------- | ------------ | -| `controller.agentListenerEnabled` | Create Agent listener service | `true` | -| `controller.agentListenerPort` | Listening port for agents | `50000` | -| `controller.agentListenerHostPort` | Host port to listen for agents | Not set | -| `controller.agentListenerNodePort` | Node port to listen for agents | Not set | -| `controller.agentListenerServiceType` | Defines how to expose the agentListener service | `ClusterIP` | -| `controller.agentListenerServiceAnnotations` | Annotations for the agentListener service | `{}` | -| `controller.agentListenerLoadBalancerIP` | Static IP for the agentListener LoadBalancer | Not set | -| `controller.agentListenerExternalTrafficPolicy` | [Traffic Policy](https://kubernetes.io/docs/concepts/services-networking/service/#traffic-policies) of for the agentListener service | Not set | -| `controller.agentListenerLoadBalancerSourceRanges` | Allowed inbound IP for the agentListener service | `0.0.0.0/0` | +| Parameter | Description | Default | +|----------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------|-------------| +| `controller.agentListenerEnabled` | Create Agent listener service | `true` | +| `controller.agentListenerPort` | Listening port for agents | `50000` | +| `controller.agentListenerHostPort` | Host port to listen for agents | Not set | +| `controller.agentListenerNodePort` | Node port to listen for agents | Not set | +| `controller.agentListenerServiceType` | Defines how to expose the agentListener service | `ClusterIP` | +| `controller.agentListenerServiceAnnotations` | Annotations for the agentListener service | `{}` | +| `controller.agentListenerLoadBalancerIP` | Static IP for the agentListener 
LoadBalancer | Not set | +| `controller.agentListenerExternalTrafficPolicy` | [Traffic Policy](https://kubernetes.io/docs/concepts/services-networking/service/#traffic-policies) of for the agentListener service | Not set | +| `controller.agentListenerLoadBalancerSourceRanges` | Allowed inbound IP for the agentListener service | `0.0.0.0/0` | #### Kubernetes StatefulSet & Service -| Parameter | Description | Default | -| --------------------------------- | ------------------------------------ | ----------------------------------------- | -| `controller.image` | Controller image name | `jenkins/jenkins` | -| `controller.tagLabel` | Controller image tag label | `jdk17` | -| `controller.tag` | Controller image tag override | Not set | -| `controller.imagePullPolicy` | Controller image pull policy | `Always` | -| `controller.imagePullSecretName` | Controller image pull secret | Not set | -| `controller.resources` | Resources allocation (Requests and Limits) | `{requests: {cpu: 50m, memory: 256Mi}, limits: {cpu: 2000m, memory: 4096Mi}}`| -| `controller.initContainerResources` | Resources allocation (Requests and Limits) for Init Container | Not set | -| `controller.initContainerEnvFrom` | Environment variable sources for Init Container | Not set | -| `controller.initContainerEnv` | Environment variables for Init Container | Not set | -| `controller.containerEnvFrom` | Environment variable sources for Jenkins Container | Not set | -| `controller.containerEnv` | Environment variables for Jenkins Container | Not set | -| `controller.usePodSecurityContext` | Enable pod security context (must be `true` if `runAsUser`, `fsGroup`, or `podSecurityContextOverride` are set) | `true` | -| `controller.runAsUser` | Deprecated in favor of `controller.podSecurityContextOverride`. uid that jenkins runs with. | `1000` | -| `controller.fsGroup` | Deprecated in favor of `controller.podSecurityContextOverride`. uid that will be used for persistent volume. 
| `1000` | -| `controller.podSecurityContextOverride` | Completely overwrites the contents of the pod security context, ignoring the values provided for `runAsUser`, and `fsGroup`. | Not set | -| `controller.containerSecurityContext` | Allow to control securityContext for the jenkins container. | `{runAsUser: 1000, runAsGroup: 1000, readOnlyRootFilesystem: true, allowPrivilegeEscalation: false}` | -| `controller.hostAliases` | Aliases for IPs in `/etc/hosts` | `[]` | -| `controller.serviceAnnotations` | Service annotations | `{}` | -| `controller.serviceType` | k8s service type | `ClusterIP` | -| `controller.clusterIP` | k8s service clusterIP | Not set | -| `controller.servicePort` | k8s service port | `8080` | -| `controller.targetPort` | k8s target port | `8080` | -| `controller.nodePort` | k8s node port | Not set | -| `controller.jmxPort` | Open a port, for JMX stats | Not set | -| `controller.extraPorts` | Open extra ports, for other uses | `[]` | -| `controller.loadBalancerSourceRanges` | Allowed inbound IP addresses | `0.0.0.0/0` | -| `controller.loadBalancerIP` | Optional fixed external IP | Not set | -| `controller.statefulSetLabels` | Custom StatefulSet labels | Not set | -| `controller.serviceLabels` | Custom Service labels | Not set | -| `controller.podLabels` | Custom Pod labels (an object with `label-key: label-value` pairs) | Not set | -| `controller.nodeSelector` | Node labels for pod assignment | `{}` | -| `controller.affinity` | Affinity settings | `{}` | -| `controller.schedulerName` | Kubernetes scheduler name | Not set | -| `controller.terminationGracePeriodSeconds` | Set TerminationGracePeriodSeconds | Not set | -| `controller.terminationMessagePath` | Set the termination message path | Not set | -| `controller.terminationMessagePolicy` | Set the termination message policy | Not set | -| `controller.tolerations` | Toleration labels for pod assignment | `[]` | -| `controller.podAnnotations` | Annotations for controller pod | `{}` | -| 
`controller.statefulSetAnnotations` | Annotations for controller StatefulSet | `{}` | -| `controller.updateStrategy` | Update strategy for StatefulSet | `{}` | -| `controller.lifecycle` | Lifecycle specification for controller-container | Not set | -| `controller.priorityClassName` | The name of a `priorityClass` to apply to the controller pod | Not set | -| `controller.admin.existingSecret` | The name of an existing secret containing the admin credentials. | `""`| -| `controller.admin.userKey` | The key in the existing admin secret containing the username. | `jenkins-admin-user` | -| `controller.admin.passwordKey` | The key in the existing admin secret containing the password. | `jenkins-admin-password` | -| `controller.customInitContainers` | Custom init-container specification in raw-yaml format | Not set | -| `controller.sidecars.other` | Configures additional sidecar container(s) for Jenkins controller | `[]` | +| Parameter | Description | Default | +|--------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------| +| `controller.image` | Controller image name | `jenkins/jenkins` | +| `controller.tagLabel` | Controller image tag label | `jdk17` | +| `controller.tag` | Controller image tag override | Not set | +| `controller.imagePullPolicy` | Controller image pull policy | `Always` | +| `controller.imagePullSecretName` | Controller image pull secret | Not set | +| `controller.resources` | Resources allocation (Requests and Limits) | `{requests: {cpu: 50m, memory: 256Mi}, limits: {cpu: 2000m, memory: 4096Mi}}` | +| `controller.initContainerResources` | Resources allocation (Requests and Limits) for Init Container | Not set | +| `controller.initContainerEnvFrom` | Environment variable sources for Init Container | Not set | +| `controller.initContainerEnv` 
| Environment variables for Init Container | Not set | +| `controller.containerEnvFrom` | Environment variable sources for Jenkins Container | Not set | +| `controller.containerEnv` | Environment variables for Jenkins Container | Not set | +| `controller.usePodSecurityContext` | Enable pod security context (must be `true` if `runAsUser`, `fsGroup`, or `podSecurityContextOverride` are set) | `true` | +| `controller.runAsUser` | Deprecated in favor of `controller.podSecurityContextOverride`. uid that jenkins runs with. | `1000` | +| `controller.fsGroup` | Deprecated in favor of `controller.podSecurityContextOverride`. uid that will be used for persistent volume. | `1000` | +| `controller.podSecurityContextOverride` | Completely overwrites the contents of the pod security context, ignoring the values provided for `runAsUser`, and `fsGroup`. | Not set | +| `controller.containerSecurityContext` | Allow to control securityContext for the jenkins container. | `{runAsUser: 1000, runAsGroup: 1000, readOnlyRootFilesystem: true, allowPrivilegeEscalation: false}` | +| `controller.hostAliases` | Aliases for IPs in `/etc/hosts` | `[]` | +| `controller.serviceAnnotations` | Service annotations | `{}` | +| `controller.serviceType` | k8s service type | `ClusterIP` | +| `controller.clusterIP` | k8s service clusterIP | Not set | +| `controller.servicePort` | k8s service port | `8080` | +| `controller.targetPort` | k8s target port | `8080` | +| `controller.nodePort` | k8s node port | Not set | +| `controller.jmxPort` | Open a port, for JMX stats | Not set | +| `controller.extraPorts` | Open extra ports, for other uses | `[]` | +| `controller.loadBalancerSourceRanges` | Allowed inbound IP addresses | `0.0.0.0/0` | +| `controller.loadBalancerIP` | Optional fixed external IP | Not set | +| `controller.statefulSetLabels` | Custom StatefulSet labels | Not set | +| `controller.serviceLabels` | Custom Service labels | Not set | +| `controller.podLabels` | Custom Pod labels (an object with 
`label-key: label-value` pairs) | Not set | +| `controller.nodeSelector` | Node labels for pod assignment | `{}` | +| `controller.affinity` | Affinity settings | `{}` | +| `controller.schedulerName` | Kubernetes scheduler name | Not set | +| `controller.terminationGracePeriodSeconds` | Set TerminationGracePeriodSeconds | Not set | +| `controller.terminationMessagePath` | Set the termination message path | Not set | +| `controller.terminationMessagePolicy` | Set the termination message policy | Not set | +| `controller.tolerations` | Toleration labels for pod assignment | `[]` | +| `controller.podAnnotations` | Annotations for controller pod | `{}` | +| `controller.statefulSetAnnotations` | Annotations for controller StatefulSet | `{}` | +| `controller.updateStrategy` | Update strategy for StatefulSet | `{}` | +| `controller.lifecycle` | Lifecycle specification for controller-container | Not set | +| `controller.priorityClassName` | The name of a `priorityClass` to apply to the controller pod | Not set | +| `controller.admin.existingSecret` | The name of an existing secret containing the admin credentials. | `""` | +| `controller.admin.userKey` | The key in the existing admin secret containing the username. | `jenkins-admin-user` | +| `controller.admin.passwordKey` | The key in the existing admin secret containing the password. 
| `jenkins-admin-password` | +| `controller.customInitContainers` | Custom init-container specification in raw-yaml format | Not set | +| `controller.sidecars.other` | Configures additional sidecar container(s) for Jenkins controller | `[]` | #### Kubernetes Pod Disruption Budget -| Parameter | Description | Default | -| --------------------------------- | ------------------------------------ | ----------------------------------------- | -| `controller.podDisruptionBudget.enabled` | Enable [Kubernetes Pod Disruption Budget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) configuration from `controller.podDisruptionBudget` (see below) | `false` | -| `controller.podDisruptionBudget.apiVersion` | Policy API version | `policy/v1beta1` | -| `controller.podDisruptionBudget.maxUnavailable` | Number of pods that can be unavailable. Either an absolute number or a percentage. | Not set | +| Parameter | Description | Default | +|-------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------| +| `controller.podDisruptionBudget.enabled` | Enable [Kubernetes Pod Disruption Budget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) configuration from `controller.podDisruptionBudget` (see below) | `false` | +| `controller.podDisruptionBudget.apiVersion` | Policy API version | `policy/v1beta1` | +| `controller.podDisruptionBudget.maxUnavailable` | Number of pods that can be unavailable. Either an absolute number or a percentage. 
| Not set | #### Kubernetes Health Probes -| Parameter | Description | Default | -| --------------------------------- | ------------------------------------ | ----------------------------------------- | -| `controller.healthProbes` | Enable [Kubernetes Probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes) configuration from `controller.probes` (see below) | `true` | -| `controller.probes.livenessProbe.timeoutSeconds` | Set the timeout for the liveness probe in seconds | `5` | -| `controller.probes.livenessProbe.periodSeconds` | Set the time interval (in seconds) between two liveness probes executions | `10` | -| `controller.probes.livenessProbe.failureThreshold` | Set the failure threshold for the liveness probe | `5` | -| `controller.probes.livenessProbe.initialDelaySeconds` | Set the initial delay for the liveness probe | Not set | -| `controller.probes.livenessProbe.httpGet.port` | Set the Pod's HTTP port to use for the liveness probe | `http` | -| `controller.probes.livenessProbe.httpGet.path` | Set the HTTP's path for the liveness probe | `/login'` (or `${controller.jenkinsUriPrefix}/login` if `controller.jenkinsUriPrefix` is defined) | -| `controller.probes.readinessProbe.timeoutSeconds` | Set the timeout for the readiness probe in seconds | `5` | -| `controller.probes.readinessProbe.periodSeconds` | Set the time interval (in seconds) between two readiness probes executions | `10` | -| `controller.probes.readinessProbe.failureThreshold` | Set the failure threshold for the readiness probe | `3` | -| `controller.probes.readinessProbe.initialDelaySeconds` | Set the initial delay for the readiness probe | Not set | -| `controller.probes.readinessProbe.httpGet.port` | Set the Pod's HTTP port to use for the readiness probe | `http` | -| `controller.probes.readinessProbe.httpGet.path` | Set the HTTP's path for the readiness probe | `/login'` (or `${controller.jenkinsUriPrefix}/login` if 
`controller.jenkinsUriPrefix` is defined) | -| `controller.probes.startupProbe.timeoutSeconds` | Set the timeout for the startup probe in seconds | `5` | -| `controller.probes.startupProbe.periodSeconds` | Set the time interval (in seconds) between two startup probes executions | `10` | -| `controller.probes.startupProbe.failureThreshold` | Set the failure threshold for the startup probe | `12` | -| `controller.probes.startupProbe.initialDelaySeconds` | Set the initial delay for the startup probe | Not set | -| `controller.probes.startupProbe.httpGet.port` | Set the Pod's HTTP port to use for the startup probe | `http` | -| `controller.probes.startupProbe.httpGet.path` | Set the HTTP's path for the startup probe | `/login'` (or `${controller.jenkinsUriPrefix}/login` if `controller.jenkinsUriPrefix` is defined) | +| Parameter | Description | Default | +|--------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------| +| `controller.healthProbes` | Enable [Kubernetes Probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes) configuration from `controller.probes` (see below) | `true` | +| `controller.probes.livenessProbe.timeoutSeconds` | Set the timeout for the liveness probe in seconds | `5` | +| `controller.probes.livenessProbe.periodSeconds` | Set the time interval (in seconds) between two liveness probes executions | `10` | +| `controller.probes.livenessProbe.failureThreshold` | Set the failure threshold for the liveness probe | `5` | +| `controller.probes.livenessProbe.initialDelaySeconds` | Set the initial delay for the liveness probe | Not set | +| `controller.probes.livenessProbe.httpGet.port` | Set the Pod's HTTP port to use for the 
liveness probe | `http` | +| `controller.probes.livenessProbe.httpGet.path` | Set the HTTP's path for the liveness probe | `/login'` (or `${controller.jenkinsUriPrefix}/login` if `controller.jenkinsUriPrefix` is defined) | +| `controller.probes.readinessProbe.timeoutSeconds` | Set the timeout for the readiness probe in seconds | `5` | +| `controller.probes.readinessProbe.periodSeconds` | Set the time interval (in seconds) between two readiness probes executions | `10` | +| `controller.probes.readinessProbe.failureThreshold` | Set the failure threshold for the readiness probe | `3` | +| `controller.probes.readinessProbe.initialDelaySeconds` | Set the initial delay for the readiness probe | Not set | +| `controller.probes.readinessProbe.httpGet.port` | Set the Pod's HTTP port to use for the readiness probe | `http` | +| `controller.probes.readinessProbe.httpGet.path` | Set the HTTP's path for the readiness probe | `/login'` (or `${controller.jenkinsUriPrefix}/login` if `controller.jenkinsUriPrefix` is defined) | +| `controller.probes.startupProbe.timeoutSeconds` | Set the timeout for the startup probe in seconds | `5` | +| `controller.probes.startupProbe.periodSeconds` | Set the time interval (in seconds) between two startup probes executions | `10` | +| `controller.probes.startupProbe.failureThreshold` | Set the failure threshold for the startup probe | `12` | +| `controller.probes.startupProbe.initialDelaySeconds` | Set the initial delay for the startup probe | Not set | +| `controller.probes.startupProbe.httpGet.port` | Set the Pod's HTTP port to use for the startup probe | `http` | +| `controller.probes.startupProbe.httpGet.path` | Set the HTTP's path for the startup probe | `/login'` (or `${controller.jenkinsUriPrefix}/login` if `controller.jenkinsUriPrefix` is defined) | #### Kubernetes Ingress -| Parameter | Description | Default | -| --------------------------------- | ------------------------------------ | ----------------------------------------- | -| 
`controller.ingress.enabled` | Enables ingress | `false` | -| `controller.ingress.apiVersion` | Ingress API version | `extensions/v1beta1` | -| `controller.ingress.hostName` | Ingress hostname | Not set | -| `controller.ingress.resourceRootUrl` | Hostname to serve assets from | Not set | -| `controller.ingress.annotations` | Ingress annotations | `{}` | -| `controller.ingress.labels` | Ingress labels | `{}` | -| `controller.ingress.path` | Ingress path | Not set | -| `controller.ingress.paths` | Override for the default Ingress paths | `[]` | -| `controller.ingress.tls` | Ingress TLS configuration | `[]` | +| Parameter | Description | Default | +|--------------------------------------|----------------------------------------|----------------------| +| `controller.ingress.enabled` | Enables ingress | `false` | +| `controller.ingress.apiVersion` | Ingress API version | `extensions/v1beta1` | +| `controller.ingress.hostName` | Ingress hostname | Not set | +| `controller.ingress.resourceRootUrl` | Hostname to serve assets from | Not set | +| `controller.ingress.annotations` | Ingress annotations | `{}` | +| `controller.ingress.labels` | Ingress labels | `{}` | +| `controller.ingress.path` | Ingress path | Not set | +| `controller.ingress.paths` | Override for the default Ingress paths | `[]` | +| `controller.ingress.tls` | Ingress TLS configuration | `[]` | #### GKE BackendConfig -| Parameter | Description | Default | -| --------------------------------- | ------------------------------------ | ----------------------------------------- | +| Parameter | Description | Default | +|----------------------------------------|---------------------------|----------------------| | `controller.backendconfig.enabled` | Enables backendconfig | `false` | | `controller.backendconfig.apiVersion` | backendconfig API version | `extensions/v1beta1` | | `controller.backendconfig.name` | backendconfig name | Not set | 
@@ -216,158 +216,158 @@ The following tables list the configurable parameters of the Jenkins chart and t #### OpenShift Route -| Parameter | Description | Default | -| --------------------------------- | ------------------------------------ | ----------------------------------------- | -| `controller.route.enabled` | Enables openshift route | `false` | -| `controller.route.annotations` | Route annotations | `{}` | -| `controller.route.labels` | Route labels | `{}` | -| `controller.route.path` | Route path | Not set | +| Parameter | Description | Default | +|--------------------------------|-------------------------|---------| +| `controller.route.enabled` | Enables openshift route | `false` | +| `controller.route.annotations` | Route annotations | `{}` | +| `controller.route.labels` | Route labels | `{}` | +| `controller.route.path` | Route path | Not set | #### Prometheus -| Parameter | Description | Default | -| --------------------------------- | ------------------------------------ | ----------------------------------------- | -| `controller.prometheus.enabled` | Enables prometheus service monitor | `false` | -| `controller.prometheus.serviceMonitorAdditionalLabels` | Additional labels to add to the service monitor object | `{}` | -| `controller.prometheus.serviceMonitorNamespace` | Custom namespace for serviceMonitor | Not set (same ns where is Jenkins being deployed) | -| `controller.prometheus.scrapeInterval` | How often prometheus should scrape metrics | `60s` | -| `controller.prometheus.scrapeEndpoint` | The endpoint prometheus should get metrics from | `/prometheus` | -| `controller.prometheus.alertingrules` | Array of prometheus alerting rules | `[]` | -| `controller.prometheus.alertingRulesAdditionalLabels` | Additional labels to add to the prometheus rule object | `{}` | -| `controller.prometheus.prometheusRuleNamespace` | Custom namespace for PrometheusRule | `""` (same ns where Jenkins being deployed) | +| Parameter | Description | Default | 
+|--------------------------------------------------------|--------------------------------------------------------|---------------------------------------------------| +| `controller.prometheus.enabled` | Enables prometheus service monitor | `false` | +| `controller.prometheus.serviceMonitorAdditionalLabels` | Additional labels to add to the service monitor object | `{}` | +| `controller.prometheus.serviceMonitorNamespace` | Custom namespace for serviceMonitor | Not set (same ns where is Jenkins being deployed) | +| `controller.prometheus.scrapeInterval` | How often prometheus should scrape metrics | `60s` | +| `controller.prometheus.scrapeEndpoint` | The endpoint prometheus should get metrics from | `/prometheus` | +| `controller.prometheus.alertingrules` | Array of prometheus alerting rules | `[]` | +| `controller.prometheus.alertingRulesAdditionalLabels` | Additional labels to add to the prometheus rule object | `{}` | +| `controller.prometheus.prometheusRuleNamespace` | Custom namespace for PrometheusRule | `""` (same ns where Jenkins being deployed) | #### HTTPS Keystore -| Parameter | Description | Default | -| --------------------------------- | ------------------------------------ | ----------------------------------------- | -| `controller.httpsKeyStore.enable` | Enables HTTPS keystore on jenkins controller | `false` | -| `controller.httpsKeyStore.jenkinsHttpsJksSecretName` | Name of the secret that already has ssl keystore | `` | -| `controller.httpsKeyStore.jenkinsHttpsJksSecretKey` | Name of the key in the secret that already has ssl keystore | `jenkins-jks-file` | -| `controller.httpsKeyStore.jenkinsHttpsJksPasswordSecretName` | Name of the secret that contains the JKS password, if it is not in the same secret as the JKS file | `` | -| `controller.httpsKeyStore.jenkinsHttpsJksPasswordSecretKey` | Name of the key in the secret that contains the JKS password | `https-jks-password` | -| `controller.httpsKeyStore.httpPort` | HTTP Port that Jenkins should 
listen on along with HTTPS, it also serves liveness and readiness probs port. When HTTPS keystore is enabled servicePort and targetPort will be used as HTTPS port | `8081` | -| `controller.httpsKeyStore.path` | Path of HTTPS keystore file | `/var/jenkins_keystore` | -| `controller.httpsKeyStore.fileName` | Jenkins keystore filename which will appear under controller.httpsKeyStore.path | `keystore.jks` | -| `controller.httpsKeyStore.password` | Jenkins keystore password | `password` | -| `controller.httpsKeyStore.jenkinsKeyStoreBase64Encoded` | Base64 encoded Keystore content. Keystore must be converted to base64 then being pasted here | a self signed cert | +| Parameter | Description | Default | +|--------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------| +| `controller.httpsKeyStore.enable` | Enables HTTPS keystore on jenkins controller | `false` | +| `controller.httpsKeyStore.jenkinsHttpsJksSecretName` | Name of the secret that already has ssl keystore | `` | +| `controller.httpsKeyStore.jenkinsHttpsJksSecretKey` | Name of the key in the secret that already has ssl keystore | `jenkins-jks-file` | +| `controller.httpsKeyStore.jenkinsHttpsJksPasswordSecretName` | Name of the secret that contains the JKS password, if it is not in the same secret as the JKS file | `` | +| `controller.httpsKeyStore.jenkinsHttpsJksPasswordSecretKey` | Name of the key in the secret that contains the JKS password | `https-jks-password` | +| `controller.httpsKeyStore.httpPort` | HTTP Port that Jenkins should listen on along with HTTPS, it also serves liveness and readiness probs port. 
When HTTPS keystore is enabled servicePort and targetPort will be used as HTTPS port | `8081` | +| `controller.httpsKeyStore.path` | Path of HTTPS keystore file | `/var/jenkins_keystore` | +| `controller.httpsKeyStore.fileName` | Jenkins keystore filename which will appear under controller.httpsKeyStore.path | `keystore.jks` | +| `controller.httpsKeyStore.password` | Jenkins keystore password | `password` | +| `controller.httpsKeyStore.jenkinsKeyStoreBase64Encoded` | Base64 encoded Keystore content. Keystore must be converted to base64 then being pasted here | a self signed cert | #### Kubernetes Secret -| Parameter | Description | Default | -|----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ----------------------------------------- | -| `controller.adminUser` | Admin username (and password) created as a secret if adminSecret is true | `admin` | +| Parameter | Description | Default | +|----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------| +| `controller.adminUser` | Admin username (and password) created as a secret if adminSecret is true | `admin` | | `controller.adminPassword` | Admin password (and user) created as a secret if adminSecret is true | Random value | -| `controller.existingSecret` | The name of an existing secret containing keys credentials. 
| `""`| -| `controller.additionalSecrets` | List of additional secrets to create and mount according to [JCasC docs](https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets) | `[]` | -| `controller.additionalExistingSecrets` | List of additional existing secrets to mount according to [JCasC docs](https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets) | `[]` | -| `controller.secretClaims` | List of `SecretClaim` resources to create | `[]` | +| `controller.existingSecret` | The name of an existing secret containing keys credentials. | `""` | +| `controller.additionalSecrets` | List of additional secrets to create and mount according to [JCasC docs](https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets) | `[]` | +| `controller.additionalExistingSecrets` | List of additional existing secrets to mount according to [JCasC docs](https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets) | `[]` | +| `controller.secretClaims` | List of `SecretClaim` resources to create | `[]` | #### Kubernetes NetworkPolicy -| Parameter | Description | Default | -| --------------------------------- | ------------------------------------ | ----------------------------------------- | -| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources. | `false` | -| `networkPolicy.apiVersion` | NetworkPolicy ApiVersion | `networking.k8s.io/v1` | -| `networkPolicy.internalAgents.allowed` | Allow internal agents (from the same cluster) to connect to controller. Agent pods would be filtered based on PodLabels. | `false` | -| `networkPolicy.internalAgents.podLabels` | A map of labels (keys/values) that agents pods must have to be able to connect to controller. 
| `{}` | -| `networkPolicy.internalAgents.namespaceLabels` | A map of labels (keys/values) that agents namespaces must have to be able to connect to controller. | `{}` | -| `networkPolicy.externalAgents.ipCIDR` | The IP range from which external agents are allowed to connect to controller. | `` | -| `networkPolicy.externalAgents.except` | A list of IP sub-ranges to be excluded from the whitelisted IP range. | `[]` | +| Parameter | Description | Default | +|------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|------------------------| +| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources. | `false` | +| `networkPolicy.apiVersion` | NetworkPolicy ApiVersion | `networking.k8s.io/v1` | +| `networkPolicy.internalAgents.allowed` | Allow internal agents (from the same cluster) to connect to controller. Agent pods would be filtered based on PodLabels. | `false` | +| `networkPolicy.internalAgents.podLabels` | A map of labels (keys/values) that agents pods must have to be able to connect to controller. | `{}` | +| `networkPolicy.internalAgents.namespaceLabels` | A map of labels (keys/values) that agents namespaces must have to be able to connect to controller. | `{}` | +| `networkPolicy.externalAgents.ipCIDR` | The IP range from which external agents are allowed to connect to controller. | `` | +| `networkPolicy.externalAgents.except` | A list of IP sub-ranges to be excluded from the whitelisted IP range. 
| `[]` | #### Kubernetes RBAC -| Parameter | Description | Default | -| --------------------------------- | ------------------------------------ | ----------------------------------------- | -| `rbac.create` | Whether RBAC resources are created | `true` | -| `rbac.readSecrets` | Whether the Jenkins service account should be able to read Kubernetes secrets | `false` | +| Parameter | Description | Default | +|--------------------|-------------------------------------------------------------------------------|---------| +| `rbac.create` | Whether RBAC resources are created | `true` | +| `rbac.readSecrets` | Whether the Jenkins service account should be able to read Kubernetes secrets | `false` | #### Kubernetes ServiceAccount - Controller -| Parameter | Description | Default | -| --------------------------------- | ------------------------------------ | ----------------------------------------- | -| `serviceAccount.name` | name of the ServiceAccount to be used by access-controlled resources | autogenerated | -| `serviceAccount.create` | Configures if a ServiceAccount with this name should be created | `true` | -| `serviceAccount.annotations` | Configures annotation for the ServiceAccount | `{}` | -| `serviceAccount.extraLabels` | Configures extra labels for the ServiceAccount | `{}` | -| `serviceAccount.imagePullSecretName` | Controller ServiceAccount image pull secret | Not set | +| Parameter | Description | Default | +|--------------------------------------|----------------------------------------------------------------------|---------------| +| `serviceAccount.name` | name of the ServiceAccount to be used by access-controlled resources | autogenerated | +| `serviceAccount.create` | Configures if a ServiceAccount with this name should be created | `true` | +| `serviceAccount.annotations` | Configures annotation for the ServiceAccount | `{}` | +| `serviceAccount.extraLabels` | Configures extra labels for the ServiceAccount | `{}` | +| 
`serviceAccount.imagePullSecretName` | Controller ServiceAccount image pull secret | Not set | #### Kubernetes ServiceAccount - Agent -| Parameter | Description | Default | -| --------------------------------- | ------------------------------------ | ----------------------------------------- | -| `serviceAccountAgent.name` | name of the agent ServiceAccount to be used by access-controlled resources | autogenerated | -| `serviceAccountAgent.create` | Configures if an agent ServiceAccount with this name should be created | `false` | -| `serviceAccountAgent.annotations` | Configures annotation for the agent ServiceAccount | `{}` | -| `serviceAccountAgent.extraLabels` | Configures extra labels for the agent ServiceAccount | `{}` | -| `serviceAccountAgent.imagePullSecretName` | Agent ServiceAccount image pull secret | Not set | +| Parameter | Description | Default | +|-------------------------------------------|----------------------------------------------------------------------------|---------------| +| `serviceAccountAgent.name` | name of the agent ServiceAccount to be used by access-controlled resources | autogenerated | +| `serviceAccountAgent.create` | Configures if an agent ServiceAccount with this name should be created | `false` | +| `serviceAccountAgent.annotations` | Configures annotation for the agent ServiceAccount | `{}` | +| `serviceAccountAgent.extraLabels` | Configures extra labels for the agent ServiceAccount | `{}` | +| `serviceAccountAgent.imagePullSecretName` | Agent ServiceAccount image pull secret | Not set | ### Jenkins Agent(s) -| Parameter | Description | Default | -| -------------------------- |------------------------------------------------------------------------------------------| ---------------------- | -| `agent.enabled` | Enable Kubernetes plugin jnlp-agent podTemplate | `true` | -| `agent.namespace` | Namespace in which the Kubernetes agents should be launched | Not set | -| `agent.containerCap` | Maximum number of agent | 10 | -| 
`agent.defaultsProviderTemplate` | The name of the pod template to use for providing default values | Not set | -| `agent.jenkinsUrl` | Overrides the Kubernetes Jenkins URL | Not set | -| `agent.jenkinsTunnel` | Overrides the Kubernetes Jenkins tunnel | Not set | -| `agent.kubernetesConnectTimeout` | The connection timeout in seconds for connections to Kubernetes API. Minimum value is 5. | 5 | -| `agent.kubernetesReadTimeout` | The read timeout in seconds for connections to Kubernetes API. Minimum value is 15. | 15 | -| `agent.maxRequestsPerHostStr` | The maximum concurrent connections to Kubernetes API | 32 | -| `agent.retentionTimeout` | Time in minutes after which the Kubernetes cloud plugin will clean up an idle worker that has not already terminated | 5 | -| `agent.waitForPodSec` | Seconds to wait for pod to be running | 600 | -| `agent.podLabels` | Custom Pod labels (an object with `label-key: label-value` pairs) | Not set | -| `agent.jnlpregistry` | Custom docker registry used for to get agent jnlp image | Not set | +| Parameter | Description | Default | +|----------------------------------|----------------------------------------------------------------------------------------------------------------------|---------| +| `agent.enabled` | Enable Kubernetes plugin jnlp-agent podTemplate | `true` | +| `agent.namespace` | Namespace in which the Kubernetes agents should be launched | Not set | +| `agent.containerCap` | Maximum number of agent | 10 | +| `agent.defaultsProviderTemplate` | The name of the pod template to use for providing default values | Not set | +| `agent.jenkinsUrl` | Overrides the Kubernetes Jenkins URL | Not set | +| `agent.jenkinsTunnel` | Overrides the Kubernetes Jenkins tunnel | Not set | +| `agent.kubernetesConnectTimeout` | The connection timeout in seconds for connections to Kubernetes API. Minimum value is 5. | 5 | +| `agent.kubernetesReadTimeout` | The read timeout in seconds for connections to Kubernetes API. Minimum value is 15. 
| 15 | +| `agent.maxRequestsPerHostStr` | The maximum concurrent connections to Kubernetes API | 32 | +| `agent.retentionTimeout` | Time in minutes after which the Kubernetes cloud plugin will clean up an idle worker that has not already terminated | 5 | +| `agent.waitForPodSec` | Seconds to wait for pod to be running | 600 | +| `agent.podLabels` | Custom Pod labels (an object with `label-key: label-value` pairs) | Not set | +| `agent.jnlpregistry` | Custom docker registry used for to get agent jnlp image | Not set | #### Pod Configuration -| Parameter | Description | Default | -| -------------------------- | ----------------------------------------------- | ---------------------- | -| `agent.websocket` | Enables agent communication via websockets | false | -| `agent.podName` | Agent Pod base name | Not set | -| `agent.customJenkinsLabels`| Append Jenkins labels to the agent | `[]` | -| `agent.envVars` | Environment variables for the agent Pod | `[]` | -| `agent.idleMinutes` | Allows the Pod to remain active for reuse | 0 | -| `agent.imagePullSecretName` | Agent image pull secret | Not set | -| `agent.hostNetworking` | Enabled agent to use hostnetwork | false | -| `agent.nodeSelector` | Node labels for pod assignment | `{}` | -| `agent.connectTimeout` | Timeout in seconds for an agent to be online | 100 | -| `agent.volumes` | Additional volumes | `[]` | -| `agent.workspaceVolume` | Workspace volume (defaults to EmptyDir) | `{}` | -| `agent.yamlTemplate` | The raw yaml of a Pod API Object to merge into the agent spec | Not set | -| `agent.yamlMergeStrategy` | Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates | `override` | -| `agent.annotations` | Annotations to apply to the pod | `{}` | -| `agent.additionalContainers` | Add additional containers to the agents. 
| `[]` | +| Parameter | Description | Default | +|------------------------------|-----------------------------------------------------------------------------------------------|------------| +| `agent.websocket` | Enables agent communication via websockets | false | +| `agent.podName` | Agent Pod base name | Not set | +| `agent.customJenkinsLabels` | Append Jenkins labels to the agent | `[]` | +| `agent.envVars` | Environment variables for the agent Pod | `[]` | +| `agent.idleMinutes` | Allows the Pod to remain active for reuse | 0 | +| `agent.imagePullSecretName` | Agent image pull secret | Not set | +| `agent.hostNetworking` | Enabled agent to use hostnetwork | false | +| `agent.nodeSelector` | Node labels for pod assignment | `{}` | +| `agent.connectTimeout` | Timeout in seconds for an agent to be online | 100 | +| `agent.volumes` | Additional volumes | `[]` | +| `agent.workspaceVolume` | Workspace volume (defaults to EmptyDir) | `{}` | +| `agent.yamlTemplate` | The raw yaml of a Pod API Object to merge into the agent spec | Not set | +| `agent.yamlMergeStrategy` | Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates | `override` | +| `agent.annotations` | Annotations to apply to the pod | `{}` | +| `agent.additionalContainers` | Add additional containers to the agents. 
| `[]` | #### Side Container Configuration -| Parameter | Description | Default | -| -------------------------- | ----------------------------------------------- |--------------------------------------------------------------------------------| -| `agent.sideContainerName` | Side container name in agent | jnlp | -| `agent.image` | Agent image name | `jenkins/inbound-agent` | -| `agent.tag` | Agent image tag | `3107.v665000b_51092-5` | -| `agent.alwaysPullImage` | Always pull agent container image before build | `false` | -| `agent.privileged` | Agent privileged container | `false` | -| `agent.resources` | Resources allocation (Requests and Limits) | `{requests: {cpu: 512m, memory: 512Mi}, limits: {cpu: 512m, memory: 512Mi}}` | -| `agent.runAsUser` | Configure container user | Not set | -| `agent.runAsGroup` | Configure container group | Not set | -| `agent.command` | Executed command when side container starts | Not set | -| `agent.args` | Arguments passed to executed command | `${computer.jnlpmac} ${computer.name}` | -| `agent.TTYEnabled` | Allocate pseudo tty to the side container | false | -| `agent.workingDir` | Configure working directory for default agent | `/home/jenkins/agent` | +| Parameter | Description | Default | +|---------------------------|------------------------------------------------|------------------------------------------------------------------------------| +| `agent.sideContainerName` | Side container name in agent | jnlp | +| `agent.image` | Agent image name | `jenkins/inbound-agent` | +| `agent.tag` | Agent image tag | `3192.v713e3b_039fb_e-5` | +| `agent.alwaysPullImage` | Always pull agent container image before build | `false` | +| `agent.privileged` | Agent privileged container | `false` | +| `agent.resources` | Resources allocation (Requests and Limits) | `{requests: {cpu: 512m, memory: 512Mi}, limits: {cpu: 512m, memory: 512Mi}}` | +| `agent.runAsUser` | Configure container user | Not set | +| `agent.runAsGroup` | Configure 
container group | Not set | +| `agent.command` | Executed command when side container starts | Not set | +| `agent.args` | Arguments passed to executed command | `${computer.jnlpmac} ${computer.name}` | +| `agent.TTYEnabled` | Allocate pseudo tty to the side container | false | +| `agent.workingDir` | Configure working directory for default agent | `/home/jenkins/agent` | #### Other -| Parameter | Description | Default | -| -------------------------- | ----------------------------------------------- | ---------------------- | -| `agent.disableDefaultAgent` | Ignore the default Jenkins Agent configuration | false | -| `agent.podTemplates` | Configures extra pod templates for the default kubernetes cloud | `{}` | -| `additionalAgents` | Configure additional agents which inherit values from `agent` | `{}` | +| Parameter | Description | Default | +|-----------------------------|-----------------------------------------------------------------|---------| +| `agent.disableDefaultAgent` | Ignore the default Jenkins Agent configuration | false | +| `agent.podTemplates` | Configures extra pod templates for the default kubernetes cloud | `{}` | +| `additionalAgents` | Configure additional agents which inherit values from `agent` | `{}` | ### Persistence | Parameter | Description | Default | -| --------------------------- | -------------------------------------- | --------------- | +|-----------------------------|----------------------------------------|-----------------| | `persistence.enabled` | Enable the use of a Jenkins PVC | `true` | | `persistence.existingClaim` | Provide the name of a PVC | `nil` | | `persistence.storageClass` | Storage class for the PVC | `nil` | 
@@ -382,40 +382,40 @@ The following tables list the configurable parameters of the Jenkins chart and t ### Backup -| Parameter | Description | Default | -| ---------------------------------------- | ----------------------------------------------------------------- | --------------------------------- | -| `backup.enabled` | Enable the use of a backup CronJob | `false` | -| `backup.schedule` | Schedule to run jobs | `0 2 * * *` | -| `backup.labels` | Backup pod labels | `{}` | -| `backup.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | -| `backup.serviceAccount.name` | name of the backup ServiceAccount | autogenerated | -| `backup.serviceAccount.annotations` | Backup pod annotations | `{}` | -| `backup.image.repo` | Backup image repository | `maorfr/kube-tasks` | -| `backup.image.tag` | Backup image tag | `0.2.0` | -| `backup.image.imagePullSecretName` | Backup image pull secret | Not set | -| `backup.extraArgs` | Additional arguments for kube-tasks | `[]` | -| `backup.existingSecret` | Environment variables to add to the cronjob container | `{}` | -| `backup.existingSecret.*` | Specify the secret name containing the AWS or GCP credentials | `jenkinsaws` | -| `backup.existingSecret.*.awsaccesskey` | `secretKeyRef.key` used for `AWS_ACCESS_KEY_ID` | `jenkins_aws_access_key` | -| `backup.existingSecret.*.awssecretkey` | `secretKeyRef.key` used for `AWS_SECRET_ACCESS_KEY` | `jenkins_aws_secret_key` | -| `backup.existingSecret.*.azstorageaccount`| `secretKeyRef.key` used for `AZURE_STORAGE_ACCOUNT` | `""` | -| `backup.existingSecret.*.azstoragekey` | `secretKeyRef.key` used for `AZURE_STORAGE_ACCESS_KEY` | `""` | -| `backup.existingSecret.*.gcpcredentials` | Mounts secret as volume and sets `GOOGLE_APPLICATION_CREDENTIALS` | `credentials.json` | -| `backup.env` | Backup environment variables | `[]` | -| `backup.resources` | Backup CPU/Memory resource requests/limits | Memory: `1Gi`, CPU: `1` | -| `backup.destination` | Destination 
to store backup artifacts | `s3://jenkins-data/backup` | -| `backup.onlyJobs` | Only backup the job folder | `false` | -| `backup.usePodSecurityContext` | Enable backup pod's security context (must be `true` if `runAsUser`, `fsGroup`, or `podSecurityContextOverride` are set) | `true` | -| `backup.runAsUser` | Deprecated in favor of `backup.podSecurityContextOverride`. uid that jenkins runs with. | `1000` | -| `backup.fsGroup` | Deprecated in favor of `backup.podSecurityContextOverride`. uid that will be used for persistent volume. | `1000` | -| `backup.podSecurityContextOverride` | Completely overwrites the contents of the backup pod's security context, ignoring the values provided for `runAsUser`, and `fsGroup`. | Not set | -| `cronJob.apiVersion` | CronJob API version | 'batch/v1' | -| `awsSecurityGroupPolicies.enabled` | Enable the creation of SecurityGroupPolicy resources | `false` | -| `awsSecurityGroupPolicies.policies` | Security Group Policy definitions. `awsSecurityGroupPolicies.enabled` must be `true` | Not set | +| Parameter | Description | Default | +|--------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|----------------------------| +| `backup.enabled` | Enable the use of a backup CronJob | `false` | +| `backup.schedule` | Schedule to run jobs | `0 2 * * *` | +| `backup.labels` | Backup pod labels | `{}` | +| `backup.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | +| `backup.serviceAccount.name` | name of the backup ServiceAccount | autogenerated | +| `backup.serviceAccount.annotations` | Backup pod annotations | `{}` | +| `backup.image.repo` | Backup image repository | `maorfr/kube-tasks` | +| `backup.image.tag` | Backup image tag | `0.2.0` | +| `backup.image.imagePullSecretName` | Backup image pull secret | Not set | +| `backup.extraArgs` | Additional arguments for kube-tasks | `[]` | 
+| `backup.existingSecret` | Environment variables to add to the cronjob container | `{}` | +| `backup.existingSecret.*` | Specify the secret name containing the AWS or GCP credentials | `jenkinsaws` | +| `backup.existingSecret.*.awsaccesskey` | `secretKeyRef.key` used for `AWS_ACCESS_KEY_ID` | `jenkins_aws_access_key` | +| `backup.existingSecret.*.awssecretkey` | `secretKeyRef.key` used for `AWS_SECRET_ACCESS_KEY` | `jenkins_aws_secret_key` | +| `backup.existingSecret.*.azstorageaccount` | `secretKeyRef.key` used for `AZURE_STORAGE_ACCOUNT` | `""` | +| `backup.existingSecret.*.azstoragekey` | `secretKeyRef.key` used for `AZURE_STORAGE_ACCESS_KEY` | `""` | +| `backup.existingSecret.*.gcpcredentials` | Mounts secret as volume and sets `GOOGLE_APPLICATION_CREDENTIALS` | `credentials.json` | +| `backup.env` | Backup environment variables | `[]` | +| `backup.resources` | Backup CPU/Memory resource requests/limits | Memory: `1Gi`, CPU: `1` | +| `backup.destination` | Destination to store backup artifacts | `s3://jenkins-data/backup` | +| `backup.onlyJobs` | Only backup the job folder | `false` | +| `backup.usePodSecurityContext` | Enable backup pod's security context (must be `true` if `runAsUser`, `fsGroup`, or `podSecurityContextOverride` are set) | `true` | +| `backup.runAsUser` | Deprecated in favor of `backup.podSecurityContextOverride`. uid that jenkins runs with. | `1000` | +| `backup.fsGroup` | Deprecated in favor of `backup.podSecurityContextOverride`. uid that will be used for persistent volume. | `1000` | +| `backup.podSecurityContextOverride` | Completely overwrites the contents of the backup pod's security context, ignoring the values provided for `runAsUser`, and `fsGroup`. | Not set | +| `cronJob.apiVersion` | CronJob API version | 'batch/v1' | +| `awsSecurityGroupPolicies.enabled` | Enable the creation of SecurityGroupPolicy resources | `false` | +| `awsSecurityGroupPolicies.policies` | Security Group Policy definitions. 
`awsSecurityGroupPolicies.enabled` must be `true` | Not set |
 ### Helm Tests
-| Parameter | Description | Default |
-| --------------------- | --------------------------------- | --------------- |
-| `helmtest.bats.image` | Image used to test the framework | `bats/bats` |
-| `helmtest.bats.tag` | Test framework image tag override | `1.2.1` |
+| Parameter | Description | Default |
+|-----------------------|-----------------------------------|-------------|
+| `helmtest.bats.image` | Image used to test the framework | `bats/bats` |
+| `helmtest.bats.tag` | Test framework image tag override | `1.2.1` |
diff --git a/charts/jenkins/jenkins/templates/_helpers.tpl b/charts/jenkins/jenkins/templates/_helpers.tpl
index fd68ee726..6790904b2 100644
--- a/charts/jenkins/jenkins/templates/_helpers.tpl
+++ b/charts/jenkins/jenkins/templates/_helpers.tpl
@@ -170,6 +170,7 @@ jenkins:
 name: "{{ .Values.controller.cloudName }}"
 namespace: "{{ template "jenkins.agent.namespace" . }}"
 serverUrl: "{{ .Values.kubernetesURL }}"
+ credentialsId: "{{ .Values.credentialsId }}"
 {{- if .Values.agent.enabled }}
 podLabels:
 - key: "jenkins/{{ .Release.Name }}-{{ .Values.agent.componentName }}"
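Review bot: The added `credentialsId: "{{ .Values.credentialsId }}"` line is emitted unconditionally and without escaping, so a release that never sets the value presumably gets an explicit empty `credentialsId` in the generated cloud block, and a value containing a double quote or backslash would break the rendered YAML. Since this ID selects the Jenkins credential used against the API server named in `serverUrl`, I would render it only when set and let Helm do the quoting: `{{- with .Values.credentialsId }}`, `credentialsId: {{ . | quote }}`, `{{- end }}`. The same line is added for every entry in the `additionalClouds` hunk (`@@ -206,6 +207,94 @@`) and should get the same treatment. The enclosing template definition starts and ends outside this hunk, so whether `values.yaml` declares a default for `credentialsId` cannot be confirmed from here.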
@@ -206,6 +207,94 @@ jenkins: {{- end }} {{- end }} {{- end }} + {{- if .Values.additionalClouds }} + {{- /* save root */}} + {{- $oldRoot := deepCopy $ }} + {{- range $name, $additionalCloud := .Values.additionalClouds }} + {{- $newRoot := deepCopy $ }} + {{- /* clear additionalAgents from the copy if override set to `true` */}} + {{- if .additionalAgentsOverride }} + {{- $_ := set $newRoot.Values "additionalAgents" list}} + {{- end}} + {{- $newValues := merge $additionalCloud $newRoot.Values }} + {{- $_ := set $newRoot "Values" $newValues }} + {{- /* clear additionalClouds from the copy */}} + {{- $_ := set $newRoot.Values "additionalClouds" list }} + {{- with $newRoot}} + - kubernetes: + containerCapStr: "{{ .Values.agent.containerCap }}" + {{- if .Values.agent.jnlpregistry }} + jnlpregistry: "{{ .Values.agent.jnlpregistry }}" + {{- end }} + defaultsProviderTemplate: "{{ .Values.agent.defaultsProviderTemplate }}" + connectTimeout: "{{ .Values.agent.kubernetesConnectTimeout }}" + readTimeout: "{{ .Values.agent.kubernetesReadTimeout }}" + {{- if .Values.agent.directConnection }} + directConnection: true + {{- else }} + {{- if .Values.agent.jenkinsUrl }} + jenkinsUrl: "{{ tpl .Values.agent.jenkinsUrl . }}" + {{- else }} + jenkinsUrl: "http://{{ template "jenkins.fullname" . }}.{{ template "jenkins.namespace" . }}.svc.{{.Values.clusterZone}}:{{.Values.controller.servicePort}}{{ default "" .Values.controller.jenkinsUriPrefix }}" + {{- end }} + {{- if not .Values.agent.websocket }} + {{- if .Values.agent.jenkinsTunnel }} + jenkinsTunnel: "{{ tpl .Values.agent.jenkinsTunnel . }}" + {{- else }} + jenkinsTunnel: "{{ template "jenkins.fullname" . }}-agent.{{ template "jenkins.namespace" . 
}}.svc.{{.Values.clusterZone}}:{{ .Values.controller.agentListenerPort }}" + {{- end }} + {{- else }} + webSocket: true + {{- end }} + {{- end }} + maxRequestsPerHostStr: {{ .Values.agent.maxRequestsPerHostStr | quote }} + retentionTimeout: {{ .Values.agent.retentionTimeout | quote }} + waitForPodSec: {{ .Values.agent.waitForPodSec | quote }} + name: {{ $name | quote }} + namespace: "{{ template "jenkins.agent.namespace" . }}" + serverUrl: "{{ .Values.kubernetesURL }}" + credentialsId: "{{ .Values.credentialsId }}" + {{- if .Values.agent.enabled }} + podLabels: + - key: "jenkins/{{ .Release.Name }}-{{ .Values.agent.componentName }}" + value: "true" + {{- range $key, $val := .Values.agent.podLabels }} + - key: {{ $key | quote }} + value: {{ $val | quote }} + {{- end }} + templates: + {{- if not .Values.agent.disableDefaultAgent }} + {{- include "jenkins.casc.podTemplate" . | nindent 8 }} + {{- end }} + {{- if .Values.additionalAgents }} + {{- /* save .Values.agent */}} + {{- $agent := .Values.agent }} + {{- range $name, $additionalAgent := .Values.additionalAgents }} + {{- $additionalContainersEmpty := and (hasKey $additionalAgent "additionalContainers") (empty $additionalAgent.additionalContainers) }} + {{- /* merge original .Values.agent into additional agent to ensure it at least has the default values */}} + {{- $additionalAgent := merge $additionalAgent $agent }} + {{- /* clear list of additional containers in case it is configured empty for this agent (merge might have overwritten that) */}} + {{- if $additionalContainersEmpty }} + {{- $_ := set $additionalAgent "additionalContainers" list }} + {{- end }} + {{- /* set .Values.agent to $additionalAgent */}} + {{- $_ := set $.Values "agent" $additionalAgent }} + {{- include "jenkins.casc.podTemplate" $ | nindent 8 }} + {{- end }} + {{- /* restore .Values.agent */}} + {{- $_ := set .Values "agent" $agent }} + {{- end }} + {{- if .Values.agent.podTemplates }} + {{- range $key, $val := .Values.agent.podTemplates }} 
+ {{- tpl $val $ | nindent 8 }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- /* restore root */}} + {{- $_ := set $ "Values" $oldRoot.Values }} + {{- end }} {{- if .Values.controller.csrf.defaultCrumbIssuer.enabled }} crumbIssuer: standard: diff --git a/charts/jenkins/jenkins/values.yaml b/charts/jenkins/jenkins/values.yaml index 0dffad3aa..e9cfd9949 100644 --- a/charts/jenkins/jenkins/values.yaml +++ b/charts/jenkins/jenkins/values.yaml @@ -16,13 +16,16 @@ clusterZone: "cluster.local" # The URL of the Kubernetes API server kubernetesURL: "https://kubernetes.default" +# The Jenkins credentials to access the Kubernetes API server. For the the default cluster it is not needed. +credentialsId: + renderHelmLabels: true controller: # Used for label app.kubernetes.io/component componentName: "jenkins-controller" image: "jenkins/jenkins" - # tag: "2.426.1-jdk17" + # tag: "2.426.2-jdk17" tagLabel: jdk17 imagePullPolicy: "Always" imagePullSecretName: @@ -280,8 +283,8 @@ controller: # - "method groovy.json.JsonSlurperClassic parseText java.lang.String" # - "new groovy.json.JsonSlurperClassic" # List of groovy init scripts to be executed during Jenkins controller start - initScripts: [] - # - | + initScripts: {} + # test: |- # print 'adding global pipeline libraries, register properties, bootstrap jobs...' # 'name' is a name of an existing secret in same namespace as jenkins, @@ -636,7 +639,7 @@ agent: # private registry for agent image jnlpregistry: image: "jenkins/inbound-agent" - tag: "3107.v665000b_51092-15" + tag: "3192.v713e3b_039fb_e-5" workingDir: "/home/jenkins/agent" nodeUsageMode: "NORMAL" customJenkinsLabels: [] 
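Review bot: Inside `{{- with $newRoot}}` the additional-agents loop still writes to and renders from `$`, which is the template's original root rather than the per-cloud copy: `set $.Values "agent" $additionalAgent`, `include "jenkins.casc.podTemplate" $` and `tpl $val $`. The following `set .Values "agent" $agent` restores only `$newRoot`, so `$.Values.agent` stays overwritten until the final "restore root" step, and the next cloud's `deepCopy $` appears to start from the previous cloud's last additional agent. Agents of one cloud can therefore be rendered with another cloud's image or namespace settings. Using the copy throughout keeps each cloud isolated: `set $newRoot.Values "agent" $additionalAgent`, `include "jenkins.casc.podTemplate" $newRoot`, `tpl $val $newRoot`. The enclosing define starts outside the hunk.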
@@ -839,6 +842,27 @@ additionalAgents: {} # args: "cat" # TTYEnabled: true +# Here you can add additional clouds +# They inherit all values from the default cloud (including the main agent), so +# you only need to specify values which differ. If you want to override +# default additionalAgents with the additionalClouds.additionalAgents set +# additionalAgentsOverride to `true`. +additionalClouds: {} +# remote-cloud-1: +# kubernetesURL: https://api.remote-cloud.com +# additionalAgentsOverride: true +# additionalAgents: +# maven-2: +# podName: maven-2 +# customJenkinsLabels: maven +# # An example of overriding the jnlp container +# # sideContainerName: jnlp +# image: jenkins/jnlp-agent-maven +# tag: latest +# namespace: my-other-maven-namespace +# remote-cloud-2: +# kubernetesURL: https://api.remote-cloud.com + persistence: enabled: true ## A manually managed Persistent Volume and Claim diff --git a/charts/jfrog/artifactory-ha/CHANGELOG.md b/charts/jfrog/artifactory-ha/CHANGELOG.md index d3e8acd1a..9987e6dec 100644 --- a/charts/jfrog/artifactory-ha/CHANGELOG.md +++ b/charts/jfrog/artifactory-ha/CHANGELOG.md @@ -1,7 +1,7 @@ # JFrog Artifactory-ha Chart Changelog All changes to this chart will be documented in this file -## [107.71.5] - Nov 15, 2023 +## [107.71.11] - Nov 15, 2023 * Fixed - StatefulSet pod annotations changed from range to toYaml [GH-1828](https://github.com/jfrog/charts/issues/1828) * Fixed - Invalid format for awsS3V3 `multiPartLimit,multipartElementSize` in binarystore.xml * Fixed - Artifactory primary service condition diff --git a/charts/jfrog/artifactory-ha/Chart.yaml b/charts/jfrog/artifactory-ha/Chart.yaml index 37e79eb05..7f44c5d46 100644 --- a/charts/jfrog/artifactory-ha/Chart.yaml +++ b/charts/jfrog/artifactory-ha/Chart.yaml 
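Review bot: The comment says additional clouds inherit all values from the default cloud, but it does not call out that this includes the top-level `credentialsId`. A cloud entry that sets only `kubernetesURL`, like `remote-cloud-2` in the example, is rendered with the default cloud's credential id against a different API server. I would add a line such as `# credentialsId is inherited too; set it per cloud when kubernetesURL differs` and show `credentialsId: remote-cloud-1-credentials` (constructed value) under `remote-cloud-1`. The example's `tag: latest` is also worth replacing with a pinned tag so copied configurations stay reproducible.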
@@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.14.0-0' catalog.cattle.io/release-name: artifactory-ha apiVersion: v2 -appVersion: 7.71.5 +appVersion: 7.71.11 dependencies: - condition: postgresql.enabled name: postgresql @@ -26,4 +26,4 @@ name: artifactory-ha sources: - https://github.com/jfrog/charts type: application -version: 107.71.5 +version: 107.71.11 diff --git a/charts/jfrog/artifactory-jcr/CHANGELOG.md b/charts/jfrog/artifactory-jcr/CHANGELOG.md index ae04ca06c..d1b60c7ee 100644 --- a/charts/jfrog/artifactory-jcr/CHANGELOG.md +++ b/charts/jfrog/artifactory-jcr/CHANGELOG.md @@ -1,7 +1,7 @@ # JFrog Container Registry Chart Changelog All changes to this chart will be documented in this file. -## [107.71.5] - Jul 20, 2023 +## [107.71.11] - Jul 20, 2023 * Disabled federation services when splitServicesToContainers=true ## [107.45.0] - Aug 25, 2022 diff --git a/charts/jfrog/artifactory-jcr/Chart.yaml b/charts/jfrog/artifactory-jcr/Chart.yaml index e9cf1667b..f34c71ac9 100644 --- a/charts/jfrog/artifactory-jcr/Chart.yaml +++ b/charts/jfrog/artifactory-jcr/Chart.yaml @@ -4,11 +4,11 @@ annotations: catalog.cattle.io/kube-version: '>= 1.14.0-0' catalog.cattle.io/release-name: artifactory-jcr apiVersion: v2 -appVersion: 7.71.5 +appVersion: 7.71.11 dependencies: - name: artifactory repository: file://./charts/artifactory - version: 107.71.5 + version: 107.71.11 description: JFrog Container Registry home: https://jfrog.com/container-registry/ icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-jcr/logo/jcr-logo.png @@ -27,4 +27,4 @@ name: artifactory-jcr sources: - https://github.com/jfrog/charts type: application -version: 107.71.5 +version: 107.71.11 diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md b/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md index e454ed0a4..67a048985 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md 
+++ b/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md @@ -1,7 +1,7 @@ # JFrog Artifactory Chart Changelog All changes to this chart will be documented in this file. -## [107.71.5] - Oct 31, 2023 +## [107.71.11] - Oct 31, 2023 * Fixed - StatefulSet pod annotations changed from range to toYaml [GH-1828](https://github.com/jfrog/charts/issues/1828) * Fixed - Invalid format for awsS3V3 `multiPartLimit,multipartElementSize` in binarystore.xml. diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml index bafd4c95f..753e010e1 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 7.71.5 +appVersion: 7.71.11 dependencies: - condition: postgresql.enabled name: postgresql @@ -21,4 +21,4 @@ name: artifactory sources: - https://github.com/jfrog/charts type: application -version: 107.71.5 +version: 107.71.11 diff --git a/charts/kong/kong/CHANGELOG.md b/charts/kong/kong/CHANGELOG.md index 37b8a0a82..fecec34c5 100644 --- a/charts/kong/kong/CHANGELOG.md +++ b/charts/kong/kong/CHANGELOG.md 
@@ -1,8 +1,46 @@ # Changelog -## Unreleased +## 2.33.3 -Nothing yet. +### Fixed + +* Add RBAC rules for get, list and watch operations on namespaces so that Gateway API + controllers in KIC can access using a cached controller-runtime client. + [#974](https://github.com/Kong/charts/pull/974) + +## 2.33.2 + +### Fixed + +* Fix a template bug related to the `affinity` field for migrations Pods. + [#972](https://github.com/Kong/charts/pull/972) + +## 2.33.1 + +### Fixed + +* Use changed `incubator.ingress-controller.konghq.com` API group name in `KongServiceFacade` + RBAC rules. Refer to [KIC#5302](https://github.com/Kong/kubernetes-ingress-controller/pull/5302) + for rename reasoning. + [#968](https://github.com/Kong/charts/pull/968) + +## 2.33.0 + +### Improvements + +* Only allow `None` ClusterIPs on ClusterIP-type Services. + [#961](https://github.com/Kong/charts/pull/961) + [#962](https://github.com/Kong/charts/pull/962) +* Bumped Kong version to 3.5. + [#957](https://github.com/Kong/charts/pull/957) +* Support for `affinity` configuration has been added to migration job templates. +* Display a warning message when Kong Manager is enabled and the Admin API is disabled. +* Validate Gateway API's `Gateway` and `HTTPRoute` resources in the controller's + admission webhook only when KIC version is 3.0 or higher. + [#954](https://github.com/Kong/charts/pull/954) +* Added controller's RBAC rules for `KongServiceFacade` CRD (installed only when + KongServiceFacade feature gate turned on and KIC version >= 3.1.0). + [#963](https://github.com/Kong/charts/pull/963) ## 2.32.0 diff --git a/charts/kong/kong/Chart.yaml b/charts/kong/kong/Chart.yaml index a246edc9b..c59a59fb6 100644 --- a/charts/kong/kong/Chart.yaml +++ b/charts/kong/kong/Chart.yaml @@ -3,7 +3,7 @@ annotations: catalog.cattle.io/display-name: Kong Gateway catalog.cattle.io/release-name: kong apiVersion: v2 -appVersion: "3.4" +appVersion: "3.5" dependencies: - condition: postgresql.enabled name: postgresql 
@@ -18,4 +18,4 @@ maintainers: name: kong sources: - https://github.com/Kong/charts/tree/main/charts/kong -version: 2.32.0 +version: 2.33.3 diff --git a/charts/kong/kong/README.md b/charts/kong/kong/README.md index 11bc89d7c..3c1cdbd5b 100644 --- a/charts/kong/kong/README.md +++ b/charts/kong/kong/README.md @@ -609,7 +609,7 @@ directory. | Parameter | Description | Default | | ---------------------------------- | ------------------------------------------------------------------------------------- | ------------------- | | image.repository | Kong image | `kong` | -| image.tag | Kong image version | `3.4` | +| image.tag | Kong image version | `3.5` | | image.effectiveSemver | Semantic version to use for version-dependent features (if `tag` is not a semver) | | | image.pullPolicy | Image pull policy | `IfNotPresent` | | image.pullSecrets | Image pull secrets | `null` | @@ -777,7 +777,7 @@ section of `values.yaml` file: #### The `env` section For a complete list of all configuration values you can set in the `env` section, please read the Kong Ingress Controller's -[configuration document](https://github.com/Kong/docs.konghq.com/blob/main/src/kubernetes-ingress-controller/references/cli-arguments.md). +[configuration document](https://docs.konghq.com/kubernetes-ingress-controller/latest/reference/cli-arguments/). #### The `customEnv` section diff --git a/charts/kong/kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml b/charts/kong/kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml index 373ebdd03..3b8423d55 100644 --- a/charts/kong/kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml +++ b/charts/kong/kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml @@ -145,7 +145,7 @@ extraLabels: konghq.com/component: quickstart image: repository: kong/kong-gateway - tag: "3.4" + tag: "3.5" ingressController: enabled: true env: 
diff --git a/charts/kong/kong/example-values/full-k4k8s-with-kong-enterprise.yaml b/charts/kong/kong/example-values/full-k4k8s-with-kong-enterprise.yaml index 6be6ed8e7..aa20946a0 100644 --- a/charts/kong/kong/example-values/full-k4k8s-with-kong-enterprise.yaml +++ b/charts/kong/kong/example-values/full-k4k8s-with-kong-enterprise.yaml @@ -12,7 +12,7 @@ image: repository: kong/kong-gateway - tag: "3.4" + tag: "3.5" env: prefix: /kong_prefix/ diff --git a/charts/kong/kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml b/charts/kong/kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml index f8faf44bf..202dc4261 100644 --- a/charts/kong/kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml +++ b/charts/kong/kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml @@ -9,7 +9,7 @@ image: repository: kong/kong-gateway - tag: "3.4" + tag: "3.5" admin: enabled: true diff --git a/charts/kong/kong/example-values/minimal-kong-controller.yaml b/charts/kong/kong/example-values/minimal-kong-controller.yaml index 88d61c748..badf1526d 100644 --- a/charts/kong/kong/example-values/minimal-kong-controller.yaml +++ b/charts/kong/kong/example-values/minimal-kong-controller.yaml @@ -2,7 +2,7 @@ image: repository: kong - tag: "3.4" + tag: "3.5" env: prefix: /kong_prefix/ diff --git a/charts/kong/kong/example-values/minimal-kong-enterprise-dbless.yaml b/charts/kong/kong/example-values/minimal-kong-enterprise-dbless.yaml index 206238df8..c2c83bb1f 100644 --- a/charts/kong/kong/example-values/minimal-kong-enterprise-dbless.yaml +++ b/charts/kong/kong/example-values/minimal-kong-enterprise-dbless.yaml @@ -4,7 +4,7 @@ image: repository: kong/kong-gateway - tag: "3.4" + tag: "3.5" enterprise: enabled: true diff --git a/charts/kong/kong/example-values/minimal-kong-enterprise-hybrid-control.yaml b/charts/kong/kong/example-values/minimal-kong-enterprise-hybrid-control.yaml index 2c5e9bbcb..89dfab0fd 100644 
--- a/charts/kong/kong/example-values/minimal-kong-enterprise-hybrid-control.yaml +++ b/charts/kong/kong/example-values/minimal-kong-enterprise-hybrid-control.yaml @@ -14,7 +14,7 @@ image: repository: kong/kong-gateway - tag: "3.4" + tag: "3.5" env: database: postgres diff --git a/charts/kong/kong/example-values/minimal-kong-enterprise-hybrid-data.yaml b/charts/kong/kong/example-values/minimal-kong-enterprise-hybrid-data.yaml index ff08b5343..ac66f18ef 100644 --- a/charts/kong/kong/example-values/minimal-kong-enterprise-hybrid-data.yaml +++ b/charts/kong/kong/example-values/minimal-kong-enterprise-hybrid-data.yaml @@ -12,7 +12,7 @@ image: repository: kong/kong-gateway - tag: "3.4" + tag: "3.5" env: role: data_plane diff --git a/charts/kong/kong/example-values/minimal-kong-hybrid-control.yaml b/charts/kong/kong/example-values/minimal-kong-hybrid-control.yaml index e58cb8ded..e8b449aa1 100644 --- a/charts/kong/kong/example-values/minimal-kong-hybrid-control.yaml +++ b/charts/kong/kong/example-values/minimal-kong-hybrid-control.yaml @@ -6,7 +6,7 @@ image: repository: kong - tag: "3.4" + tag: "3.5" env: prefix: /kong_prefix/ diff --git a/charts/kong/kong/example-values/minimal-kong-hybrid-data.yaml b/charts/kong/kong/example-values/minimal-kong-hybrid-data.yaml index 2f40013e5..c3e88e29c 100644 --- a/charts/kong/kong/example-values/minimal-kong-hybrid-data.yaml +++ b/charts/kong/kong/example-values/minimal-kong-hybrid-data.yaml @@ -11,7 +11,7 @@ image: repository: kong - tag: "3.4" + tag: "3.5" env: prefix: /kong_prefix/ diff --git a/charts/kong/kong/example-values/minimal-kong-standalone.yaml b/charts/kong/kong/example-values/minimal-kong-standalone.yaml index ceb9b8bc1..e36d18a58 100644 --- a/charts/kong/kong/example-values/minimal-kong-standalone.yaml +++ b/charts/kong/kong/example-values/minimal-kong-standalone.yaml @@ -6,7 +6,7 @@ image: repository: kong - tag: "3.4" + tag: "3.5" env: prefix: /kong_prefix/ 
diff --git a/charts/kong/kong/templates/NOTES.txt b/charts/kong/kong/templates/NOTES.txt index 9b01d1846..2d7e4ea0d 100644 --- a/charts/kong/kong/templates/NOTES.txt +++ b/charts/kong/kong/templates/NOTES.txt @@ -12,10 +12,17 @@ Once installed, please follow along the getting started guide to start using Kong: https://docs.konghq.com/kubernetes-ingress-controller/latest/guides/getting-started/ {{ $warnings := list -}} + {{- if (hasKey .Values.ingressController "serviceAccount") -}} {{- if (or (hasKey .Values.ingressController.serviceAccount "name") (hasKey .Values.ingressController.serviceAccount "annotations")) -}} {{- $warnings = append $warnings "you have set either .ingressController.serviceAccount.name or .ingressController.serviceAccount.annotations. These settings have moved to .deployment.serviceAccount.name and .deployment.serviceAccount.annotations. You must move your configuration to the new location in values.yaml" -}} {{- end -}} {{- end -}} +{{- if and .Values.manager.enabled (or .Values.manager.http.enabled .Values.manager.tls.enabled) -}} +{{- if not (and .Values.admin.enabled (or .Values.admin.http.enabled .Values.admin.tls.enabled)) -}} +{{- $warnings = append $warnings "Kong Manager will not be functional because the Admin API is not enabled. Setting both .admin.enabled and .admin.http.enabled and/or .admin.tls.enabled to true to enable the Admin API over HTTP/TLS." -}} +{{- end -}} +{{- end -}} + {{- include "kong.deprecation-warnings" $warnings -}} diff --git a/charts/kong/kong/templates/_helpers.tpl b/charts/kong/kong/templates/_helpers.tpl index bd2f83d5f..395ed2e80 100644 --- a/charts/kong/kong/templates/_helpers.tpl +++ b/charts/kong/kong/templates/_helpers.tpl 
@@ -252,8 +252,10 @@ spec: externalTrafficPolicy: {{ .externalTrafficPolicy }} {{- end }} {{- if .clusterIP }} + {{- if (or (not (eq .clusterIP "None")) (and (eq .type "ClusterIP") (eq .clusterIP "None"))) }} clusterIP: {{ .clusterIP }} {{- end }} + {{- end }} selector: {{- .selectorLabels | nindent 4 }} {{- end -}} @@ -1253,7 +1255,6 @@ Kubernetes namespace-scoped resources it uses to build Kong configuration. Collectively, these are built from: kubectl kustomize github.com/kong/kubernetes-ingress-controller/config/rbac?ref=main -kubectl kustomize github.com/kong/kubernetes-ingress-controller/config/rbac/knative?ref=main kubectl kustomize github.com/kong/kubernetes-ingress-controller/config/rbac/gateway?ref=main However, there is no way to generate the split between cluster and namespaced @@ -1261,6 +1262,25 @@ role sets used in the charts. Updating these requires separating out cluster resource roles into their separate templates. */}} {{- define "kong.kubernetesRBACRules" -}} +{{- if and (semverCompare ">= 3.1.0" (include "kong.effectiveVersion" .Values.ingressController.image)) + (contains (print .Values.ingressController.env.feature_gates) "KongServiceFacade=true") }} +- apiGroups: + - incubator.ingress-controller.konghq.com + resources: + - kongservicefacades + verbs: + - get + - list + - watch +- apiGroups: + - incubator.ingress-controller.konghq.com + resources: + - kongservicefacades/status + verbs: + - get + - patch + - update +{{- end }} {{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} - apiGroups: - configuration.konghq.com @@ -1654,6 +1674,14 @@ Kubernetes Cluster-scoped resources it uses to build Kong configuration. verbs: - get - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch {{- end }} - apiGroups: - networking.k8s.io 
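Review bot: The new guard around `clusterIP` can be written more simply, and it drops a `None` value without telling the user. `(or (not (eq .clusterIP "None")) (and (eq .type "ClusterIP") (eq .clusterIP "None")))` is equivalent to `(or (ne .clusterIP "None") (eq .type "ClusterIP"))`. When `clusterIP: None` is set on a Service of another type, the field is silently omitted. A short template comment such as `{{- /* headless (None) is only valid on ClusterIP Services; ignored otherwise */}}` would document that. The surrounding define starts outside the hunk.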
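Review bot: The arguments to `contains` in the added `KongServiceFacade` condition look reversed. Sprig's `contains` takes the substring first and the string to search second, so `contains (print .Values.ingressController.env.feature_gates) "KongServiceFacade=true"` asks whether the literal contains the whole `feature_gates` value. With a list such as `GatewayAlpha=true,KongServiceFacade=true` (constructed example) the rules are not rendered, while an empty `feature_gates: ""` matches and grants the `kongservicefacades` rules although the gate is off. `(contains "KongServiceFacade=true" (print .Values.ingressController.env.feature_gates))` gives the intended check.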
diff --git a/charts/kong/kong/templates/admission-webhook.yaml b/charts/kong/kong/templates/admission-webhook.yaml index 1be937fbb..979f1c0ab 100644 --- a/charts/kong/kong/templates/admission-webhook.yaml +++ b/charts/kong/kong/templates/admission-webhook.yaml @@ -104,7 +104,9 @@ webhooks: apiVersions: - 'v1alpha2' - 'v1beta1' +{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} - 'v1' +{{- end }} operations: - CREATE - UPDATE diff --git a/charts/kong/kong/templates/migrations-post-upgrade.yaml b/charts/kong/kong/templates/migrations-post-upgrade.yaml index 6b1b38e32..3fe759ba2 100644 --- a/charts/kong/kong/templates/migrations-post-upgrade.yaml +++ b/charts/kong/kong/templates/migrations-post-upgrade.yaml @@ -76,6 +76,10 @@ spec: {{- toYaml .Values.migrations.resources | nindent 10 }} securityContext: {{- include "kong.podsecuritycontext" . | nindent 8 }} + {{- if .Values.affinity }} + affinity: + {{- toYaml .Values.affinity | nindent 8 }} + {{- end }} {{- if .Values.nodeSelector }} nodeSelector: {{- toYaml .Values.nodeSelector | nindent 8 }} diff --git a/charts/kong/kong/templates/migrations-pre-upgrade.yaml b/charts/kong/kong/templates/migrations-pre-upgrade.yaml index f5002aec9..2f57eae8d 100644 --- a/charts/kong/kong/templates/migrations-pre-upgrade.yaml +++ b/charts/kong/kong/templates/migrations-pre-upgrade.yaml @@ -78,6 +78,10 @@ spec: {{- toYaml .Values.migrations.resources| nindent 10 }} securityContext: {{- include "kong.podsecuritycontext" . | nindent 8 }} + {{- if .Values.affinity }} + affinity: + {{- toYaml .Values.affinity | nindent 8 }} + {{- end }} {{- if .Values.nodeSelector }} nodeSelector: {{- toYaml .Values.nodeSelector | nindent 8 }} diff --git a/charts/kong/kong/templates/migrations.yaml b/charts/kong/kong/templates/migrations.yaml index a996fcd13..8faf5e913 100644 --- a/charts/kong/kong/templates/migrations.yaml +++ b/charts/kong/kong/templates/migrations.yaml 
@@ -86,6 +86,10 @@ spec: {{- toYaml .Values.migrations.resources | nindent 10 }} securityContext: {{- include "kong.podsecuritycontext" . | nindent 8 }} + {{- if .Values.affinity }} + affinity: + {{- toYaml .Values.affinity | nindent 8 }} + {{- end }} {{- if .Values.nodeSelector }} nodeSelector: {{- toYaml .Values.nodeSelector | nindent 8 }} diff --git a/charts/kong/kong/values.yaml b/charts/kong/kong/values.yaml index a3a73015b..340fa1135 100644 --- a/charts/kong/kong/values.yaml +++ b/charts/kong/kong/values.yaml @@ -126,10 +126,10 @@ extraLabels: {} # Specify Kong's Docker image and repository details here image: repository: kong - tag: "3.4" + tag: "3.5" # Kong Enterprise # repository: kong/kong-gateway - # tag: "3.4" + # tag: "3.5" # Specify a semver version if your image tag is not one (e.g. "nightly") effectiveSemver: diff --git a/charts/kubecost/cost-analyzer/Chart.yaml b/charts/kubecost/cost-analyzer/Chart.yaml index 5eb7688ce..87f687beb 100644 --- a/charts/kubecost/cost-analyzer/Chart.yaml +++ b/charts/kubecost/cost-analyzer/Chart.yaml @@ -7,7 +7,7 @@ annotations: catalog.cattle.io/featured: "1" catalog.cattle.io/release-name: cost-analyzer apiVersion: v2 -appVersion: 1.107.1 +appVersion: 1.108.1 dependencies: - condition: global.grafana.enabled name: grafana @@ -25,4 +25,4 @@ description: A Helm chart that sets up Kubecost, Prometheus, and Grafana to moni cloud costs. icon: https://partner-charts.rancher.io/assets/logos/kubecost.png name: cost-analyzer -version: 1.107.1 +version: 1.108.1 diff --git a/charts/kubecost/cost-analyzer/charts/grafana/templates/deployment.yaml b/charts/kubecost/cost-analyzer/charts/grafana/templates/deployment.yaml index de83b48a0..1ece09a5a 100644 --- a/charts/kubecost/cost-analyzer/charts/grafana/templates/deployment.yaml +++ b/charts/kubecost/cost-analyzer/charts/grafana/templates/deployment.yaml 
@@ -32,26 +32,29 @@ spec: {{- if .Values.global.additionalLabels }} {{ toYaml .Values.global.additionalLabels | nindent 8 }} {{- end }} -{{- with .Values.podAnnotations }} + {{- with .Values.podAnnotations }} annotations: -{{ toYaml . | indent 8 }} -{{- end }} + {{ toYaml . | indent 8 }} + {{- end }} spec: serviceAccountName: {{ template "grafana.serviceAccountName" . }} -{{- if .Values.schedulerName }} + {{- if .Values.schedulerName }} schedulerName: "{{ .Values.schedulerName }}" -{{- end }} -{{- if .Values.global.securityContext }} + {{- end }} + {{- if .Values.securityContext }} securityContext: -{{- toYaml .Values.global.securityContext | nindent 8 }} -{{- else if .Values.securityContext }} + {{- toYaml .Values.securityContext | nindent 8 }} + {{- else if and (.Values.global.platforms.openshift.enabled) (.Values.global.platforms.openshift.securityContext) }} securityContext: -{{- toYaml .Values.securityContext | nindent 8 }} -{{- end }} -{{- if .Values.priorityClassName }} + {{- toYaml .Values.global.platforms.openshift.securityContext | nindent 8 }} + {{- else if .Values.global.securityContext }} + securityContext: + {{- toYaml .Values.global.securityContext | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} priorityClassName: "{{ .Values.priorityClassName }}" -{{- end }} -{{- if .Values.dashboards }} + {{- end }} + {{- if .Values.dashboards }} initContainers: - name: download-dashboards image: "{{ .Values.downloadDashboardsImage.repository }}:{{ .Values.downloadDashboardsImage.tag }}" @@ -67,13 +70,15 @@ spec: subPath: download_dashboards.sh - name: storage mountPath: "/var/lib/grafana" + {{- if .Values.persistence.subPath }} subPath: {{ .Values.persistence.subPath }} + {{- end }} {{- range .Values.extraSecretMounts }} - name: {{ .name }} mountPath: {{ .mountPath }} readOnly: {{ .readOnly }} {{- end }} -{{- end }} + {{- end }} {{- if .Values.image.pullSecrets }} imagePullSecrets: {{- range .Values.image.pullSecrets }} 
@@ -81,7 +86,7 @@ spec: {{- end}} {{- end }} containers: -{{- if .Values.sidecar.dashboards.enabled }} + {{- if .Values.sidecar.dashboards.enabled }} - name: {{ template "grafana.name" . }}-sc-dashboard image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}" imagePullPolicy: {{ .Values.sidecar.image.pullPolicy }} @@ -96,13 +101,15 @@ spec: value: "{{ .Values.sidecar.dashboards.folder }}" - name: ERROR_THROTTLE_SLEEP value: "{{ .Values.sidecar.dashboards.error_throttle_sleep }}" + {{- with .Values.sidecar.resources }} resources: -{{ toYaml .Values.sidecar.resources | indent 12 }} + {{- toYaml . | nindent 12 }} + {{- end }} volumeMounts: - name: sc-dashboard-volume mountPath: {{ .Values.sidecar.dashboards.folder | quote }} -{{- end}} -{{- if .Values.sidecar.datasources.enabled }} + {{- end}} + {{- if .Values.sidecar.datasources.enabled }} - name: {{ template "grafana.name" . }}-sc-datasources image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}" imagePullPolicy: {{ .Values.sidecar.image.pullPolicy }} @@ -118,11 +125,11 @@ spec: - name: ERROR_THROTTLE_SLEEP value: "{{ .Values.sidecar.datasources.error_throttle_sleep }}" resources: -{{ toYaml .Values.sidecar.resources | indent 12 }} + {{ toYaml .Values.sidecar.resources | indent 12 }} volumeMounts: - name: sc-datasources-volume mountPath: "/etc/grafana/provisioning/datasources" -{{- end}} + {{- end}} - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} @@ -177,7 +184,9 @@ spec: {{- end}} - name: storage mountPath: "/var/lib/grafana" + {{- if .Values.persistence.subPath }} subPath: {{ .Values.persistence.subPath }} + {{- end }} {{- range .Values.extraSecretMounts }} - name: {{ .name }} mountPath: {{ .mountPath }} 
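Review bot: The datasources sidecar was not given the `with`/`nindent` treatment that this commit applies to the dashboards sidecar in the previous hunk. It still renders `resources:` unconditionally, followed by `{{ toYaml .Values.sidecar.resources | indent 12 }}`. That line now appears to carry its own leading indentation, though whitespace is collapsed in this view, so this is inferred. With a multi-key `sidecar.resources` the first key would then sit deeper than the rest. Mirroring the dashboards block keeps both sidecars consistent: wrap `resources:` in `{{- with .Values.sidecar.resources }}` … `{{- end }}` and emit `{{- toYaml . | nindent 12 }}`.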
diff --git a/charts/kubecost/cost-analyzer/charts/grafana/templates/role.yaml b/charts/kubecost/cost-analyzer/charts/grafana/templates/role.yaml index 69ec661db..4a0abd518 100644 --- a/charts/kubecost/cost-analyzer/charts/grafana/templates/role.yaml +++ b/charts/kubecost/cost-analyzer/charts/grafana/templates/role.yaml @@ -1,5 +1,4 @@ -{{ if .Values.global.grafana.enabled }} -{{- if .Values.rbac.create }} +{{ if and .Values.global.grafana.enabled .Values.rbac.create .Values.rbac.pspEnabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -10,12 +9,9 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} -{{- if .Values.rbac.pspEnabled }} rules: - apiGroups: ['extensions'] resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: [{{ template "grafana.fullname" . }}] -{{- end }} -{{- end }} {{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/grafana/templates/rolebinding.yaml b/charts/kubecost/cost-analyzer/charts/grafana/templates/rolebinding.yaml index c8fa0d30c..4f11d6904 100644 --- a/charts/kubecost/cost-analyzer/charts/grafana/templates/rolebinding.yaml +++ b/charts/kubecost/cost-analyzer/charts/grafana/templates/rolebinding.yaml @@ -1,5 +1,4 @@ -{{ if .Values.global.grafana.enabled }} -{{- if .Values.rbac.create -}} +{{ if and .Values.global.grafana.enabled .Values.rbac.create .Values.rbac.pspEnabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -17,5 +16,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "grafana.serviceAccountName" . }} -{{- end -}} -{{ end }} +{{ end }} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/charts/grafana/values.yaml b/charts/kubecost/cost-analyzer/charts/grafana/values.yaml index 3375a8404..61039ebee 100644 --- a/charts/kubecost/cost-analyzer/charts/grafana/values.yaml +++ b/charts/kubecost/cost-analyzer/charts/grafana/values.yaml 
@@ -35,9 +35,9 @@ image: # pullSecrets: # - myRegistrKeySecretName -securityContext: - runAsUser: 472 - fsGroup: 472 +securityContext: {} + # runAsUser: 472 + # fsGroup: 472 downloadDashboardsImage: repository: curlimages/curl @@ -258,15 +258,9 @@ smtp: sidecar: image: repository: kiwigrid/k8s-sidecar - tag: 1.25.1 + tag: 1.25.2 pullPolicy: IfNotPresent - resources: -# limits: -# cpu: 100m -# memory: 100Mi -# requests: -# cpu: 50m -# memory: 50Mi + resources: {} dashboards: enabled: false # label that the configmaps with dashboards are marked with diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-deployment.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-deployment.yaml index e22b07ec4..07f727573 100644 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-deployment.yaml +++ b/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-deployment.yaml @@ -88,8 +88,8 @@ spec: image: "{{ .Values.configmapReload.alertmanager.image.repository }}:{{ .Values.configmapReload.alertmanager.image.tag }}" imagePullPolicy: "{{ .Values.configmapReload.alertmanager.image.pullPolicy }}" args: - - --volume-dir=/etc/config - - --webhook-url=http://127.0.0.1:9093{{ .Values.alertmanager.prefixURL }}/-/reload + - --watched-dir=/etc/config + - --reload-url=http://127.0.0.1:9093{{ .Values.alertmanager.prefixURL }}/-/reload resources: {{ toYaml .Values.configmapReload.alertmanager.resources | indent 12 }} volumeMounts: diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-statefulset.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-statefulset.yaml index b519d08f1..5f191382c 100644 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-statefulset.yaml +++ b/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-statefulset.yaml 
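Review bot: Changing the default to `securityContext: {}` means the Grafana pod gets a pod-level security context only when the OpenShift override or `global.securityContext` supplies one. The parent chart's defaults are not visible in this hunk, so whether a non-root UID and `fsGroup` are still applied out of the box should be confirmed. Without them the pod runs as whatever user the image declares and volume ownership is left unmanaged. A comment on the key would help, for example `# empty: falls back to global.platforms.openshift.securityContext, then global.securityContext`.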
@@ -92,8 +92,8 @@ spec: image: "{{ .Values.configmapReload.alertmanager.image.repository }}:{{ .Values.configmapReload.alertmanager.image.tag }}" imagePullPolicy: "{{ .Values.configmapReload.alertmanager.image.pullPolicy }}" args: - - --volume-dir=/etc/config - - --webhook-url=http://localhost:9093{{ .Values.alertmanager.prefixURL }}/-/reload + - --watched-dir=/etc/config + - --reload-url=http://localhost:9093{{ .Values.alertmanager.prefixURL }}/-/reload resources: {{ toYaml .Values.configmapReload.alertmanager.resources | indent 12 }} volumeMounts: diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-ocp-scc.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-ocp-scc.yaml new file mode 100644 index 000000000..62b0ff2aa --- /dev/null +++ b/charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-ocp-scc.yaml @@ -0,0 +1,29 @@ +{{- if and (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") (.Values.global.platforms.openshift.scc.nodeExporter) (.Values.nodeExporter.enabled) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "prometheus.nodeExporter.fullname" . }} +priority: 10 +allowPrivilegedContainer: true +allowHostDirVolumePlugin: true +allowHostNetwork: true +allowHostPorts: true +allowHostPID: true +allowHostIPC: false +readOnlyRootFilesystem: false +runAsUser: + type: RunAsAny +fsGroup: + type: RunAsAny +seLinuxContext: + type: RunAsAny +supplementalGroups: + type: RunAsAny +seccompProfiles: +- runtime/default +volumes: + - hostPath + - projected +users: + - system:serviceaccount:{{ .Release.Namespace }}:{{ template "prometheus.serviceAccountName.nodeExporter" . }} +{{- end }} \ No newline at end of file 
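Review bot: The new SecurityContextConstraints in node-exporter-ocp-scc.yaml grants `allowPrivilegedContainer: true` on top of host network, host PID, host ports, `hostPath` volumes and `RunAsAny` for user and SELinux context, which amounts to node-level access for the node-exporter service account. Nothing in this hunk shows node-exporter needing a privileged container; if its DaemonSet (not in view) does not set `privileged: true`, tighten this to `allowPrivilegedContainer: false` and add `requiredDropCapabilities: [ALL]`. An SCC is cluster-scoped, so a name taken only from `prometheus.nodeExporter.fullname` may collide when the same release name is installed in two namespaces; including `.Release.Namespace` in the name would avoid that. A header comment stating why each host permission is required would make later review of this file much easier.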
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-deployment.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-deployment.yaml index 4924f9136..9c6d2fa46 100644 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-deployment.yaml +++ b/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-deployment.yaml @@ -56,7 +56,7 @@ spec: - --{{ $key }}={{ $value }} {{- end }} {{- range .Values.configmapReload.prometheus.extraVolumeDirs }} - - --volume-dir={{ . }} + - --watched-dir={{ . }} {{- end }} resources: {{- toYaml .Values.configmapReload.prometheus.resources | nindent 12 }} @@ -173,18 +173,25 @@ spec: {{- end }} {{- if .Values.imagePullSecrets }} imagePullSecrets: - {{ toYaml .Values.imagePullSecrets | indent 2 }} + {{ toYaml .Values.imagePullSecrets | indent 0 }} {{- end }} {{- if .Values.server.nodeSelector }} nodeSelector: {{- toYaml .Values.server.nodeSelector | nindent 8 }} {{- end }} - {{- if .Values.global.securityContext }} + {{- if .Values.server.securityContext }} + securityContext: + {{- if not .Values.server.securityContext.fsGroup }} + fsGroupChangePolicy: OnRootMismatch + fsGroup: 1001 + {{- end }} + {{- toYaml .Values.server.securityContext | nindent 8 }} + {{- else if and (.Values.global.platforms.openshift.enabled) (.Values.global.platforms.openshift.securityContext) }} + securityContext: + {{- toYaml .Values.global.platforms.openshift.securityContext | nindent 8 }} + {{- else if .Values.global.securityContext }} securityContext: {{- toYaml .Values.global.securityContext | nindent 8 }} - {{- else if .Values.server.securityContext }} - securityContext2: - {{- toYaml .Values.server.securityContext | nindent 8 }} {{- end }} {{- if .Values.server.tolerations }} tolerations: 
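Review bot: In the `@@ -173,18` hunk the `fsGroupChangePolicy: OnRootMismatch` and `fsGroup: 1001` defaults are written before `toYaml .Values.server.securityContext`, so the rendered `securityContext` can contain a key twice. That happens when a user sets `fsGroupChangePolicy` without `fsGroup`, or sets `fsGroup: 0`, which `not` treats as unset. Guard each default on the key being absent, e.g. `{{- if not (hasKey .Values.server.securityContext "fsGroupChangePolicy") }}` around the policy line and `hasKey … "fsGroup"` around the group line. The precedence also flips from global-first to server-first, which deserves a line in the values.yaml comment for `server.securityContext`. The pod spec continues outside the hunk.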
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-statefulset.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-statefulset.yaml index d121c2696..37ac3d80b 100644 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-statefulset.yaml +++ b/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-statefulset.yaml @@ -57,7 +57,7 @@ spec: - --{{ $key }}={{ $value }} {{- end }} {{- range .Values.configmapReload.prometheus.extraVolumeDirs }} - - --volume-dir={{ . }} + - --watched-dir={{ . }} {{- end }} resources: {{ toYaml .Values.configmapReload.prometheus.resources | indent 12 }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/values.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/values.yaml index 0df64f922..392bae709 100644 --- a/charts/kubecost/cost-analyzer/charts/prometheus/values.yaml +++ b/charts/kubecost/cost-analyzer/charts/prometheus/values.yaml @@ -321,7 +321,7 @@ configmapReload: ## image: repository: quay.io/prometheus-operator/prometheus-config-reloader - tag: v0.68.0 + tag: v0.69.1 pullPolicy: IfNotPresent ## Additional configmap-reload container arguments @@ -351,7 +351,7 @@ configmapReload: alertmanager: ## If false, the configmap-reload container will not be deployed ## - enabled: true + enabled: false ## configmap-reload container name ## @@ -361,7 +361,7 @@ configmapReload: ## image: repository: quay.io/prometheus-operator/prometheus-config-reloader - tag: v0.68.0 + tag: v0.69.1 pullPolicy: IfNotPresent ## Additional configmap-reload container arguments @@ -418,7 +418,7 @@ nodeExporter: ## image: repository: prom/node-exporter - tag: v1.5.0 + tag: v1.7.0 pullPolicy: IfNotPresent ## Specify if a Pod Security Policy for node-exporter must be created @@ -543,7 +543,7 @@ server: ## image: repository: quay.io/prometheus/prometheus - tag: v2.35.0 + tag: v2.48.1 pullPolicy: IfNotPresent ## prometheus server priorityClassName 
@@ -865,11 +865,11 @@ server: ## Security context to be added to server pods ## - securityContext: - runAsUser: 1001 - runAsNonRoot: true - runAsGroup: 1001 - fsGroup: 1001 + securityContext: {} + # runAsUser: 1001 + # runAsNonRoot: true + # runAsGroup: 1001 + # fsGroup: 1001 containerSecurityContext: {} @@ -928,7 +928,7 @@ pushgateway: ## image: repository: prom/pushgateway - tag: v1.5.1 + tag: v1.6.2 pullPolicy: IfNotPresent ## pushgateway priorityClassName @@ -1270,7 +1270,7 @@ serverFiles: metric_relabel_configs: - source_labels: [ __name__ ] - regex: (kubelet_volume_stats_used_bytes) # this metric is in alpha + regex: (kubelet_volume_stats_used_bytes) # this metric is in alpha action: keep # Scrape config for service endpoints. diff --git a/charts/kubecost/cost-analyzer/charts/thanos/values.yaml b/charts/kubecost/cost-analyzer/charts/thanos/values.yaml index 6524e7c04..c0f2c6783 100644 --- a/charts/kubecost/cost-analyzer/charts/thanos/values.yaml +++ b/charts/kubecost/cost-analyzer/charts/thanos/values.yaml @@ -1,6 +1,6 @@ image: repository: thanosio/thanos - tag: v0.29.0 + tag: v0.32.5 pullPolicy: IfNotPresent ## PriorityClassName @@ -187,7 +187,7 @@ queryFrontend: validity: 10m downstreamTripper: - enabled: false + enabled: false idleConnectionTimeout: 90s responseHeaderTimeout: 2m tlsHandshakeTimeout: 10s @@ -198,7 +198,7 @@ queryFrontend: # Downstream Tripper Configuration Content # downstreamTripperConfig: - + # Response cache configuration content # responseCacheConfig: @@ -233,7 +233,7 @@ queryFrontend: # minAvailable and maxUnavailable can't be used simultaneous. Choose one. minAvailable: 1 # maxUnavailable: 50% - + serviceAccount: "" # The http endpoint to communicate with other components @@ -327,7 +327,7 @@ queryFrontend: # Pod affinity # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity affinity: {} - + query: enabled: true # Label to treat as a replica indicator along which data is deduplicated. 
@@ -355,9 +355,9 @@ query: maxConcurrent: 16 # Maximum number of select requests made concurrently per a query. maxConcurrentSelect: 4 - # Enable automatic adjustment (step / 5) to what source of data should be used in store gateways + # Enable automatic adjustment (step / 5) to what source of data should be used in store gateways # if no max_source_resolution param is specified. - autoDownsampling: false + autoDownsampling: false # https://github.com/improbable-eng/thanos/issues/1015 storeDNSResolver: miekgdns # Enable DNS discovery for stores diff --git a/charts/kubecost/cost-analyzer/ci/aggregator-values.yaml b/charts/kubecost/cost-analyzer/ci/aggregator-values.yaml new file mode 100644 index 000000000..42e6c3593 --- /dev/null +++ b/charts/kubecost/cost-analyzer/ci/aggregator-values.yaml @@ -0,0 +1,12 @@ +kubecostAggregator: + enabled: true + cloudCost: + enabled: true + aggregatorStorage: + storageRequest: 5Gi + aggregatorDbStorage: + storageRequest: 10Gi +kubecostModel: + federatedStorageConfigSecret: federated-store +kubecostProductConfigs: + cloudIntegrationSecret: cloud-integration diff --git a/charts/kubecost/cost-analyzer/ci/federatedetl-primary-netcosts-values.yaml b/charts/kubecost/cost-analyzer/ci/federatedetl-primary-netcosts-values.yaml new file mode 100644 index 000000000..1362f872f --- /dev/null +++ b/charts/kubecost/cost-analyzer/ci/federatedetl-primary-netcosts-values.yaml 
@@ -0,0 +1,48 @@ +kubecostProductConfigs: + clusterName: CLUSTER_NAME + # cloudIntegrationSecret: cloud-integration +federatedETL: + useExistingS3Config: false + primaryCluster: true + federatedCluster: true + federator: + enabled: true + # primaryClusterID: CLUSTER_NAME # Add after initial setup. This will break the combined folder setup if included at deployment. +kubecostModel: + containerStatsEnabled: true + cloudCost: + enabled: true # Set to true to enable CloudCost view that gives you visibility of your Cloud provider resources cost + etlCloudAsset: false # Set etlCloudAsset to false when cloudCost.enabled=true + federatedStorageConfigSecret: federated-store +serviceAccount: # this example uses AWS IRSA, which creates a service account with rights to the s3 bucket. If using keys+secrets in the federated-store, set create: true + create: true +kubecostDeployment: + queryServiceReplicas: 0 # to improve performance, increase replica count. see: https://docs.kubecost.com/install-and-configure/install/etl-backup/query-service-replicas +global: + prometheus: + enabled: true + # fqdn: http://prometheus-operated.monitoring:9090 + grafana: # prometheus metrics will be local cluster only, disable grafana to save resources + enabled: false + proxy: false +prometheus: + kubeStateMetrics: + enabled: false + kube-state-metrics: + disabled: true + nodeExporter: + enabled: false + server: + global: + external_labels: + # cluster_id should be unique for all clusters and the same value as .kubecostProductConfigs.clusterName + cluster_id: CLUSTER_NAME +networkCosts: + # optional, see: https://docs.kubecost.com/install-and-configure/advanced-configuration/network-costs-configuration + enabled: true + config: + services: + # set the appropriate cloud provider to true + amazon-web-services: true + # google-cloud-services: true + # azure-cloud-services: true 
diff --git a/charts/kubecost/cost-analyzer/templates/_helpers.tpl b/charts/kubecost/cost-analyzer/templates/_helpers.tpl index e290aa1c2..bf5da954d 100644 --- a/charts/kubecost/cost-analyzer/templates/_helpers.tpl +++ b/charts/kubecost/cost-analyzer/templates/_helpers.tpl @@ -47,6 +47,14 @@ If release name contains chart name it will be used as a full name. {{- end -}} {{- end -}} +{{- define "diagnostics.fullname" -}} +{{- if .Values.diagnosticsFullnameOverride -}} +{{- .Values.diagnosticsFullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name "diagnostics" | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + {{- define "federator.fullname" -}} {{- printf "%s-%s" .Release.Name "federator" | trunc 63 | trimSuffix "-" -}} {{- end -}} @@ -109,6 +117,9 @@ Create the fully qualified name for Prometheus alertmanager service. {{- printf "%s-%s" .Release.Name "query-service-load-balancer" | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- define "diagnostics.serviceName" -}} +{{- printf "%s-%s" .Release.Name "diagnostics" | trunc 63 | trimSuffix "-" -}} +{{- end -}} {{- define "aggregator.serviceName" -}} {{- printf "%s-%s" .Release.Name "aggregator" | trunc 63 | trimSuffix "-" -}} {{- end -}} @@ -130,10 +141,10 @@ Create the name of the service account {{- end -}} {{- end -}} {{- define "query-service.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "query-service.fullname" .) .Values.serviceAccount.name }} +{{- if .Values.kubecostDeployment.queryService.serviceAccount.create -}} + {{ default (include "query-service.fullname" .) .Values.kubecostDeployment.queryService.serviceAccount.name }} {{- else -}} - {{ default "default" .Values.serviceAccount.name }} + {{ default "default" .Values.kubecostDeployment.queryService.serviceAccount.name }} {{- end -}} {{- end -}} {{- define "aggregator.serviceAccountName" -}} 
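Review bot: `diagnostics.fullname` (hunk `@@ -47,6`) honours `.Values.diagnosticsFullnameOverride`, but `diagnostics.serviceName` added in the next hunk always renders `<release>-diagnostics`, so the two helpers diverge as soon as the override is set. The nginx upstream added in cost-analyzer-frontend-config-map-template.yaml targets `diagnostics.fullname` on port 9007; if the Service is named through `diagnostics.serviceName` (its template is not in view), that upstream would point at a name that does not exist. Defining the second helper as `{{- include "diagnostics.fullname" . -}}` keeps them in step. A short `{{/* … */}}` description above each new define, as some neighbouring helpers have, would also help.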
@@ -233,6 +244,10 @@ app: federator {{ include "cost-analyzer.chartLabels" . }} app: aggregator {{- end -}} +{{- define "diagnostics.commonLabels" -}} +{{ include "cost-analyzer.chartLabels" . }} +app: diagnostics +{{- end -}} {{- define "cloudCost.commonLabels" -}} {{ include "cost-analyzer.chartLabels" . }} {{ include "cloudCost.selectorLabels" . }} @@ -255,6 +270,11 @@ app: {{ template "cost-analyzer.networkCostsName" . }} {{- define "networkcosts.selectorLabels" -}} app: {{ template "cost-analyzer.networkCostsName" . }} {{- end }} +{{- define "diagnostics.selectorLabels" -}} +app.kubernetes.io/name: diagnostics +app.kubernetes.io/instance: {{ .Release.Name }} +app: diagnostics +{{- end }} {{/* {{- end -}} diff --git a/charts/kubecost/cost-analyzer/templates/aggregator-cloud-cost-deployment.yaml b/charts/kubecost/cost-analyzer/templates/aggregator-cloud-cost-deployment.yaml index 0478f8712..88fdc7646 100644 --- a/charts/kubecost/cost-analyzer/templates/aggregator-cloud-cost-deployment.yaml +++ b/charts/kubecost/cost-analyzer/templates/aggregator-cloud-cost-deployment.yaml @@ -20,6 +20,10 @@ spec: app.kubernetes.io/name: cloud-cost app.kubernetes.io/instance: {{ .Release.Name }} app: cloud-cost + {{- with .Values.global.podAnnotations}} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} spec: restartPolicy: Always serviceAccountName: {{ template "cloudCost.serviceAccountName" . }} 
@@ -106,12 +110,31 @@ spec: - name: FEDERATED_CLUSTER value: "true" {{- end}} + - name: CLOUD_COST_REFRESH_RATE_HOURS + value: {{ .Values.kubecostAggregator.cloudCost.refreshRateHours | default 6 | quote }} + - name: CLOUD_COST_QUERY_WINDOW_DAYS + value: {{ .Values.kubecostAggregator.cloudCost.queryWindowDays | default 7 | quote }} + - name: CLOUD_COST_RUN_WINDOW_DAYS + value: {{ .Values.kubecostAggregator.cloudCost.runWindowDays | default 3 | quote }} + {{- range $key, $value := .Values.kubecostAggregator.cloudCost.env }} - name: {{ $key | quote }} value: {{ $value | quote }} {{- end }} - - + {{- if .Values.systemProxy.enabled }} + - name: HTTP_PROXY + value: {{ .Values.systemProxy.httpProxyUrl }} + - name: http_proxy + value: {{ .Values.systemProxy.httpProxyUrl }} + - name: HTTPS_PROXY + value: {{ .Values.systemProxy.httpsProxyUrl }} + - name: https_proxy + value: {{ .Values.systemProxy.httpsProxyUrl }} + - name: NO_PROXY + value: {{ .Values.systemProxy.noProxy }} + - name: no_proxy + value: {{ .Values.systemProxy.noProxy }} + {{- end }} {{- if .Values.imagePullSecrets }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 2 }} diff --git a/charts/kubecost/cost-analyzer/templates/aggregator-service.yaml b/charts/kubecost/cost-analyzer/templates/aggregator-service.yaml index b2a7063c6..275a2db3c 100644 --- a/charts/kubecost/cost-analyzer/templates/aggregator-service.yaml +++ b/charts/kubecost/cost-analyzer/templates/aggregator-service.yaml @@ -16,5 +16,8 @@ spec: - name: tcp-api port: 9004 targetPort: 9004 + {{- with .Values.kubecostAggregator.extraPorts }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/aggregator-statefulset.yaml b/charts/kubecost/cost-analyzer/templates/aggregator-statefulset.yaml index e412fd6d4..a03335240 100644 --- a/charts/kubecost/cost-analyzer/templates/aggregator-statefulset.yaml +++ b/charts/kubecost/cost-analyzer/templates/aggregator-statefulset.yaml 
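Review bot: The six proxy variables added in the `@@ -106,12` hunk of aggregator-cloud-cost-deployment.yaml render `.Values.systemProxy.*` unquoted, unlike the `| quote` applied to the `CLOUD_COST_*` values directly above them. A `noProxy` value that starts with `*` is read as a YAML alias and breaks the manifest, and an unset URL yields a null `value`; write `value: {{ .Values.systemProxy.httpProxyUrl | quote }}` and likewise for `httpsProxyUrl` and `noProxy`. The identical block in aggregator-statefulset.yaml (`@@ -148,8`) needs the same change. If proxy URLs may carry credentials, they end up readable in the pod spec, so an option to source them from a Secret via `secretKeyRef` is worth considering.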
@@ -49,15 +49,22 @@ spec: app.kubernetes.io/name: aggregator app.kubernetes.io/instance: {{ .Release.Name }} app: aggregator + {{- with .Values.global.podAnnotations}} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} spec: restartPolicy: Always - {{- if .Values.kubecostAggregator.securityContext }} + {{- if .Values.kubecostAggregator.securityContext }} securityContext: - {{- toYaml .Values.kubecostAggregator.securityContext | nindent 8 }} - {{- else if .Values.global.securityContext }} + {{- toYaml .Values.kubecostAggregator.securityContext | nindent 8 }} + {{- else if and (.Values.global.platforms.openshift.enabled) (.Values.global.platforms.openshift.securityContext) }} securityContext: - {{- toYaml .Values.global.securityContext | nindent 8 }} - {{ end }} + {{- toYaml .Values.global.platforms.openshift.securityContext | nindent 8 }} + {{- else if .Values.global.securityContext }} + securityContext: + {{- toYaml .Values.global.securityContext | nindent 8 }} + {{- end }} serviceAccountName: {{ template "aggregator.serviceAccountName" . }} volumes: {{- $etlBackupBucketSecret := "" }} @@ -69,6 +76,8 @@ spec: secret: defaultMode: 420 secretName: {{ $etlBackupBucketSecret }} + {{- else }} + {{- fail "Kubecost Aggregator requires .Values.kubecostModel.federatedStorageConfigSecret" }} {{- end }} containers: {{- if .Values.kubecostAggregator.jaeger.enabled }} @@ -113,6 +122,9 @@ spec: - name: tcp-api containerPort: 9004 protocol: TCP + {{- with.Values.kubecostAggregator.extraPorts }} + {{- toYaml . | nindent 12 }} + {{- end }} resources: {{ toYaml .Values.kubecostAggregator.resources | nindent 12 }} volumeMounts: 
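Review bot: In the `@@ -113,6` hunk, `{{- with.Values.kubecostAggregator.extraPorts }}` is missing the space after `with`. The template lexer appears to accept it because `.` terminates the keyword, but it reads as a typo and the matching line in aggregator-service.yaml is written with the space. Change it to `{{- with .Values.kubecostAggregator.extraPorts }}`.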
@@ -148,8 +160,23 @@ spec: value: "false" # this pod should never run KC's concept of "ETL" - name: CLOUD_PROVIDER_API_KEY value: "AIzaSyDXQPG_MHUEy9neR7stolq6l0ujXmjJlvk" # The GCP Pricing API key.This GCP api key is expected to be here and is limited to accessing google's billing API.' - value: "true" # just in case, not sure if necessary - + {{- if .Values.systemProxy.enabled }} + - name: HTTP_PROXY + value: {{ .Values.systemProxy.httpProxyUrl }} + - name: http_proxy + value: {{ .Values.systemProxy.httpProxyUrl }} + - name: HTTPS_PROXY + value: {{ .Values.systemProxy.httpsProxyUrl }} + - name: https_proxy + value: {{ .Values.systemProxy.httpsProxyUrl }} + - name: NO_PROXY + value: {{ .Values.systemProxy.noProxy }} + - name: no_proxy + value: {{ .Values.systemProxy.noProxy }} + {{- end }} + {{- if .Values.kubecostAggregator.extraEnv -}} + {{ toYaml .Values.kubecostAggregator.extraEnv | nindent 12 }} + {{- end }} {{- if $etlBackupBucketSecret }} # If this isn't set, we pretty much have to be in a read only state, # initialization will probably fail otherwise. diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-account-mapping-configmap.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-account-mapping-configmap.yaml new file mode 100644 index 000000000..3c4902395 --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-account-mapping-configmap.yaml @@ -0,0 +1,12 @@ +{{- if .Values.kubecostProductConfigs }} +{{- if .Values.kubecostProductConfigs.cloudAccountMapping }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: "account-mapping" + namespace: {{ .Release.Namespace }} + labels: {{ include "cost-analyzer.commonLabels" . | nindent 4 }} +data: + account-map.json: '{{ toJson .Values.kubecostProductConfigs.cloudAccountMapping }}' +{{- end }} +{{- end }} \ No newline at end of file 
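Review bot: In the new cost-analyzer-account-mapping-configmap.yaml, `account-map.json: '{{ toJson .Values.kubecostProductConfigs.cloudAccountMapping }}'` wraps the JSON in YAML single quotes without escaping, so an apostrophe in any mapping key or value ends the scalar early and the ConfigMap fails to parse. Let Helm produce the quoting instead: `account-map.json: {{ toJson .Values.kubecostProductConfigs.cloudAccountMapping | quote }}`. The `alerts.json` line in cost-analyzer-alerts-configmap.yaml follows the same pattern and would benefit from the same fix. The ConfigMap name is the fixed string `"account-mapping"`, so two releases in one namespace would overwrite each other unless the name is derived from the release.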
diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-alerts-configmap.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-alerts-configmap.yaml index c2491dfb9..3a2554411 100644 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-alerts-configmap.yaml +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-alerts-configmap.yaml @@ -4,8 +4,7 @@ kind: ConfigMap metadata: name: {{ default "alert-configs" .Values.alertConfigmapName }} namespace: {{ .Release.Namespace }} - labels: - {{ include "cost-analyzer.commonLabels" . | nindent 4 }} + labels: {{ include "cost-analyzer.commonLabels" . | nindent 4 }} data: alerts.json: '{{ toJson .Values.global.notifications.alertConfigs }}' {{- end -}} diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-deployment-template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-deployment-template.yaml index 33ebdcaba..61a627d1a 100644 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-deployment-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-deployment-template.yaml @@ -1,5 +1,4 @@ {{- if and (not .Values.agent) (not .Values.cloudAgent) }} -{{- $nginxPort := int .Values.service.port | default 9090 -}} apiVersion: apps/v1 {{- if and .Values.kubecostDeployment.statefulSet.enabled .Values.kubecostDeployment.leaderFollower.enabled }} kind: StatefulSet 
@@ -56,22 +55,12 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: - {{- if .Values.kubecostFrontend.tls }} - {{- if .Values.kubecostFrontend.tls.enabled }} + {{- if .Values.global.platforms.openshift.enabled }} securityContext: - runAsUser: 0 - {{- else }} - securityContext: - runAsUser: 1001 - runAsGroup: 1001 - fsGroup: 1001 - {{- end }} - {{- else if lt $nginxPort 1025 }} - securityContext: - runAsUser: 0 + {{- toYaml .Values.global.platforms.openshift.securityContext | nindent 8 }} {{- else if .Values.global.securityContext }} securityContext: - {{- toYaml .Values.global.securityContext | nindent 8 }} + {{- toYaml .Values.global.securityContext | nindent 8 }} {{- else }} securityContext: runAsUser: 1001 @@ -307,16 +296,18 @@ spec: claimName: {{ template "cost-analyzer.fullname" . }}-db {{- end }} {{- end }} - initContainers: {{- if .Values.supportNFS }} + initContainers: - name: config-db-perms-fix {{- if .Values.initChownDataImage }} image: {{ .Values.initChownDataImage }} {{- else }} image: busybox {{- end }} + {{- with .Values.initChownData.resources }} resources: -{{ toYaml .Values.initChownData.resources | indent 12 }} + {{- toYaml . | nindent 12 }} + {{- end }} {{- if and (.Values.kubecostModel.etlToDisk | default true) .Values.persistentVolume.dbPVEnabled }} command: ["sh", "-c", "/bin/chmod -R 777 /var/configs && /bin/chmod -R 777 /var/db"] {{- else }} @@ -379,10 +370,14 @@ spec: {{- else }} imagePullPolicy: Always {{- end }} - {{- if .Values.global.containerSecurityContext }} + {{- if .Values.global.containerSecurityContext }} securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 -}} - {{- end }} + {{- end }} + {{- with .Values.sigV4Proxy.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} args: - --name - {{ .Values.sigV4Proxy.name }} 
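Review bot: The OpenShift branch in the `@@ -56,22` hunk tests only `.Values.global.platforms.openshift.enabled`, whereas server-deployment.yaml and aggregator-statefulset.yaml in this same change test `and (…openshift.enabled) (…openshift.securityContext)`. With `enabled: true` and no `securityContext` supplied, this template emits an empty `securityContext:` and never reaches the `global.securityContext` or `runAsUser: 1001` fallbacks. If that is deliberate so the SCC can pick the UID, say so in a template comment; otherwise use `{{- if and .Values.global.platforms.openshift.enabled .Values.global.platforms.openshift.securityContext }}`. The pod spec starts and ends outside the hunk.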
@@ -465,10 +460,10 @@ spec: - image: {{ .Values.kubecostModel.image }}:{{ .Values.imageVersion }} {{- else }} - image: {{ .Values.kubecostModel.image }}:prod-{{ $.Chart.AppVersion }} - {{ end }} + {{- end }} {{- else }} - image: gcr.io/kubecost1/cost-model:prod-{{ $.Chart.AppVersion }} - {{ end }} + {{- end }} name: cost-model {{- if .Values.kubecostModel.extraArgs }} args: @@ -492,23 +487,28 @@ spec: - name: tcp-frontend containerPort: 9090 protocol: TCP + {{- with .Values.kubecostModel.extraPorts }} + {{- toYaml . | nindent 10 }} + {{- end }} resources: {{ toYaml .Values.kubecostModel.resources | indent 12 }} + {{- if .Values.kubecostModel.readinessProbe.enabled }} readinessProbe: httpGet: path: /healthz port: 9003 - initialDelaySeconds: 30 - periodSeconds: 10 - failureThreshold: 200 - {{- if .Values.kubecostFrontend.livenessProbe.enabled }} + initialDelaySeconds: {{ .Values.kubecostModel.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.kubecostModel.readinessProbe.periodSeconds}} + failureThreshold: {{ .Values.kubecostModel.readinessProbe.failureThreshold}} + {{- end }} + {{- if .Values.kubecostModel.livenessProbe.enabled }} livenessProbe: httpGet: path: /healthz port: 9003 - initialDelaySeconds: 30 - periodSeconds: 10 - failureThreshold: 200 + initialDelaySeconds: {{ .Values.kubecostModel.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.kubecostModel.livenessProbe.periodSeconds }} + failureThreshold: {{ .Values.kubecostModel.livenessProbe.failureThreshold }} {{- end }} {{- if .Values.global.containerSecuritycontext }} securityContext: 
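Review bot: The guard at the end of the `@@ -492,23` hunk reads `.Values.global.containerSecuritycontext` with a lower-case `c`, while the sigV4Proxy and frontend containers in this file read `.Values.global.containerSecurityContext`. Helm value keys are case-sensitive, so unless values.yaml defines the misspelt key (not visible here) the cost-model container never receives the global container security context. The line is unchanged context, but it sits directly below the probe changes and is worth correcting in this commit: `{{- if .Values.global.containerSecurityContext }}`. The container spec continues outside the hunk.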
@@ -863,12 +863,6 @@ spec: {{- end }} - name: CLOUD_ASSETS_EXCLUDE_PROVIDER_ID value: {{ (quote .Values.kubecostModel.cloudAssetsExcludeProviderID) | default (quote false) }} - - name: ETL_CLOUD_REFRESH_RATE_HOURS - value: {{ (quote .Values.kubecostModel.etlCloudRefreshRateHours) | default (quote 6) }} - - name: ETL_CLOUD_QUERY_WINDOW_DAYS - value: {{ (quote .Values.kubecostModel.etlCloudQueryWindowDays) | default (quote 7) }} - - name: ETL_CLOUD_RUN_WINDOW_DAYS - value: {{ (quote .Values.kubecostModel.etlCloudRunWindowDays) | default (quote 3) }} {{- if .Values.persistentVolume.dbPVEnabled }} - name: ETL_PATH_PREFIX value: "/var/db" @@ -913,6 +907,12 @@ spec: - name: CLOUD_COST_TOP_N value: {{ (quote .topNItems) | default (quote 1000) }} {{- end }} + - name: CLOUD_COST_REFRESH_RATE_HOURS + value: {{ .Values.kubecostModel.cloudCost.refreshRateHours | default .Values.kubecostModel.etlCloudRefreshRateHours | default 6 | quote }} + - name: CLOUD_COST_QUERY_WINDOW_DAYS + value: {{ .Values.kubecostModel.cloudCost.queryWindowDays | default .Values.kubecostModel.etlCloudQueryWindowDays | default 7 | quote }} + - name: CLOUD_COST_RUN_WINDOW_DAYS + value: {{ .Values.kubecostModel.cloudCost.runWindowDays | default .Values.kubecostModel.etlCloudRunWindowDays | default 3 | quote }} - name: CONTAINER_STATS_ENABLED value: {{ (quote .Values.kubecostModel.containerStatsEnabled) | default (quote false) }} - name: RECONCILE_NETWORK 
@@ -947,6 +947,19 @@ spec: {{- if .Values.networkCosts.enabled }} - name: NETWORK_COSTS_PORT value: {{ quote .Values.networkCosts.port | default (quote 3001) }} + # ADVANCED_NETWORK_STATS is a feature offered by Kubecost that gives you network + # insights of your Kubernetes resources with cloud services. The feature is + # enabled when network cost is enabled and one of the service tagging is enabled + {{- if .Values.networkCosts.config.services }} + {{- $services := .Values.networkCosts.config.services -}} + {{- if or (index $services "google-cloud-services") (index $services "amazon-web-services") (index $services "azure-cloud-services")}} + - name: ADVANCED_NETWORK_STATS + value: "true" + {{- else}} + - name: ADVANCED_NETWORK_STATS + value: "false" + {{- end}} + {{- end }} {{- end }} {{- end }} {{- /* @@ -1122,21 +1135,12 @@ spec: - image: {{ .Values.kubecostFrontend.fullImageName }} {{- else if .Values.imageVersion }} - image: {{ .Values.kubecostFrontend.image }}:{{ .Values.imageVersion }} - {{- else if .Values.kubecostAggregator.enabled }} - - image: {{ .Values.kubecostFrontend.image }}:prod-aggregator-{{ $.Chart.AppVersion }} {{- else }} - image: {{ .Values.kubecostFrontend.image }}:prod-{{ $.Chart.AppVersion }} - {{ end }} + {{- end }} {{- else }} - image: gcr.io/kubecost1/frontend:prod-{{ $.Chart.AppVersion }} - {{ end }} - {{- if .Values.kubecostFrontend.tls }} - {{- if .Values.kubecostFrontend.tls.enabled }} - command: ["nginx", "-g", "daemon off;"] - ports: - - containerPort: 443 - {{- end }} - {{- end }} + {{- end }} env: - name: GET_HOSTS_FROM value: dns @@ -1147,7 +1151,7 @@ spec: {{- if .Values.kubecostFrontend.securityContext }} securityContext: {{- toYaml .Values.kubecostFrontend.securityContext | nindent 12 }} - {{- else if and .Values.global.containerSecurityContext (gt $nginxPort 1025) }} + {{- else }} securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} {{- end }} 
@@ -1175,13 +1179,15 @@ spec: {{- else }} imagePullPolicy: Always {{- end }} + {{- if .Values.kubecostFrontend.readinessProbe.enabled }} readinessProbe: httpGet: path: /healthz port: 9003 - initialDelaySeconds: 30 - periodSeconds: 10 - failureThreshold: 200 + initialDelaySeconds: {{ .Values.kubecostFrontend.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.kubecostFrontend.readinessProbe.periodSeconds }} + failureThreshold: {{ .Values.kubecostFrontend.readinessProbe.failureThreshold }} + {{- end }} {{- if .Values.kubecostFrontend.livenessProbe.enabled }} livenessProbe: httpGet: diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml index 3894f70ac..97a391824 100644 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml @@ -1,7 +1,6 @@ {{- if .Values.kubecostFrontend.enabled }} {{- if and (not .Values.agent) (not .Values.cloudAgent) }} {{- $serviceName := include "cost-analyzer.serviceName" . -}} -{{- $nginxPort := .Values.service.targetPort | default 9090 -}} {{- if .Values.saml.enabled }} {{- if .Values.oidc.enabled }} {{- fail "SAML and OIDC cannot both be enabled" }} @@ -118,6 +117,15 @@ data: server {{ template "cloudCost.fullname" . }}.{{ .Release.Namespace }}:9005; } {{- end }} + + {{- if and .Values.diagnostics.enabled .Values.diagnostics.isDiagnosticsPrimary.enabled }} + {{- if or .Values.global.thanos.enabled (not (empty .Values.kubecostModel.federatedStorageConfigSecret )) }} + upstream multi-cluster-diagnostics { + server {{ template "diagnostics.fullname" . }}.{{ .Release.Namespace }}:9007; + } + {{- end }} + {{- end }} + server { server_name _; root /var/www; 
@@ -166,20 +174,20 @@ data: {{- end }} ssl_certificate /etc/ssl/certs/kc.crt; ssl_certificate_key /etc/ssl/certs/kc.key; - listen 443 ssl; + listen {{ .Values.service.targetPort }} ssl; {{- if .Values.kubecostFrontend.ipv6.enabled }} - listen [::]:443 ssl; + listen [::]:{{ .Values.service.targetPort }} ssl; {{- end }} {{- else }} - listen {{ $nginxPort }}; + listen {{ .Values.service.targetPort }}; {{- if .Values.kubecostFrontend.ipv6.enabled }} - listen [::]:{{ $nginxPort }}; + listen [::]:{{ .Values.service.targetPort }}; {{- end }} {{- end }} {{- else }} - listen {{ $nginxPort }}; + listen {{ .Values.service.targetPort }}; {{- if .Values.kubecostFrontend.ipv6.enabled }} - listen [::]:{{ $nginxPort }}; + listen [::]:{{ .Values.service.targetPort }}; {{- end }} {{- end }} location /api/ { @@ -194,9 +202,9 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location /model/ { - proxy_connect_timeout 600; - proxy_send_timeout 600; - proxy_read_timeout 600; + proxy_connect_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_send_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://model/; proxy_redirect off; proxy_http_version 1.1; @@ -320,9 +328,9 @@ data: {{- end }} location /model/allocation { - proxy_connect_timeout 600; - proxy_send_timeout 600; - proxy_read_timeout 600; + proxy_connect_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 600 }}; + proxy_send_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 600 }}; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 600 }}; proxy_pass http://queryservice/allocation; proxy_redirect off; proxy_http_version 1.1; 
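Review bot: The `listen` directives in the `@@ -166,20` hunk now interpolate `.Values.service.targetPort` directly, where the removed `$nginxPort` variable carried `| default 9090`. If an override leaves `targetPort` empty, nginx receives a `listen` with no port and the frontend will not start; `listen {{ .Values.service.targetPort | default 9090 }};` keeps the fallback, and the same applies to the `[::]:` lines. The TLS branch also moves from a fixed 443 to `targetPort`, which changes the listening port for existing TLS installs and should be called out in the upgrade notes or in a comment next to `service.targetPort`.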
@@ -332,9 +340,9 @@ data: } location /model/assets { - proxy_connect_timeout 600; - proxy_send_timeout 600; - proxy_read_timeout 600; + proxy_connect_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 600 }}; + proxy_send_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 600 }}; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 600 }}; proxy_pass http://queryservice/assets; proxy_redirect off; proxy_http_version 1.1; @@ -347,9 +355,9 @@ data: # for example if you want heap dump from query service end point should be # /model/queryservice/debug/pprof/heap to get queryservice heap dumps location ~ /model/queryservice/(.*)$ { - proxy_connect_timeout 600; - proxy_send_timeout 600; - proxy_read_timeout 600; + proxy_connect_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 600 }}; + proxy_send_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 600 }}; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 600 }}; proxy_pass http://queryservice/$1; proxy_redirect off; proxy_http_version 1.1; @@ -367,7 +375,7 @@ data: {{- end }} location = /model/allocation { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/allocation; proxy_redirect off; proxy_set_header Connection ""; @@ -385,7 +393,7 @@ data: } {{ end }} location = /model/allocation/view { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/allocation/view; proxy_redirect off; proxy_set_header Connection ""; @@ -393,7 +401,7 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/allocation/summary { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/allocation/summary; proxy_redirect off; proxy_set_header Connection ""; 
@@ -401,15 +409,23 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/allocation/summary/topline { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/allocation/summary/topline; proxy_redirect off; proxy_set_header Connection ""; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } - location = /model/assets { + location = /model/allocation/autocomplete { proxy_read_timeout 300; + proxy_pass http://aggregator/allocation/autocomplete; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/assets { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/assets; proxy_redirect off; proxy_set_header Connection ""; @@ -441,8 +457,16 @@ data: location = /model/assets/breakdown { return 501 "Aggregator does not support this endpoint."; } - location = /model/savings/requestSizingV2 { + location = /model/assets/autocomplete { proxy_read_timeout 300; + proxy_pass http://aggregator/assets/autocomplete; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/savings/requestSizingV2 { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/savings/requestSizingV2; proxy_redirect off; proxy_set_header Connection ""; 
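Review bot: The new `location = /model/allocation/autocomplete` block keeps the literal `proxy_read_timeout 300;` (it reuses the old context line), so it ignores `kubecostFrontend.timeoutSeconds` while the neighbouring aggregator locations now honour it. The same literal remains in `/model/assets/autocomplete` (hunk at -441), `/model/cloudCost/autocomplete` (hunk at -482) and the two `multi-cluster-diagnostics` locations (hunk at -672). Use `proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }};` in each so that one value governs all proxied endpoints.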
@@ -450,7 +474,7 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/savings/requestSizingV2/topline { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/savings/requestSizingV2/topline; proxy_redirect off; proxy_set_header Connection ""; @@ -458,7 +482,7 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/cloudCost { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/cloudCost; proxy_redirect off; proxy_set_header Connection ""; @@ -466,7 +490,7 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/cloudCost/view/graph { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/cloudCost/view/graph; proxy_redirect off; proxy_set_header Connection ""; @@ -474,7 +498,7 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/cloudCost/view/totals { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/cloudCost/view/totals; proxy_redirect off; proxy_set_header Connection ""; 
@@ -482,15 +506,31 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/cloudCost/view/table { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/cloudCost/view/table; proxy_redirect off; proxy_set_header Connection ""; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } - location = /model/clusters/status { + location = /model/cloudCost/view/trends { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/cloudCost/view/trends; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/cloudCost/autocomplete { proxy_read_timeout 300; + proxy_pass http://aggregator/cloudCost/autocomplete; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/clusters/status { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/clusters/status; proxy_redirect off; proxy_set_header Connection ""; @@ -498,7 +538,7 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/savings { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/savings; proxy_redirect off; proxy_set_header Connection ""; 
@@ -506,7 +546,7 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/savings/abandonedWorkloads { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/savings/abandonedWorkloads; proxy_redirect off; proxy_set_header Connection ""; @@ -514,7 +554,7 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/savings/abandonedWorkloads/topline { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/savings/abandonedWorkloads/topline; proxy_redirect off; proxy_set_header Connection ""; @@ -522,7 +562,7 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/savings/unclaimedVolumes { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/savings/unclaimedVolumes; proxy_redirect off; proxy_set_header Connection ""; @@ -530,7 +570,7 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/savings/localLowDisks { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/savings/localLowDisks; proxy_redirect off; proxy_set_header Connection ""; @@ -538,7 +578,7 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/savings/persistentVolumeSizing { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/savings/persistentVolumeSizing; proxy_redirect off; proxy_set_header Connection ""; 
@@ -546,7 +586,7 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/reports/allocation { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/reports/allocation; proxy_redirect off; proxy_set_header Connection ""; @@ -554,7 +594,7 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/reports/asset { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/reports/asset; proxy_redirect off; proxy_set_header Connection ""; @@ -562,7 +602,7 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/reports/advanced { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/reports/advanced; proxy_redirect off; proxy_set_header Connection ""; @@ -570,7 +610,7 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/reports/cloudCost { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/reports/cloudCost; proxy_redirect off; proxy_set_header Connection ""; @@ -578,7 +618,7 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/reports/group { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/reports/group; proxy_redirect off; proxy_set_header Connection ""; 
@@ -589,14 +629,14 @@ data: # was handled by /model/, so no special case proxies were required. without this, /model/reports/groups/?foo=bar # will be directed to /reports/groups?foo=bar (note the missing /model prefix) location ~ ^/model/reports/group/ { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/reports/group/$is_args$args; proxy_set_header Connection ""; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/budget { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/budget; proxy_redirect off; proxy_set_header Connection ""; @@ -604,7 +644,7 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/budgets { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/budgets; proxy_redirect off; proxy_set_header Connection ""; 
@@ -612,18 +652,26 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } {{- end }} - location = /model/hideDiagnostics { - default_type text/html; - {{- if .Values.kubecostFrontend.hideDiagnostics }} - return 200 'true'; + + location = /model/hideOrphanedResources { + default_type 'application/json'; + {{- if .Values.kubecostFrontend.hideOrphanedResources }} + return 200 '{"hideOrphanedResources": "true"}'; {{- else }} - return 200 'false'; + return 200 '{"hideOrphanedResources": "false"}'; + {{- end }} + } + location = /model/hideDiagnostics { + default_type 'application/json'; + {{- if .Values.kubecostFrontend.hideDiagnostics }} + return 200 '{"hideDiagnostics": "true"}'; + {{- else }} + return 200 '{"hideDiagnostics": "false"}'; {{- end }} } - {{- if .Values.kubecostAggregator.cloudCost.enabled }} location = /model/cloudCost/status { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://cloudCost/cloudCost/status; proxy_redirect off; proxy_set_header Connection ""; @@ -631,7 +679,7 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/cloudCost/rebuild { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://cloudCost/cloudCost/rebuild; proxy_redirect off; proxy_set_header Connection ""; @@ -639,7 +687,7 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/cloudCost/repair { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://cloudCost/cloudCost/repair; proxy_redirect off; proxy_set_header Connection ""; 
@@ -647,7 +695,7 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/cloudCost/integration/export { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://cloudCost/cloudCost/integration/export; proxy_redirect off; proxy_set_header Connection ""; @@ -655,7 +703,7 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/cloudCost/integration/enable { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://cloudCost/cloudCost/integration/enable; proxy_redirect off; proxy_set_header Connection ""; @@ -663,7 +711,7 @@ data: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location = /model/cloudCost/integration/disable { - proxy_read_timeout 300; + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://cloudCost/cloudCost/integration/disable; proxy_redirect off; proxy_set_header Connection ""; 
@@ -672,13 +720,55 @@ data: } {{- end }} - - {{- if .Values.kubecostFrontend.trendsDisabled }} location /model/allocation/trends { return 204 'endpoint disabled'; } {{ end }} + + location /model/multi-cluster-diagnostics-enabled { + default_type 'application/json'; + {{- if and .Values.diagnostics.enabled .Values.diagnostics.isDiagnosticsPrimary.enabled }} + {{- if or .Values.global.thanos.enabled (not (empty .Values.kubecostModel.federatedStorageConfigSecret )) }} + return 200 '{"multi-cluster-diagnostics-enabled": "true"}'; + {{- end }} + {{- else }} + return 200 '{"multi-cluster-diagnostics-enabled": "false"}'; + {{- end }} + } + {{- if and .Values.diagnostics.enabled .Values.diagnostics.isDiagnosticsPrimary.enabled }} + {{- if or .Values.global.thanos.enabled (not (empty .Values.kubecostModel.federatedStorageConfigSecret )) }} + location /model/multi-cluster-diagnostics { + default_type 'application/json'; + proxy_read_timeout 300; + proxy_pass http://multi-cluster-diagnostics/status; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + # simple alias for support + location /model/mcd { + default_type 'application/json'; + proxy_read_timeout 300; + proxy_pass http://multi-cluster-diagnostics/status?window=7d; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + {{- end }} + {{- end }} + + location /model/aggregatorEnabled { + default_type 'application/json'; + {{- if .Values.kubecostAggregator.enabled }} + return 200 '{"aggregatorEnabled": "true"}'; + {{- else }} + return 200 '{"aggregatorEnabled": "false"}'; + {{- end }} + } + } {{- end }} {{- end }} 
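Review bot: `location /model/multi-cluster-diagnostics-enabled` can render with an empty body: the `{{- else }}` pairs with the outer `if and …`, so when diagnostics and the primary flag are on but neither Thanos nor `federatedStorageConfigSecret` is configured, the inner `if or …` emits nothing and no `return` is written. Fold both tests into one condition, `{{- if and .Values.diagnostics.enabled .Values.diagnostics.isDiagnosticsPrimary.enabled (or .Values.global.thanos.enabled (not (empty .Values.kubecostModel.federatedStorageConfigSecret))) }}`, and keep the single `else`. Separately, `/model/mcd` and `/model/multi-cluster-diagnostics` are prefix locations whose `proxy_pass` carries a URI, so any request-path suffix is appended to the upstream URI (after `?window=7d` in the alias); `location = …` would pin them to the exact path like the aggregator endpoints above. These endpoints presumably return cluster diagnostics, so confirm they sit behind the same authentication as the rest of `/model/` wherever the frontend is exposed.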
diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-network-policy.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-network-policy.yaml index 8b11d4772..ba58350b7 100644 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-network-policy.yaml +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-network-policy.yaml @@ -14,9 +14,6 @@ spec: {{- include "cost-analyzer.selectorLabels" . | nindent 6 }} policyTypes: - Egress - egress: - - to: - - namespaceSelector: {} {{- else }} {{- if .Values.networkPolicy.sameNamespace}} metadata: diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-networks-costs-ocp-scc.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-networks-costs-ocp-scc.yaml new file mode 100644 index 000000000..8602cb0c6 --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-networks-costs-ocp-scc.yaml @@ -0,0 +1,30 @@ +{{- if and (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") (.Values.global.platforms.openshift.scc.networkCosts) (.Values.networkCosts.enabled) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "cost-analyzer.networkCostsName" . }} +priority: 10 +allowPrivilegedContainer: true +allowHostDirVolumePlugin: true +allowHostNetwork: true +allowHostPorts: true +allowHostPID: false +allowHostIPC: false +readOnlyRootFilesystem: false +runAsUser: + type: RunAsAny +fsGroup: + type: RunAsAny +seLinuxContext: + type: RunAsAny +supplementalGroups: + type: RunAsAny +seccompProfiles: +- runtime/default +volumes: + - hostPath + - projected + - configMap +users: + - system:serviceaccount:{{ .Release.Namespace }}:{{ template "cost-analyzer.serviceAccountName" . }} +{{- end }} \ No newline at end of file 
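Review bot: The `users:` entry in the new SecurityContextConstraints grants it to `cost-analyzer.serviceAccountName`, the account the diagnostics Deployment added later in this commit also runs under, so every workload using that account becomes eligible for `allowPrivilegedContainer`, host network, host ports and `hostPath` volumes, not only network-costs. With `priority: 10` this SCC is likely to be tried before the default restricted ones, so those other pods may be admitted under it and lose the restricted defaults. A service account used only by the network-costs DaemonSet would keep the privileged grant scoped to the one workload that needs it; if sharing is unavoidable, add a template comment stating why. `readOnlyRootFilesystem: false` and `RunAsAny` for user, fsGroup and SELinux could probably be narrowed too, but that depends on what the network-costs container requires, which is not visible here.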
diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-ocp-route.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-ocp-route.yaml new file mode 100644 index 000000000..3438dcd54 --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-ocp-route.yaml @@ -0,0 +1,25 @@ +{{- if and (.Capabilities.APIVersions.Has "route.openshift.io/v1/Route") (.Values.global.platforms.openshift.enabled) (.Values.global.platforms.openshift.route.enabled) }} +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: {{ template "cost-analyzer.fullname" . }}-route + labels: + {{- include "cost-analyzer.commonLabels" . | nindent 4 }} + {{- with .Values.global.platforms.openshift.route.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.global.platforms.openshift.route.host }} + host: "{{ .Values.global.platforms.openshift.route.host }}" + {{- end }} + port: + targetPort: tcp-frontend + tls: + termination: edge + to: + kind: Service + name: {{ template "cost-analyzer.serviceName" . }} + weight: 100 + wildcardPolicy: None +{{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-server-configmap.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-server-configmap.yaml index dc8741ffb..57038b9cd 100644 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-server-configmap.yaml +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-server-configmap.yaml 
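Review bot: `tls.termination` is fixed to `edge`, which has the router forward plain HTTP to the `tcp-frontend` port, yet the frontend configmap in this commit makes nginx `listen … ssl` on that same port when frontend TLS is enabled (presumably `.Values.kubecostFrontend.tls.enabled`), so the two options cannot be combined. Consider rendering `termination: reencrypt` or `passthrough` in that case, or add a template comment stating that the route assumes a plaintext backend. It is also worth setting `insecureEdgeTerminationPolicy: Redirect` explicitly so the handling of plain-HTTP requests does not depend on the cluster default.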
@@ -1,73 +1,72 @@ {{- if .Values.kubecostProductConfigs }} -{{- if or .Values.kubecostProductConfigs.grafanaURL .Values.kubecostProductConfigs.labelMappingConfigs }} +{{- if or .Values.kubecostProductConfigs.grafanaURL .Values.kubecostProductConfigs.labelMappingConfigs .Values.kubecostProductConfigs.cloudAccountMapping}} apiVersion: v1 kind: ConfigMap metadata: name: {{ default "app-configs" .Values.appConfigmapName }} namespace: {{ .Release.Namespace }} - labels: - {{ include "cost-analyzer.commonLabels" . | nindent 4 }} + labels: {{ include "cost-analyzer.commonLabels" . | nindent 4 }} data: {{- if .Values.kubecostProductConfigs.labelMappingConfigs }} {{- if .Values.kubecostProductConfigs.labelMappingConfigs.enabled }} {{- if .Values.kubecostProductConfigs.labelMappingConfigs.owner_label }} - owner_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.owner_label }}" + owner_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.owner_label }}" {{- end -}} {{- if .Values.kubecostProductConfigs.labelMappingConfigs.team_label }} - team_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.team_label }}" + team_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.team_label }}" {{- end -}} {{- if .Values.kubecostProductConfigs.labelMappingConfigs.department_label }} - department_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.department_label }}" + department_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.department_label }}" {{- end -}} {{- if .Values.kubecostProductConfigs.labelMappingConfigs.product_label }} - product_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.product_label }}" + product_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.product_label }}" {{- end -}} {{- if .Values.kubecostProductConfigs.labelMappingConfigs.environment_label }} - environment_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.environment_label }}" + environment_label: "{{ 
.Values.kubecostProductConfigs.labelMappingConfigs.environment_label }}" {{- end -}} {{- if .Values.kubecostProductConfigs.labelMappingConfigs.namespace_external_label }} - namespace_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.namespace_external_label }}" + namespace_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.namespace_external_label }}" {{- end -}} {{- if .Values.kubecostProductConfigs.labelMappingConfigs.cluster_external_label }} - cluster_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.cluster_external_label }}" + cluster_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.cluster_external_label }}" {{- end -}} {{- if .Values.kubecostProductConfigs.labelMappingConfigs.controller_external_label }} - controller_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.controller_external_label }}" + controller_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.controller_external_label }}" {{- end -}} {{- if .Values.kubecostProductConfigs.labelMappingConfigs.product_external_label }} - product_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.product_external_label }}" + product_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.product_external_label }}" {{- end -}} {{- if .Values.kubecostProductConfigs.labelMappingConfigs.service_external_label }} - service_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.service_external_label }}" + service_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.service_external_label }}" {{- end -}} {{- if .Values.kubecostProductConfigs.labelMappingConfigs.deployment_external_label }} - deployment_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.deployment_external_label }}" + deployment_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.deployment_external_label }}" {{- end -}} 
{{- if .Values.kubecostProductConfigs.labelMappingConfigs.team_external_label }} - team_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.team_external_label }}" + team_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.team_external_label }}" {{- end -}} {{- if .Values.kubecostProductConfigs.labelMappingConfigs.environment_external_label }} - environment_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.environment_external_label }}" + environment_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.environment_external_label }}" {{- end -}} {{- if .Values.kubecostProductConfigs.labelMappingConfigs.department_external_label }} - department_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.department_external_label }}" + department_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.department_external_label }}" {{- end -}} {{- if .Values.kubecostProductConfigs.labelMappingConfigs.statefulset_external_label }} - statefulset_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.statefulset_external_label }}" + statefulset_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.statefulset_external_label }}" {{- end -}} {{- if .Values.kubecostProductConfigs.labelMappingConfigs.daemonset_external_label }} - daemonset_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.daemonset_external_label }}" + daemonset_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.daemonset_external_label }}" {{- end -}} {{- if .Values.kubecostProductConfigs.labelMappingConfigs.pod_external_label }} - pod_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.pod_external_label }}" + pod_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.pod_external_label }}" {{- end -}} {{- if .Values.kubecostProductConfigs.labelMappingConfigs.owner_external_label }} - 
owner_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.owner_external_label }}" + owner_external_label: "{{ .Values.kubecostProductConfigs.labelMappingConfigs.owner_external_label }}" {{- end -}} {{- end -}} {{- end -}} {{- if .Values.kubecostProductConfigs.grafanaURL }} - grafanaURL: "{{ .Values.kubecostProductConfigs.grafanaURL }}" + grafanaURL: "{{ .Values.kubecostProductConfigs.grafanaURL }}" {{- end -}} {{- end -}} {{- end -}} diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-service-template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-service-template.yaml index ab7e469b0..662d0122f 100644 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-service-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-service-template.yaml @@ -1,6 +1,4 @@ {{- if and (not .Values.agent) (not .Values.cloudAgent) }} -{{- $nginxPort := .Values.service.targetPort | default 9090 -}} -{{- $servicePort := .Values.service.port | default 9090 -}} kind: Service apiVersion: v1 metadata: 
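Review bot: Adding `.Values.kubecostProductConfigs.cloudAccountMapping` to the `or` makes the ConfigMap render when only that value is set, but nothing under `data:` in this file emits a key for it, so the result is a ConfigMap with empty data. If that is intentional, add a short template comment above the condition saying what the empty ConfigMap is for; otherwise the key that carries the mapping is missing. While these lines are being re-indented, `owner_label: {{ .Values.kubecostProductConfigs.labelMappingConfigs.owner_label | quote }}` (and likewise for the other keys) is safer than hand-written quotes around the action, because a value containing `"` otherwise breaks the rendered YAML.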
@@ -31,34 +29,19 @@ spec: - name: tcp-model port: 9003 targetPort: 9003 + {{- with .Values.kubecostModel.extraPorts }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if .Values.kubecostFrontend.enabled }} - name: tcp-frontend - {{- if .Values.kubecostFrontend.tls }} - {{- if .Values.kubecostFrontend.tls.enabled }} - port: 443 - targetPort: 443 {{- if (eq .Values.service.type "NodePort") }} {{- if .Values.service.nodePort }} nodePort: {{ .Values.service.nodePort }} {{- end }} {{- end }} - {{- else }} - port: {{ $servicePort }} - targetPort: {{ $nginxPort }} - {{- if (eq .Values.service.type "NodePort") }} - {{- if .Values.service.nodePort }} - nodePort: {{ .Values.service.nodePort }} - {{- end }} - {{- end }} - {{- end}} - {{- else }} - port: {{ $servicePort }} - targetPort: {{ $nginxPort }} - {{- if (eq .Values.service.type "NodePort") }} - {{- if .Values.service.nodePort }} - nodePort: {{ .Values.service.nodePort }} - {{- end }} - {{- end }} - {{- end }} + port: {{ .Values.service.port }} + targetPort: {{ .Values.service.targetPort }} + {{- end }} {{- if .Values.saml }} {{- if .Values.saml.enabled }} - name: apiserver @@ -73,4 +56,14 @@ spec: targetPort: 9004 {{- end }} {{- end }} +{{- if .Values.service.sessionAffinity.enabled }} + sessionAffinity: ClientIP + {{- if .Values.service.sessionAffinity.timeoutSeconds }} + sessionAffinityConfig: + clientIP: + timeoutSeconds: {{ .Values.service.sessionAffinity.timeoutSeconds }} + {{- end }} +{{- else }} + sessionAffinity: None +{{- end }} {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/diagnostics-deployment.yaml b/charts/kubecost/cost-analyzer/templates/diagnostics-deployment.yaml new file mode 100644 index 000000000..5a5ae3cbf --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/diagnostics-deployment.yaml 
@@ -0,0 +1,182 @@ +{{- if .Values.diagnostics.enabled }} +{{- if or .Values.global.thanos.enabled (not (empty .Values.kubecostModel.federatedStorageConfigSecret )) -}} + +{{- if eq .Values.prometheus.server.global.external_labels.cluster_id "cluster-one" }} +{{- fail "Error: The 'cluster_id' is set to default 'cluster-one'. Please update so that the diagnostics service can uniquely identify data coming from this cluster." }} +{{- end }} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "diagnostics.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "diagnostics.selectorLabels" . | nindent 4 }} + {{- if and .Values.diagnostics .Values.diagnostics.labels }} + {{- toYaml .Values.diagnostics.labels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + {{- include "diagnostics.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "diagnostics.selectorLabels" . | nindent 8 }} + annotations: + # Generates a unique annotation upon each `helm upgrade`, forcing a redeployment + helm.sh/pod-restarter: {{ randNumeric 3 | quote}} + {{- with .Values.global.podAnnotations}} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Always + {{- if .Values.diagnostics.securityContext }} + securityContext: + {{- toYaml .Values.diagnostics.securityContext | nindent 8 }} + {{- else if .Values.global.securityContext }} + securityContext: + {{- toYaml .Values.global.securityContext | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "cost-analyzer.serviceAccountName" . 
}} + volumes: + {{- if .Values.kubecostModel.federatedStorageConfigSecret }} + - name: federated-storage-config + secret: + defaultMode: 420 + secretName: {{ .Values.kubecostModel.federatedStorageConfigSecret }} + {{- else if .Values.global.thanos.enabled }} + - name: federated-storage-config + secret: + defaultMode: 420 + secretName: {{ .Values.thanos.storeSecretName }} + items: + - key: object-store.yaml + path: federated-store.yaml + {{- end }} + - name: config-db + {{- /* #TODO: make pv? */}} + emptyDir: {} + containers: + - name: diagnostics + args: ["diagnostics"] + {{- if .Values.kubecostModel }} + {{- if .Values.kubecostModel.openSourceOnly }} + image: quay.io/kubecost1/kubecost-cost-model:{{ .Values.imageVersion }} + {{- else if .Values.kubecostModel.fullImageName }} + image: {{ .Values.kubecostModel.fullImageName }} + {{- else if .Values.imageVersion }} + image: {{ .Values.kubecostModel.image }}:{{ .Values.imageVersion }} + {{- else }} + image: {{ .Values.kubecostModel.image }}:prod-{{ $.Chart.AppVersion }} + {{- end }} + {{- else }} + image: gcr.io/kubecost1/cost-model:prod-{{ $.Chart.AppVersion }} + {{- end }} + {{- if .Values.kubecostModel.imagePullPolicy }} + imagePullPolicy: {{ .Values.kubecostModel.imagePullPolicy }} + {{- else }} + imagePullPolicy: Always + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{ toYaml .Values.imagePullSecrets | indent 2 }} + {{- end }} + {{- if .Values.diagnostics.containerSecurityContext }} + securityContext: + {{- toYaml .Values.diagnostics.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: + {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} + volumeMounts: + - name: config-db + mountPath: /var/configs/db + readOnly: false + - name: federated-storage-config + mountPath: /var/configs/etl + readOnly: true + env: + {{- if and (.Values.prometheus.server.global.external_labels.cluster_id) (not 
.Values.prometheus.server.clusterIDConfigmap) }} + - name: CLUSTER_ID + value: {{ .Values.prometheus.server.global.external_labels.cluster_id }} + {{- end }} + {{- if .Values.prometheus.server.clusterIDConfigmap }} + - name: CLUSTER_ID + valueFrom: + configMapKeyRef: + name: {{ .Values.prometheus.server.clusterIDConfigmap }} + key: CLUSTER_ID + {{- end }} + - name: FEDERATED_STORE_CONFIG + value: /var/configs/etl/federated-store.yaml + - name: DIAGNOSTICS_KUBECOST_FQDN + value: {{ template "cost-analyzer.serviceName" . }} + - name: DIAGNOSTICS_KUBECOST_NAMESPACE + value: {{ .Release.Namespace }} + - name: DIAGNOSTICS_POLLING_INTERVAL + value: {{ .Values.diagnostics.pollingInterval | default "300s" }} + - name: DIAGNOSTICS_PRIMARY + {{- if .Values.diagnostics.isDiagnosticsPrimary.enabled }} + value: "true" + {{- else }} + value: "false" + {{- end }} + - name: DIAGNOSTICS_COLLECT_HELM_VALUES + {{- if and .Values.reporting.valuesReporting .Values.diagnostics.collectHelmValues }} + value: "true" + {{- else }} + value: "false" + {{- end }} + - name: DIAGNOSTICS_KEEP_HISTORY + {{- if .Values.diagnostics.keepDiagnosticHistory }} + value: "true" + {{- else }} + value: "false" + {{- end }} + {{- if .Values.systemProxy.enabled }} + - name: HTTP_PROXY + value: {{ .Values.systemProxy.httpProxyUrl }} + - name: http_proxy + value: {{ .Values.systemProxy.httpProxyUrl }} + - name: HTTPS_PROXY + value: {{ .Values.systemProxy.httpsProxyUrl }} + - name: https_proxy + value: {{ .Values.systemProxy.httpsProxyUrl }} + - name: NO_PROXY + value: {{ .Values.systemProxy.noProxy }} + - name: no_proxy + value: {{ .Values.systemProxy.noProxy }} + {{- end }} + {{- range $key, $value := .Values.diagnostics.env }} + - name: {{ $key | quote }} + value: {{ $value | quote }} + {{- end }} + {{- /* TODO: heatlhcheck that validates the diagnotics pod is healthy */}} + {{- if .Values.diagnostics.isDiagnosticsPrimary.enabled}} + readinessProbe: + httpGet: + path: /healthz + port: 9007 + ports: + - name: 
diagnostics-api + containerPort: 9007 + protocol: TCP + {{- end }} + resources: + {{- toYaml .Values.diagnostics.resources | nindent 12 }} + {{- with .Values.diagnostics.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.diagnostics.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.diagnostics.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/templates/diagnostics-service.yaml b/charts/kubecost/cost-analyzer/templates/diagnostics-service.yaml new file mode 100644 index 000000000..ae3937cec --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/diagnostics-service.yaml @@ -0,0 +1,22 @@ +{{- if .Values.diagnostics.isDiagnosticsPrimary.enabled }} +{{- if .Values.diagnostics.enabled }} +{{- if or .Values.global.thanos.enabled (not (empty .Values.kubecostModel.federatedStorageConfigSecret )) -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "diagnostics.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "diagnostics.selectorLabels" . | nindent 4 }} +spec: + ports: + - name: diagnostics-api + protocol: TCP + port: 9007 + targetPort: diagnostics-api + selector: + {{- include "diagnostics.selectorLabels" . | nindent 4 }} + type: ClusterIP +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/templates/federator-deployment-template.yaml b/charts/kubecost/cost-analyzer/templates/federator-deployment-template.yaml index 095644355..f77726770 100644 --- a/charts/kubecost/cost-analyzer/templates/federator-deployment-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/federator-deployment-template.yaml 
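Review bot: Several `env` values in the diagnostics Deployment are rendered unquoted (`CLUSTER_ID`, `DIAGNOSTICS_KUBECOST_NAMESPACE`, `DIAGNOSTICS_POLLING_INTERVAL` and the six proxy variables), so a value that YAML reads as a number, boolean or null, such as an all-digit `cluster_id` or an empty `noProxy`, is rejected because `env[].value` must be a string. Pipe them through `quote` as the `diagnostics.env` loop already does, e.g. `value: {{ .Values.prometheus.server.global.external_labels.cluster_id | quote }}`. The pod also runs under `cost-analyzer.serviceAccountName` and gets no `securityContext` unless values supply one; if the container needs no Kubernetes API access (not determinable from this template), `automountServiceAccountToken: false` and a restrictive default context would be cheap hardening. `helm.sh/pod-restarter: {{ randNumeric 3 | quote }}` makes every render differ, which GitOps tooling will report as permanent drift; a checksum annotation over the relevant configuration is the usual alternative.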
@@ -24,7 +24,10 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: - {{- if .Values.global.securityContext }} + {{- if and .Values.global.platforms.openshift.enabled .Values.global.platforms.openshift.securityContext }} + securityContext: + {{- toYaml .Values.global.platforms.openshift.securityContext | nindent 8 }} + {{- else if .Values.global.securityContext }} securityContext: {{- toYaml .Values.global.securityContext | nindent 8 }} {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/kubecost-cluster-controller-template.yaml b/charts/kubecost/cost-analyzer/templates/kubecost-cluster-controller-template.yaml index beabc38d7..78a75700c 100644 --- a/charts/kubecost/cost-analyzer/templates/kubecost-cluster-controller-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/kubecost-cluster-controller-template.yaml @@ -233,6 +233,10 @@ spec: metadata: labels: app: {{ template "kubecost.clusterControllerName" . }} + {{- with .Values.global.podAnnotations}} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} spec: {{- if .Values.clusterController.priorityClassName }} priorityClassName: "{{ .Values.clusterController.priorityClassName }}" diff --git a/charts/kubecost/cost-analyzer/templates/network-costs-role.template.yaml b/charts/kubecost/cost-analyzer/templates/network-costs-role.template.yaml index 4d6840e43..1376b66a4 100644 --- a/charts/kubecost/cost-analyzer/templates/network-costs-role.template.yaml +++ b/charts/kubecost/cost-analyzer/templates/network-costs-role.template.yaml 
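Review bot: In the federator pod `spec`, the new first branch makes `global.platforms.openshift.securityContext` win over an explicitly set `global.securityContext` whenever OpenShift is enabled, and nothing in the template or the values comment says so. The query-service deployment in this same commit uses a different order (its own `securityContext`, then the OpenShift one, then global), so the two components resolve the same values differently. I would add a template comment above the `if`, for example `{{- /* precedence: platforms.openshift.securityContext, then global.securityContext */}}`, so an operator who hardened `global.securityContext` knows it is ignored on OpenShift. The pod spec continues outside the hunk.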
@@ -10,13 +10,16 @@ metadata: labels: {{ include "cost-analyzer.commonLabels" . | nindent 4 }} annotations: -{{- if .Values.networkCosts.podSecurityPolicy.annotations }} -{{ toYaml .Values.networkCosts.podSecurityPolicy.annotations | indent 4 }} -{{- end }} + {{- with .Values.networkCosts.podSecurityPolicy.annotations }} + {{ toYaml . | indent 4 }} + {{- end }} rules: -- apiGroups: ['extensions'] - resources: ['podsecuritypolicies'] - verbs: ['use'] +- apiGroups: + - extensions + resources: + - podsecuritypolicies + verbs: + - use resourceNames: - {{ template "cost-analyzer.fullname" . }}-network-costs {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/network-costs-rolebinding.template.yaml b/charts/kubecost/cost-analyzer/templates/network-costs-rolebinding.template.yaml index 890f67208..4992407a3 100644 --- a/charts/kubecost/cost-analyzer/templates/network-costs-rolebinding.template.yaml +++ b/charts/kubecost/cost-analyzer/templates/network-costs-rolebinding.template.yaml @@ -5,14 +5,14 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "cost-analyzer.fullname" . }}-network-costs - namespace: {{ .Release.Namespace }} - labels: - {{ include "cost-analyzer.commonLabels" . | nindent 6 }} + name: {{ template "cost-analyzer.fullname" . }}-network-costs + namespace: {{ .Release.Namespace }} + labels: + {{ include "cost-analyzer.commonLabels" . | nindent 6 }} roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "cost-analyzer.fullname" . }}-network-costs + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "cost-analyzer.fullname" . }}-network-costs subjects: - kind: ServiceAccount name: {{ template "cost-analyzer.serviceAccountName" . }} diff --git a/charts/kubecost/cost-analyzer/templates/query-service-deployment-template.yaml b/charts/kubecost/cost-analyzer/templates/query-service-deployment-template.yaml index 06188ff9a..c36565b3a 100644 
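Review bot: The added `{{ toYaml . | indent 4 }}` line in the Role's `annotations:` block is now itself indented inside the `with`, so the first annotation key is emitted at the template line's leading whitespace plus four spaces, while every following key gets exactly four. With more than one entry in `networkCosts.podSecurityPolicy.annotations` that gives inconsistent indentation, and the rendered manifest will either fail to parse or nest incorrectly. The exact column is lost in this rendering, but the `+` line clearly carries leading whitespace where the removed line had none. Using `{{- toYaml . | nindent 4 }}` keeps all keys aligned regardless of how the template line is indented.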
--- a/charts/kubecost/cost-analyzer/templates/query-service-deployment-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/query-service-deployment-template.yaml @@ -47,6 +47,9 @@ spec: {{- if .Values.kubecostDeployment.queryService.securityContext }} securityContext: {{- toYaml .Values.kubecostDeployment.queryService.securityContext | nindent 8 }} + {{- else if and (.Values.global.platforms.openshift.enabled) (.Values.global.platforms.openshift.securityContext) }} + securityContext: + {{- toYaml .Values.global.platforms.openshift.securityContext | nindent 8 }} {{- else if .Values.global.securityContext }} securityContext: {{- toYaml .Values.global.securityContext | nindent 8 }} @@ -72,18 +75,6 @@ spec: {{- if .Values.kubecostDeployment.queryService.extraVolumes }} {{- toYaml .Values.kubecostDeployment.queryService.extraVolumes | nindent 8 }} {{- end }} - initContainers: - - name: config-db-perms-fix - image: {{ .Values.kubecostDeployment.queryService.initImage.repository | default "busybox"}}:{{ .Values.kubecostDeployment.queryService.initImage.tag | default "stable"}} - imagePullPolicy: {{ .Values.kubecostDeployment.queryService.initImage.pullPolicy | default "IfNotPresent"}} - command: ["sh", "-c", "/bin/chmod -R 777 /var/configs && /bin/chmod -R 777 /var/db"] - volumeMounts: - - name: persistent-configs - mountPath: /var/configs - - name: database-storage - mountPath: /var/db - securityContext: - runAsUser: 0 containers: - name: query-service {{- if .Values.kubecostModel }} @@ -118,6 +109,9 @@ spec: - name: tcp-model containerPort: 9003 protocol: TCP + {{- with .Values.kubecostDeployment.queryService.extraPorts }} + {{- toYaml . | nindent 12 }} + {{- end }} resources: {{- toYaml .Values.kubecostDeployment.queryService.resources | nindent 12 }} volumeMounts: 
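Review bot: The `extraPorts` block added under the container `ports:` in the third hunk dumps the whole list with `toYaml`, and the same list is dumped into the Service `ports:` in query-service-service-template.yaml. The example entry in values.yaml carries `port`, `targetPort` and `containerPort` together, but a container port has no `port` or `targetPort` field and a Service port has no `containerPort`, so each object receives fields it does not define and may be rejected by schema validation. Rendering the fields explicitly avoids that, as sketched below for the container side, with `port` and `targetPort` handled the same way in the Service. Since the documented use is a debug port, values.yaml should also say that setting it makes the port reachable by anything that can reach the Service.

```yaml
            # … unchanged: tcp-model port …
            {{- range .Values.kubecostDeployment.queryService.extraPorts }}
            - name: {{ .name }}
              containerPort: {{ .containerPort }}
            {{- end }}
```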
diff --git a/charts/kubecost/cost-analyzer/templates/query-service-service-account-template.yaml b/charts/kubecost/cost-analyzer/templates/query-service-service-account-template.yaml index b03ed6836..e93bf6014 100644 --- a/charts/kubecost/cost-analyzer/templates/query-service-service-account-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/query-service-service-account-template.yaml @@ -1,6 +1,6 @@ {{- if and (not .Values.agent) (not .Values.cloudAgent) (.Values.kubecostDeployment) (.Values.kubecostDeployment.queryServiceReplicas) }} {{- if gt (.Values.kubecostDeployment.queryServiceReplicas | toString | atoi) 0 }} -{{- if .Values.serviceAccount.create }} +{{- if .Values.kubecostDeployment.queryService.serviceAccount.create }} apiVersion: v1 kind: ServiceAccount metadata: @@ -8,7 +8,7 @@ metadata: namespace: {{ .Release.Namespace }} labels: {{ include "query-service.commonLabels" . | nindent 4 }} -{{- with .Values.serviceAccount.annotations }} +{{- with .Values.kubecostDeployment.queryService.serviceAccount.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/query-service-service-template.yaml b/charts/kubecost/cost-analyzer/templates/query-service-service-template.yaml index 8df515707..160afc034 100644 --- a/charts/kubecost/cost-analyzer/templates/query-service-service-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/query-service-service-template.yaml @@ -15,5 +15,8 @@ spec: - name: tcp-query-service port: 9003 targetPort: 9003 + {{- with .Values.kubecostDeployment.queryService.extraPorts }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} {{- end }} diff --git a/charts/kubecost/cost-analyzer/values-agent.yaml b/charts/kubecost/cost-analyzer/values-agent.yaml index 4f790b455..2f46281dd 100644 --- a/charts/kubecost/cost-analyzer/values-agent.yaml +++ b/charts/kubecost/cost-analyzer/values-agent.yaml 
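Review bot: The guard on the query-service ServiceAccount now reads `kubecostDeployment.queryService.serviceAccount.create`, whose new default in values.yaml is `true`, so a release that set the top-level `serviceAccount.create: false` to bring its own account will get a chart-created one after upgrade. The second hunk makes the same switch for annotations, so anything set on `serviceAccount.annotations` (workload-identity bindings are commonly placed there) no longer reaches this account. Neither change is mentioned next to the new keys; I would add a comment in values.yaml such as `# does not inherit serviceAccount.create / serviceAccount.annotations`. If the old behaviour should hold, fall back with `{{- with (.Values.kubecostDeployment.queryService.serviceAccount.annotations | default .Values.serviceAccount.annotations) }}`. The `name:` line of the template is outside the hunk, so whether the account name follows the new key cannot be confirmed here.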
@@ -88,7 +88,7 @@ prometheus: enableAdminApi: true sidecarContainers: - name: thanos-sidecar - image: thanosio/thanos:v0.29.0 + image: thanosio/thanos:v0.32.5 securityContext: runAsNonRoot: true runAsUser: 1001 diff --git a/charts/kubecost/cost-analyzer/values-eks-cost-monitoring.yaml b/charts/kubecost/cost-analyzer/values-eks-cost-monitoring.yaml index d68b95675..71bcc2614 100644 --- a/charts/kubecost/cost-analyzer/values-eks-cost-monitoring.yaml +++ b/charts/kubecost/cost-analyzer/values-eks-cost-monitoring.yaml @@ -7,7 +7,7 @@ pricingCsv: enabled: false location: provider: "AWS" - region: "us-east-1" + region: "us-east-1" URI: s3://kc-csv-test/pricing_schema.csv # a valid file URI csvAccessCredentials: pricing-schema-access-secret @@ -46,7 +46,7 @@ kubecostFrontend: #limits: # cpu: "100m" # memory: "256Mi" - + kubecostModel: image: public.ecr.aws/kubecost/cost-model imagePullPolicy: Always @@ -151,8 +151,8 @@ prometheus: ## configmap-reload container image ## image: - repository: public.ecr.aws/bitnami/configmap-reload - tag: 0.7.1 + repository: public.ecr.aws/kubecost/prometheus-config-reloader + tag: v0.69.1 pullPolicy: IfNotPresent ## Additional configmap-reload container arguments ## @@ -172,7 +172,7 @@ prometheus: ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ ## resources: {} - + kube-state-metrics: disabled: false nodeExporter: diff --git a/charts/kubecost/cost-analyzer/values-openshift.yaml b/charts/kubecost/cost-analyzer/values-openshift.yaml new file mode 100644 index 000000000..7c8ea13b3 --- /dev/null +++ b/charts/kubecost/cost-analyzer/values-openshift.yaml 
@@ -0,0 +1,25 @@ +global: + # Platforms is a higher-level abstraction for platform-specific values and settings. + platforms: + # Deploying to OpenShift (OCP) requires enabling this option. + openshift: + enabled: true # Deploy Kubecost to OpenShift. + route: + enabled: false # Create an OpenShift Route. + annotations: {} # Add annotations to the Route. + # host: kubecost.apps.okd4.example.com # Add a custom host for your Route. + # Create Security Context Constraint resources for the DaemonSets requiring additional privileges. + scc: + nodeExporter: false # Creates an SCC for Prometheus Node Exporter. This requires Node Exporter be enabled. + networkCosts: false # Creates an SCC for Kubecost network-costs. This requires network-costs be enabled. + # When OpenShift is enabled, the following securityContext will be applied to all resources unless they define their own. + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + +# networkCosts: +# enabled: true # Enable network costs. +# prometheus: +# nodeExporter: +# enabled: true # Enable Prometheus Node Exporter. diff --git a/charts/kubecost/cost-analyzer/values-thanos.yaml b/charts/kubecost/cost-analyzer/values-thanos.yaml index b48c53e70..cc7a32b68 100644 --- a/charts/kubecost/cost-analyzer/values-thanos.yaml +++ b/charts/kubecost/cost-analyzer/values-thanos.yaml @@ -17,9 +17,10 @@ prometheus: storage.tsdb.min-block-duration: 2h storage.tsdb.max-block-duration: 2h storage.tsdb.retention: 2w - securityContext: - runAsNonRoot: true - runAsUser: 1001 + # these were previously being set by default. + # securityContext: + # runAsNonRoot: true + # runAsUser: 1001 extraVolumes: - name: object-store-volume secret: 
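Review bot: Commenting out the `securityContext` blocks in values-thanos.yaml removes `runAsNonRoot: true` and `runAsUser: 1001` from the Prometheus server here and, in the next hunk, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `drop: ALL` from the thanos-sidecar container. The replacement comment `# these were previously being set by default.` does not say where those settings come from now, and values-agent.yaml in this same commit still keeps a `securityContext` on its sidecar. Unless the chart defaults supply equivalent values for sidecar containers, which this diff does not show, the sidecar loses its hardening whenever this preset is used. I would either keep the blocks or reword the comment to name the default that replaces them, e.g. `# now inherited from <values key that sets this>`.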
@@ -28,13 +29,14 @@ prometheus: enableAdminApi: true sidecarContainers: - name: thanos-sidecar - image: thanosio/thanos:v0.29.0 - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL + image: thanosio/thanos:v0.32.5 + # these were previously being set by default. + # securityContext: + # allowPrivilegeEscalation: false + # readOnlyRootFilesystem: true + # capabilities: + # drop: + # - ALL args: - sidecar - --log.level=debug diff --git a/charts/kubecost/cost-analyzer/values.yaml b/charts/kubecost/cost-analyzer/values.yaml index cb2d57d82..bffabcacf 100644 --- a/charts/kubecost/cost-analyzer/values.yaml +++ b/charts/kubecost/cost-analyzer/values.yaml @@ -45,9 +45,9 @@ global: # Amazon Managed Service for Prometheus amp: - enabled: false # If true, kubecost will be configured to remote_write and query from Amazon Managed Service for Prometheus. - prometheusServerEndpoint: https://localhost:8085/workspaces// # The prometheus service endpoint used by kubecost. The calls are forwarded through the SigV4Proxy side car to the AMP workspace. - remoteWriteService: https://aps-workspaces.us-west-2.amazonaws.com/workspaces//api/v1/remote_write # The remote_write endpoint for the AMP workspace. + enabled: false # If true, kubecost will be configured to remote_write and query from Amazon Managed Service for Prometheus. + prometheusServerEndpoint: http://localhost:8005/workspaces// # The prometheus service endpoint used by kubecost. The calls are forwarded through the SigV4Proxy side car to the AMP workspace. + remoteWriteService: https://aps-workspaces.us-west-2.amazonaws.com/workspaces//api/v1/remote_write # The remote_write endpoint for the AMP workspace. sigv4: region: us-west-2 # access_key: ACCESS_KEY # AWS Access key 
@@ -148,12 +148,11 @@ global: chartDisplay: "category" idle: "separate" rate: "cumulative" - accumulate: false # daily resolution - filters: - - property: "cluster" - value: "cluster-one,cluster*" # supports wildcard filtering and multiple comma separated values - - property: "namespace" - value: "kubecost" + accumulate: false # daily resolution + filters: # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api + - key: "cluster" # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api#allocation-apis-request-sizing-v2-api + operator: ":" # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api#filter-operators + value: "dev" - title: "Example Saved Report 1" window: "month" aggregateBy: "controllerKind" @@ -161,10 +160,9 @@ global: idle: "share" rate: "monthly" accumulate: false - filters: - - property: "label" - value: "app:cost*,environment:kube*" - - property: "namespace" + filters: # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api + - key: "namespace" # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api#allocation-apis-request-sizing-v2-api + operator: "!:" # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api#filter-operators value: "kubecost" - title: "Example Saved Report 2" window: "2020-11-11T00:00:00Z,2020-12-09T23:59:59Z" @@ -196,9 +194,10 @@ global: - title: "Example Advanced Report 0" window: "7d" aggregateBy: "namespace" - filters: - - property: "cluster" - value: "cluster-one" + filters: # same as allocation api filters Ref: https://docs.kubecost.com/apis/apis-overview/filters-api + - key: "cluster" # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api#allocation-apis-request-sizing-v2-api + operator: ":" # Ref: https://docs.kubecost.com/apis/apis-overview/filters-api#filter-operators + value: "dev" cloudBreakdown: "service" cloudJoin: "label:kubernetes_namespace" 
@@ -235,6 +234,25 @@ global: drop: - ALL + # Platforms is a higher-level abstraction for platform-specific values and settings. + platforms: + # Deploying to OpenShift (OCP) requires enabling this option. + openshift: + enabled: false # Deploy Kubecost to OpenShift. + route: + enabled: false # Create an OpenShift Route. + annotations: {} # Add annotations to the Route. + # host: kubecost.apps.okd4.example.com # Add a custom host for your Route. + # Create Security Context Constraint resources for the DaemonSets requiring additional privileges. + scc: + nodeExporter: false # Creates an SCC for Prometheus Node Exporter. This requires Node Exporter be enabled. + networkCosts: false # Creates an SCC for Kubecost network-costs. This requires network-costs be enabled. + # When OpenShift is enabled, the following securityContext will be applied to all resources unless they define their own. + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + # generated at http://kubecost.com/install, used for alerts tracking and free trials kubecostToken: # "" @@ -349,6 +367,14 @@ kubecostFrontend: # limits: # cpu: "100m" # memory: "256Mi" + # Define a readiness probe for the Kubecost frontend container. + readinessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + failureThreshold: 200 + + # Define a liveness probe for the Kubecost frontend container. livenessProbe: enabled: true initialDelaySeconds: 30 
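Review bot: The new `readinessProbe` defaults for the frontend copy the liveness values, including `failureThreshold: 200` with `periodSeconds: 10`, so a container that stops answering stays in the Service endpoints for roughly 33 minutes before it is marked unready. The same block is added for the cost-model container in the `kubecostModel` hunk, which also flips `livenessProbe.enabled` from `false` to `true`. A readiness threshold is normally a handful of failures; `failureThreshold: 3` would take the pod out of rotation promptly, while the large value can stay on the liveness probe to avoid restarts during slow startup. The templates that consume these values are outside this hunk.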
@@ -356,14 +382,15 @@ kubecostFrontend: failureThreshold: 200 ipv6: enabled: true # disable if the cluster does not support ipv6 + # timeoutSeconds: 600 # should be rarely used, but can be increased if needed # allow customizing nginx-conf server block # extraServerConfig: |- # proxy_busy_buffers_size 512k; # proxy_buffers 4 512k; # proxy_buffer_size 256k; # large_client_header_buffers 4 64k; - # hideDiagnostics: false # used if the primary is not monitored. Supported in limited environments. - + # hideDiagnostics: false # useful if the primary is not monitored. Supported in limited environments. + # hideOrphanedResources: false # OrphanedResources works on the primary-cluster's cloud-provider only. # api: # fqdn: kubecost-api.kubecost.svc.cluster.local:9001 # model: @@ -432,6 +459,8 @@ sigV4Proxy: # value: # - name: AWS_SECRET_ACCESS_KEY # value: + # Optional resource requests and limits for the sigV4proxy container. + resources: {} kubecostModel: image: "gcr.io/kubecost1/cost-model" @@ -507,13 +536,29 @@ kubecostModel: # limits: # cpu: "800m" # memory: "256Mi" + + # Define a readiness probe for the Kubecost cost-model container. + readinessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + failureThreshold: 200 + + # Define a liveness probe for the Kubecost cost-model container. livenessProbe: - enabled: false + enabled: true initialDelaySeconds: 30 periodSeconds: 10 failureThreshold: 200 extraArgs: [] + # Optional. A list of extra environment variables to be added to the cost-model container. + # extraEnv: [] + # - name: LOG_LEVEL + # value: trace + # - name: LOG_FORMAT + # value: json + # creates an ingress directly to the model container, for API access ingress: enabled: false 
@@ -532,6 +577,13 @@ kubecostModel: # - secretName: cost-analyzer-model-tls # hosts: # - cost-analyzer-model.local + utcOffset: "+00:00" + # Optional - add extra ports to the cost-model container. For kubecost development purposes only - not recommended for users. + extraPorts: [] + # - name: debug + # port: 40000 + # targetPort: 40000 + # containerPort: 40000 # etlUtils is a utility currently used by Kubecost internal support to implement specific functionality related to Thanos conversion. etlUtils: @@ -620,7 +672,7 @@ extraVolumes: [] ## extraVolumeMounts: [] -# Define persistence volume for cost-analyzer, more information at https://github.com/kubecost/docs/blob/main/storage.md +# Define persistence volume for cost-analyzer, more information at https://docs.kubecost.com/install-and-configure/install/storage persistentVolume: size: 32Gi dbSize: 32.0Gi @@ -637,6 +689,9 @@ service: # nodePort: labels: {} annotations: {} + sessionAffinity: + enabled: false # Makes sure that connections from a client are passed to the same Pod each time, when set to `true`. You should set it when you enabled authentication through OIDC or SAML integration. + timeoutSeconds: 10800 # Enabling long-term durable storage with Postgres requires an enterprise license remoteWrite: @@ -721,6 +776,9 @@ prometheus: nodeExporter: enabled: true + # rbac: + # create: true # Create the RBAC resources for Prometheus Node Exporter. + ## Default disabled since Kubecost already emits KSMv1 metrics. ## Ref: https://docs.kubecost.com/architecture/ksm-metrics kubeStateMetrics: @@ -783,7 +841,8 @@ networkCosts: enabled: false podSecurityPolicy: enabled: false - image: gcr.io/kubecost1/kubecost-network-costs:v0.17.1 + # annotations: {} # Add annotations to the PodSecurityPolicy for network-costs. + image: gcr.io/kubecost1/kubecost-network-costs:v0.17.2 imagePullPolicy: Always updateStrategy: type: RollingUpdate 
@@ -938,14 +997,18 @@ kubecostDeployment: ## queryServiceReplicas: 0 queryService: - securityContext: - runAsGroup: 1001 - runAsUser: 1001 - fsGroup: 1001 - fsGroupChangePolicy: OnRootMismatch - runAsNonRoot: false - seccompProfile: - type: RuntimeDefault + serviceAccount: + create: true + annotations: {} + # name: kc-qs-test + securityContext: {} # Define a custom securityContext for the query service. This will take the highest precedence. + # runAsGroup: 1001 + # runAsUser: 1001 + # fsGroup: 1001 + # fsGroupChangePolicy: OnRootMismatch + # runAsNonRoot: false + # seccompProfile: + # type: RuntimeDefault containerSecurityContext: allowPrivilegeEscalation: true readOnlyRootFilesystem: false @@ -964,11 +1027,17 @@ kubecostDeployment: databaseVolumeSize: 100Gi configVolumeSize: 1Gi initImage: {} + # Optional - add extra ports to the query service container. For kubecost development purposes only - not recommended for users. + extraPorts: [] + # - name: debug + # port: 40000 + # targetPort: 40000 + # containerPort: 40000 ## The Kubecost Aggregator is a high scale implementation of Kubecost intended ## for large datasets and/or high query load. At present, this should only be ## enabled when recommended by Kubecost staff. -## +## kubecostAggregator: enabled: false replicas: 1 @@ -999,6 +1068,9 @@ kubecostAggregator: # default storage class storageClass: "" storageRequest: 128Gi + # extraEnv: + # - name: SOME_VARIABLE + # value: "some_value" # securityContext: # runAsGroup: 1001 # runAsUser: 1001 
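Review bot: With `queryService.securityContext` now defaulting to `{}`, the query-service pod no longer gets `fsGroup: 1001`, `fsGroupChangePolicy` or `seccompProfile: RuntimeDefault` from this block and relies entirely on the OpenShift or `global.securityContext` fallback in the deployment template. The same commit removes the `config-db-perms-fix` init container that ran `chmod -R 777` on `/var/configs` and `/var/db`, so write access to those volumes now depends on the fallback supplying a suitable `fsGroup`, which this hunk does not show. I would say so in the comment, e.g. `# Empty means global.securityContext (or the OpenShift one) applies; it must set fsGroup for the config and database volumes.` The unchanged `containerSecurityContext` just below still has `allowPrivilegeEscalation: true`, which is worth revisiting now that the root init container is gone.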
@@ -1016,11 +1088,43 @@ kubecostAggregator: # capabilities: # drop: # - ALL + # + # Optional - add extra ports to the aggregator container. For kubecost development purposes only - not recommended for users. + extraPorts: [] + # - name: debug + # port: 40000 + # targetPort: 40000 + # containerPort: 40000 + securityContext: {} # Define a securityContext for the aggregator pod. This will take highest precedence. + +## Kubecost Multi-cluster Diagnostics (beta) +## A single view into the health of all agent clusters. Each agent cluster sends +## its diagnostic data to a storage bucket. Future versions may include +## repairing & alerting from the primary. +## Ref: https://docs.kubecost.com/install-and-configure/install/diagnostics +## +diagnostics: + enabled: true + ## How frequently to run & push diagnostics. Defaults to 5 minutes. + pollingInterval: "300s" + ## Creates a new Diagnostic file in the bucket for every run. + keepDiagnosticHistory: false + ## Pushes the cluster's Kubecost Helm Values to the bucket once upon startup. + ## This may contain sensitive information and is roughly 30kb per cluster. + collectHelmValues: false + ## The primary aggregates all diagnostic data and serves HTTP queries. + isDiagnosticsPrimary: + enabled: false + resources: + requests: + cpu: "10m" + memory: "20Mi" + securityContext: {} # Kubecost Cluster Controller for Right Sizing and Cluster Turndown clusterController: enabled: false - image: gcr.io/kubecost1/cluster-controller:v0.12.0 + image: gcr.io/kubecost1/cluster-controller:v0.13.0 imagePullPolicy: Always ## PriorityClassName ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass 
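Review bot: The new `diagnostics` block ships with `enabled: true`, so on clusters that already have federated storage or Thanos configured (judging by the guard on the diagnostics Service) an upgrade starts pushing diagnostic data to the bucket without the operator opting in. The header comment does not say what that data contains or who can read it. `collectHelmValues` is `false` by default and the deployment template additionally requires `reporting.valuesReporting`, but the comment only says the values "may contain sensitive information", while rendered Helm values commonly include inline tokens and credentials. I would extend it to something like `## Helm values can include inline credentials; enable only if the bucket is access-restricted.` and state in the block header that the feature is on by default. The diagnostics Service added in this commit also exposes port 9007 inside the cluster when `isDiagnosticsPrimary.enabled` is set, which deserves the same mention.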
@@ -1109,7 +1213,7 @@ grafana: # set root_url to "%(protocol)s://%(domain)s:%(http_port)s/kubecost/grafana". No change is necessary here if kubecost runs at a root URL grafana.ini: server: - serve_from_sub_path: true + serve_from_sub_path: false # Set to false on Grafana v10+ root_url: "%(protocol)s://%(domain)s:%(http_port)s/grafana" serviceAccount: create: true # Set this to false if you're bringing your own service account. @@ -1117,6 +1221,7 @@ serviceAccount: # name: kc-test awsstore: useAwsStore: false + # imageNameAndVersion: gcr.io/kubecost1/awsstore:latest # Name and version of the container image for AWSStore. createServiceAccount: false ## PriorityClassName ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass @@ -1157,6 +1262,12 @@ federatedETL: ## storage. clusters: [] + ## Optional. A list of extra volumes to pass to the federator Pod. + # extraVolumes: [] + + ## Optional. A list of extra volume mounts to pass to the federator Pod. + # extraVolumeMounts: [] + ## Optional. An RFC 3339-formatted string. All ETL files with windows that ## fall before this time are not processed by the Federator. If this is not ## set, the Federator will process all files regardless of date. @@ -1270,6 +1381,10 @@ costEventsAudit: # daemonset_external_label: "kubernetes_daemonset" # pod_external_label: "kubernetes_pod" # grafanaURL: "" +# # Provide a mapping from Account ID to a readable Account Name in a key/value object. Provide Account IDs as they are displayed in CloudCost +# # as the 'key' and the Account Name associated with it as the 'value' +# cloudAccountMapping: +# EXAMPLE_ACCOUNT_ID: EXAMPLE_ACCOUNT_NAME # clusterName: "" # clusterName is the default context name in settings. # clusterAccountID: "" # Manually set Account property for assets # currencyCode: "USD" # official support for USD, AUD, BRL, CAD, CHF, CNY, DKK, EUR, GBP, IDR, INR, JPY, NOK, PLN, SEK 
diff --git a/charts/kuma/kuma/Chart.yaml b/charts/kuma/kuma/Chart.yaml index b9c4cef34..99862cc6e 100644 --- a/charts/kuma/kuma/Chart.yaml +++ b/charts/kuma/kuma/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/namespace: kuma-system catalog.cattle.io/release-name: kuma apiVersion: v2 -appVersion: 2.5.0 +appVersion: 2.5.1 description: A Helm chart for the Kuma Control Plane home: https://github.com/kumahq/kuma icon: https://kuma.io/assets/images/brand/kuma-logo-new.svg @@ -20,4 +20,4 @@ maintainers: name: nickolaev name: kuma type: application -version: 2.5.0 +version: 2.5.1 diff --git a/charts/kuma/kuma/README.md b/charts/kuma/kuma/README.md index 6f3b28233..52e005421 100644 --- a/charts/kuma/kuma/README.md +++ b/charts/kuma/kuma/README.md @@ -2,7 +2,7 @@ A Helm chart for the Kuma Control Plane -![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.5.0](https://img.shields.io/badge/Version-2.5.0-informational?style=flat-square) ![AppVersion: 2.5.0](https://img.shields.io/badge/AppVersion-2.5.0-informational?style=flat-square) +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.5.1](https://img.shields.io/badge/Version-2.5.1-informational?style=flat-square) ![AppVersion: 2.5.1](https://img.shields.io/badge/AppVersion-2.5.1-informational?style=flat-square) **Homepage:** diff --git a/charts/linkerd/linkerd-control-plane/Chart.yaml b/charts/linkerd/linkerd-control-plane/Chart.yaml index c739729b9..9e94968be 100644 --- a/charts/linkerd/linkerd-control-plane/Chart.yaml +++ b/charts/linkerd/linkerd-control-plane/Chart.yaml @@ -5,7 +5,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.21.0-0' catalog.cattle.io/release-name: linkerd-control-plane apiVersion: v2 -appVersion: stable-2.14.5 +appVersion: stable-2.14.8 dependencies: - name: partials repository: file://./charts/partials 
@@ -25,4 +25,4 @@ name: linkerd-control-plane sources: - https://github.com/linkerd/linkerd2/ type: application -version: 1.16.6 +version: 1.16.9 diff --git a/charts/linkerd/linkerd-control-plane/README.md b/charts/linkerd/linkerd-control-plane/README.md index 5d364aa5e..8658a5417 100644 --- a/charts/linkerd/linkerd-control-plane/README.md +++ b/charts/linkerd/linkerd-control-plane/README.md @@ -3,7 +3,7 @@ Linkerd gives you observability, reliability, and security for your microservices — with no code change required. -![Version: 1.16.6](https://img.shields.io/badge/Version-1.16.6-informational?style=flat-square) +![Version: 1.16.9](https://img.shields.io/badge/Version-1.16.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square) 
@@ -175,11 +175,15 @@ Kubernetes: `>=1.21.0-0` | identity.issuer.tls | object | `{"crtPEM":"","keyPEM":""}` | Which scheme is used for the identity issuer secret format | | identity.issuer.tls.crtPEM | string | `""` | Issuer certificate (ECDSA). It must be provided during install. | | identity.issuer.tls.keyPEM | string | `""` | Key for the issuer certificate (ECDSA). It must be provided during install | +| identity.kubeAPI.clientBurst | int | `200` | Burst value over clientQPS | +| identity.kubeAPI.clientQPS | int | `100` | Maximum QPS sent to the kube-apiserver before throttling. See [token bucket rate limiter implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go) | | identity.serviceAccountTokenProjection | bool | `true` | Use [Service Account token Volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) for pod validation instead of the default token | | identityTrustAnchorsPEM | string | `""` | Trust root certificate (ECDSA). It must be provided during install. | | identityTrustDomain | string | clusterDomain | Trust domain used for identity | | imagePullPolicy | string | `"IfNotPresent"` | Docker image pull policy | | imagePullSecrets | list | `[]` | For Private docker registries, authentication is needed. Registry secrets are applied to the respective service accounts | +| kubeAPI.clientBurst | int | `200` | Burst value over clientQPS | +| kubeAPI.clientQPS | int | `100` | Maximum QPS sent to the kube-apiserver before throttling. See [token bucket rate limiter implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go) | | linkerdVersion | string | `"linkerdVersionValue"` | control plane version. See Proxy section for proxy version | | networkValidator.connectAddr | string | `"1.1.1.1:20001"` | Address to which the network-validator will attempt to connect. 
we expect this to be rewritten | | networkValidator.enableSecurityContext | bool | `true` | Include a securityContext in the network-validator pod spec | diff --git a/charts/linkerd/linkerd-control-plane/templates/identity.yaml b/charts/linkerd/linkerd-control-plane/templates/identity.yaml index b22357f01..3964efe74 100644 --- a/charts/linkerd/linkerd-control-plane/templates/identity.yaml +++ b/charts/linkerd/linkerd-control-plane/templates/identity.yaml @@ -159,6 +159,8 @@ spec: - -identity-clock-skew-allowance={{.Values.identity.issuer.clockSkewAllowance}} - -identity-scheme={{.Values.identity.issuer.scheme}} - -enable-pprof={{.Values.enablePprof | default false}} + - -kube-apiclient-qps={{.Values.identity.kubeAPI.clientQPS}} + - -kube-apiclient-burst={{.Values.identity.kubeAPI.clientBurst}} {{- include "partials.linkerd.trace" . | nindent 8 -}} env: - name: LINKERD_DISABLED diff --git a/charts/linkerd/linkerd-control-plane/values.yaml b/charts/linkerd/linkerd-control-plane/values.yaml index 0c7b7596f..8f0279f2a 100644 --- a/charts/linkerd/linkerd-control-plane/values.yaml +++ b/charts/linkerd/linkerd-control-plane/values.yaml @@ -22,7 +22,7 @@ controlPlaneTracing: false # -- namespace to send control plane traces to controlPlaneTracingNamespace: linkerd-jaeger # -- control plane version. See Proxy section for proxy version -linkerdVersion: stable-2.14.5 +linkerdVersion: stable-2.14.8 # -- default kubernetes deployment strategy deploymentStrategy: rollingUpdate: 
@@ -48,6 +48,13 @@ identityTrustAnchorsPEM: | # -- Trust domain used for identity # @default -- clusterDomain identityTrustDomain: "" +kubeAPI: &kubeapi + # -- Maximum QPS sent to the kube-apiserver before throttling. + # See [token bucket rate limiter + # implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go) + clientQPS: 100 + # -- Burst value over clientQPS + clientBurst: 200 # -- Additional annotations to add to all pods podAnnotations: {} # -- Additional labels to add to all pods @@ -327,6 +334,7 @@ identity: # -- Use [Service Account token Volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) for pod validation instead of the default token serviceAccountTokenProjection: true + issuer: scheme: linkerd.io/tls @@ -345,6 +353,8 @@ identity: # install keyPEM: | + kubeAPI: *kubeapi + # -|- CPU, Memory and Ephemeral Storage resources required by the identity controller (see `proxy.resources` for sub-fields) #identityResources: # -|- CPU, Memory and Ephemeral Storage resources required by proxy injected into identity pod (see `proxy.resources` for sub-fields) diff --git a/charts/mongodb/community-operator/Chart.lock b/charts/mongodb/community-operator/Chart.lock index 2986579be..69cea69c5 100644 --- a/charts/mongodb/community-operator/Chart.lock +++ b/charts/mongodb/community-operator/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: community-operator-crds repository: https://mongodb.github.io/helm-charts - version: 0.8.3 -digest: sha256:d2b27b3bb494d226e7af474e0441caab70859066e41186c0348d3d9b42006773 -generated: "2023-10-17T14:45:13.566377748Z" + version: 0.9.0 +digest: sha256:02e79baf6cea1dc4d174bd3d0f92be020bcf610ed1bcfdb663ca879846bbd99a +generated: "2023-12-13T12:09:21.529169936Z" diff --git a/charts/mongodb/community-operator/Chart.yaml b/charts/mongodb/community-operator/Chart.yaml index 45a988da6..8aa9636fe 100644 
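Review bot: The `kubeAPI: &kubeapi` anchor added in values.yaml, together with the `kubeAPI: *kubeapi` alias under `identity:` in the `@@ -345,6 +353,8 @@` hunk, shares defaults only inside this file. YAML aliases are expanded when values.yaml is parsed, so a user override of `kubeAPI.clientQPS` does not reach `identity.kubeAPI.clientQPS`. None of the added comments say so, and an operator lowering the client rate to protect the kube-apiserver could reasonably expect one setting to cover both. I would add a comment above the anchor such as `# NOTE: identity.kubeAPI aliases these defaults only; override identity.kubeAPI.* separately`, and a matching `# --` description line above the alias.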
--- a/charts/mongodb/community-operator/Chart.yaml +++ b/charts/mongodb/community-operator/Chart.yaml @@ -4,12 +4,12 @@ annotations: catalog.cattle.io/kube-version: '>=1.16-0' catalog.cattle.io/release-name: community-operator apiVersion: v2 -appVersion: 0.8.3 +appVersion: 0.9.0 dependencies: - condition: community-operator-crds.enabled name: community-operator-crds repository: file://./charts/community-operator-crds - version: 0.8.3 + version: 0.9.0 description: MongoDB Kubernetes Community Operator home: https://github.com/mongodb/mongodb-kubernetes-operator icon: https://mongodb-images-new.s3.eu-west-1.amazonaws.com/leaf-green-dark.png @@ -23,4 +23,4 @@ maintainers: name: MongoDB name: community-operator type: application -version: 0.8.3 +version: 0.9.0 diff --git a/charts/mongodb/community-operator/charts/community-operator-crds/Chart.yaml b/charts/mongodb/community-operator/charts/community-operator-crds/Chart.yaml index b112b98bf..a2befe274 100644 --- a/charts/mongodb/community-operator/charts/community-operator-crds/Chart.yaml +++ b/charts/mongodb/community-operator/charts/community-operator-crds/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 0.8.3 +appVersion: 0.9.0 description: MongoDB Kubernetes Community Operator - CRDs home: https://github.com/mongodb/mongodb-kubernetes-operator icon: https://mongodb-images-new.s3.eu-west-1.amazonaws.com/leaf-green-dark.png @@ -13,4 +13,4 @@ maintainers: name: MongoDB name: community-operator-crds type: application -version: 0.8.3 +version: 0.9.0 diff --git a/charts/mongodb/community-operator/values.yaml b/charts/mongodb/community-operator/values.yaml index b04749bf0..459361925 100644 --- a/charts/mongodb/community-operator/values.yaml +++ b/charts/mongodb/community-operator/values.yaml @@ -15,7 +15,7 @@ operator: deploymentName: mongodb-kubernetes-operator # Version of mongodb-kubernetes-operator - version: 0.8.3 + version: 0.9.0 # Uncomment this line to watch all namespaces # watchNamespace: "*" 
@@ -58,7 +58,7 @@ database: agent: name: mongodb-agent - version: 12.0.25.7724-1 + version: 107.0.0.8465-1 versionUpgradeHook: name: mongodb-kubernetes-operator-version-upgrade-post-start-hook version: 1.0.8 diff --git a/charts/nats/nats/Chart.yaml b/charts/nats/nats/Chart.yaml index c1c65f936..31ace7003 100644 --- a/charts/nats/nats/Chart.yaml +++ b/charts/nats/nats/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.16-0' catalog.cattle.io/release-name: nats apiVersion: v2 -appVersion: 2.10.5 +appVersion: 2.10.7 description: A Helm chart for the NATS.io High Speed Cloud Native Distributed Communications Technology. home: http://github.com/nats-io/k8s @@ -18,4 +18,4 @@ maintainers: name: The NATS Authors url: https://github.com/nats-io name: nats -version: 1.1.5 +version: 1.1.6 diff --git a/charts/nats/nats/values.yaml b/charts/nats/nats/values.yaml index cb45b08f6..6acf13ce3 100644 --- a/charts/nats/nats/values.yaml +++ b/charts/nats/nats/values.yaml @@ -312,7 +312,7 @@ config: container: image: repository: nats - tag: 2.10.5-alpine + tag: 2.10.7-alpine pullPolicy: registry: @@ -353,7 +353,7 @@ reloader: enabled: true image: repository: natsio/nats-server-config-reloader - tag: 0.13.0 + tag: 0.14.0 pullPolicy: registry: @@ -378,7 +378,7 @@ promExporter: enabled: false image: repository: natsio/prometheus-nats-exporter - tag: 0.12.0 + tag: 0.13.0 pullPolicy: registry: diff --git a/charts/new-relic/nri-bundle/Chart.lock b/charts/new-relic/nri-bundle/Chart.lock index 29a0cfbf9..b5450d38b 100644 --- a/charts/new-relic/nri-bundle/Chart.lock +++ b/charts/new-relic/nri-bundle/Chart.lock 
@@ -1,28 +1,28 @@ dependencies: - name: newrelic-infrastructure repository: https://newrelic.github.io/nri-kubernetes - version: 3.26.0 + version: 3.29.0 - name: nri-prometheus repository: https://newrelic.github.io/nri-prometheus version: 2.1.17 - name: newrelic-prometheus-agent repository: https://newrelic.github.io/newrelic-prometheus-configurator - version: 1.7.0 + version: 1.8.2 - name: nri-metadata-injection repository: https://newrelic.github.io/k8s-metadata-injection - version: 4.14.1 + version: 4.15.2 - name: newrelic-k8s-metrics-adapter repository: https://newrelic.github.io/newrelic-k8s-metrics-adapter - version: 1.6.0 + version: 1.8.1 - name: kube-state-metrics repository: https://prometheus-community.github.io/helm-charts version: 5.12.1 - name: nri-kube-events repository: https://newrelic.github.io/nri-kube-events - version: 3.5.0 + version: 3.7.2 - name: newrelic-logging repository: https://newrelic.github.io/helm-charts - version: 1.18.1 + version: 1.19.0 - name: newrelic-pixie repository: https://newrelic.github.io/helm-charts version: 2.1.2 @@ -31,6 +31,6 @@ dependencies: version: 0.1.4 - name: newrelic-infra-operator repository: https://newrelic.github.io/newrelic-infra-operator - version: 2.6.0 -digest: sha256:72573c55a0ffa6b4756c19e15f0b6f53bb1ad6fcc47197b08c842f8fc893c392 -generated: "2023-11-21T05:20:45.737726359Z" + version: 2.8.1 +digest: sha256:5058130538bb4a1b59fade32a9ef10431cfd33d84b96655a759b3617cdcf5605 +generated: "2024-01-09T02:11:05.964634023Z" diff --git a/charts/new-relic/nri-bundle/Chart.yaml b/charts/new-relic/nri-bundle/Chart.yaml index fbf2da7e7..6b0c9d15d 100644 --- a/charts/new-relic/nri-bundle/Chart.yaml +++ b/charts/new-relic/nri-bundle/Chart.yaml 
@@ -7,7 +7,7 @@ dependencies: - condition: infrastructure.enabled,newrelic-infrastructure.enabled name: newrelic-infrastructure repository: file://./charts/newrelic-infrastructure - version: 3.26.0 + version: 3.29.0 - condition: prometheus.enabled,nri-prometheus.enabled name: nri-prometheus repository: file://./charts/nri-prometheus @@ -15,15 +15,15 @@ dependencies: - condition: newrelic-prometheus-agent.enabled name: newrelic-prometheus-agent repository: file://./charts/newrelic-prometheus-agent - version: 1.7.0 + version: 1.8.2 - condition: webhook.enabled,nri-metadata-injection.enabled name: nri-metadata-injection repository: file://./charts/nri-metadata-injection - version: 4.14.1 + version: 4.15.2 - condition: metrics-adapter.enabled,newrelic-k8s-metrics-adapter.enabled name: newrelic-k8s-metrics-adapter repository: file://./charts/newrelic-k8s-metrics-adapter - version: 1.6.0 + version: 1.8.1 - condition: ksm.enabled,kube-state-metrics.enabled name: kube-state-metrics repository: file://./charts/kube-state-metrics @@ -31,11 +31,11 @@ dependencies: - condition: kubeEvents.enabled,nri-kube-events.enabled name: nri-kube-events repository: file://./charts/nri-kube-events - version: 3.5.0 + version: 3.7.2 - condition: logging.enabled,newrelic-logging.enabled name: newrelic-logging repository: file://./charts/newrelic-logging - version: 1.18.1 + version: 1.19.0 - condition: newrelic-pixie.enabled name: newrelic-pixie repository: file://./charts/newrelic-pixie @@ -48,7 +48,7 @@ dependencies: - condition: newrelic-infra-operator.enabled name: newrelic-infra-operator repository: file://./charts/newrelic-infra-operator - version: 2.6.0 + version: 2.8.1 description: Groups together the individual charts for the New Relic Kubernetes solution for a more comfortable deployment. home: https://github.com/newrelic/helm-charts 
@@ -58,24 +58,10 @@ keywords: - newrelic - monitoring maintainers: -- name: nserrino - url: https://github.com/nserrino -- name: philkuz - url: https://github.com/philkuz -- name: htroisi - url: https://github.com/htroisi - name: juanjjaramillo url: https://github.com/juanjjaramillo -- name: svetlanabrennan - url: https://github.com/svetlanabrennan -- name: nrepai - url: https://github.com/nrepai - name: csongnr url: https://github.com/csongnr -- name: vuqtran88 - url: https://github.com/vuqtran88 -- name: xqi-nr - url: https://github.com/xqi-nr name: nri-bundle sources: - https://github.com/newrelic/nri-bundle/ @@ -89,4 +75,4 @@ sources: - https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-logging - https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-pixie - https://github.com/newrelic/newrelic-infra-operator/tree/master/charts/newrelic-infra-operator -version: 5.0.46 +version: 5.0.58 diff --git a/charts/new-relic/nri-bundle/README.md b/charts/new-relic/nri-bundle/README.md index 01e3f00a4..09679dfcb 100644 --- a/charts/new-relic/nri-bundle/README.md +++ b/charts/new-relic/nri-bundle/README.md @@ -193,12 +193,5 @@ Note, the value table below is automatically generated from `values.yaml` by `he ## Maintainers -* [nserrino](https://github.com/nserrino) -* [philkuz](https://github.com/philkuz) -* [htroisi](https://github.com/htroisi) * [juanjjaramillo](https://github.com/juanjjaramillo) -* [svetlanabrennan](https://github.com/svetlanabrennan) -* [nrepai](https://github.com/nrepai) * [csongnr](https://github.com/csongnr) -* [vuqtran88](https://github.com/vuqtran88) -* [xqi-nr](https://github.com/xqi-nr) diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.yaml index 09b51244f..f6e9791b0 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.yaml 
+++ b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 0.14.0 +appVersion: 0.16.1 dependencies: - name: common-library repository: https://helm-charts.newrelic.com @@ -32,4 +32,4 @@ name: newrelic-infra-operator sources: - https://github.com/newrelic/newrelic-infra-operator - https://github.com/newrelic/newrelic-infra-operator/tree/main/charts/newrelic-infra-operator -version: 2.6.0 +version: 2.8.1 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml index f5d4288fa..8d3168039 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 3.21.0 +appVersion: 3.24.0 dependencies: - name: common-library repository: https://helm-charts.newrelic.com @@ -35,4 +35,4 @@ sources: - https://github.com/newrelic/nri-kubernetes/ - https://github.com/newrelic/nri-kubernetes/tree/main/charts/newrelic-infrastructure - https://github.com/newrelic/infrastructure-agent/ -version: 3.26.0 +version: 3.29.0 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/values.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/values.yaml index 9c8d57836..e16b59d42 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/values.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/values.yaml @@ -30,7 +30,7 @@ images: agent: registry: "" repository: newrelic/infrastructure-bundle - tag: 3.2.24 + tag: 3.2.26 pullPolicy: IfNotPresent # -- Image for the New Relic Kubernetes integration. # @default -- See `values.yaml` diff --git a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.yaml index 63107025d..2812972c9 100644 
--- a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 0.8.0 +appVersion: 0.10.1 dependencies: - name: common-library repository: https://helm-charts.newrelic.com @@ -20,4 +20,4 @@ name: newrelic-k8s-metrics-adapter sources: - https://github.com/newrelic/newrelic-k8s-metrics-adapter - https://github.com/newrelic/newrelic-k8s-metrics-adapter/tree/main/charts/newrelic-k8s-metrics-adapter -version: 1.6.0 +version: 1.8.1 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/Chart.yaml index b69a88ab2..acd232ad3 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-logging/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.17.3 +appVersion: 1.19.0 dependencies: - name: common-library repository: https://helm-charts.newrelic.com @@ -17,4 +17,4 @@ maintainers: - name: danybmx - name: sdaubin name: newrelic-logging -version: 1.18.1 +version: 1.19.0 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset-windows.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset-windows.yaml index e2ae53ef5..e7ec27e0f 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset-windows.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset-windows.yaml @@ -37,7 +37,6 @@ spec: {{- end }} spec: serviceAccountName: {{ include "newrelic.common.serviceAccount.name" $ }} - hostNetwork: false {{- with include "newrelic.common.dnsConfig" $ }} dnsConfig: {{- . | nindent 8 }} diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset.yaml index b21dd8eb2..7b95d62e7 100644 
--- a/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset.yaml @@ -33,7 +33,6 @@ spec: {{- end }} spec: serviceAccountName: {{ include "newrelic.common.serviceAccount.name" . }} - hostNetwork: true # This option is a requirement for the Infrastructure Agent to report the proper hostname in New Relic. {{- with include "newrelic.common.dnsConfig" . }} dnsConfig: {{- . | nindent 8 }} diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/podsecuritypolicy.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/podsecuritypolicy.yaml index 52e261650..2c8c598e2 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/podsecuritypolicy.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/podsecuritypolicy.yaml @@ -18,7 +18,6 @@ spec: - '*' hostPID: true hostIPC: true - hostNetwork: true hostPorts: - min: 1 max: 65536 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/images_test.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/images_test.yaml index e7b65ccb7..55da1a73c 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/images_test.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/images_test.yaml 
@@ -17,16 +17,16 @@ tests: asserts: - equal: path: spec.template.spec.containers[0].image - value: newrelic/newrelic-fluentbit-output:1.17.3 + value: newrelic/newrelic-fluentbit-output:1.19.0 template: templates/daemonset.yaml - equal: path: spec.template.spec.containers[0].image - value: newrelic/newrelic-fluentbit-output:1.17.3-windows-ltsc-2019 + value: newrelic/newrelic-fluentbit-output:1.19.0-windows-ltsc-2019 template: templates/daemonset-windows.yaml documentIndex: 0 - equal: path: spec.template.spec.containers[0].image - value: newrelic/newrelic-fluentbit-output:1.17.3-windows-ltsc-2022 + value: newrelic/newrelic-fluentbit-output:1.19.0-windows-ltsc-2022 template: templates/daemonset-windows.yaml documentIndex: 1 - it: global registry is used if set diff --git a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.yaml index 11d723c46..834d7e510 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.yaml @@ -1,5 +1,5 @@ annotations: - configuratorVersion: 1.10.0 + configuratorVersion: 1.11.3 apiVersion: v2 appVersion: v2.37.8 dependencies: @@ -31,4 +31,4 @@ maintainers: url: https://github.com/xqi-nr name: newrelic-prometheus-agent type: application -version: 1.7.0 +version: 1.8.2 diff --git a/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.yaml b/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.yaml index 618911b5a..18e0aa62a 100644 --- a/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 2.5.0 +appVersion: 2.7.2 dependencies: - name: common-library repository: https://helm-charts.newrelic.com 
@@ -35,4 +35,4 @@ sources: - https://github.com/newrelic/nri-kube-events/ - https://github.com/newrelic/nri-kube-events/tree/main/charts/nri-kube-events - https://github.com/newrelic/infrastructure-agent/ -version: 3.5.0 +version: 3.7.2 diff --git a/charts/new-relic/nri-bundle/charts/nri-kube-events/README.md b/charts/new-relic/nri-bundle/charts/nri-kube-events/README.md index 52e92806f..6c45fc85d 100644 --- a/charts/new-relic/nri-bundle/charts/nri-kube-events/README.md +++ b/charts/new-relic/nri-bundle/charts/nri-kube-events/README.md @@ -1,6 +1,6 @@ # nri-kube-events -![Version: 3.5.0](https://img.shields.io/badge/Version-3.5.0-informational?style=flat-square) ![AppVersion: 2.5.0](https://img.shields.io/badge/AppVersion-2.5.0-informational?style=flat-square) +![Version: 3.7.2](https://img.shields.io/badge/Version-3.7.2-informational?style=flat-square) ![AppVersion: 2.7.2](https://img.shields.io/badge/AppVersion-2.7.2-informational?style=flat-square) A Helm chart to deploy the New Relic Kube Events router diff --git a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.yaml b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.yaml index 719226fb9..f7dd2a642 100644 --- a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.22.1 +appVersion: 1.23.2 dependencies: - name: common-library repository: https://helm-charts.newrelic.com @@ -22,4 +22,4 @@ name: nri-metadata-injection sources: - https://github.com/newrelic/k8s-metadata-injection - https://github.com/newrelic/k8s-metadata-injection/tree/master/charts/nri-metadata-injection -version: 4.14.1 +version: 4.15.2 diff --git a/charts/nutanix/nutanix-csi-snapshot/Chart.yaml b/charts/nutanix/nutanix-csi-snapshot/Chart.yaml index 2fdf0ea09..682476117 100644 --- a/charts/nutanix/nutanix-csi-snapshot/Chart.yaml +++ b/charts/nutanix/nutanix-csi-snapshot/Chart.yaml 
@@ -1,7 +1,6 @@ annotations: artifacthub.io/changes: | - - Update Snapshot Controller version - - Change Snapshot Controller to HA deployement + - Update Snapshot Controller to v6.3.2 artifacthub.io/containsSecurityUpdates: "true" artifacthub.io/displayName: Nutanix CSI Snapshot artifacthub.io/links: | @@ -14,10 +13,10 @@ annotations: - url: https://artifacthub.io/packages/helm/nutanix/nutanix-csi-storage catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Nutanix CSI Snapshot - catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/kube-version: '>= 1.20.0-0' catalog.cattle.io/release-name: nutanix-csi-snapshot apiVersion: v2 -appVersion: 6.2.1 +appVersion: 6.3.2 description: Snapshot components required for CSI snapshotting and not specific to any CSI driver home: https://github.com/nutanix/helm @@ -28,10 +27,10 @@ keywords: - Snapshot - SnapshotClass - CSI -kubeVersion: '>= 1.17.0-0' +kubeVersion: '>= 1.20.0-0' maintainers: - email: cloudnative@nutanix.com name: nutanix-cloud-native-bot name: nutanix-csi-snapshot type: application -version: 6.2.1 +version: 6.3.2 diff --git a/charts/nutanix/nutanix-csi-snapshot/values.yaml b/charts/nutanix/nutanix-csi-snapshot/values.yaml index a7314679e..8909ff0f1 100644 --- a/charts/nutanix/nutanix-csi-snapshot/values.yaml +++ b/charts/nutanix/nutanix-csi-snapshot/values.yaml @@ -10,7 +10,7 @@ imagePullPolicy: IfNotPresent tag: rel3: v3.0.3 - rel60: v6.2.1 + rel60: v6.3.2 controller: replicas: 2 diff --git a/charts/nutanix/nutanix-csi-storage/Chart.yaml b/charts/nutanix/nutanix-csi-storage/Chart.yaml index 1aada3365..1c45b8f99 100644 --- a/charts/nutanix/nutanix-csi-storage/Chart.yaml +++ b/charts/nutanix/nutanix-csi-storage/Chart.yaml @@ -1,6 +1,6 @@ annotations: artifacthub.io/changes: | - - Update Nutanix CSI driver to v2.6.4 + - Update Nutanix CSI driver to v2.6.6 - Update CSI Sidecar version artifacthub.io/containsSecurityUpdates: "true" artifacthub.io/displayName: Nutanix CSI Storage 
@@ -14,10 +14,10 @@ annotations: - url: https://artifacthub.io/packages/helm/nutanix/nutanix-csi-snapshot catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Nutanix CSI Storage - catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/kube-version: '>= 1.20.0-0' catalog.cattle.io/release-name: nutanix-csi-storage apiVersion: v1 -appVersion: 2.6.4 +appVersion: 2.6.6 description: Nutanix Container Storage Interface (CSI) Driver home: https://github.com/nutanix/helm icon: https://avatars2.githubusercontent.com/u/6165865?s=200&v=4 @@ -31,9 +31,9 @@ keywords: - CentOS - Ubuntu - CSI -kubeVersion: '>= 1.17.0-0' +kubeVersion: '>= 1.20.0-0' maintainers: - email: cloudnative@nutanix.com name: nutanix-cloud-native-bot name: nutanix-csi-storage -version: 2.6.5 +version: 2.6.6 diff --git a/charts/nutanix/nutanix-csi-storage/README.md b/charts/nutanix/nutanix-csi-storage/README.md index ce4ee533f..874c34ad6 100644 --- a/charts/nutanix/nutanix-csi-storage/README.md +++ b/charts/nutanix/nutanix-csi-storage/README.md @@ -25,7 +25,7 @@ https://portal.nutanix.com/page/documents/details?targetId=CSI-Volume-Driver-v2_ ## Features list -- Nutanix CSI Driver v2.6.4 +- Nutanix CSI Driver v2.6.6 - Nutanix Volumes support - Nutanix Files support - Volume clone @@ -41,7 +41,7 @@ https://portal.nutanix.com/page/documents/details?targetId=CSI-Volume-Driver-v2_ ## Prerequisites -- Kubernetes 1.17 or later +- Kubernetes 1.20 or later - Kubernetes worker nodes must have the iSCSI package installed (Nutanix Volumes mode) and/or NFS tools (Nutanix Files mode) - This chart have been validated on RHEL/CentOS/Rocky 7/8/9 and Ubuntu 18.04/20.04/21.04/21.10/22.05, but the new architecture enables easy portability to other distributions. diff --git a/charts/nutanix/nutanix-csi-storage/values.yaml b/charts/nutanix/nutanix-csi-storage/values.yaml index 8c951ac36..35e49c29c 100644 --- a/charts/nutanix/nutanix-csi-storage/values.yaml 
+++ b/charts/nutanix/nutanix-csi-storage/values.yaml @@ -132,28 +132,28 @@ servicemonitor: controller: replicas: 2 - image: quay.io/karbon/ntnx-csi:v2.6.4 + image: quay.io/karbon/ntnx-csi:v2.6.6 nodeSelector: {} tolerations: [] node: - image: quay.io/karbon/ntnx-csi:v2.6.4 + image: quay.io/karbon/ntnx-csi:v2.6.6 nodeSelector: {} tolerations: [] sidecars: registrar: - image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0 + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.1 provisioner: - image: registry.k8s.io/sig-storage/csi-provisioner:v3.5.0 + image: registry.k8s.io/sig-storage/csi-provisioner:v3.6.2 imageLegacy: registry.k8s.io/sig-storage/csi-provisioner:v2.2.2 snapshotter: - image: registry.k8s.io/sig-storage/csi-snapshotter:v6.2.1 + image: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.2 imageBeta: registry.k8s.io/sig-storage/csi-snapshotter:v3.0.3 resizer: - image: registry.k8s.io/sig-storage/csi-resizer:v1.8.0 + image: registry.k8s.io/sig-storage/csi-resizer:v1.9.2 livenessprobe: - image: registry.k8s.io/sig-storage/livenessprobe:v2.10.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.11.0 # Used for deployment test in kind cluster # diff --git a/charts/openebs/openebs/Chart.lock b/charts/openebs/openebs/Chart.lock index 1dbac25ab..676e5d4a8 100644 --- a/charts/openebs/openebs/Chart.lock +++ b/charts/openebs/openebs/Chart.lock 
@@ -4,24 +4,24 @@ dependencies: version: 2.1.0 - name: localpv-provisioner repository: https://openebs.github.io/dynamic-localpv-provisioner - version: 3.4.1 + version: 3.5.0 - name: cstor repository: https://openebs.github.io/cstor-operators - version: 3.5.0 + version: 3.6.0 - name: jiva repository: https://openebs.github.io/jiva-operator - version: 3.5.1 + version: 3.6.0 - name: zfs-localpv repository: https://openebs.github.io/zfs-localpv - version: 2.3.1 + version: 2.4.0 - name: lvm-localpv repository: https://openebs.github.io/lvm-localpv - version: 1.3.0 + version: 1.4.0 - name: nfs-provisioner repository: https://openebs.github.io/dynamic-nfs-provisioner - version: 0.10.0 + version: 0.11.0 - name: mayastor repository: https://openebs.github.io/mayastor-extensions - version: 2.4.0 -digest: sha256:189f7edfd9afecb40e757800569aa71a053d986fb9520aec22d08e134a7f6038 -generated: "2023-09-06T06:22:45.720572899Z" + version: 2.5.0 +digest: sha256:993e350acdf7829c400f828ca217b0fa9c69f63a9f70f0d5cd6b403445b3c537 +generated: "2023-12-18T16:10:50.764710202Z" diff --git a/charts/openebs/openebs/Chart.yaml b/charts/openebs/openebs/Chart.yaml index f38494c6c..62d381195 100644 --- a/charts/openebs/openebs/Chart.yaml +++ b/charts/openebs/openebs/Chart.yaml @@ -3,7 +3,7 @@ annotations: catalog.cattle.io/display-name: OpenEBS catalog.cattle.io/release-name: openebs apiVersion: v2 -appVersion: 3.9.0 +appVersion: 3.10.0 dependencies: - condition: openebs-ndm.enabled name: openebs-ndm 
@@ -12,31 +12,31 @@ dependencies: - condition: localpv-provisioner.enabled name: localpv-provisioner repository: file://./charts/localpv-provisioner - version: 3.4.1 + version: 3.5.0 - condition: cstor.enabled name: cstor repository: file://./charts/cstor - version: 3.5.0 + version: 3.6.0 - condition: jiva.enabled name: jiva repository: file://./charts/jiva - version: 3.5.1 + version: 3.6.0 - condition: zfs-localpv.enabled name: zfs-localpv repository: file://./charts/zfs-localpv - version: 2.3.1 + version: 2.4.0 - condition: lvm-localpv.enabled name: lvm-localpv repository: file://./charts/lvm-localpv - version: 1.3.0 + version: 1.4.0 - condition: nfs-provisioner.enabled name: nfs-provisioner repository: file://./charts/nfs-provisioner - version: 0.10.0 + version: 0.11.0 - condition: mayastor.enabled name: mayastor repository: file://./charts/mayastor - version: 2.4.0 + version: 2.5.0 description: Containerized Attached Storage for Kubernetes home: http://www.openebs.io/ icon: https://raw.githubusercontent.com/cncf/artwork/HEAD/projects/openebs/icon/color/openebs-icon-color.png @@ -58,4 +58,4 @@ maintainers: name: openebs sources: - https://github.com/openebs/openebs -version: 3.9.0 +version: 3.10.0 diff --git a/charts/openebs/openebs/README.md b/charts/openebs/openebs/README.md index 0d2ab1bf7..1e4bf7e2f 100644 --- a/charts/openebs/openebs/README.md +++ b/charts/openebs/openebs/README.md 
@@ -141,14 +141,14 @@ The following table lists the common configurable parameters of the OpenEBS char | `localprovisioner.basePath` | BasePath for hostPath volumes on Nodes | `/var/openebs/local` | | `localprovisioner.enabled` | Enable localProvisioner | `true` | | `localprovisioner.image` | Image for localProvisioner | `openebs/provisioner-localpv` | -| `localprovisioner.imageTag` | Image Tag for localProvisioner | `3.4.0` | +| `localprovisioner.imageTag` | Image Tag for localProvisioner | `3.5.0` | | `mayastor.enabled` | Enable mayastor (disables localprovisioner and ndm) | `false` | | `mayastor.etcd.replicaCount` | Set the number of etcd replicas in the | `3` | | `mayastor.etcd.persistence.storageClass` | Set the StorageClass name used to provision the volume(s) for the etcd | `""` | | `mayastor.etcd.persistence.size` | Set the size of the volume(s) used by the etcd | `""` | | `mayastor.image.registry` | Set the container image registry for the mayastor containers | `"docker.io"` | | `mayastor.image.repo` | Set the container image repository for the mayastor containers | `"openebs"` | -| `mayastor.image.tag` | Set the container image tag for the mayastor containers | `"v2.4.0"` | +| `mayastor.image.tag` | Set the container image tag for the mayastor containers | `"v2.5.0"` | | `mayastor.image.pullPolicy` | Set the container ImagePullPolicy for the mayastor containers | `"Always"` | | `mayastor.csi.image.registry` | Set the container image registry for the Kubernetes CSI sidecar containers | `"registry.k8s.io"` | | `mayastor.csi.image.repo` | Set the container image repository for the Kubernetes CSI sidecar containers | `"sig-storage"` | diff --git a/charts/openebs/openebs/charts/cstor/Chart.lock b/charts/openebs/openebs/charts/cstor/Chart.lock index da43d9e7d..4356f55bd 100644 --- a/charts/openebs/openebs/charts/cstor/Chart.lock +++ b/charts/openebs/openebs/charts/cstor/Chart.lock 
@@ -3,4 +3,4 @@ dependencies: repository: https://openebs.github.io/node-disk-manager version: 2.1.0 digest: sha256:47adcc8a92ea7ce83ca7f37f05f9e2f4c10154adc9551bd92e92c1ca5608f131 -generated: "2023-07-26T01:22:54.45340259Z" +generated: "2023-12-11T18:03:20.558350107Z" diff --git a/charts/openebs/openebs/charts/cstor/Chart.yaml b/charts/openebs/openebs/charts/cstor/Chart.yaml index 8125f89f8..121ac8047 100644 --- a/charts/openebs/openebs/charts/cstor/Chart.yaml +++ b/charts/openebs/openebs/charts/cstor/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 3.5.0 +appVersion: 3.6.0 dependencies: - condition: openebsNDM.enabled name: openebs-ndm @@ -26,4 +26,4 @@ name: cstor sources: - https://github.com/openebs/cstor-operators type: application -version: 3.5.0 +version: 3.6.0 diff --git a/charts/openebs/openebs/charts/cstor/README.md b/charts/openebs/openebs/charts/cstor/README.md index ef70ec18e..93fa11efb 100644 --- a/charts/openebs/openebs/charts/cstor/README.md +++ b/charts/openebs/openebs/charts/cstor/README.md @@ -109,7 +109,7 @@ helm install openebs-cstor openebs-cstor/cstor --namespace openebs --create-name | admissionServer.image.pullPolicy | string | `"IfNotPresent"` | Admission webhook image pull policy | | admissionServer.image.registry | string | `nil` | Admission webhook image registry | | admissionServer.image.repository | string | `"openebs/cstor-webhook"` | Admission webhook image repo | -| admissionServer.image.tag | string | `"3.5.0"` | Admission webhook image tag | +| admissionServer.image.tag | string | `"3.6.0"` | Admission webhook image tag | | admissionServer.nodeSelector | object | `{}` | Admission webhook pod node selector | | admissionServer.podAnnotations | object | `{}` | Admission webhook pod annotations | | admissionServer.resources | object | `{}` | Admission webhook pod resources | 
@@ -175,19 +175,19 @@ helm install openebs-cstor openebs-cstor/cstor --namespace openebs --create-name
 | cspcOperator.componentName | string | `"cspc-operator"` | CSPC operator component name |
 | cspcOperator.cstorPool.image.registry | string | `nil` | CStor pool image registry |
 | cspcOperator.cstorPool.image.repository | string | `"openebs/cstor-pool"` | CStor pool image repository|
-| cspcOperator.cstorPool.image.tag | string | `"3.5.0"` | CStor pool image tag |
+| cspcOperator.cstorPool.image.tag | string | `"3.6.0"` | CStor pool image tag |
 | cspcOperator.cstorPoolExporter.image.registry | string | `nil` | CStor pool exporter image registry |
 | cspcOperator.cstorPoolExporter.image.repository | string | `"openebs/m-exporter"` | CStor pool exporter image repository |
-| cspcOperator.cstorPoolExporter.image.tag | string | `"3.5.0"` | CStor pool exporter image tag |
+| cspcOperator.cstorPoolExporter.image.tag | string | `"3.6.0"` | CStor pool exporter image tag |
 | cspcOperator.image.pullPolicy | string | `"IfNotPresent"` | CSPC operator image pull policy |
 | cspcOperator.image.registry | string | `nil` | CSPC operator image registry |
 | cspcOperator.image.repository | string | `"openebs/cspc-operator"` | CSPC operator image repository |
-| cspcOperator.image.tag | string | `"3.5.0"` | CSPC operator image tag |
+| cspcOperator.image.tag | string | `"3.6.0"` | CSPC operator image tag |
 | cspcOperator.nodeSelector | object | `{}` | CSPC operator pod nodeSelector|
 | cspcOperator.podAnnotations | object | `{}` | CSPC operator pod annotations |
 | cspcOperator.poolManager.image.registry | string | `nil` | CStor Pool Manager image registry |
 | cspcOperator.poolManager.image.repository | string | `"openebs/cstor-pool-manager"` | CStor Pool Manager image repository |
-| cspcOperator.poolManager.image.tag | string | `"3.5.0"` | CStor Pool Manager image tag |
+| cspcOperator.poolManager.image.tag | string | `"3.6.0"` | CStor Pool Manager image tag |
 | cspcOperator.resources 
| object | `{}` | CSPC operator pod resources |
 | cspcOperator.resyncInterval | string | `"30"` | CSPC operator resync interval |
 | cspcOperator.securityContext | object | `{}` | CSPC operator security context |
@@ -197,7 +197,7 @@ helm install openebs-cstor openebs-cstor/cstor --namespace openebs --create-name
 | cstorCSIPlugin.image.pullPolicy | string | `"IfNotPresent"` | CStor CSI driver image pull policy |
 | cstorCSIPlugin.image.registry | string | `nil` | CStor CSI driver image registry |
 | cstorCSIPlugin.image.repository | string | `"openebs/cstor-csi-driver"` | CStor CSI driver image repository |
-| cstorCSIPlugin.image.tag | string | `"3.5.0"` | CStor CSI driver image tag |
+| cstorCSIPlugin.image.tag | string | `"3.6.0"` | CStor CSI driver image tag |
 | cstorCSIPlugin.name | string | `"cstor-csi-plugin"` | CStor CSI driver container name |
 | cstorCSIPlugin.remount | string | `"true"` | Enable/disable auto-remount when volume recovers from read-only state |
 | cvcOperator.annotations | object | `{}` | CVC operator annotations |
@@ -205,7 +205,7 @@ helm install openebs-cstor openebs-cstor/cstor --namespace openebs --create-name
 | cvcOperator.image.pullPolicy | string | `"IfNotPresent"` | CVC operator image pull policy |
 | cvcOperator.image.registry | string | `nil` | CVC operator image registry |
 | cvcOperator.image.repository | string | `"openebs/cvc-operator"` | CVC operator image repository |
-| cvcOperator.image.tag | string | `"3.5.0"` | CVC operator image tag |
+| cvcOperator.image.tag | string | `"3.6.0"` | CVC operator image tag |
 | cvcOperator.logLevel | string | `"2"` | Log level for CVC operator container (1 = least verbose, 5 = most verbose) |
 | cvcOperator.nodeSelector | object | `{}` | CVC operator pod nodeSelector |
 | cvcOperator.podAnnotations | object | `{}` | CVC operator pod annotations |
@@ -214,14 +214,14 @@ helm install openebs-cstor openebs-cstor/cstor --namespace openebs --create-name
 | cvcOperator.securityContext | object | `{}` | CVC operator security context |
 | cvcOperator.target.image.registry | string | `nil` | Volume Target image registry |
 | cvcOperator.target.image.repository | string | `"openebs/cstor-istgt"` | Volume Target image repository |
-| cvcOperator.target.image.tag | string | `"3.5.0"` | Volume Target image tag |
+| cvcOperator.target.image.tag | string | `"3.6.0"` | Volume Target image tag |
 | cvcOperator.tolerations | list | `[]` | CVC operator pod tolerations |
 | cvcOperator.volumeExporter.image.registry | string | `nil` | Volume exporter image registry |
 | cvcOperator.volumeExporter.image.repository | string | `"openebs/m-exporter"` | Volume exporter image repository |
-| cvcOperator.volumeExporter.image.tag | string | `"3.5.0"` | Volume exporter image tag |
+| cvcOperator.volumeExporter.image.tag | string | `"3.6.0"` | Volume exporter image tag |
 | cvcOperator.volumeMgmt.image.registry | string | `nil` | Volume mgmt image registry |
 | cvcOperator.volumeMgmt.image.repository | string | `"openebs/cstor-volume-manager"` | Volume mgmt image repository |
-| cvcOperator.volumeMgmt.image.tag | string | `"3.5.0"` | Volume mgmt image tag|
+| cvcOperator.volumeMgmt.image.tag | string | `"3.6.0"` | Volume mgmt image tag|
 | cvcOperator.baseDir | string | `"/var/openebs"` | CVC operator base directory for openebs on host path |
 | imagePullSecrets | string | `nil` | Image registry pull secrets |
 | openebsNDM.enabled | bool | `true` | Enable OpenEBS NDM dependency |
@@ -243,7 +243,7 @@ helm install openebs-cstor openebs-cstor/cstor --namespace openebs --create-name
 | openebs-ndm.ndmOperator.image.repository | string | `openebs/node-disk-operator` | Image repository for NDM operator |
 | rbac.create | bool | `true` | Enable RBAC |
 | rbac.pspEnabled | bool | `false` | Enable PodSecurityPolicy |
-| release.version | string | `"3.5.0"` | Openebs CStor release version |
+| release.version | string | `"3.6.0"` | Openebs CStor release version |
 | serviceAccount.annotations | object | `{}` | Service Account annotations |
 | serviceAccount.csiController.create | bool | `true` | Enable CSI Controller ServiceAccount |
 | serviceAccount.csiController.name | string | `"openebs-cstor-csi-controller-sa"` | CSI Controller ServiceAccount name |
diff --git a/charts/openebs/openebs/charts/cstor/crds/cstorbackup.yaml b/charts/openebs/openebs/charts/cstor/crds/cstorbackup.yaml
index 1063d8b2c..639ba09b9 100644
--- a/charts/openebs/openebs/charts/cstor/crds/cstorbackup.yaml
+++ b/charts/openebs/openebs/charts/cstor/crds/cstorbackup.yaml
@@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: cstorbackups.cstor.openebs.io spec: group: cstor.openebs.io 
@@ -12,76 +11,76 @@ spec: listKind: CStorBackupList plural: cstorbackups shortNames: - - cbackup + - cbackup singular: cstorbackup scope: Namespaced versions: - - additionalPrinterColumns: - - description: Name of the volume for which this backup is destined - jsonPath: .spec.volumeName - name: Volume - type: string - - description: Name of the backup or scheduled backup - jsonPath: .spec.backupName - name: Backup/Schedule - type: string - - description: Identifies the phase of the backup - jsonPath: .status - name: Status - type: string - name: v1 - schema: - openAPIV3Schema: - description: CStorBackup describes a cstor backup resource created as a custom - resource - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation + - additionalPrinterColumns: + - description: Name of the volume for which this backup is destined + jsonPath: .spec.volumeName + name: Volume + type: string + - description: Name of the backup or scheduled backup + jsonPath: .spec.backupName + name: Backup/Schedule + type: string + - description: Identifies the phase of the backup + jsonPath: .status + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: CStorBackup describes a cstor backup resource created as a custom + resource + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: CStorBackupSpec is the spec for a CStorBackup resource - properties: - backupDest: - description: BackupDest is the remote address for backup transfer - type: string - backupName: - description: BackupName is the name of the backup or scheduled backup - type: string - localSnap: - description: LocalSnap is the flag to enable local snapshot only - type: boolean - prevSnapName: - description: PrevSnapName is the last completed-backup's snapshot - name - type: string - snapName: - description: SnapName is the name of the current backup snapshot - type: string - volumeName: - description: VolumeName is the name of the volume for which this backup - is destined - type: string - required: - - backupName - - snapName - - volumeName - type: object - status: - description: CStorBackupStatus is a string type that represents the status - of the backup - type: string - required: - - spec - type: object - served: true - storage: true - subresources: {} + type: string + metadata: + type: object + spec: + description: CStorBackupSpec is the spec for a CStorBackup resource + properties: + backupDest: + description: BackupDest is the remote address for backup transfer + type: string + backupName: + description: BackupName is the name of the backup or scheduled backup + type: string + localSnap: + description: LocalSnap is the flag to enable local snapshot only + type: boolean + prevSnapName: + description: PrevSnapName is the last completed-backup's snapshot + name + type: string + snapName: + description: SnapName is the name of the current backup snapshot + type: string + volumeName: + description: VolumeName is the name of the volume for which this backup + is destined + type: string + required: + - backupName + - snapName + - volumeName + type: object + status: + description: CStorBackupStatus is a string 
type that represents the status + of the backup + type: string + required: + - spec + type: object + served: true + storage: true + subresources: {} \ No newline at end of file diff --git a/charts/openebs/openebs/charts/cstor/crds/cstorcompletedbackup.yaml b/charts/openebs/openebs/charts/cstor/crds/cstorcompletedbackup.yaml index 9b2683c39..81ad52ce8 100644 --- a/charts/openebs/openebs/charts/cstor/crds/cstorcompletedbackup.yaml +++ b/charts/openebs/openebs/charts/cstor/crds/cstorcompletedbackup.yaml @@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: cstorcompletedbackups.cstor.openebs.io spec: group: cstor.openebs.io 
@@ -12,63 +11,63 @@ spec: listKind: CStorCompletedBackupList plural: cstorcompletedbackups shortNames: - - ccompletedbackup + - ccompletedbackup singular: cstorcompletedbackup scope: Namespaced versions: - - additionalPrinterColumns: - - description: Volume name on which backup is performed - jsonPath: .spec.volumeName - name: Volume - type: string - - description: Name of the backup or scheduled backup - jsonPath: .spec.backupName - name: Backup/Schedule - type: string - - description: Last successfully backup snapshot - jsonPath: .spec.lastSnapName - name: LastSnap - type: string - name: v1 - schema: - openAPIV3Schema: - description: CStorCompletedBackup describes a cstor completed-backup resource - created as custom resource - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation + - additionalPrinterColumns: + - description: Volume name on which backup is performed + jsonPath: .spec.volumeName + name: Volume + type: string + - description: Name of the backup or scheduled backup + jsonPath: .spec.backupName + name: Backup/Schedule + type: string + - description: Last successfully backup snapshot + jsonPath: .spec.lastSnapName + name: LastSnap + type: string + name: v1 + schema: + openAPIV3Schema: + description: CStorCompletedBackup describes a cstor completed-backup resource + created as custom resource + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: CStorCompletedBackupSpec is the spec for a CStorBackup resource - properties: - backupName: - description: BackupName is the name of backup or scheduled backup - type: string - lastSnapName: - description: LastSnapName is the name of last completed-backup's snapshot - name - type: string - secondLastSnapName: - description: SecondLastSnapName is the name of second last 'successfully' - completed-backup's snapshot - type: string - volumeName: - description: VolumeName is the name of volume for which this backup - is destined - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} + type: string + metadata: + type: object + spec: + description: CStorCompletedBackupSpec is the spec for a CStorBackup resource + properties: + backupName: + description: BackupName is the name of backup or scheduled backup + type: string + lastSnapName: + description: LastSnapName is the name of last completed-backup's snapshot + name + type: string + secondLastSnapName: + description: SecondLastSnapName is the name of second last 'successfully' + completed-backup's snapshot + type: string + volumeName: + description: VolumeName is the name of volume for which this backup + is destined + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} \ No newline at end of file diff --git a/charts/openebs/openebs/charts/cstor/crds/cstorpoolcluster.yaml b/charts/openebs/openebs/charts/cstor/crds/cstorpoolcluster.yaml index 8f92f4f5d..33fd947dd 100644 --- a/charts/openebs/openebs/charts/cstor/crds/cstorpoolcluster.yaml +++ b/charts/openebs/openebs/charts/cstor/crds/cstorpoolcluster.yaml 
@@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: cstorpoolclusters.cstor.openebs.io spec: group: cstor.openebs.io 
@@ -12,474 +11,564 @@ spec: listKind: CStorPoolClusterList plural: cstorpoolclusters shortNames: - - cspc + - cspc singular: cstorpoolcluster scope: Namespaced versions: - - additionalPrinterColumns: - - description: The number of healthy cStorPoolInstances - jsonPath: .status.healthyInstances - name: HealthyInstances - type: integer - - description: The number of provisioned cStorPoolInstances - jsonPath: .status.provisionedInstances - name: ProvisionedInstances - type: integer - - description: The number of desired cStorPoolInstances - jsonPath: .status.desiredInstances - name: DesiredInstances - type: integer - - description: Age of CStorPoolCluster - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: CStorPoolCluster describes a CStorPoolCluster custom resource. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation + - additionalPrinterColumns: + - description: The number of healthy cStorPoolInstances + jsonPath: .status.healthyInstances + name: HealthyInstances + type: integer + - description: The number of provisioned cStorPoolInstances + jsonPath: .status.provisionedInstances + name: ProvisionedInstances + type: integer + - description: The number of desired cStorPoolInstances + jsonPath: .status.desiredInstances + name: DesiredInstances + type: integer + - description: Age of CStorPoolCluster + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: CStorPoolCluster describes a CStorPoolCluster custom resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: CStorPoolClusterSpec is the spec for a CStorPoolClusterSpec - resource - properties: - auxResources: - description: AuxResources are the compute resources required by the - cstor-pool pod side car containers. - nullable: true - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources - allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - pools: - description: Pools is the spec for pools for various nodes where it - should be created. 
- items: - description: PoolSpec is the spec for pool on node where it should - be created. + type: string + metadata: + type: object + spec: + description: CStorPoolClusterSpec is the spec for a CStorPoolClusterSpec + resource + properties: + auxResources: + description: AuxResources are the compute resources required by the + cstor-pool pod side car containers. + nullable: true properties: - dataRaidGroups: - description: DataRaidGroups is the raid group configuration - for the given pool. + claims: + description: "Claims lists the names of resources, defined in + spec.resourceClaims, that are used by this container. \n This + is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be set + for containers." items: - description: RaidGroup contains the details of a raid group - for the pool + description: ResourceClaim references one entry in PodSpec.ResourceClaims. properties: - blockDevices: - items: - description: CStorPoolInstanceBlockDevice contains the - details of block devices that constitutes a raid group. - properties: - blockDeviceName: - description: BlockDeviceName is the name of the - block device. - type: string - capacity: - description: Capacity is the capacity of the block - device. It is system generated - format: int64 - type: integer - devLink: - description: DevLink is the dev link for block devices - type: string - required: - - blockDeviceName - type: object - type: array + name: + description: Name must match the name of one entry in pod.spec.resourceClaims + of the Pod where this field is used. It makes that resource + available inside a container. + type: string required: - - blockDevices + - name type: object type: array - nodeSelector: + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: additionalProperties: - type: string - description: NodeSelector is the labels that will be used to - select a node for pool provisioning. 
Required field + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources + allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object - poolConfig: - description: PoolConfig is the default pool config that applies - to the pool on node. - properties: - auxResources: - description: AuxResources are the compute resources required - by the cstor-pool pod side car containers. - nullable: true + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + pools: + description: Pools is the spec for pools for various nodes where it + should be created. + items: + description: PoolSpec is the spec for pool on node where it should + be created. + properties: + dataRaidGroups: + description: DataRaidGroups is the raid group configuration + for the given pool. 
+ items: + description: RaidGroup contains the details of a raid group + for the pool properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of + blockDevices: + items: + description: CStorPoolInstanceBlockDevice contains the + details of block devices that constitutes a raid group. + properties: + blockDeviceName: + description: BlockDeviceName is the name of the + block device. + type: string + capacity: + description: Capacity is the capacity of the block + device. It is system generated + format: int64 + type: integer + devLink: + description: DevLink is the dev link for block devices + type: string + required: + - blockDeviceName + type: object + type: array + required: + - blockDevices + type: object + type: array + nodeSelector: + additionalProperties: + type: string + description: NodeSelector is the labels that will be used to + select a node for pool provisioning. Required field + type: object + poolConfig: + description: PoolConfig is the default pool config that applies + to the pool on node. + properties: + auxResources: + description: AuxResources are the compute resources required + by the cstor-pool pod side car containers. + nullable: true + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. \n This field + is immutable. It can only be set for containers." + items: + description: ResourceClaim references one entry in + PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where + this field is used. 
It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - compression: - description: 'Compression to enable compression Optional + value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + compression: + description: 'Compression to enable compression Optional -- defaults to off Possible values : lz, off' - type: string - dataRaidGroupType: - description: DataRaidGroupType is the raid type. 
- type: string - priorityClassName: - description: PriorityClassName if specified applies to this - pool pod If left empty, DefaultPriorityClassName is applied. - (See CStorPoolClusterSpec.DefaultPriorityClassName) If - both are empty, not priority class is applied. - nullable: true - type: string - resources: - description: Resources are the compute resources required - by the cstor-pool container. - nullable: true - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of + type: string + dataRaidGroupType: + description: DataRaidGroupType is the raid type. + type: string + priorityClassName: + description: PriorityClassName if specified applies to this + pool pod If left empty, DefaultPriorityClassName is applied. + (See CStorPoolClusterSpec.DefaultPriorityClassName) If + both are empty, not priority class is applied. + nullable: true + type: string + resources: + description: Resources are the compute resources required + by the cstor-pool container. + nullable: true + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. \n This field + is immutable. It can only be set for containers." + items: + description: ResourceClaim references one entry in + PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where + this field is used. It makes that resource available + inside a container. 
+ type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - roThresholdLimit: - description: 'ROThresholdLimit is threshold(percentage base) + value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + roThresholdLimit: + description: 'ROThresholdLimit is threshold(percentage base) limit for pool read only mode. If ROThresholdLimit(%) amount of pool storage is reached then pool will set to readonly. NOTE: 1. 
If ROThresholdLimit is set to 100 then entire pool storage will be used by default it will be set to 85%. 2. ROThresholdLimit value will be 0 <= ROThresholdLimit <= 100.' - nullable: true - type: integer - thickProvision: - description: ThickProvision to enable thick provisioning - Optional -- defaults to false - type: boolean - tolerations: - description: Tolerations, if specified, the pool pod's tolerations. - items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple - using the matching operator . - properties: - effect: - description: Effect indicates the taint effect to - match. Empty means match all taint effects. When - specified, allowed values are NoSchedule, PreferNoSchedule - and NoExecute. - type: string - key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If - the key is empty, operator must be Exists; this - combination means to match all values and all keys. - type: string - operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints - of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect - NoExecute, otherwise this field is ignored) tolerates - the taint. By default, it is not set, which means - tolerate the taint forever (do not evict). Zero - and negative values will be treated as 0 (evict - immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value - should be empty, otherwise just a regular string. - type: string - type: object - nullable: true - type: array - writeCacheGroupType: - description: WriteCacheGroupType is the write cache raid - type. 
- type: string - required: - - dataRaidGroupType - type: object - writeCacheRaidGroups: - description: WriteCacheRaidGroups is the write cache raid group. - items: - description: RaidGroup contains the details of a raid group - for the pool - properties: - blockDevices: + nullable: true + type: integer + thickProvision: + description: ThickProvision to enable thick provisioning + Optional -- defaults to false + type: boolean + tolerations: + description: Tolerations, if specified, the pool pod's tolerations. items: - description: CStorPoolInstanceBlockDevice contains the - details of block devices that constitutes a raid group. + description: The pod this Toleration is attached to tolerates + any taint that matches the triple + using the matching operator . properties: - blockDeviceName: - description: BlockDeviceName is the name of the - block device. + effect: + description: Effect indicates the taint effect to + match. Empty means match all taint effects. When + specified, allowed values are NoSchedule, PreferNoSchedule + and NoExecute. type: string - capacity: - description: Capacity is the capacity of the block - device. It is system generated + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. If + the key is empty, operator must be Exists; this + combination means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate all taints + of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period + of time the toleration (which must be of effect + NoExecute, otherwise this field is ignored) tolerates + the taint. By default, it is not set, which means + tolerate the taint forever (do not evict). 
Zero + and negative values will be treated as 0 (evict + immediately) by the system. format: int64 type: integer - devLink: - description: DevLink is the dev link for block devices + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value + should be empty, otherwise just a regular string. type: string - required: - - blockDeviceName type: object + nullable: true type: array + writeCacheGroupType: + description: WriteCacheGroupType is the write cache raid + type. + type: string required: - - blockDevices + - dataRaidGroupType type: object - nullable: true - type: array - required: - - dataRaidGroups - - nodeSelector - type: object - type: array - priorityClassName: - description: DefaultPriorityClassName if specified applies to all - the pool pods in the pool spec if the priorityClass at the pool - level is not specified. - type: string - resources: - description: DefaultResources are the compute resources required by - the cstor-pool container. If the resources at PoolConfig is not - specified, this is written to CSPI PoolConfig. - nullable: true - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources - allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + writeCacheRaidGroups: + description: WriteCacheRaidGroups is the write cache raid group. + items: + description: RaidGroup contains the details of a raid group + for the pool + properties: + blockDevices: + items: + description: CStorPoolInstanceBlockDevice contains the + details of block devices that constitutes a raid group. + properties: + blockDeviceName: + description: BlockDeviceName is the name of the + block device. 
+ type: string + capacity: + description: Capacity is the capacity of the block + device. It is system generated + format: int64 + type: integer + devLink: + description: DevLink is the dev link for block devices + type: string + required: + - blockDeviceName + type: object + type: array + required: + - blockDevices + type: object + nullable: true + type: array + required: + - dataRaidGroups + - nodeSelector type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute + type: array + priorityClassName: + description: DefaultPriorityClassName if specified applies to all + the pool pods in the pool spec if the priorityClass at the pool + level is not specified. + type: string + resources: + description: DefaultResources are the compute resources required by + the cstor-pool container. If the resources at PoolConfig is not + specified, this is written to CSPI PoolConfig. + nullable: true + properties: + claims: + description: "Claims lists the names of resources, defined in + spec.resourceClaims, that are used by this container. \n This + is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be set + for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in pod.spec.resourceClaims + of the Pod where this field is used. It makes that resource + available inside a container. 
+ type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources + allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - tolerations: - description: Tolerations, if specified, are the pool pod's tolerations - If tolerations at PoolConfig is empty, this is written to CSPI PoolConfig. - items: - description: The pod this Toleration is attached to tolerates any - taint that matches the triple using the matching - operator . - properties: - effect: - description: Effect indicates the taint effect to match. Empty - means match all taint effects. When specified, allowed values - are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match all - values and all keys. - type: string - operator: - description: Operator represents a key's relationship to the - value. 
Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod - can tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time - the toleration (which must be of effect NoExecute, otherwise - this field is ignored) tolerates the taint. By default, it - is not set, which means tolerate the taint forever (do not - evict). Zero and negative values will be treated as 0 (evict - immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. - type: string + to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object type: object - nullable: true - type: array - type: object - status: - description: CStorPoolClusterStatus represents the latest available observations - of a CSPC's current state. - properties: - conditions: - description: Current state of CSPC. - items: - description: CStorPoolClusterCondition describes the state of a - CSPC at a certain point. + tolerations: + description: Tolerations, if specified, are the pool pod's tolerations + If tolerations at PoolConfig is empty, this is written to CSPI PoolConfig. + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. 
If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod + can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever (do not + evict). Zero and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + nullable: true + type: array + type: object + status: + description: CStorPoolClusterStatus represents the latest available observations + of a CSPC's current state. + properties: + conditions: + description: Current state of CSPC. + items: + description: CStorPoolClusterCondition describes the state of a + CSPC at a certain point. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + lastUpdateTime: + description: The last time this condition was updated. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of CSPC condition. 
+ type: string + required: + - status + - type + type: object + nullable: true + type: array + desiredInstances: + description: DesiredInstances is the number of CSPI(s) that should + be provisioned. + format: int32 + nullable: true + type: integer + healthyInstances: + description: HealthyInstances is the number of CSPI(s) that are healthy. + format: int32 + nullable: true + type: integer + provisionedInstances: + description: ProvisionedInstances is the the number of CSPI present + at the current state. + format: int32 + nullable: true + type: integer + type: object + versionDetails: + description: VersionDetails provides the details for upgrade + properties: + autoUpgrade: + description: If AutoUpgrade is set to true then the resource is upgraded + automatically without any manual steps + type: boolean + desired: + description: Desired is the version that we want to upgrade or the + control plane version + type: string + status: + description: Status gives the status of reconciliation triggered when + the desired and current version are not same properties: - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time + current: + description: Current is the version of resource type: string + dependentsUpgraded: + description: DependentsUpgraded gives the details whether all + children of a resource are upgraded to desired version or not + type: boolean lastUpdateTime: - description: The last time this condition was updated. + description: LastUpdateTime is the time the status was last updated format: date-time + nullable: true type: string message: - description: A human readable message indicating details about - the transition. + description: Message is a human readable message if some error + occurs type: string reason: - description: The reason for the condition's last transition. 
+ description: Reason is the actual reason for the error state type: string - status: - description: Status of the condition, one of True, False, Unknown. + state: + description: State is the state of reconciliation type: string - type: - description: Type of CSPC condition. - type: string - required: - - status - - type type: object - nullable: true - type: array - desiredInstances: - description: DesiredInstances is the number of CSPI(s) that should - be provisioned. - format: int32 - nullable: true - type: integer - healthyInstances: - description: HealthyInstances is the number of CSPI(s) that are healthy. - format: int32 - nullable: true - type: integer - provisionedInstances: - description: ProvisionedInstances is the the number of CSPI present - at the current state. - format: int32 - nullable: true - type: integer - type: object - versionDetails: - description: VersionDetails provides the details for upgrade - properties: - autoUpgrade: - description: If AutoUpgrade is set to true then the resource is upgraded - automatically without any manual steps - type: boolean - desired: - description: Desired is the version that we want to upgrade or the - control plane version - type: string - status: - description: Status gives the status of reconciliation triggered when - the desired and current version are not same - properties: - current: - description: Current is the version of resource - type: string - dependentsUpgraded: - description: DependentsUpgraded gives the details whether all - children of a resource are upgraded to desired version or not - type: boolean - lastUpdateTime: - description: LastUpdateTime is the time the status was last updated - format: date-time - nullable: true - type: string - message: - description: Message is a human readable message if some error - occurs - type: string - reason: - description: Reason is the actual reason for the error state - type: string - state: - description: State is the state of reconciliation - type: string 
- type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} \ No newline at end of file diff --git a/charts/openebs/openebs/charts/cstor/crds/cstorpoolinstance.yaml b/charts/openebs/openebs/charts/cstor/crds/cstorpoolinstance.yaml index 4981ac0b3..9c2b7cdfb 100644 --- a/charts/openebs/openebs/charts/cstor/crds/cstorpoolinstance.yaml +++ b/charts/openebs/openebs/charts/cstor/crds/cstorpoolinstance.yaml @@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: cstorpoolinstances.cstor.openebs.io spec: group: cstor.openebs.io 
@@ -12,438 +11,484 @@ spec: listKind: CStorPoolInstanceList plural: cstorpoolinstances shortNames: - - cspi + - cspi singular: cstorpoolinstance scope: Namespaced versions: - - additionalPrinterColumns: - - description: Host name where cstorpool instances scheduled - jsonPath: .spec.hostName - name: HostName - type: string - - description: The amount of storage space within the pool that has been physically - allocated - jsonPath: .status.capacity.used - name: Allocated - priority: 1 - type: string - - description: The amount of usable free space available in the pool - jsonPath: .status.capacity.free - name: Free - type: string - - description: Total amount of usable space in pool - jsonPath: .status.capacity.total - name: Capacity - type: string - - description: Identifies the pool read only mode - jsonPath: .status.readOnly - name: ReadOnly - type: boolean - - description: Represents no.of replicas present in the pool - jsonPath: .status.provisionedReplicas - name: ProvisionedReplicas - type: integer - - description: Represents no.of healthy replicas present in the pool - jsonPath: .status.healthyReplicas - name: HealthyReplicas - type: integer - - description: Represents the type of the storage pool - jsonPath: .spec.poolConfig.dataRaidGroupType - name: Type - priority: 1 - type: string - - description: Identifies the current health of the pool - jsonPath: .status.phase - name: Status - type: string - - description: Age of CStorPoolInstance - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: CStorPoolInstance describes a cstor pool instance resource. 
- properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation + - additionalPrinterColumns: + - description: Host name where cstorpool instances scheduled + jsonPath: .spec.hostName + name: HostName + type: string + - description: The amount of storage space within the pool that has been physically + allocated + jsonPath: .status.capacity.used + name: Allocated + priority: 1 + type: string + - description: The amount of usable free space available in the pool + jsonPath: .status.capacity.free + name: Free + type: string + - description: Total amount of usable space in pool + jsonPath: .status.capacity.total + name: Capacity + type: string + - description: Identifies the pool read only mode + jsonPath: .status.readOnly + name: ReadOnly + type: boolean + - description: Represents no.of replicas present in the pool + jsonPath: .status.provisionedReplicas + name: ProvisionedReplicas + type: integer + - description: Represents no.of healthy replicas present in the pool + jsonPath: .status.healthyReplicas + name: HealthyReplicas + type: integer + - description: Represents the type of the storage pool + jsonPath: .spec.poolConfig.dataRaidGroupType + name: Type + priority: 1 + type: string + - description: Identifies the current health of the pool + jsonPath: .status.phase + name: Status + type: string + - description: Age of CStorPoolInstance + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: CStorPoolInstance describes a cstor pool instance resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec is the specification of the cstorpoolinstance resource. - properties: - dataRaidGroups: - description: DataRaidGroups is the raid group configuration for the - given pool. - items: - description: RaidGroup contains the details of a raid group for - the pool - properties: - blockDevices: - items: - description: CStorPoolInstanceBlockDevice contains the details - of block devices that constitutes a raid group. - properties: - blockDeviceName: - description: BlockDeviceName is the name of the block - device. - type: string - capacity: - description: Capacity is the capacity of the block device. - It is system generated - format: int64 - type: integer - devLink: - description: DevLink is the dev link for block devices - type: string - required: - - blockDeviceName - type: object - type: array - required: - - blockDevices - type: object - type: array - hostName: - description: HostName is the name of kubernetes node where the pool - should be created. - type: string - nodeSelector: - additionalProperties: + type: string + metadata: + type: object + spec: + description: Spec is the specification of the cstorpoolinstance resource. + properties: + dataRaidGroups: + description: DataRaidGroups is the raid group configuration for the + given pool. 
+ items: + description: RaidGroup contains the details of a raid group for + the pool + properties: + blockDevices: + items: + description: CStorPoolInstanceBlockDevice contains the details + of block devices that constitutes a raid group. + properties: + blockDeviceName: + description: BlockDeviceName is the name of the block + device. + type: string + capacity: + description: Capacity is the capacity of the block device. + It is system generated + format: int64 + type: integer + devLink: + description: DevLink is the dev link for block devices + type: string + required: + - blockDeviceName + type: object + type: array + required: + - blockDevices + type: object + type: array + hostName: + description: HostName is the name of kubernetes node where the pool + should be created. type: string - description: NodeSelector is the labels that will be used to select - a node for pool provisioning. Required field - type: object - poolConfig: - description: PoolConfig is the default pool config that applies to - the pool on node. - properties: - auxResources: - description: AuxResources are the compute resources required by - the cstor-pool pod side car containers. - nullable: true - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute + nodeSelector: + additionalProperties: + type: string + description: NodeSelector is the labels that will be used to select + a node for pool provisioning. Required field + type: object + poolConfig: + description: PoolConfig is the default pool config that applies to + the pool on node. + properties: + auxResources: + description: AuxResources are the compute resources required by + the cstor-pool pod side car containers. 
+ nullable: true + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be + set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - compression: - description: 'Compression to enable compression Optional -- defaults + to an implementation-defined value. Requests cannot exceed + Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + compression: + description: 'Compression to enable compression Optional -- defaults to off Possible values : lz, off' - type: string - dataRaidGroupType: - description: DataRaidGroupType is the raid type. - type: string - priorityClassName: - description: PriorityClassName if specified applies to this pool - pod If left empty, DefaultPriorityClassName is applied. (See - CStorPoolClusterSpec.DefaultPriorityClassName) If both are empty, - not priority class is applied. - nullable: true - type: string - resources: - description: Resources are the compute resources required by the - cstor-pool container. - nullable: true - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute + type: string + dataRaidGroupType: + description: DataRaidGroupType is the raid type. + type: string + priorityClassName: + description: PriorityClassName if specified applies to this pool + pod If left empty, DefaultPriorityClassName is applied. (See + CStorPoolClusterSpec.DefaultPriorityClassName) If both are empty, + not priority class is applied. + nullable: true + type: string + resources: + description: Resources are the compute resources required by the + cstor-pool container. + nullable: true + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. 
+ \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be + set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - roThresholdLimit: - description: 'ROThresholdLimit is threshold(percentage base) limit + to an implementation-defined value. Requests cannot exceed + Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + roThresholdLimit: + description: 'ROThresholdLimit is threshold(percentage base) limit for pool read only mode. If ROThresholdLimit(%) amount of pool storage is reached then pool will set to readonly. NOTE: 1. If ROThresholdLimit is set to 100 then entire pool storage will be used by default it will be set to 85%. 2. ROThresholdLimit value will be 0 <= ROThresholdLimit <= 100.' - nullable: true - type: integer - thickProvision: - description: ThickProvision to enable thick provisioning Optional - -- defaults to false - type: boolean - tolerations: - description: Tolerations, if specified, the pool pod's tolerations. - items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . - properties: - effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. - type: string - operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. 
- type: string - tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). Zero and negative values will - be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. - type: string - type: object - nullable: true - type: array - writeCacheGroupType: - description: WriteCacheGroupType is the write cache raid type. - type: string - required: - - dataRaidGroupType - type: object - writeCacheRaidGroups: - description: WriteCacheRaidGroups is the write cache raid group. - items: - description: RaidGroup contains the details of a raid group for - the pool - properties: - blockDevices: + nullable: true + type: integer + thickProvision: + description: ThickProvision to enable thick provisioning Optional + -- defaults to false + type: boolean + tolerations: + description: Tolerations, if specified, the pool pod's tolerations. items: - description: CStorPoolInstanceBlockDevice contains the details - of block devices that constitutes a raid group. + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . properties: - blockDeviceName: - description: BlockDeviceName is the name of the block - device. + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule and NoExecute. type: string - capacity: - description: Capacity is the capacity of the block device. - It is system generated + key: + description: Key is the taint key that the toleration applies + to. 
Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match + all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to + the value. Valid operators are Exists and Equal. Defaults + to Equal. Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of + time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the taint + forever (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. format: int64 type: integer - devLink: - description: DevLink is the dev link for block devices + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. type: string - required: - - blockDeviceName type: object + nullable: true type: array + writeCacheGroupType: + description: WriteCacheGroupType is the write cache raid type. + type: string required: - - blockDevices + - dataRaidGroupType type: object - nullable: true - type: array - required: - - dataRaidGroups - - nodeSelector - type: object - status: - description: Status is the possible statuses of the cstorpoolinstance - resource. 
- properties: - capacity: - description: Capacity describes the capacity details of a cstor pool - properties: - free: - anyOf: - - type: integer - - type: string - description: Amount of usable space in the pool after excluding - metadata and raid parity - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - total: - anyOf: - - type: integer - - type: string - description: Sum of usable capacity in all the data raidgroups - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - used: - anyOf: - - type: integer - - type: string - description: Amount of physical data (and its metadata) written - to pool after applying compression, etc.., - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - zfs: - description: ZFSCapacityAttributes contains advanced information - about pool capacity details + writeCacheRaidGroups: + description: WriteCacheRaidGroups is the write cache raid group. + items: + description: RaidGroup contains the details of a raid group for + the pool properties: - logicalUsed: - anyOf: + blockDevices: + items: + description: CStorPoolInstanceBlockDevice contains the details + of block devices that constitutes a raid group. + properties: + blockDeviceName: + description: BlockDeviceName is the name of the block + device. + type: string + capacity: + description: Capacity is the capacity of the block device. 
+ It is system generated + format: int64 + type: integer + devLink: + description: DevLink is the dev link for block devices + type: string + required: + - blockDeviceName + type: object + type: array + required: + - blockDevices + type: object + nullable: true + type: array + required: + - dataRaidGroups + - nodeSelector + type: object + status: + description: Status is the possible statuses of the cstorpoolinstance + resource. + properties: + capacity: + description: Capacity describes the capacity details of a cstor pool + properties: + free: + anyOf: - type: integer - type: string - description: LogicalUsed is the amount of space that is "logically" - consumed by this pool and all its descendents. The logical - space ignores the effect of the compression and copies properties, - giving a quantity closer to the amount of data that applications - see. However, it does include space consumed by metadata. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true + description: Amount of usable space in the pool after excluding + metadata and raid parity + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + total: + anyOf: + - type: integer + - type: string + description: Sum of usable capacity in all the data raidgroups + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + used: + anyOf: + - type: integer + - type: string + description: Amount of physical data (and its metadata) written + to pool after applying compression, etc.., + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + zfs: + description: ZFSCapacityAttributes contains advanced 
information + about pool capacity details + properties: + logicalUsed: + anyOf: + - type: integer + - type: string + description: LogicalUsed is the amount of space that is "logically" + consumed by this pool and all its descendents. The logical + space ignores the effect of the compression and copies properties, + giving a quantity closer to the amount of data that applications + see. However, it does include space consumed by metadata. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - logicalUsed + type: object + required: + - free + - total + - used + - zfs + type: object + conditions: + description: Current state of CSPI with details. + items: + description: CSPIConditionType describes the state of a CSPI at + a certain point. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + lastUpdateTime: + description: The last time this condition was updated. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of CSPC condition. + type: string required: - - logicalUsed + - status + - type type: object - required: - - free - - total - - used - - zfs - type: object - conditions: - description: Current state of CSPI with details. - items: - description: CSPIConditionType describes the state of a CSPI at - a certain point. 
+ type: array + healthyReplicas: + description: HealthyReplicas describes the total count of healthy + Volume Replicas in the cstor pool + format: int32 + type: integer + phase: + description: The phase of a CStorPool is a simple, high-level summary + of the pool state on the node. + type: string + provisionedReplicas: + description: ProvisionedReplicas describes the total count of Volume + Replicas present in the cstor pool + format: int32 + type: integer + readOnly: + description: ReadOnly if pool is readOnly or not + type: boolean + required: + - healthyReplicas + - provisionedReplicas + - readOnly + type: object + versionDetails: + description: VersionDetails is the openebs version. + properties: + autoUpgrade: + description: If AutoUpgrade is set to true then the resource is upgraded + automatically without any manual steps + type: boolean + desired: + description: Desired is the version that we want to upgrade or the + control plane version + type: string + status: + description: Status gives the status of reconciliation triggered when + the desired and current version are not same properties: - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time + current: + description: Current is the version of resource type: string + dependentsUpgraded: + description: DependentsUpgraded gives the details whether all + children of a resource are upgraded to desired version or not + type: boolean lastUpdateTime: - description: The last time this condition was updated. + description: LastUpdateTime is the time the status was last updated format: date-time + nullable: true type: string message: - description: A human readable message indicating details about - the transition. + description: Message is a human readable message if some error + occurs type: string reason: - description: The reason for the condition's last transition. 
+ description: Reason is the actual reason for the error state type: string - status: - description: Status of the condition, one of True, False, Unknown. + state: + description: State is the state of reconciliation type: string - type: - description: Type of CSPC condition. - type: string - required: - - status - - type type: object - type: array - healthyReplicas: - description: HealthyReplicas describes the total count of healthy - Volume Replicas in the cstor pool - format: int32 - type: integer - phase: - description: The phase of a CStorPool is a simple, high-level summary - of the pool state on the node. - type: string - provisionedReplicas: - description: ProvisionedReplicas describes the total count of Volume - Replicas present in the cstor pool - format: int32 - type: integer - readOnly: - description: ReadOnly if pool is readOnly or not - type: boolean - required: - - healthyReplicas - - provisionedReplicas - - readOnly - type: object - versionDetails: - description: VersionDetails is the openebs version. 
- properties: - autoUpgrade: - description: If AutoUpgrade is set to true then the resource is upgraded - automatically without any manual steps - type: boolean - desired: - description: Desired is the version that we want to upgrade or the - control plane version - type: string - status: - description: Status gives the status of reconciliation triggered when - the desired and current version are not same - properties: - current: - description: Current is the version of resource - type: string - dependentsUpgraded: - description: DependentsUpgraded gives the details whether all - children of a resource are upgraded to desired version or not - type: boolean - lastUpdateTime: - description: LastUpdateTime is the time the status was last updated - format: date-time - nullable: true - type: string - message: - description: Message is a human readable message if some error - occurs - type: string - reason: - description: Reason is the actual reason for the error state - type: string - state: - description: State is the state of reconciliation - type: string - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} \ No newline at end of file diff --git a/charts/openebs/openebs/charts/cstor/crds/cstorrestore.yaml b/charts/openebs/openebs/charts/cstor/crds/cstorrestore.yaml index 26963df4b..6b1ee35ad 100644 --- a/charts/openebs/openebs/charts/cstor/crds/cstorrestore.yaml +++ b/charts/openebs/openebs/charts/cstor/crds/cstorrestore.yaml @@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: cstorrestores.cstor.openebs.io spec: group: cstor.openebs.io 
@@ -12,89 +11,89 @@ spec: listKind: CStorRestoreList plural: cstorrestores shortNames: - - crestore + - crestore singular: cstorrestore scope: Namespaced versions: - - additionalPrinterColumns: - - description: Name of the snapshot which is restored - jsonPath: .spec.restoreName - name: Backup - type: string - - description: Volume on which restore is performed - jsonPath: .spec.volumeName - name: Volume - type: string - - description: Identifies the state of the restore - jsonPath: .status - name: Status - type: string - name: v1 - schema: - openAPIV3Schema: - description: CStorRestore describes a cstor restore resource created as a - custom resource - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation + - additionalPrinterColumns: + - description: Name of the snapshot which is restored + jsonPath: .spec.restoreName + name: Backup + type: string + - description: Volume on which restore is performed + jsonPath: .spec.volumeName + name: Volume + type: string + - description: Identifies the state of the restore + jsonPath: .status + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: CStorRestore describes a cstor restore resource created as a + custom resource + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: CStorRestoreSpec is the spec for a CStorRestore resource - properties: - localRestore: - description: Local defines whether restore is from local/remote - type: boolean - maxretrycount: - description: MaxRestoreRetryCount is the maximum number of attempt, - will be performed to restore - type: integer - restoreName: - description: RestoreName holds restore name - type: string - restoreSrc: - description: RestoreSrc can be ip:port in case of restore from remote - or volumeName in case of local restore - type: string - retrycount: - description: RetryCount represents the number of restore attempts - performed for the restore - type: integer - size: - anyOf: - - type: integer - - type: string - description: Size represents the size of a snapshot to restore - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - storageClass: - description: StorageClass represents name of StorageClass of restore - volume - type: string - volumeName: - description: VolumeName is used to restore the data to corresponding - volume - type: string - required: - - restoreName - - restoreSrc - - volumeName - type: object - status: - description: CStorRestoreStatus is a string type that represents the status - of the restore - type: string - required: - - spec - type: object - served: true - storage: true - subresources: {} + type: string + metadata: + type: object + spec: + description: CStorRestoreSpec is the spec for a CStorRestore resource + properties: + localRestore: + description: Local defines whether restore is from local/remote + type: boolean + maxretrycount: + description: MaxRestoreRetryCount is the maximum number of attempt, + will be performed to restore + type: integer + restoreName: + description: 
RestoreName holds restore name + type: string + restoreSrc: + description: RestoreSrc can be ip:port in case of restore from remote + or volumeName in case of local restore + type: string + retrycount: + description: RetryCount represents the number of restore attempts + performed for the restore + type: integer + size: + anyOf: + - type: integer + - type: string + description: Size represents the size of a snapshot to restore + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + storageClass: + description: StorageClass represents name of StorageClass of restore + volume + type: string + volumeName: + description: VolumeName is used to restore the data to corresponding + volume + type: string + required: + - restoreName + - restoreSrc + - volumeName + type: object + status: + description: CStorRestoreStatus is a string type that represents the status + of the restore + type: string + required: + - spec + type: object + served: true + storage: true + subresources: {} \ No newline at end of file diff --git a/charts/openebs/openebs/charts/cstor/crds/cstorvolume.yaml b/charts/openebs/openebs/charts/cstor/crds/cstorvolume.yaml index 9d7d19ed8..d083db9ca 100644 --- a/charts/openebs/openebs/charts/cstor/crds/cstorvolume.yaml +++ b/charts/openebs/openebs/charts/cstor/crds/cstorvolume.yaml @@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: cstorvolumes.cstor.openebs.io spec: group: cstor.openebs.io 
@@ -12,254 +11,254 @@ spec: listKind: CStorVolumeList plural: cstorvolumes shortNames: - - cv + - cv singular: cstorvolume scope: Namespaced versions: - - additionalPrinterColumns: - - description: Current volume capacity - jsonPath: .status.capacity - name: Capacity - type: string - - description: Identifies the current health of the volume - jsonPath: .status.phase - name: Status - type: string - - description: Age of CStorVolume - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: CStorVolume describes a cstor volume resource created as custom - resource - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation + - additionalPrinterColumns: + - description: Current volume capacity + jsonPath: .status.capacity + name: Capacity + type: string + - description: Identifies the current health of the volume + jsonPath: .status.phase + name: Status + type: string + - description: Age of CStorVolume + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: CStorVolume describes a cstor volume resource created as custom + resource + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: CStorVolumeSpec is the spec for a CStorVolume resource - properties: - capacity: - anyOf: - - type: integer - - type: string - description: Capacity represents the desired size of the underlying - volume. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - consistencyFactor: - description: ConsistencyFactor is minimum number of volume replicas - i.e. `RF/2 + 1` has to be connected to the target for write operations. - Basically more then 50% of replica has to be connected to target. - type: integer - desiredReplicationFactor: - description: DesiredReplicationFactor represents maximum number of - replicas that are allowed to connect to the target. Required for - scale operations - type: integer - iqn: - description: Target iSCSI Qualified Name.combination of nodeBase - type: string - replicaDetails: - description: ReplicaDetails refers to the trusty replica information - properties: - knownReplicas: - additionalProperties: - type: string - description: KnownReplicas represents the replicas that target - can trust to read data - type: object - type: object - replicationFactor: - description: ReplicationFactor represents number of volume replica - created during volume provisioning connect to the target - type: integer - targetIP: - description: TargetIP IP of the iSCSI target service - type: string - targetPort: - description: iSCSI Target Port typically TCP ports 3260 - type: string - targetPortal: - description: iSCSI Target Portal. The Portal is combination of IP:port - (typically TCP ports 3260) - type: string - type: object - status: - description: CStorVolumeStatus is for handling status of cvr. 
- properties: - capacity: - anyOf: - - type: integer - - type: string - description: Represents the actual capacity of the underlying volume. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - conditions: - description: Current Condition of cstorvolume. If underlying persistent - volume is being resized then the Condition will be set to 'ResizePending'. - items: - description: CStorVolumeCondition contains details about state of - cstorvolume + type: string + metadata: + type: object + spec: + description: CStorVolumeSpec is the spec for a CStorVolume resource + properties: + capacity: + anyOf: + - type: integer + - type: string + description: Capacity represents the desired size of the underlying + volume. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + consistencyFactor: + description: ConsistencyFactor is minimum number of volume replicas + i.e. `RF/2 + 1` has to be connected to the target for write operations. + Basically more then 50% of replica has to be connected to target. + type: integer + desiredReplicationFactor: + description: DesiredReplicationFactor represents maximum number of + replicas that are allowed to connect to the target. Required for + scale operations + type: integer + iqn: + description: Target iSCSI Qualified Name.combination of nodeBase + type: string + replicaDetails: + description: ReplicaDetails refers to the trusty replica information properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. 
- type: string - reason: - description: Unique, this should be a short, machine understandable - string that gives the reason for condition's last transition. - If it reports "ResizePending" that means the underlying cstorvolume - is being resized. - type: string - status: - description: ConditionStatus states in which state condition - is present - type: string - type: - description: CStorVolumeConditionType is a valid value of CStorVolumeCondition.Type - type: string - required: - - status - - type + knownReplicas: + additionalProperties: + type: string + description: KnownReplicas represents the replicas that target + can trust to read data + type: object type: object - type: array - lastTransitionTime: - description: LastTransitionTime refers to the time when the phase - changes - format: date-time - nullable: true - type: string - lastUpdateTime: - description: LastUpdateTime refers to the time when last status updated - due to any operations - format: date-time - nullable: true - type: string - message: - description: A human-readable message indicating details about why - the volume is in this state. - type: string - phase: - description: CStorVolumePhase is to hold result of action. - type: string - replicaDetails: - description: ReplicaDetails refers to the trusty replica information - properties: - knownReplicas: - additionalProperties: - type: string - description: KnownReplicas represents the replicas that target - can trust to read data + replicationFactor: + description: ReplicationFactor represents number of volume replica + created during volume provisioning connect to the target + type: integer + targetIP: + description: TargetIP IP of the iSCSI target service + type: string + targetPort: + description: iSCSI Target Port typically TCP ports 3260 + type: string + targetPortal: + description: iSCSI Target Portal. 
The Portal is combination of IP:port + (typically TCP ports 3260) + type: string + type: object + status: + description: CStorVolumeStatus is for handling status of cvr. + properties: + capacity: + anyOf: + - type: integer + - type: string + description: Represents the actual capacity of the underlying volume. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + conditions: + description: Current Condition of cstorvolume. If underlying persistent + volume is being resized then the Condition will be set to 'ResizePending'. + items: + description: CStorVolumeCondition contains details about state of + cstorvolume + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, this should be a short, machine understandable + string that gives the reason for condition's last transition. + If it reports "ResizePending" that means the underlying cstorvolume + is being resized. 
+ type: string + status: + description: ConditionStatus states in which state condition + is present + type: string + type: + description: CStorVolumeConditionType is a valid value of CStorVolumeCondition.Type + type: string + required: + - status + - type type: object - type: object - replicaStatuses: - items: - description: ReplicaStatus stores the status of replicas + type: array + lastTransitionTime: + description: LastTransitionTime refers to the time when the phase + changes + format: date-time + nullable: true + type: string + lastUpdateTime: + description: LastUpdateTime refers to the time when last status updated + due to any operations + format: date-time + nullable: true + type: string + message: + description: A human-readable message indicating details about why + the volume is in this state. + type: string + phase: + description: CStorVolumePhase is to hold result of action. + type: string + replicaDetails: + description: ReplicaDetails refers to the trusty replica information properties: - checkpointedIOSeq: - description: Represents IO number of replica persisted on the - disk - type: string - inflightRead: - description: Ongoing reads I/O from target to replica - type: string - inflightSync: - description: Ongoing sync I/O from target to replica - type: string - inflightWrite: - description: ongoing writes I/O from target to replica - type: string - mode: - description: Mode represents replica status i.e. 
Healthy, Degraded - type: string - quorum: - description: 'Quorum indicates wheather data wrtitten to the + knownReplicas: + additionalProperties: + type: string + description: KnownReplicas represents the replicas that target + can trust to read data + type: object + type: object + replicaStatuses: + items: + description: ReplicaStatus stores the status of replicas + properties: + checkpointedIOSeq: + description: Represents IO number of replica persisted on the + disk + type: string + inflightRead: + description: Ongoing reads I/O from target to replica + type: string + inflightSync: + description: Ongoing sync I/O from target to replica + type: string + inflightWrite: + description: ongoing writes I/O from target to replica + type: string + mode: + description: Mode represents replica status i.e. Healthy, Degraded + type: string + quorum: + description: 'Quorum indicates wheather data wrtitten to the replica is lost or exists. "0" means: data has been lost( might be ephimeral case) and will recostruct data from other Healthy replicas in a write-only mode 1 means: written data is exists on replica' + type: string + replicaId: + description: ID is replica unique identifier + type: string + upTime: + description: time since the replica connected to target + type: integer + required: + - checkpointedIOSeq + - inflightRead + - inflightSync + - inflightWrite + - mode + - quorum + - replicaId + - upTime + type: object + type: array + type: object + versionDetails: + description: VersionDetails provides the details for upgrade + properties: + autoUpgrade: + description: If AutoUpgrade is set to true then the resource is upgraded + automatically without any manual steps + type: boolean + desired: + description: Desired is the version that we want to upgrade or the + control plane version + type: string + status: + description: Status gives the status of reconciliation triggered when + the desired and current version are not same + properties: + current: + description: 
Current is the version of resource type: string - replicaId: - description: ID is replica unique identifier + dependentsUpgraded: + description: DependentsUpgraded gives the details whether all + children of a resource are upgraded to desired version or not + type: boolean + lastUpdateTime: + description: LastUpdateTime is the time the status was last updated + format: date-time + nullable: true + type: string + message: + description: Message is a human readable message if some error + occurs + type: string + reason: + description: Reason is the actual reason for the error state + type: string + state: + description: State is the state of reconciliation type: string - upTime: - description: time since the replica connected to target - type: integer - required: - - checkpointedIOSeq - - inflightRead - - inflightSync - - inflightWrite - - mode - - quorum - - replicaId - - upTime type: object - type: array - type: object - versionDetails: - description: VersionDetails provides the details for upgrade - properties: - autoUpgrade: - description: If AutoUpgrade is set to true then the resource is upgraded - automatically without any manual steps - type: boolean - desired: - description: Desired is the version that we want to upgrade or the - control plane version - type: string - status: - description: Status gives the status of reconciliation triggered when - the desired and current version are not same - properties: - current: - description: Current is the version of resource - type: string - dependentsUpgraded: - description: DependentsUpgraded gives the details whether all - children of a resource are upgraded to desired version or not - type: boolean - lastUpdateTime: - description: LastUpdateTime is the time the status was last updated - format: date-time - nullable: true - type: string - message: - description: Message is a human readable message if some error - occurs - type: string - reason: - description: Reason is the actual reason for the error state - type: 
string - state: - description: State is the state of reconciliation - type: string - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} \ No newline at end of file diff --git a/charts/openebs/openebs/charts/cstor/crds/cstorvolumeattachment.yaml b/charts/openebs/openebs/charts/cstor/crds/cstorvolumeattachment.yaml index b4b163e6a..8651e8681 100644 --- a/charts/openebs/openebs/charts/cstor/crds/cstorvolumeattachment.yaml +++ b/charts/openebs/openebs/charts/cstor/crds/cstorvolumeattachment.yaml @@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: cstorvolumeattachments.cstor.openebs.io spec: group: cstor.openebs.io 
@@ -12,111 +11,111 @@ spec: listKind: CStorVolumeAttachmentList plural: cstorvolumeattachments shortNames: - - cva + - cva singular: cstorvolumeattachment scope: Namespaced versions: - - name: v1 - schema: - openAPIV3Schema: - description: CStorVolumeAttachment represents a CSI based volume - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation + - name: v1 + schema: + openAPIV3Schema: + description: CStorVolumeAttachment represents a CSI based volume + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: CStorVolumeAttachmentSpec is the spec for a CStorVolume resource - properties: - iscsi: - description: ISCSIInfo specific to ISCSI protocol, this is filled - only if the volume type is iSCSI - properties: - iqn: - description: Iqn of this volume - type: string - iscsiInterface: - description: IscsiInterface of this volume - type: string - lun: - description: 'Lun specify the lun number 0, 1.. on iSCSI Volume. 
+ type: string + metadata: + type: object + spec: + description: CStorVolumeAttachmentSpec is the spec for a CStorVolume resource + properties: + iscsi: + description: ISCSIInfo specific to ISCSI protocol, this is filled + only if the volume type is iSCSI + properties: + iqn: + description: Iqn of this volume + type: string + iscsiInterface: + description: IscsiInterface of this volume + type: string + lun: + description: 'Lun specify the lun number 0, 1.. on iSCSI Volume. (default: 0)' - type: string - targetPortal: - description: TargetPortal holds the target portal of this volume - type: string - type: object - volume: - description: Volume specific info - properties: - accessModes: - description: AccessMode of a volume will hold the access mode - of the volume - items: type: string - type: array - accessType: - description: AccessType of a volume will indicate if the volume - will be used as a block device or mounted on a path - type: string - capacity: - description: Capacity of the volume - type: string - devicePath: - description: Device Path specifies the device path which is returned - when the iSCSI login is successful - type: string - fsType: - description: FSType of a volume will specify the format type - - ext4(default), xfs of PV - type: string - mountOptions: - description: MountOptions specifies the options with which mount - needs to be attempted - items: + targetPortal: + description: TargetPortal holds the target portal of this volume type: string - type: array - name: - description: Name of the CSI volume - type: string - ownerNodeID: - description: OwnerNodeID is the Node ID which is also the owner - of this Volume - type: string - readOnly: - description: ReadOnly specifies if the volume needs to be mounted - in ReadOnly mode - type: boolean - stagingTargetPath: - description: StagingPath of the volume will hold the path on which - the volume is mounted on that node - type: string - targetPath: - description: TargetPath of the volume will hold 
the path on which - the volume is bind mounted on that node - type: string - required: - - name - - ownerNodeID - type: object - required: - - iscsi - - volume - type: object - status: - description: CStorVolumeAttachmentStatus status represents the current - mount status of the volume - type: string - required: - - spec - type: object - served: true - storage: true + type: object + volume: + description: Volume specific info + properties: + accessModes: + description: AccessMode of a volume will hold the access mode + of the volume + items: + type: string + type: array + accessType: + description: AccessType of a volume will indicate if the volume + will be used as a block device or mounted on a path + type: string + capacity: + description: Capacity of the volume + type: string + devicePath: + description: Device Path specifies the device path which is returned + when the iSCSI login is successful + type: string + fsType: + description: FSType of a volume will specify the format type - + ext4(default), xfs of PV + type: string + mountOptions: + description: MountOptions specifies the options with which mount + needs to be attempted + items: + type: string + type: array + name: + description: Name of the CSI volume + type: string + ownerNodeID: + description: OwnerNodeID is the Node ID which is also the owner + of this Volume + type: string + readOnly: + description: ReadOnly specifies if the volume needs to be mounted + in ReadOnly mode + type: boolean + stagingTargetPath: + description: StagingPath of the volume will hold the path on which + the volume is mounted on that node + type: string + targetPath: + description: TargetPath of the volume will hold the path on which + the volume is bind mounted on that node + type: string + required: + - name + - ownerNodeID + type: object + required: + - iscsi + - volume + type: object + status: + description: CStorVolumeAttachmentStatus status represents the current + mount status of the volume + type: string + required: 
+ - spec + type: object + served: true + storage: true \ No newline at end of file diff --git a/charts/openebs/openebs/charts/cstor/crds/cstorvolumeconfig.yaml b/charts/openebs/openebs/charts/cstor/crds/cstorvolumeconfig.yaml index 4642a9b1c..a88d5e4b6 100644 --- a/charts/openebs/openebs/charts/cstor/crds/cstorvolumeconfig.yaml +++ b/charts/openebs/openebs/charts/cstor/crds/cstorvolumeconfig.yaml @@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: cstorvolumeconfigs.cstor.openebs.io spec: group: cstor.openebs.io 
@@ -12,74 +11,74 @@ spec: listKind: CStorVolumeConfigList plural: cstorvolumeconfigs shortNames: - - cvc + - cvc singular: cstorvolumeconfig scope: Namespaced versions: - - additionalPrinterColumns: - - description: Identifies the volume capacity - jsonPath: .status.capacity.storage - name: Capacity - type: string - - description: Identifies the volume provisioning status - jsonPath: .status.phase - name: Status - type: string - - description: Age of CStorVolumeReplica - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: CStorVolumeConfig describes a cstor volume config resource created - as custom resource. CStorVolumeConfig is a request for creating cstor volume - related resources like deployment, svc etc. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation + - additionalPrinterColumns: + - description: Identifies the volume capacity + jsonPath: .status.capacity.storage + name: Capacity + type: string + - description: Identifies the volume provisioning status + jsonPath: .status.phase + name: Status + type: string + - description: Age of CStorVolumeReplica + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: CStorVolumeConfig describes a cstor volume config resource created + as custom resource. CStorVolumeConfig is a request for creating cstor volume + related resources like deployment, svc etc. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - publish: - description: Publish contains info related to attachment of a volume to - a node. i.e. NodeId etc. - properties: - nodeId: - description: NodeID contains publish info related to attachment of - a volume to a node. - type: string - type: object - spec: - description: Spec defines a specification of a cstor volume config required - to provisione cstor volume resources - properties: - capacity: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Capacity represents the actual resources of the underlying - cstor volume. - type: object - cstorVolumeRef: - description: CStorVolumeRef has the information about where CstorVolumeClaim - is created from. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of + type: string + metadata: + type: object + publish: + description: Publish contains info related to attachment of a volume to + a node. i.e. NodeId etc. + properties: + nodeId: + description: NodeID contains publish info related to attachment of + a volume to a node. 
+ type: string + type: object + spec: + description: Spec defines a specification of a cstor volume config required + to provisione cstor volume resources + properties: + capacity: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Capacity represents the actual resources of the underlying + cstor volume. + type: object + cstorVolumeRef: + description: CStorVolumeRef has the information about where CstorVolumeClaim + is created from. + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within 
@@ -90,669 +89,713 @@ spec: only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - cstorVolumeSource: - description: CStorVolumeSource contains the source volumeName@snapShotname - combaination. This will be filled only if it is a clone creation. 
- type: string - policy: - description: Policy contains volume specific required policies target - and replicas - properties: - provision: - description: replicaAffinity is set to true then volume replica - resources need to be distributed across the pool instances - properties: - blockSize: - description: BlockSize is the logical block size in multiple - of 512 bytes BlockSize specifies the block size of the volume. - The blocksize cannot be changed once the volume has been - written, so it should be set at volume creation time. The - default blocksize for volumes is 4 Kbytes. Any power of - 2 from 512 bytes to 128 Kbytes is valid. - format: int32 - type: integer - replicaAffinity: - description: replicaAffinity is set to true then volume replica - resources need to be distributed across the cstor pool instances - based on the given topology - type: boolean - required: - - replicaAffinity - type: object - replica: - description: ReplicaSpec represents configuration related to replicas - resources - properties: - compression: - description: The zle compression algorithm compresses runs - of zeros. - type: string - zvolWorkers: - description: IOWorkers represents number of threads that executes - client IOs - type: string - type: object - replicaPoolInfo: - description: 'ReplicaPoolInfo holds the pool information of volume + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + x-kubernetes-map-type: atomic + cstorVolumeSource: + description: CStorVolumeSource contains the source volumeName@snapShotname + combaination. This will be filled only if it is a clone creation. 
+ type: string + policy: + description: Policy contains volume specific required policies target + and replicas + properties: + provision: + description: replicaAffinity is set to true then volume replica + resources need to be distributed across the pool instances + properties: + blockSize: + description: BlockSize is the logical block size in multiple + of 512 bytes BlockSize specifies the block size of the volume. + The blocksize cannot be changed once the volume has been + written, so it should be set at volume creation time. The + default blocksize for volumes is 4 Kbytes. Any power of + 2 from 512 bytes to 128 Kbytes is valid. + format: int32 + type: integer + replicaAffinity: + description: replicaAffinity is set to true then volume replica + resources need to be distributed across the cstor pool instances + based on the given topology + type: boolean + required: + - replicaAffinity + type: object + replica: + description: ReplicaSpec represents configuration related to replicas + resources + properties: + compression: + description: The zle compression algorithm compresses runs + of zeros. + type: string + zvolWorkers: + description: IOWorkers represents number of threads that executes + client IOs + type: string + type: object + replicaPoolInfo: + description: 'ReplicaPoolInfo holds the pool information of volume replicas. 
Ex: If volume is provisioned on which CStor pool volume replicas exist' - items: - description: ReplicaPoolInfo represents the pool information - of volume replica + items: + description: ReplicaPoolInfo represents the pool information + of volume replica + properties: + poolName: + description: PoolName represents the pool name where volume + replica exists + type: string + required: + - poolName + type: object + type: array + target: + description: TargetSpec represents configuration related to cstor + target and its resources properties: - poolName: - description: PoolName represents the pool name where volume - replica exists - type: string - required: - - poolName - type: object - type: array - target: - description: TargetSpec represents configuration related to cstor - target and its resources - properties: - affinity: - description: PodAffinity if specified, are the target pod's - affinities - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods - to nodes that satisfy the affinity expressions specified - by this field, but it may choose a node that violates - one or more of the expressions. The node that is most - preferred is the one with the greatest sum of weights, - i.e. for each node that meets all of the scheduling - requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum by iterating - through the elements of this field and adding "weight" - to the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum are - the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. 
- properties: - labelSelector: - description: A label query over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace". - items: - type: string - type: array - topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. - Empty topologyKey is not allowed. 
- type: string - required: - - topologyKey - type: object - weight: - description: weight associated with matching the - corresponding podAffinityTerm, in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the affinity requirements - specified by this field cease to be met at some point - during pod execution (e.g. due to a pod label update), - the system may or may not try to eventually evict the - pod from its node. When there are multiple elements, - the lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. - items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not - co-located (anti-affinity) with, where co-located - is defined as running on a node whose value of the - label with key matches that of any node - on which a pod of the set of pods is running - properties: - labelSelector: - description: A label query over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. 
If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - auxResources: - description: AuxResources are the compute resources required - by the cstor-target pod side car containers. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of - compute resources required. If Requests is omitted for - a container, it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - luWorkers: - description: IOWorkers sets the number of threads that are - working on above queue - format: int64 - type: integer - monitor: - description: Monitor enables or disables the target exporter - sidecar - type: boolean - nodeSelector: - additionalProperties: - type: string - description: NodeSelector is the labels that will be used - to select a node for target pod scheduleing Required field - type: object - priorityClassName: - description: PriorityClassName if specified applies to this - target pod If left empty, no priority class is applied. - type: string - queueDepth: - description: QueueDepth sets the queue size at iSCSI target - which limits the ongoing IO count from client - type: string - replicationFactor: - description: ReplicationFactor represents maximum number of - replicas that are allowed to connect to the target - format: int64 - type: integer - resources: - description: Resources are the compute resources required - by the cstor-target container. 
- properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of - compute resources required. If Requests is omitted for - a container, it defaults to Limits if that is explicitly - specified, otherwise to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - tolerations: - description: Tolerations, if specified, are the target pod's - tolerations - items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + affinity: + description: PodAffinity if specified, are the target pod's + affinities properties: - effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule and - NoExecute. - type: string - key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If the - key is empty, operator must be Exists; this combination - means to match all values and all keys. - type: string - operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. 
Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints of - a particular category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the - taint forever (do not evict). Zero and negative values - will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value should - be empty, otherwise just a regular string. - type: string + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. The node that is most + preferred is the one with the greatest sum of weights, + i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. 
+ type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the affinity requirements + specified by this field cease to be met at some point + during pod execution (e.g. due to a pod label update), + the system may or may not try to eventually evict the + pod from its node. When there are multiple elements, + the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array type: object - type: array - type: object - type: object - provision: - description: Provision represents the initial volume configuration - for the underlying cstor volume based on the persistent volume request - by user. Provision properties are immutable - properties: - capacity: - additionalProperties: - anyOf: + auxResources: + description: AuxResources are the compute resources required + by the cstor-target pod side car containers. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. \n This field + is immutable. It can only be set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. 
+ properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where this + field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of + compute resources required. If Requests is omitted for + a container, it defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined value. + Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + luWorkers: + description: IOWorkers sets the number of threads that are + working on above queue + format: int64 + type: integer + monitor: + description: Monitor enables or disables the target exporter + sidecar + type: boolean + nodeSelector: + additionalProperties: + type: string + description: NodeSelector is the labels that will be used + to select a node for target pod scheduleing Required field + type: object + priorityClassName: + description: PriorityClassName if specified applies to this + target pod If left empty, no priority class is applied. 
+ type: string + queueDepth: + description: QueueDepth sets the queue size at iSCSI target + which limits the ongoing IO count from client + type: string + replicationFactor: + description: ReplicationFactor represents maximum number of + replicas that are allowed to connect to the target + format: int64 + type: integer + resources: + description: Resources are the compute resources required + by the cstor-target container. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. \n This field + is immutable. It can only be set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where this + field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of + compute resources required. 
If Requests is omitted for + a container, it defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined value. + Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + tolerations: + description: Tolerations, if specified, are the target pod's + tolerations + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule and + NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. If the + key is empty, operator must be Exists; this combination + means to match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate all taints of + a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period + of time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the + taint forever (do not evict). Zero and negative values + will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value should + be empty, otherwise just a regular string. 
+ type: string + type: object + type: array + type: object + type: object + provision: + description: Provision represents the initial volume configuration + for the underlying cstor volume based on the persistent volume request + by user. Provision properties are immutable + properties: + capacity: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Capacity represents initial capacity of volume replica + required during volume clone operations to maintain some metadata + info related to child resources like snapshot, cloned volumes. + type: object + replicaCount: + description: ReplicaCount represents initial cstor volume replica + count, its will not be updated later on based on scale up/down + operations, only readonly operations and validations. + type: integer + required: + - capacity + - replicaCount + type: object + required: + - capacity + - policy + - provision + type: object + status: + description: Status represents the current information/status for the + cstor volume config, populated by the controller. + properties: + capacity: + additionalProperties: + anyOf: - type: integer - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Capacity represents initial capacity of volume replica - required during volume clone operations to maintain some metadata - info related to child resources like snapshot, cloned volumes. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Capacity the actual resources of the underlying volume. 
+ type: object + condition: + items: + description: CStorVolumeConfigCondition contains details about state + of cstor volume + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Reason is a brief CamelCase string that describes + any failure + type: string + type: + description: Current Condition of cstor volume config. If underlying + persistent volume is being resized then the Condition will + be set to 'ResizeStarted' etc + type: string + required: + - message + - reason + - type type: object - replicaCount: - description: ReplicaCount represents initial cstor volume replica - count, its will not be updated later on based on scale up/down - operations, only readonly operations and validations. - type: integer - required: - - capacity - - replicaCount - type: object - required: - - capacity - - policy - - provision - type: object - status: - description: Status represents the current information/status for the - cstor volume config, populated by the controller. - properties: - capacity: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: Capacity the actual resources of the underlying volume. - type: object - condition: - items: - description: CStorVolumeConfigCondition contains details about state - of cstor volume + type: array + phase: + description: Phase represents the current phase of CStorVolumeConfig. 
+ type: string + poolInfo: + description: PoolInfo represents current pool names where volume replicas + exists + items: + type: string + type: array + type: object + versionDetails: + description: VersionDetails provides the details for upgrade + properties: + autoUpgrade: + description: If AutoUpgrade is set to true then the resource is upgraded + automatically without any manual steps + type: boolean + desired: + description: Desired is the version that we want to upgrade or the + control plane version + type: string + status: + description: Status gives the status of reconciliation triggered when + the desired and current version are not same properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time + current: + description: Current is the version of resource type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. + dependentsUpgraded: + description: DependentsUpgraded gives the details whether all + children of a resource are upgraded to desired version or not + type: boolean + lastUpdateTime: + description: LastUpdateTime is the time the status was last updated format: date-time + nullable: true type: string message: - description: Human-readable message indicating details about - last transition. + description: Message is a human readable message if some error + occurs type: string reason: - description: Reason is a brief CamelCase string that describes - any failure + description: Reason is the actual reason for the error state type: string - type: - description: Current Condition of cstor volume config. If underlying - persistent volume is being resized then the Condition will - be set to 'ResizeStarted' etc + state: + description: State is the state of reconciliation type: string - required: - - message - - reason - - type type: object - type: array - phase: - description: Phase represents the current phase of CStorVolumeConfig. 
- type: string - poolInfo: - description: PoolInfo represents current pool names where volume replicas - exists - items: - type: string - type: array - type: object - versionDetails: - description: VersionDetails provides the details for upgrade - properties: - autoUpgrade: - description: If AutoUpgrade is set to true then the resource is upgraded - automatically without any manual steps - type: boolean - desired: - description: Desired is the version that we want to upgrade or the - control plane version - type: string - status: - description: Status gives the status of reconciliation triggered when - the desired and current version are not same - properties: - current: - description: Current is the version of resource - type: string - dependentsUpgraded: - description: DependentsUpgraded gives the details whether all - children of a resource are upgraded to desired version or not - type: boolean - lastUpdateTime: - description: LastUpdateTime is the time the status was last updated - format: date-time - nullable: true - type: string - message: - description: Message is a human readable message if some error - occurs - type: string - reason: - description: Reason is the actual reason for the error state - type: string - state: - description: State is the state of reconciliation - type: string - type: object - type: object - required: - - spec - - status - - versionDetails - type: object - served: true - storage: true - subresources: {} + type: object + required: + - spec + - status + - versionDetails + type: object + served: true + storage: true + subresources: {} \ No newline at end of file diff --git a/charts/openebs/openebs/charts/cstor/crds/cstorvolumepolicy.yaml b/charts/openebs/openebs/charts/cstor/crds/cstorvolumepolicy.yaml index a706f0bc4..39a97230b 100644 --- a/charts/openebs/openebs/charts/cstor/crds/cstorvolumepolicy.yaml +++ b/charts/openebs/openebs/charts/cstor/crds/cstorvolumepolicy.yaml 
@@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: cstorvolumepolicies.cstor.openebs.io spec: group: cstor.openebs.io 
@@ -12,525 +11,571 @@ spec: listKind: CStorVolumePolicyList plural: cstorvolumepolicies shortNames: - - cvp + - cvp singular: cstorvolumepolicy scope: Namespaced versions: - - name: v1 - schema: - openAPIV3Schema: - description: CStorVolumePolicy describes a configuration required for cstor - volume resources - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation + - name: v1 + schema: + openAPIV3Schema: + description: CStorVolumePolicy describes a configuration required for cstor + volume resources + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec defines a configuration info of a cstor volume required - to provisione cstor volume resources - properties: - provision: - description: replicaAffinity is set to true then volume replica resources - need to be distributed across the pool instances - properties: - blockSize: - description: BlockSize is the logical block size in multiple of - 512 bytes BlockSize specifies the block size of the volume. - The blocksize cannot be changed once the volume has been written, - so it should be set at volume creation time. The default blocksize - for volumes is 4 Kbytes. 
Any power of 2 from 512 bytes to 128 - Kbytes is valid. - format: int32 - type: integer - replicaAffinity: - description: replicaAffinity is set to true then volume replica - resources need to be distributed across the cstor pool instances - based on the given topology - type: boolean - required: - - replicaAffinity - type: object - replica: - description: ReplicaSpec represents configuration related to replicas - resources - properties: - compression: - description: The zle compression algorithm compresses runs of - zeros. - type: string - zvolWorkers: - description: IOWorkers represents number of threads that executes - client IOs - type: string - type: object - replicaPoolInfo: - description: 'ReplicaPoolInfo holds the pool information of volume + type: string + metadata: + type: object + spec: + description: Spec defines a configuration info of a cstor volume required + to provisione cstor volume resources + properties: + provision: + description: replicaAffinity is set to true then volume replica resources + need to be distributed across the pool instances + properties: + blockSize: + description: BlockSize is the logical block size in multiple of + 512 bytes BlockSize specifies the block size of the volume. + The blocksize cannot be changed once the volume has been written, + so it should be set at volume creation time. The default blocksize + for volumes is 4 Kbytes. Any power of 2 from 512 bytes to 128 + Kbytes is valid. + format: int32 + type: integer + replicaAffinity: + description: replicaAffinity is set to true then volume replica + resources need to be distributed across the cstor pool instances + based on the given topology + type: boolean + required: + - replicaAffinity + type: object + replica: + description: ReplicaSpec represents configuration related to replicas + resources + properties: + compression: + description: The zle compression algorithm compresses runs of + zeros. 
+ type: string + zvolWorkers: + description: IOWorkers represents number of threads that executes + client IOs + type: string + type: object + replicaPoolInfo: + description: 'ReplicaPoolInfo holds the pool information of volume replicas. Ex: If volume is provisioned on which CStor pool volume replicas exist' - items: - description: ReplicaPoolInfo represents the pool information of - volume replica + items: + description: ReplicaPoolInfo represents the pool information of + volume replica + properties: + poolName: + description: PoolName represents the pool name where volume + replica exists + type: string + required: + - poolName + type: object + type: array + target: + description: TargetSpec represents configuration related to cstor + target and its resources properties: - poolName: - description: PoolName represents the pool name where volume - replica exists - type: string - required: - - poolName - type: object - type: array - target: - description: TargetSpec represents configuration related to cstor - target and its resources - properties: - affinity: - description: PodAffinity if specified, are the target pod's affinities - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to - nodes that satisfy the affinity expressions specified by - this field, but it may choose a node that violates one or - more of the expressions. The node that is most preferred - is the one with the greatest sum of weights, i.e. for each - node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, - etc.), compute a sum by iterating through the elements of - this field and adding "weight" to the sum if the node has - pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. 
- items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: A label query over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. 
- null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace". 
- items: - type: string - type: array - topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated with matching the corresponding - podAffinityTerm, in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this - field are not met at scheduling time, the pod will not be - scheduled onto the node. If the affinity requirements specified - by this field cease to be met at some point during pod execution - (e.g. due to a pod label update), the system may or may - not try to eventually evict the pod from its node. When - there are multiple elements, the lists of nodes corresponding - to each podAffinityTerm are intersected, i.e. all terms - must be satisfied. - items: - description: Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not co-located - (anti-affinity) with, where co-located is defined as running - on a node whose value of the label with key - matches that of any node on which a pod of the set of - pods is running - properties: - labelSelector: - description: A label query over a set of resources, - in this case pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. 
- items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied to the - union of the namespaces selected by this field and - the ones listed in the namespaces field. null selector - and null or empty namespaces list means "this pod's - namespace". An empty selector ({}) matches all namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. 
- type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: namespaces specifies a static list of namespace - names that the term applies to. The term is applied - to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. null or - empty namespaces list and null namespaceSelector means - "this pod's namespace". - items: - type: string - type: array - topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where - co-located is defined as running on a node whose value - of the label with key topologyKey matches that of - any node on which any of the selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - auxResources: - description: AuxResources are the compute resources required by - the cstor-target pod side car containers. 
- properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - luWorkers: - description: IOWorkers sets the number of threads that are working - on above queue - format: int64 - type: integer - monitor: - description: Monitor enables or disables the target exporter sidecar - type: boolean - nodeSelector: - additionalProperties: - type: string - description: NodeSelector is the labels that will be used to select - a node for target pod scheduleing Required field - type: object - priorityClassName: - description: PriorityClassName if specified applies to this target - pod If left empty, no priority class is applied. 
- type: string - queueDepth: - description: QueueDepth sets the queue size at iSCSI target which - limits the ongoing IO count from client - type: string - replicationFactor: - description: ReplicationFactor represents maximum number of replicas - that are allowed to connect to the target - format: int64 - type: integer - resources: - description: Resources are the compute resources required by the - cstor-target container. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - tolerations: - description: Tolerations, if specified, are the target pod's tolerations - items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . + affinity: + description: PodAffinity if specified, are the target pod's affinities properties: - effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, allowed - values are NoSchedule, PreferNoSchedule and NoExecute. 
- type: string - key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match - all values and all keys. - type: string - operator: - description: Operator represents a key's relationship to - the value. Valid operators are Exists and Equal. Defaults - to Equal. Exists is equivalent to wildcard for value, - so that a pod can tolerate all taints of a particular - category. - type: string - tolerationSeconds: - description: TolerationSeconds represents the period of - time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the taint - forever (do not evict). Zero and negative values will - be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. - type: string + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node has + pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. 
+ items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may or may + not try to eventually evict the pod from its node. When + there are multiple elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, i.e. all terms + must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of + pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied to the + union of the namespaces selected by this field and + the ones listed in the namespaces field. null selector + and null or empty namespaces list means "this pod's + namespace". An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. 
+ type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace + names that the term applies to. The term is applied + to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. null or + empty namespaces list and null namespaceSelector means + "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of + any node on which any of the selected pods is running. + Empty topologyKey is not allowed. 
+ type: string + required: + - topologyKey + type: object + type: array type: object - type: array - type: object - type: object - status: - description: CStorVolumePolicyStatus is for handling status of CstorVolumePolicy - properties: - phase: - type: string - type: object - required: - - spec - type: object - served: true - storage: true + auxResources: + description: AuxResources are the compute resources required by + the cstor-target pod side car containers. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be + set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. 
If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. Requests cannot exceed + Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + luWorkers: + description: IOWorkers sets the number of threads that are working + on above queue + format: int64 + type: integer + monitor: + description: Monitor enables or disables the target exporter sidecar + type: boolean + nodeSelector: + additionalProperties: + type: string + description: NodeSelector is the labels that will be used to select + a node for target pod scheduleing Required field + type: object + priorityClassName: + description: PriorityClassName if specified applies to this target + pod If left empty, no priority class is applied. + type: string + queueDepth: + description: QueueDepth sets the queue size at iSCSI target which + limits the ongoing IO count from client + type: string + replicationFactor: + description: ReplicationFactor represents maximum number of replicas + that are allowed to connect to the target + format: int64 + type: integer + resources: + description: Resources are the compute resources required by the + cstor-target container. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be + set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. 
+ type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. Requests cannot exceed + Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + tolerations: + description: Tolerations, if specified, are the target pod's tolerations + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match + all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to + the value. Valid operators are Exists and Equal. 
Defaults + to Equal. Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of + time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the taint + forever (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + status: + description: CStorVolumePolicyStatus is for handling status of CstorVolumePolicy + properties: + phase: + type: string + type: object + required: + - spec + type: object + served: true + storage: true \ No newline at end of file diff --git a/charts/openebs/openebs/charts/cstor/crds/cstorvolumereplica.yaml b/charts/openebs/openebs/charts/cstor/crds/cstorvolumereplica.yaml index 5ce7957aa..5a6ad1fb7 100644 --- a/charts/openebs/openebs/charts/cstor/crds/cstorvolumereplica.yaml +++ b/charts/openebs/openebs/charts/cstor/crds/cstorvolumereplica.yaml @@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: cstorvolumereplicas.cstor.openebs.io spec: group: cstor.openebs.io 
@@ -12,199 +11,199 @@ spec: listKind: CStorVolumeReplicaList plural: cstorvolumereplicas shortNames: - - cvr + - cvr singular: cstorvolumereplica scope: Namespaced versions: - - additionalPrinterColumns: - - description: The amount of disk space consumed by a dataset and all its descendents - jsonPath: .status.capacity.total - name: Allocated - type: string - - description: The amount of space that is logically consumed by this dataset - jsonPath: .status.capacity.used - name: Used - type: string - - description: Identifies the current state of the replicas - jsonPath: .status.phase - name: Status - type: string - - description: Age of CStorVolumeReplica - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: CStorVolumeReplica describes a cstor volume resource created - as custom resource - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation + - additionalPrinterColumns: + - description: The amount of disk space consumed by a dataset and all its descendents + jsonPath: .status.capacity.total + name: Allocated + type: string + - description: The amount of space that is logically consumed by this dataset + jsonPath: .status.capacity.used + name: Used + type: string + - description: Identifies the current state of the replicas + jsonPath: .status.phase + name: Status + type: string + - description: Age of CStorVolumeReplica + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: CStorVolumeReplica describes a cstor volume resource created + as custom resource + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: CStorVolumeReplicaSpec is the spec for a CStorVolumeReplica - resource - properties: - blockSize: - description: BlockSize is the logical block size in multiple of 512 - bytes BlockSize specifies the block size of the volume. The blocksize - cannot be changed once the volume has been written, so it should - be set at volume creation time. The default blocksize for volumes - is 4 Kbytes. Any power of 2 from 512 bytes to 128 Kbytes is valid. - format: int32 - type: integer - capacity: - description: Represents the actual capacity of the underlying volume - type: string - compression: - description: 'Controls the compression algorithm used for this volumes + type: string + metadata: + type: object + spec: + description: CStorVolumeReplicaSpec is the spec for a CStorVolumeReplica + resource + properties: + blockSize: + description: BlockSize is the logical block size in multiple of 512 + bytes BlockSize specifies the block size of the volume. The blocksize + cannot be changed once the volume has been written, so it should + be set at volume creation time. The default blocksize for volumes + is 4 Kbytes. Any power of 2 from 512 bytes to 128 Kbytes is valid. 
+ format: int32 + type: integer + capacity: + description: Represents the actual capacity of the underlying volume + type: string + compression: + description: 'Controls the compression algorithm used for this volumes examples: on|off|gzip|gzip-N|lz4|lzjb|zle' - type: string - replicaid: - description: ReplicaID is unique number to identify the replica - type: string - targetIP: - description: TargetIP represents iscsi target IP through which replica - cummunicates IO workloads and other volume operations like snapshot - and resize requests - type: string - zvolWorkers: - description: ZvolWorkers represents number of threads that executes - client IOs - type: string - type: object - status: - description: CStorVolumeReplicaStatus is for handling status of cvr. - properties: - capacity: - description: CStorVolumeCapacityDetails represents capacity info of - replica - properties: - total: - description: The amount of space consumed by this volume replica - and all its descendents - type: string - used: - description: The amount of space that is "logically" accessible - by this dataset. The logical space ignores the effect of the - compression and copies properties, giving a quantity closer - to the amount of data that applications see. However, it does - include space consumed by metadata - type: string - required: - - total - - used - type: object - lastTransitionTime: - description: LastTransitionTime refers to the time when the phase - changes - format: date-time - nullable: true - type: string - lastUpdateTime: - description: The last updated time - format: date-time - nullable: true - type: string - message: - description: A human readable message indicating details about the - transition. 
- type: string - pendingSnapshots: - additionalProperties: - description: CStorSnapshotInfo represents the snapshot information - related to particular snapshot + type: string + replicaid: + description: ReplicaID is unique number to identify the replica + type: string + targetIP: + description: TargetIP represents iscsi target IP through which replica + cummunicates IO workloads and other volume operations like snapshot + and resize requests + type: string + zvolWorkers: + description: ZvolWorkers represents number of threads that executes + client IOs + type: string + type: object + status: + description: CStorVolumeReplicaStatus is for handling status of cvr. + properties: + capacity: + description: CStorVolumeCapacityDetails represents capacity info of + replica properties: - logicalReferenced: - description: LogicalReferenced describes the amount of space - that is "logically" accessable by this snapshot. This logical - space ignores the effect of the compression and copies properties, - giving a quantity closer to the amount of data that application - see. It also includes space consumed by metadata. - format: int64 - type: integer + total: + description: The amount of space consumed by this volume replica + and all its descendents + type: string + used: + description: The amount of space that is "logically" accessible + by this dataset. The logical space ignores the effect of the + compression and copies properties, giving a quantity closer + to the amount of data that applications see. 
However, it does + include space consumed by metadata + type: string required: - - logicalReferenced + - total + - used type: object - description: PendingSnapshots contains list of pending snapshots that - are not yet available on this replica - type: object - phase: - description: CStorVolumeReplicaPhase is to holds different phases - of replica - type: string - snapshots: - additionalProperties: - description: CStorSnapshotInfo represents the snapshot information - related to particular snapshot + lastTransitionTime: + description: LastTransitionTime refers to the time when the phase + changes + format: date-time + nullable: true + type: string + lastUpdateTime: + description: The last updated time + format: date-time + nullable: true + type: string + message: + description: A human readable message indicating details about the + transition. + type: string + pendingSnapshots: + additionalProperties: + description: CStorSnapshotInfo represents the snapshot information + related to particular snapshot + properties: + logicalReferenced: + description: LogicalReferenced describes the amount of space + that is "logically" accessable by this snapshot. This logical + space ignores the effect of the compression and copies properties, + giving a quantity closer to the amount of data that application + see. It also includes space consumed by metadata. + format: int64 + type: integer + required: + - logicalReferenced + type: object + description: PendingSnapshots contains list of pending snapshots that + are not yet available on this replica + type: object + phase: + description: CStorVolumeReplicaPhase is to holds different phases + of replica + type: string + snapshots: + additionalProperties: + description: CStorSnapshotInfo represents the snapshot information + related to particular snapshot + properties: + logicalReferenced: + description: LogicalReferenced describes the amount of space + that is "logically" accessable by this snapshot. 
This logical + space ignores the effect of the compression and copies properties, + giving a quantity closer to the amount of data that application + see. It also includes space consumed by metadata. + format: int64 + type: integer + required: + - logicalReferenced + type: object + description: Snapshots contains list of snapshots, and their properties, + created on CVR + type: object + type: object + versionDetails: + description: VersionDetails provides the details for upgrade + properties: + autoUpgrade: + description: If AutoUpgrade is set to true then the resource is upgraded + automatically without any manual steps + type: boolean + desired: + description: Desired is the version that we want to upgrade or the + control plane version + type: string + status: + description: Status gives the status of reconciliation triggered when + the desired and current version are not same properties: - logicalReferenced: - description: LogicalReferenced describes the amount of space - that is "logically" accessable by this snapshot. This logical - space ignores the effect of the compression and copies properties, - giving a quantity closer to the amount of data that application - see. It also includes space consumed by metadata. 
- format: int64 - type: integer - required: - - logicalReferenced + current: + description: Current is the version of resource + type: string + dependentsUpgraded: + description: DependentsUpgraded gives the details whether all + children of a resource are upgraded to desired version or not + type: boolean + lastUpdateTime: + description: LastUpdateTime is the time the status was last updated + format: date-time + nullable: true + type: string + message: + description: Message is a human readable message if some error + occurs + type: string + reason: + description: Reason is the actual reason for the error state + type: string + state: + description: State is the state of reconciliation + type: string type: object - description: Snapshots contains list of snapshots, and their properties, - created on CVR - type: object - type: object - versionDetails: - description: VersionDetails provides the details for upgrade - properties: - autoUpgrade: - description: If AutoUpgrade is set to true then the resource is upgraded - automatically without any manual steps - type: boolean - desired: - description: Desired is the version that we want to upgrade or the - control plane version - type: string - status: - description: Status gives the status of reconciliation triggered when - the desired and current version are not same - properties: - current: - description: Current is the version of resource - type: string - dependentsUpgraded: - description: DependentsUpgraded gives the details whether all - children of a resource are upgraded to desired version or not - type: boolean - lastUpdateTime: - description: LastUpdateTime is the time the status was last updated - format: date-time - nullable: true - type: string - message: - description: Message is a human readable message if some error - occurs - type: string - reason: - description: Reason is the actual reason for the error state - type: string - state: - description: State is the state of reconciliation - type: string - 
type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} \ No newline at end of file diff --git a/charts/openebs/openebs/charts/cstor/crds/migrationtask.yaml b/charts/openebs/openebs/charts/cstor/crds/migrationtask.yaml index 4dd2e5432..710cb61ea 100644 --- a/charts/openebs/openebs/charts/cstor/crds/migrationtask.yaml +++ b/charts/openebs/openebs/charts/cstor/crds/migrationtask.yaml @@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: migrationtasks.openebs.io spec: group: openebs.io 
@@ -12,117 +11,107 @@ spec: listKind: MigrationTaskList plural: migrationtasks shortNames: - - mtask + - mtask singular: migrationtask scope: Namespaced versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: MigrationTask represents an migration task - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation + - name: v1alpha1 + schema: + openAPIV3Schema: + description: MigrationTask represents an migration task + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec i.e. 
specifications of the MigrationTask - properties: - cstorPool: - description: MigrateCStorPool contains the details of the cstor pool - to be migrated - properties: - rename: - description: If a CSPC with the same name as SPC already exists - then we can rename SPC during migration using Rename - type: string - spcName: - description: SPCName contains the name of the storage pool claim - to be migrated - type: string - type: object - cstorVolume: - description: MigrateCStorVolume contains the details of the cstor - volume to be migrated - properties: - pvName: - description: PVName contains the name of the pv associated with - the cstor volume to be migrated - type: string - type: object - type: object - status: - description: Status of MigrationTask - properties: - completedTime: - description: CompletedTime of Migrate - format: date-time - nullable: true - type: string - migrationDetailedStatuses: - description: MigrationDetailedStatuses contains the list of statuses - of each step - items: - description: MigrationDetailedStatuses represents the latest available - observations of a MigrationTask current state. + type: string + metadata: + type: object + spec: + description: Spec i.e. specifications of the MigrationTask + properties: + cstorPool: + description: MigrateCStorPool contains the details of the cstor pool + to be migrated properties: - lastUpdatedAt: - description: LastUpdatedTime of a MigrateStep - format: date-time - nullable: true + rename: + description: If a CSPC with the same name as SPC already exists + then we can rename SPC during migration using Rename type: string - message: - description: A human-readable message indicating details about - why the migrationStep is in this state - type: string - phase: - description: Phase indicates if the MigrateStep is waiting, - errored or completed. 
- type: string - reason: - description: Reason is a brief CamelCase string that describes - any failure and is meant for machine parsing and tidy display - in the CLI - type: string - startTime: - description: StartTime of a MigrateStep - format: date-time - nullable: true - type: string - step: + spcName: + description: SPCName contains the name of the storage pool claim + to be migrated type: string type: object - type: array - phase: - description: Phase indicates if a migrationTask is started, success - or errored - type: string - retries: - description: Retries is the number of times the job attempted to migration - the resource - type: integer - startTime: - description: StartTime of Migrate - format: date-time - nullable: true - type: string - type: object - required: - - spec - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] + cstorVolume: + description: MigrateCStorVolume contains the details of the cstor + volume to be migrated + properties: + pvName: + description: PVName contains the name of the pv associated with + the cstor volume to be migrated + type: string + type: object + type: object + status: + description: Status of MigrationTask + properties: + completedTime: + description: CompletedTime of Migrate + format: date-time + type: string + migrationDetailedStatuses: + description: MigrationDetailedStatuses contains the list of statuses + of each step + items: + description: MigrationDetailedStatuses represents the latest available + observations of a MigrationTask current state. + properties: + lastUpdatedAt: + description: LastUpdatedTime of a MigrateStep + format: date-time + type: string + message: + description: A human-readable message indicating details about + why the migrationStep is in this state + type: string + phase: + description: Phase indicates if the MigrateStep is waiting, + errored or completed. 
+ type: string + reason: + description: Reason is a brief CamelCase string that describes + any failure and is meant for machine parsing and tidy display + in the CLI + type: string + startTime: + description: StartTime of a MigrateStep + format: date-time + type: string + step: + type: string + type: object + type: array + phase: + description: Phase indicates if a migrationTask is started, success + or errored + type: string + retries: + description: Retries is the number of times the job attempted to migration + the resource + type: integer + startTime: + description: StartTime of Migrate + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: true \ No newline at end of file diff --git a/charts/openebs/openebs/charts/cstor/crds/upgradetask.yaml b/charts/openebs/openebs/charts/cstor/crds/upgradetask.yaml index ab35065be..029dfffbd 100644 --- a/charts/openebs/openebs/charts/cstor/crds/upgradetask.yaml +++ b/charts/openebs/openebs/charts/cstor/crds/upgradetask.yaml @@ -1,10 +1,8 @@ ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: upgradetasks.openebs.io spec: group: openebs.io @@ -247,11 +245,4 @@ spec: - spec type: object served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- + storage: true \ No newline at end of file diff --git a/charts/openebs/openebs/charts/cstor/crds/volumesnapshot.yaml b/charts/openebs/openebs/charts/cstor/templates/volumesnapshot.yaml similarity index 99% rename from charts/openebs/openebs/charts/cstor/crds/volumesnapshot.yaml rename to charts/openebs/openebs/charts/cstor/templates/volumesnapshot.yaml index 3b6399628..50995017f 100644 --- a/charts/openebs/openebs/charts/cstor/crds/volumesnapshot.yaml 
+++ b/charts/openebs/openebs/charts/cstor/templates/volumesnapshot.yaml @@ -1,3 +1,4 @@ +{{- if .Values.crd.volumeSnapshot }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -309,4 +310,4 @@ status: plural: "" conditions: [] storedVersions: [] ---- \ No newline at end of file +{{- end }} \ No newline at end of file diff --git a/charts/openebs/openebs/charts/cstor/crds/volumesnapshotclass.yaml b/charts/openebs/openebs/charts/cstor/templates/volumesnapshotclass.yaml similarity index 99% rename from charts/openebs/openebs/charts/cstor/crds/volumesnapshotclass.yaml rename to charts/openebs/openebs/charts/cstor/templates/volumesnapshotclass.yaml index c509746fd..caf06bee6 100644 --- a/charts/openebs/openebs/charts/cstor/crds/volumesnapshotclass.yaml +++ b/charts/openebs/openebs/charts/cstor/templates/volumesnapshotclass.yaml @@ -1,4 +1,4 @@ ---- +{{- if .Values.crd.volumeSnapshot }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -132,4 +132,4 @@ status: plural: "" conditions: [] storedVersions: [] ---- \ No newline at end of file +{{- end }} \ No newline at end of file diff --git a/charts/openebs/openebs/charts/cstor/crds/volumesnapshotcontent.yaml b/charts/openebs/openebs/charts/cstor/templates/volumesnapshotcontent.yaml similarity index 99% rename from charts/openebs/openebs/charts/cstor/crds/volumesnapshotcontent.yaml rename to charts/openebs/openebs/charts/cstor/templates/volumesnapshotcontent.yaml index 4a9f8df38..4142940cf 100644 --- a/charts/openebs/openebs/charts/cstor/crds/volumesnapshotcontent.yaml +++ b/charts/openebs/openebs/charts/cstor/templates/volumesnapshotcontent.yaml @@ -1,4 +1,4 @@ ---- +{{- if .Values.crd.volumeSnapshot }} apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -399,4 +399,4 @@ status: plural: "" conditions: [] storedVersions: [] ---- \ No newline at end of file +{{- end }} \ No newline at end of file 
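Review bot: Wrapping the CRD in `{{- if .Values.crd.volumeSnapshot }}` under `templates/` (here, and likewise in volumesnapshotclass.yaml and volumesnapshotcontent.yaml) makes it an ordinary release resource, so `helm uninstall` or a later upgrade with the flag set to false will delete it. Deleting these CRDs deletes every VolumeSnapshot, VolumeSnapshotClass and VolumeSnapshotContent object in the cluster, including ones that belong to other CSI drivers. I would add `helm.sh/resource-policy: keep` under `metadata.annotations` in each of the three files; the metadata block lies outside these hunks, so its current contents should be checked first. The trailing `status:` stanza with `storedVersions: []` is still rendered in these templates although the other CRDs in this commit dropped it, and it looks safe to remove here too. Clusters that installed these CRDs from `crds/` will presumably lack Helm ownership metadata on them, so the upgrade path needs a test or a documented adoption step.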
diff --git a/charts/openebs/openebs/charts/cstor/values.yaml b/charts/openebs/openebs/charts/cstor/values.yaml index 20b2f5afe..f527345e0 100644 --- a/charts/openebs/openebs/charts/cstor/values.yaml +++ b/charts/openebs/openebs/charts/cstor/values.yaml @@ -3,7 +3,7 @@ # Declare variables to be passed into your templates. release: - version: "3.5.0" + version: "3.6.0" # If false, openebs NDM sub-chart will not be installed openebsNDM: @@ -18,23 +18,28 @@ rbac: imagePullSecrets: # - name: "image-pull-secret" +crd: + # Specify installation of the kubernetes-csi volume snapshot CRDs if your Kubernetes distribution + # or another storage operator already manages them. + volumeSnapshot: true + cspcOperator: componentName: cspc-operator poolManager: image: registry: repository: openebs/cstor-pool-manager - tag: 3.5.0 + tag: 3.6.0 cstorPool: image: registry: repository: openebs/cstor-pool - tag: 3.5.0 + tag: 3.6.0 cstorPoolExporter: image: registry: repository: openebs/m-exporter - tag: 3.5.0 + tag: 3.6.0 image: # Make sure that registry name end with a '/'. # For example : quay.io/ is a correct value here and quay.io is incorrect @@ -42,7 +47,7 @@ cspcOperator: repository: openebs/cspc-operator pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 3.5.0 + tag: 3.6.0 annotations: {} resyncInterval: "30" podAnnotations: {} @@ -60,17 +65,17 @@ cvcOperator: image: registry: repository: openebs/cstor-istgt - tag: 3.5.0 + tag: 3.6.0 volumeMgmt: image: registry: repository: openebs/cstor-volume-manager - tag: 3.5.0 + tag: 3.6.0 volumeExporter: image: registry: repository: openebs/m-exporter - tag: 3.5.0 + tag: 3.6.0 image: # Make sure that registry name end with a '/'. # For example : quay.io/ is a correct value here and quay.io is incorrect 
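Review bot: The comment on the new `crd.volumeSnapshot` key in the `@@ -18,23 +18,28 @@` hunk reads as if the flag should be turned on when something else already manages the snapshot CRDs, but the templates install the CRDs when it is true. I would reword it to `# Install the kubernetes-csi volume snapshot CRDs. Set to false if your Kubernetes distribution` followed by `# or another storage operator already manages them.` With the default left at `true`, an operator who misreads the comment ends up with two owners for cluster-wide CRDs, so it is also worth stating in the comment that these CRDs are shared by all CSI drivers in the cluster.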
@@ -78,7 +83,7 @@ cvcOperator: repository: openebs/cvc-operator pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 3.5.0 + tag: 3.6.0 annotations: {} resyncInterval: "30" podAnnotations: {} @@ -164,7 +169,7 @@ cstorCSIPlugin: repository: openebs/cstor-csi-driver pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 3.5.0 + tag: 3.6.0 remount: "true" csiNode: @@ -217,7 +222,7 @@ admissionServer: repository: openebs/cstor-webhook pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 3.5.0 + tag: 3.6.0 failurePolicy: "Fail" annotations: {} podAnnotations: {} diff --git a/charts/openebs/openebs/charts/jiva/Chart.lock b/charts/openebs/openebs/charts/jiva/Chart.lock index ab10f2f87..13cb41549 100644 --- a/charts/openebs/openebs/charts/jiva/Chart.lock +++ b/charts/openebs/openebs/charts/jiva/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: localpv-provisioner repository: https://openebs.github.io/dynamic-localpv-provisioner - version: 3.4.1 -digest: sha256:44aedfe520f39f2587bf3ea06d225f176ee7b56aa6cb5d3e6b2a16545d2d1222 -generated: "2023-09-05T07:30:05.174651007Z" + version: 3.5.0 +digest: sha256:2248fc1657a5618dbed522597955421ccd2bf2b54127ca70420f2d241dc77f6f +generated: "2023-12-11T17:29:05.663899315Z" diff --git a/charts/openebs/openebs/charts/jiva/Chart.yaml b/charts/openebs/openebs/charts/jiva/Chart.yaml index a0919d40e..dab62d589 100644 --- a/charts/openebs/openebs/charts/jiva/Chart.yaml +++ b/charts/openebs/openebs/charts/jiva/Chart.yaml 
@@ -1,10 +1,10 @@ apiVersion: v2 -appVersion: 3.5.0 +appVersion: 3.6.0 dependencies: - condition: openebsLocalpv.enabled name: localpv-provisioner repository: https://openebs.github.io/dynamic-localpv-provisioner - version: 3.4.1 + version: 3.5.0 description: Helm chart for OpenEBS Jiva Operator. Jiva provides highly available replication block volumes to Kubernetes stateful workloads using the local storage available on the Kubernetes nodes. @@ -26,4 +26,4 @@ name: jiva sources: - https://github.com/openebs/jiva-operator type: application -version: 3.5.1 +version: 3.6.0 diff --git a/charts/openebs/openebs/charts/jiva/README.md b/charts/openebs/openebs/charts/jiva/README.md index 40724ec21..c05c0a51b 100644 --- a/charts/openebs/openebs/charts/jiva/README.md +++ b/charts/openebs/openebs/charts/jiva/README.md @@ -45,7 +45,7 @@ By default this chart installs additional, dependent charts: | Repository | Name | Version | |------------|------|---------| -| https://openebs.github.io/dynamic-localpv-provisioner | localpv-provisioner | 3.4.1 | +| https://openebs.github.io/dynamic-localpv-provisioner | localpv-provisioner | 3.5.0 | **Note:** Find detailed Dynamic LocalPV Provisioner Helm chart configuration options [here](https://github.com/openebs/dynamic-localpv-provisioner/blob/develop/deploy/helm/charts/README.md). 
@@ -174,31 +174,31 @@ helm upgrade openebs-jiva openebs-jiva/jiva -n openebs \ | jivaOperator.componentName | string | `"jiva-operator"` | Jiva operator component name | | jivaOperator.controller.image.registry | `nil` | Jiva volume controller container image registry | | jivaOperator.controller.image.repository | `openebs/jiva` | Jiva volume controller container image repository | -| jivaOperator.controller.image.tag | `"3.5.0"` | Jiva volume controller container image tag | +| jivaOperator.controller.image.tag | `"3.6.0"` | Jiva volume controller container image tag | | jivaOperator.exporter.image.registry | `nil` | Jiva volume metrics exporter container image registry | | jivaOperator.exporter.image.repository | `openebs/m-exporter` | Jiva volume metrics exporter container image repository | -| jivaOperator.exporter.image.tag | `"3.5.0"` | Jiva volume metrics exporter container image tag | +| jivaOperator.exporter.image.tag | `"3.6.0"` | Jiva volume metrics exporter container image tag | | jivaOperator.image.pullPolicy | string | `"IfNotPresent"` | Jiva operator image pull policy | | jivaOperator.image.registry | string | `nil` | Jiva operator image registry | | jivaOperator.image.repository | string | `"openebs/jiva-operator"` | Jiva operator image repository | -| jivaOperator.image.tag | string | `"3.5.0"` | Jiva operator image tag | +| jivaOperator.image.tag | string | `"3.6.0"` | Jiva operator image tag | | jivaOperator.nodeSelector | object | `{}` | Jiva operator pod nodeSelector| | jivaOperator.podAnnotations | object | `{}` | Jiva operator pod annotations | | jivaOperator.replica.image.registry | `nil` | Jiva volume replica container image registry | | jivaOperator.replica.image.repository | `openebs/jiva` | Jiva volume replica container image repository | -| jivaOperator.replica.image.tag | `"3.5.0"` | Jiva volume replica container image tag | +| jivaOperator.replica.image.tag | `"3.6.0"` | Jiva volume replica container image tag | | 
jivaOperator.resources | object | `{}` | Jiva operator pod resources | | jivaOperator.securityContext | object | `{}` | Jiva operator security context | | jivaOperator.tolerations | list | `[]` | Jiva operator pod tolerations | | jivaCSIPlugin.image.pullPolicy | string | `"IfNotPresent"` | Jiva CSI driver image pull policy | | jivaCSIPlugin.image.registry | string | `nil` | Jiva CSI driver image registry | | jivaCSIPlugin.image.repository | string | `"openebs/jiva-csi"` | Jiva CSI driver image repository | -| jivaCSIPlugin.image.tag | string | `"3.5.0"` | Jiva CSI driver image tag | +| jivaCSIPlugin.image.tag | string | `"3.6.0"` | Jiva CSI driver image tag | | jivaCSIPlugin.name | string | `"jiva-csi-plugin"` | Jiva CSI driver container name | | jivaCSIPlugin.remount | string | `"true"` | Jiva CSI driver remount feature, enabled by default | | rbac.create | bool | `true` | Enable RBAC | | rbac.pspEnabled | bool | `false` | Enable PodSecurityPolicy | -| release.version | string | `"3.5.0"` | Openebs Jiva release version | +| release.version | string | `"3.6.0"` | Openebs Jiva release version | | serviceAccount.annotations | object | `{}` | Service Account annotations | | serviceAccount.csiController.create | bool | `true` | Enable CSI Controller ServiceAccount | | serviceAccount.csiController.name | string | `"openebs-jiva-csi-controller-sa"` | CSI Controller ServiceAccount name | diff --git a/charts/openebs/openebs/charts/jiva/charts/localpv-provisioner/Chart.lock b/charts/openebs/openebs/charts/jiva/charts/localpv-provisioner/Chart.lock index 4ff3a5ce0..7e36f8f6c 100644 --- a/charts/openebs/openebs/charts/jiva/charts/localpv-provisioner/Chart.lock +++ b/charts/openebs/openebs/charts/jiva/charts/localpv-provisioner/Chart.lock 
@@ -3,4 +3,4 @@ dependencies: repository: https://openebs.github.io/node-disk-manager version: 2.1.0 digest: sha256:47adcc8a92ea7ce83ca7f37f05f9e2f4c10154adc9551bd92e92c1ca5608f131 -generated: "2023-08-16T16:46:46.773916076Z" +generated: "2023-12-11T16:43:31.314774415Z" diff --git a/charts/openebs/openebs/charts/jiva/charts/localpv-provisioner/Chart.yaml b/charts/openebs/openebs/charts/jiva/charts/localpv-provisioner/Chart.yaml index 4d1e73dc0..3b705c3cc 100644 --- a/charts/openebs/openebs/charts/jiva/charts/localpv-provisioner/Chart.yaml +++ b/charts/openebs/openebs/charts/jiva/charts/localpv-provisioner/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 3.4.0 +appVersion: 3.5.0 dependencies: - condition: openebsNDM.enabled name: openebs-ndm @@ -24,4 +24,4 @@ name: localpv-provisioner sources: - https://github.com/openebs/dynamic-localpv-provisioner type: application -version: 3.4.1 +version: 3.5.0 diff --git a/charts/openebs/openebs/charts/jiva/charts/localpv-provisioner/README.md b/charts/openebs/openebs/charts/jiva/charts/localpv-provisioner/README.md index fe321ca37..18ac092c0 100644 --- a/charts/openebs/openebs/charts/jiva/charts/localpv-provisioner/README.md +++ b/charts/openebs/openebs/charts/jiva/charts/localpv-provisioner/README.md 
@@ -103,52 +103,52 @@ helm install openebs-localpv openebs-localpv/localpv-provisioner --namespace ope --set-string deviceClass.blockDeviceSelectors."ndm\.io/fsType"="ext4" ``` -| Parameter | Description | Default | -| ------------------------------------------- | --------------------------------------------- | ----------------------------------------- | -| `release.version` | LocalPV Provisioner release version | `3.4.0` | -| `analytics.enabled` | Enable sending stats to Google Analytics | `true` | -| `analytics.pingInterval` | Duration(hours) between sending ping stat | `24h` | -| `deviceClass.blockDeviceSelectors` | Label key value pairs based on which BlockDevices on the node will be selected for provisioning | `{}` | -| `deviceClass.enabled` | Enables creation of default Device StorageClass | `true` | -| `deviceClass.fsType` | Filesystem type for openebs-device StorageClass | `"ext4"` | -| `deviceClass.isDefaultClass` | Make openebs-device the default StorageClass | `"false"` | -| `deviceClass.nodeAffinityLabels` | Custom node label(or labels) key to uniquely identify nodes. `kubernetes.io/hostname` is the default label key for node selection. | `[]` | -| `deviceClass.reclaimPolicy` | ReclaimPolicy for Device PVs | `"Delete"` | -| `helperPod.image.registry` | Registry for helper image | `""` | -| `helperPod.image.repository` | Image for helper pod | `"openebs/linux-utils"` | -| `helperPod.image.pullPolicy` | Pull policy for helper pod | `"IfNotPresent"` | -| `helperPod.image.tag` | Image tag for helper image | `3.4.0` | -| `hostpathClass.basePath` | BasePath for openebs-hostpath StorageClass | `"/var/openebs/local"` | -| `hostpathClass.enabled` | Enables creation of default Hostpath StorageClass | `true` | -| `hostpathClass.isDefaultClass` | Make openebs-hostpath the default StorageClass | `"false"` | -| `hostpathClass.nodeAffinityLabels` | Custom node label(or labels) key to uniquely identify nodes. 
`kubernetes.io/hostname` is the default label key for node selection. | `[]` | -| `hostpathClass.xfsQuota.enabled` | Enable XFS Quota (requires XFS filesystem) | `false` | -| `hostpathClass.ext4Quota.enabled` | Enable EXT4 Quota (requires EXT4 filesystem) | `false` | -| `hostpathClass.reclaimPolicy` | ReclaimPolicy for Hostpath PVs | `"Delete"` | -| `imagePullSecrets` | Provides image pull secrect | `""` | -| `localpv.enabled` | Enable LocalPV Provisioner | `true` | -| `localpv.image.registry` | Registry for LocalPV Provisioner image | `""` | -| `localpv.image.repository` | Image repository for LocalPV Provisioner | `openebs/localpv-provisioner` | -| `localpv.image.pullPolicy` | Image pull policy for LocalPV Provisioner | `IfNotPresent` | -| `localpv.image.tag` | Image tag for LocalPV Provisioner | `3.4.0` | -| `localpv.updateStrategy.type` | Update strategy for LocalPV Provisioner | `RollingUpdate` | -| `localpv.annotations` | Annotations for LocalPV Provisioner metadata | `""` | -| `localpv.podAnnotations` | Annotations for LocalPV Provisioner pods metadata | `""` | -| `localpv.privileged` | Run LocalPV Provisioner with extra privileges | `true` | -| `localpv.resources` | Resource and request and limit for containers | `""` | -| `localpv.podLabels` | Appends labels to the pods | `""` | -| `localpv.nodeSelector` | Nodeselector for LocalPV Provisioner pods | `""` | -| `localpv.tolerations` | LocalPV Provisioner pod toleration values | `""` | -| `localpv.securityContext` | Seurity context for container | `""` | -| `localpv.healthCheck.initialDelaySeconds` | Delay before liveness probe is initiated | `30` | -| `localpv.healthCheck.periodSeconds` | How often to perform the liveness probe | `60` | -| `localpv.replicas` | No. 
of LocalPV Provisioner replica | `1` | -| `localpv.enableLeaderElection` | Enable leader election | `true` | -| `localpv.affinity` | LocalPV Provisioner pod affinity | `{}` | -| `localpv.waitForBDBindTimeoutRetryCount` | This sets the number of times the provisioner should try with a polling interval of 5 seconds, to get the Blockdevice Name from a BlockDeviceClaim, before the BlockDeviceClaim is deleted. | "12" | -| `openebsNDM.enabled` | Install openebs NDM dependency | `true` | -| `rbac.create` | Enable RBAC Resources | `true` | -| `rbac.pspEnabled` | Create pod security policy resources | `false` | +| Parameter | Description | Default | +| ------------------------------------------- | --------------------------------------------- |-------------------------------| +| `release.version` | LocalPV Provisioner release version | `3.5.0` | +| `analytics.enabled` | Enable sending stats to Google Analytics | `true` | +| `analytics.pingInterval` | Duration(hours) between sending ping stat | `24h` | +| `deviceClass.blockDeviceSelectors` | Label key value pairs based on which BlockDevices on the node will be selected for provisioning | `{}` | +| `deviceClass.enabled` | Enables creation of default Device StorageClass | `true` | +| `deviceClass.fsType` | Filesystem type for openebs-device StorageClass | `"ext4"` | +| `deviceClass.isDefaultClass` | Make openebs-device the default StorageClass | `"false"` | +| `deviceClass.nodeAffinityLabels` | Custom node label(or labels) key to uniquely identify nodes. `kubernetes.io/hostname` is the default label key for node selection. 
| `[]` | +| `deviceClass.reclaimPolicy` | ReclaimPolicy for Device PVs | `"Delete"` | +| `helperPod.image.registry` | Registry for helper image | `""` | +| `helperPod.image.repository` | Image for helper pod | `"openebs/linux-utils"` | +| `helperPod.image.pullPolicy` | Pull policy for helper pod | `"IfNotPresent"` | +| `helperPod.image.tag` | Image tag for helper image | `3.5.0` | +| `hostpathClass.basePath` | BasePath for openebs-hostpath StorageClass | `"/var/openebs/local"` | +| `hostpathClass.enabled` | Enables creation of default Hostpath StorageClass | `true` | +| `hostpathClass.isDefaultClass` | Make openebs-hostpath the default StorageClass | `"false"` | +| `hostpathClass.nodeAffinityLabels` | Custom node label(or labels) key to uniquely identify nodes. `kubernetes.io/hostname` is the default label key for node selection. | `[]` | +| `hostpathClass.xfsQuota.enabled` | Enable XFS Quota (requires XFS filesystem) | `false` | +| `hostpathClass.ext4Quota.enabled` | Enable EXT4 Quota (requires EXT4 filesystem) | `false` | +| `hostpathClass.reclaimPolicy` | ReclaimPolicy for Hostpath PVs | `"Delete"` | +| `imagePullSecrets` | Provides image pull secrect | `""` | +| `localpv.enabled` | Enable LocalPV Provisioner | `true` | +| `localpv.image.registry` | Registry for LocalPV Provisioner image | `""` | +| `localpv.image.repository` | Image repository for LocalPV Provisioner | `openebs/localpv-provisioner` | +| `localpv.image.pullPolicy` | Image pull policy for LocalPV Provisioner | `IfNotPresent` | +| `localpv.image.tag` | Image tag for LocalPV Provisioner | `3.5.0` | +| `localpv.updateStrategy.type` | Update strategy for LocalPV Provisioner | `RollingUpdate` | +| `localpv.annotations` | Annotations for LocalPV Provisioner metadata | `""` | +| `localpv.podAnnotations` | Annotations for LocalPV Provisioner pods metadata | `""` | +| `localpv.privileged` | Run LocalPV Provisioner with extra privileges | `true` | +| `localpv.resources` | Resource and request and limit for 
containers | `""` | +| `localpv.podLabels` | Appends labels to the pods | `""` | +| `localpv.nodeSelector` | Nodeselector for LocalPV Provisioner pods | `""` | +| `localpv.tolerations` | LocalPV Provisioner pod toleration values | `""` | +| `localpv.securityContext` | Seurity context for container | `""` | +| `localpv.healthCheck.initialDelaySeconds` | Delay before liveness probe is initiated | `30` | +| `localpv.healthCheck.periodSeconds` | How often to perform the liveness probe | `60` | +| `localpv.replicas` | No. of LocalPV Provisioner replica | `1` | +| `localpv.enableLeaderElection` | Enable leader election | `true` | +| `localpv.affinity` | LocalPV Provisioner pod affinity | `{}` | +| `localpv.waitForBDBindTimeoutRetryCount` | This sets the number of times the provisioner should try with a polling interval of 5 seconds, to get the Blockdevice Name from a BlockDeviceClaim, before the BlockDeviceClaim is deleted. | "12" | +| `openebsNDM.enabled` | Install openebs NDM dependency | `true` | +| `rbac.create` | Enable RBAC Resources | `true` | +| `rbac.pspEnabled` | Create pod security policy resources | `false` | A YAML file that specifies the values for the parameters can be provided while installing the chart. For example, diff --git a/charts/openebs/openebs/charts/jiva/charts/localpv-provisioner/templates/rbac.yaml b/charts/openebs/openebs/charts/jiva/charts/localpv-provisioner/templates/rbac.yaml index 04cd5409c..d9b894a52 100644 --- a/charts/openebs/openebs/charts/jiva/charts/localpv-provisioner/templates/rbac.yaml +++ b/charts/openebs/openebs/charts/jiva/charts/localpv-provisioner/templates/rbac.yaml @@ -40,6 +40,9 @@ rules: - apiGroups: ["openebs.io"] resources: [ "*"] verbs: ["*" ] +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "create", "update"] - nonResourceURLs: ["/metrics"] verbs: ["get"] --- 
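Review bot: The new `coordination.k8s.io` / `leases` rule in `charts/jiva/charts/localpv-provisioner/templates/rbac.yaml` is granted unconditionally and without `resourceNames`, so the provisioner's service account can read and overwrite any Lease in the role's scope, not just its own leader-election lock. The `rules:` list starts outside the hunk, so it is not visible whether this is a ClusterRole; if it is, the grant covers Leases in every namespace, including those other controllers use for leader election. I would render the rule only when `localpv.enableLeaderElection` is set and split it so `get`/`update` are pinned to the provisioner's own lease name, with `create` kept in a separate rule because it cannot be restricted by name. The identical hunk in `charts/openebs/openebs/charts/localpv-provisioner/templates/rbac.yaml` needs the same change.

```yaml
# … unchanged: openebs.io rule above …
{{- if .Values.localpv.enableLeaderElection }}
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["create"]
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  # placeholder: replace with the lease name the provisioner actually uses
  resourceNames: ["<leader-election-lease-name>"]
  verbs: ["get", "update"]
{{- end }}
# … unchanged: nonResourceURLs /metrics rule …
```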
diff --git a/charts/openebs/openebs/charts/jiva/charts/localpv-provisioner/values.yaml b/charts/openebs/openebs/charts/jiva/charts/localpv-provisioner/values.yaml index d421232ab..3ea87120b 100644 --- a/charts/openebs/openebs/charts/jiva/charts/localpv-provisioner/values.yaml +++ b/charts/openebs/openebs/charts/jiva/charts/localpv-provisioner/values.yaml @@ -3,7 +3,7 @@ # Declare variables to be passed into your templates. release: - version: "3.4.0" + version: "3.5.0" rbac: # rbac.create: `true` if rbac resources should be created @@ -23,7 +23,7 @@ localpv: # For example : quay.io/ is a correct value here and quay.io is incorrect registry: repository: openebs/provisioner-localpv - tag: 3.4.0 + tag: 3.5.0 pullPolicy: IfNotPresent updateStrategy: type: RollingUpdate @@ -163,7 +163,7 @@ helperPod: repository: openebs/linux-utils pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 3.4.0 + tag: 3.5.0 analytics: enabled: true diff --git a/charts/openebs/openebs/charts/jiva/crds/upgradetask.yaml b/charts/openebs/openebs/charts/jiva/crds/upgradetask.yaml index ab35065be..bc2fa70da 100644 --- a/charts/openebs/openebs/charts/jiva/crds/upgradetask.yaml +++ b/charts/openebs/openebs/charts/jiva/crds/upgradetask.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.11.4 name: upgradetasks.openebs.io spec: group: openebs.io 
@@ -15,243 +14,237 @@ spec: singular: upgradetask scope: Namespaced versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: UpgradeTask represents an upgrade task - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation + - name: v1alpha1 + schema: + openAPIV3Schema: + description: UpgradeTask represents an upgrade task + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec i.e. 
specifications of the UpgradeTask - properties: - cstorPool: - description: CStorPool contains the details of the cstor pool to be - upgraded - properties: - options: - description: Options can be used to change the default behaviour - of upgrade - properties: - ignoreStepsOnError: - description: IgnoreStepsOnError allows to ignore steps which - failed - items: - type: string - type: array - type: object - poolName: - description: PoolName contains the name of the cstor pool to be - upgraded - type: string - type: object - cstorPoolCluster: - description: CStorPoolCluster contains the details of the storage - pool claim to be upgraded - properties: - cspcName: - description: CSPCName contains the name of the storage pool claim - to be upgraded - type: string - options: - description: Options can be used to change the default behaviour - of upgrade - properties: - ignoreStepsOnError: - description: IgnoreStepsOnError allows to ignore steps which - failed - items: - type: string - type: array - type: object - type: object - cstorPoolInstance: - description: CStorPoolInstance contains the details of the cstor pool - to be upgraded - properties: - cspiName: - description: CSPCName contains the name of the storage pool claim - to be upgraded - type: string - options: - description: Options can be used to change the default behaviour - of upgrade - properties: - ignoreStepsOnError: - description: IgnoreStepsOnError allows to ignore steps which - failed - items: - type: string - type: array - type: object - type: object - cstorVolume: - description: CStorVolume contains the details of the cstor volume - to be upgraded - properties: - options: - description: Options can be used to change the default behaviour - of upgrade - properties: - ignoreStepsOnError: - description: IgnoreStepsOnError allows to ignore steps which - failed - items: - type: string - type: array - type: object - pvName: - description: PVName contains the name of the pv associated with - the cstor volume 
- type: string - type: object - fromVersion: - description: FromVersion is the current version of the resource. - type: string - imagePrefix: - description: ImagePrefix contains the url prefix of the image url. - This field is optional. If not present upgrade takes the previously - present ImagePrefix. - type: string - imageTag: - description: ImageTag contains the customized tag for ToVersion if - any. This field is optional. If not present upgrade takes the ToVersion - as the ImageTag - type: string - jivaVolume: - description: JivaVolume contains the details of the jiva volume to - be upgraded - properties: - options: - description: Options can be used to change the default behaviour - of upgrade - properties: - ignoreStepsOnError: - description: IgnoreStepsOnError allows to ignore steps which - failed - items: - type: string - type: array - type: object - pvName: - description: PVName contains the name of the pv associated with - the jiva volume - type: string - type: object - options: - description: Options contains the optional flags that can be passed - during upgrade. - properties: - timeout: - description: Timeout is maximum seconds to wait at any given step - in the upgrade - type: integer - type: object - storagePoolClaim: - description: StoragePoolClaim contains the details of the storage - pool claim to be upgraded - properties: - options: - description: Options can be used to change the default behaviour - of upgrade - properties: - ignoreStepsOnError: - description: IgnoreStepsOnError allows to ignore steps which - failed - items: - type: string - type: array - type: object - spcName: - description: SPCName contains the name of the storage pool claim - to be upgraded - type: string - type: object - toVersion: - description: ToVersion is the upgraded version of the resource. It - should be same as the version of control plane components version. 
- type: string - required: - - fromVersion - - toVersion - type: object - status: - description: Status of UpgradeTask - properties: - completedTime: - description: CompletedTime of Upgrade - format: date-time - nullable: true - type: string - phase: - description: Phase indicates if a upgradeTask is started, success - or errored - type: string - retries: - description: Retries is the number of times the job attempted to upgrade - the resource - type: integer - startTime: - description: StartTime of Upgrade - format: date-time - nullable: true - type: string - upgradeDetailedStatuses: - description: UpgradeDetailedStatuses contains the list of statuses - of each step - items: - description: UpgradeDetailedStatuses represents the latest available - observations of a UpgradeTask current state. + type: string + metadata: + type: object + spec: + description: Spec i.e. specifications of the UpgradeTask + properties: + cstorPool: + description: CStorPool contains the details of the cstor pool to be + upgraded + properties: + options: + description: Options can be used to change the default behaviour + of upgrade properties: - lastUpdatedAt: - description: LastUpdatedTime of a UpgradeStep - format: date-time - nullable: true - type: string - message: - description: A human-readable message indicating details about - why the upgradeStep is in this state - type: string - phase: - description: Phase indicates if the UpgradeStep is waiting, - errored or completed. 
- type: string - reason: - description: Reason is a brief CamelCase string that describes - any failure and is meant for machine parsing and tidy display - in the CLI - type: string - startTime: - description: StartTime of a UpgradeStep - format: date-time - nullable: true - type: string - step: - description: UpgradeStep is the current step being performed - for a particular resource upgrade - type: string + ignoreStepsOnError: + description: IgnoreStepsOnError allows to ignore steps which + failed + items: + type: string + type: array type: object - type: array - type: object - required: - - spec - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- + poolName: + description: PoolName contains the name of the cstor pool to be + upgraded + type: string + type: object + cstorPoolCluster: + description: CStorPoolCluster contains the details of the storage + pool claim to be upgraded + properties: + cspcName: + description: CSPCName contains the name of the storage pool claim + to be upgraded + type: string + options: + description: Options can be used to change the default behaviour + of upgrade + properties: + ignoreStepsOnError: + description: IgnoreStepsOnError allows to ignore steps which + failed + items: + type: string + type: array + type: object + type: object + cstorPoolInstance: + description: CStorPoolInstance contains the details of the cstor pool + to be upgraded + properties: + cspiName: + description: CSPCName contains the name of the storage pool claim + to be upgraded + type: string + options: + description: Options can be used to change the default behaviour + of upgrade + properties: + ignoreStepsOnError: + description: IgnoreStepsOnError allows to ignore steps which + failed + items: + type: string + type: array + type: object + type: object + cstorVolume: + description: CStorVolume contains the details of the cstor volume + to be upgraded + properties: + 
options: + description: Options can be used to change the default behaviour + of upgrade + properties: + ignoreStepsOnError: + description: IgnoreStepsOnError allows to ignore steps which + failed + items: + type: string + type: array + type: object + pvName: + description: PVName contains the name of the pv associated with + the cstor volume + type: string + type: object + fromVersion: + description: FromVersion is the current version of the resource. + type: string + imagePrefix: + description: ImagePrefix contains the url prefix of the image url. + This field is optional. If not present upgrade takes the previously + present ImagePrefix. + type: string + imageTag: + description: ImageTag contains the customized tag for ToVersion if + any. This field is optional. If not present upgrade takes the ToVersion + as the ImageTag + type: string + jivaVolume: + description: JivaVolume contains the details of the jiva volume to + be upgraded + properties: + options: + description: Options can be used to change the default behaviour + of upgrade + properties: + ignoreStepsOnError: + description: IgnoreStepsOnError allows to ignore steps which + failed + items: + type: string + type: array + type: object + pvName: + description: PVName contains the name of the pv associated with + the jiva volume + type: string + type: object + options: + description: Options contains the optional flags that can be passed + during upgrade. 
+ properties: + timeout: + description: Timeout is maximum seconds to wait at any given step + in the upgrade + type: integer + type: object + storagePoolClaim: + description: StoragePoolClaim contains the details of the storage + pool claim to be upgraded + properties: + options: + description: Options can be used to change the default behaviour + of upgrade + properties: + ignoreStepsOnError: + description: IgnoreStepsOnError allows to ignore steps which + failed + items: + type: string + type: array + type: object + spcName: + description: SPCName contains the name of the storage pool claim + to be upgraded + type: string + type: object + toVersion: + description: ToVersion is the upgraded version of the resource. It + should be same as the version of control plane components version. + type: string + required: + - fromVersion + - toVersion + type: object + status: + description: Status of UpgradeTask + properties: + completedTime: + description: CompletedTime of Upgrade + format: date-time + nullable: true + type: string + phase: + description: Phase indicates if a upgradeTask is started, success + or errored + type: string + retries: + description: Retries is the number of times the job attempted to upgrade + the resource + type: integer + startTime: + description: StartTime of Upgrade + format: date-time + nullable: true + type: string + upgradeDetailedStatuses: + description: UpgradeDetailedStatuses contains the list of statuses + of each step + items: + description: UpgradeDetailedStatuses represents the latest available + observations of a UpgradeTask current state. + properties: + lastUpdatedAt: + description: LastUpdatedTime of a UpgradeStep + format: date-time + nullable: true + type: string + message: + description: A human-readable message indicating details about + why the upgradeStep is in this state + type: string + phase: + description: Phase indicates if the UpgradeStep is waiting, + errored or completed. 
+ type: string + reason: + description: Reason is a brief CamelCase string that describes + any failure and is meant for machine parsing and tidy display + in the CLI + type: string + startTime: + description: StartTime of a UpgradeStep + format: date-time + nullable: true + type: string + step: + description: UpgradeStep is the current step being performed + for a particular resource upgrade + type: string + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true +--- \ No newline at end of file diff --git a/charts/openebs/openebs/charts/jiva/values.yaml b/charts/openebs/openebs/charts/jiva/values.yaml index fe9c175fc..de123304f 100644 --- a/charts/openebs/openebs/charts/jiva/values.yaml +++ b/charts/openebs/openebs/charts/jiva/values.yaml @@ -3,7 +3,7 @@ # Declare variables to be passed into your templates. release: - version: "3.4.0" + version: "3.6.0" # If false, openebs localpv sub-chart will not be installed @@ -25,17 +25,17 @@ jivaOperator: image: registry: repository: openebs/jiva - tag: 3.4.0 + tag: 3.6.0 replica: image: registry: repository: openebs/jiva - tag: 3.4.0 + tag: 3.6.0 exporter: image: registry: repository: openebs/m-exporter - tag: 3.4.0 + tag: 3.6.0 image: # Make sure that registry name end with a '/'. # For example : quay.io/ is a correct value here and quay.io is incorrect @@ -43,7 +43,7 @@ jivaOperator: repository: openebs/jiva-operator pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 3.4.0 + tag: 3.6.0 annotations: {} resyncInterval: "30" podAnnotations: {} @@ -118,7 +118,7 @@ jivaCSIPlugin: repository: openebs/jiva-csi pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 3.4.0 + tag: 3.6.0 remount: "true" csiNode: diff --git a/charts/openebs/openebs/charts/localpv-provisioner/Chart.lock b/charts/openebs/openebs/charts/localpv-provisioner/Chart.lock index 4ff3a5ce0..7e36f8f6c 100644 
--- a/charts/openebs/openebs/charts/localpv-provisioner/Chart.lock +++ b/charts/openebs/openebs/charts/localpv-provisioner/Chart.lock @@ -3,4 +3,4 @@ dependencies: repository: https://openebs.github.io/node-disk-manager version: 2.1.0 digest: sha256:47adcc8a92ea7ce83ca7f37f05f9e2f4c10154adc9551bd92e92c1ca5608f131 -generated: "2023-08-16T16:46:46.773916076Z" +generated: "2023-12-11T16:43:31.314774415Z" diff --git a/charts/openebs/openebs/charts/localpv-provisioner/Chart.yaml b/charts/openebs/openebs/charts/localpv-provisioner/Chart.yaml index 4d1e73dc0..3b705c3cc 100644 --- a/charts/openebs/openebs/charts/localpv-provisioner/Chart.yaml +++ b/charts/openebs/openebs/charts/localpv-provisioner/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 3.4.0 +appVersion: 3.5.0 dependencies: - condition: openebsNDM.enabled name: openebs-ndm @@ -24,4 +24,4 @@ name: localpv-provisioner sources: - https://github.com/openebs/dynamic-localpv-provisioner type: application -version: 3.4.1 +version: 3.5.0 diff --git a/charts/openebs/openebs/charts/localpv-provisioner/README.md b/charts/openebs/openebs/charts/localpv-provisioner/README.md index fe321ca37..18ac092c0 100644 --- a/charts/openebs/openebs/charts/localpv-provisioner/README.md +++ b/charts/openebs/openebs/charts/localpv-provisioner/README.md 
@@ -103,52 +103,52 @@ helm install openebs-localpv openebs-localpv/localpv-provisioner --namespace ope --set-string deviceClass.blockDeviceSelectors."ndm\.io/fsType"="ext4" ``` -| Parameter | Description | Default | -| ------------------------------------------- | --------------------------------------------- | ----------------------------------------- | -| `release.version` | LocalPV Provisioner release version | `3.4.0` | -| `analytics.enabled` | Enable sending stats to Google Analytics | `true` | -| `analytics.pingInterval` | Duration(hours) between sending ping stat | `24h` | -| `deviceClass.blockDeviceSelectors` | Label key value pairs based on which BlockDevices on the node will be selected for provisioning | `{}` | -| `deviceClass.enabled` | Enables creation of default Device StorageClass | `true` | -| `deviceClass.fsType` | Filesystem type for openebs-device StorageClass | `"ext4"` | -| `deviceClass.isDefaultClass` | Make openebs-device the default StorageClass | `"false"` | -| `deviceClass.nodeAffinityLabels` | Custom node label(or labels) key to uniquely identify nodes. `kubernetes.io/hostname` is the default label key for node selection. | `[]` | -| `deviceClass.reclaimPolicy` | ReclaimPolicy for Device PVs | `"Delete"` | -| `helperPod.image.registry` | Registry for helper image | `""` | -| `helperPod.image.repository` | Image for helper pod | `"openebs/linux-utils"` | -| `helperPod.image.pullPolicy` | Pull policy for helper pod | `"IfNotPresent"` | -| `helperPod.image.tag` | Image tag for helper image | `3.4.0` | -| `hostpathClass.basePath` | BasePath for openebs-hostpath StorageClass | `"/var/openebs/local"` | -| `hostpathClass.enabled` | Enables creation of default Hostpath StorageClass | `true` | -| `hostpathClass.isDefaultClass` | Make openebs-hostpath the default StorageClass | `"false"` | -| `hostpathClass.nodeAffinityLabels` | Custom node label(or labels) key to uniquely identify nodes. 
`kubernetes.io/hostname` is the default label key for node selection. | `[]` | -| `hostpathClass.xfsQuota.enabled` | Enable XFS Quota (requires XFS filesystem) | `false` | -| `hostpathClass.ext4Quota.enabled` | Enable EXT4 Quota (requires EXT4 filesystem) | `false` | -| `hostpathClass.reclaimPolicy` | ReclaimPolicy for Hostpath PVs | `"Delete"` | -| `imagePullSecrets` | Provides image pull secrect | `""` | -| `localpv.enabled` | Enable LocalPV Provisioner | `true` | -| `localpv.image.registry` | Registry for LocalPV Provisioner image | `""` | -| `localpv.image.repository` | Image repository for LocalPV Provisioner | `openebs/localpv-provisioner` | -| `localpv.image.pullPolicy` | Image pull policy for LocalPV Provisioner | `IfNotPresent` | -| `localpv.image.tag` | Image tag for LocalPV Provisioner | `3.4.0` | -| `localpv.updateStrategy.type` | Update strategy for LocalPV Provisioner | `RollingUpdate` | -| `localpv.annotations` | Annotations for LocalPV Provisioner metadata | `""` | -| `localpv.podAnnotations` | Annotations for LocalPV Provisioner pods metadata | `""` | -| `localpv.privileged` | Run LocalPV Provisioner with extra privileges | `true` | -| `localpv.resources` | Resource and request and limit for containers | `""` | -| `localpv.podLabels` | Appends labels to the pods | `""` | -| `localpv.nodeSelector` | Nodeselector for LocalPV Provisioner pods | `""` | -| `localpv.tolerations` | LocalPV Provisioner pod toleration values | `""` | -| `localpv.securityContext` | Seurity context for container | `""` | -| `localpv.healthCheck.initialDelaySeconds` | Delay before liveness probe is initiated | `30` | -| `localpv.healthCheck.periodSeconds` | How often to perform the liveness probe | `60` | -| `localpv.replicas` | No. 
of LocalPV Provisioner replica | `1` | -| `localpv.enableLeaderElection` | Enable leader election | `true` | -| `localpv.affinity` | LocalPV Provisioner pod affinity | `{}` | -| `localpv.waitForBDBindTimeoutRetryCount` | This sets the number of times the provisioner should try with a polling interval of 5 seconds, to get the Blockdevice Name from a BlockDeviceClaim, before the BlockDeviceClaim is deleted. | "12" | -| `openebsNDM.enabled` | Install openebs NDM dependency | `true` | -| `rbac.create` | Enable RBAC Resources | `true` | -| `rbac.pspEnabled` | Create pod security policy resources | `false` | +| Parameter | Description | Default | +| ------------------------------------------- | --------------------------------------------- |-------------------------------| +| `release.version` | LocalPV Provisioner release version | `3.5.0` | +| `analytics.enabled` | Enable sending stats to Google Analytics | `true` | +| `analytics.pingInterval` | Duration(hours) between sending ping stat | `24h` | +| `deviceClass.blockDeviceSelectors` | Label key value pairs based on which BlockDevices on the node will be selected for provisioning | `{}` | +| `deviceClass.enabled` | Enables creation of default Device StorageClass | `true` | +| `deviceClass.fsType` | Filesystem type for openebs-device StorageClass | `"ext4"` | +| `deviceClass.isDefaultClass` | Make openebs-device the default StorageClass | `"false"` | +| `deviceClass.nodeAffinityLabels` | Custom node label(or labels) key to uniquely identify nodes. `kubernetes.io/hostname` is the default label key for node selection. 
| `[]` | +| `deviceClass.reclaimPolicy` | ReclaimPolicy for Device PVs | `"Delete"` | +| `helperPod.image.registry` | Registry for helper image | `""` | +| `helperPod.image.repository` | Image for helper pod | `"openebs/linux-utils"` | +| `helperPod.image.pullPolicy` | Pull policy for helper pod | `"IfNotPresent"` | +| `helperPod.image.tag` | Image tag for helper image | `3.5.0` | +| `hostpathClass.basePath` | BasePath for openebs-hostpath StorageClass | `"/var/openebs/local"` | +| `hostpathClass.enabled` | Enables creation of default Hostpath StorageClass | `true` | +| `hostpathClass.isDefaultClass` | Make openebs-hostpath the default StorageClass | `"false"` | +| `hostpathClass.nodeAffinityLabels` | Custom node label(or labels) key to uniquely identify nodes. `kubernetes.io/hostname` is the default label key for node selection. | `[]` | +| `hostpathClass.xfsQuota.enabled` | Enable XFS Quota (requires XFS filesystem) | `false` | +| `hostpathClass.ext4Quota.enabled` | Enable EXT4 Quota (requires EXT4 filesystem) | `false` | +| `hostpathClass.reclaimPolicy` | ReclaimPolicy for Hostpath PVs | `"Delete"` | +| `imagePullSecrets` | Provides image pull secrect | `""` | +| `localpv.enabled` | Enable LocalPV Provisioner | `true` | +| `localpv.image.registry` | Registry for LocalPV Provisioner image | `""` | +| `localpv.image.repository` | Image repository for LocalPV Provisioner | `openebs/localpv-provisioner` | +| `localpv.image.pullPolicy` | Image pull policy for LocalPV Provisioner | `IfNotPresent` | +| `localpv.image.tag` | Image tag for LocalPV Provisioner | `3.5.0` | +| `localpv.updateStrategy.type` | Update strategy for LocalPV Provisioner | `RollingUpdate` | +| `localpv.annotations` | Annotations for LocalPV Provisioner metadata | `""` | +| `localpv.podAnnotations` | Annotations for LocalPV Provisioner pods metadata | `""` | +| `localpv.privileged` | Run LocalPV Provisioner with extra privileges | `true` | +| `localpv.resources` | Resource and request and limit for 
containers | `""` | +| `localpv.podLabels` | Appends labels to the pods | `""` | +| `localpv.nodeSelector` | Nodeselector for LocalPV Provisioner pods | `""` | +| `localpv.tolerations` | LocalPV Provisioner pod toleration values | `""` | +| `localpv.securityContext` | Seurity context for container | `""` | +| `localpv.healthCheck.initialDelaySeconds` | Delay before liveness probe is initiated | `30` | +| `localpv.healthCheck.periodSeconds` | How often to perform the liveness probe | `60` | +| `localpv.replicas` | No. of LocalPV Provisioner replica | `1` | +| `localpv.enableLeaderElection` | Enable leader election | `true` | +| `localpv.affinity` | LocalPV Provisioner pod affinity | `{}` | +| `localpv.waitForBDBindTimeoutRetryCount` | This sets the number of times the provisioner should try with a polling interval of 5 seconds, to get the Blockdevice Name from a BlockDeviceClaim, before the BlockDeviceClaim is deleted. | "12" | +| `openebsNDM.enabled` | Install openebs NDM dependency | `true` | +| `rbac.create` | Enable RBAC Resources | `true` | +| `rbac.pspEnabled` | Create pod security policy resources | `false` | A YAML file that specifies the values for the parameters can be provided while installing the chart. For example, diff --git a/charts/openebs/openebs/charts/localpv-provisioner/templates/rbac.yaml b/charts/openebs/openebs/charts/localpv-provisioner/templates/rbac.yaml index 04cd5409c..d9b894a52 100644 --- a/charts/openebs/openebs/charts/localpv-provisioner/templates/rbac.yaml +++ b/charts/openebs/openebs/charts/localpv-provisioner/templates/rbac.yaml @@ -40,6 +40,9 @@ rules: - apiGroups: ["openebs.io"] resources: [ "*"] verbs: ["*" ] +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "create", "update"] - nonResourceURLs: ["/metrics"] verbs: ["get"] --- diff --git a/charts/openebs/openebs/charts/localpv-provisioner/values.yaml b/charts/openebs/openebs/charts/localpv-provisioner/values.yaml index d421232ab..3ea87120b 100644 
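Review bot: The `coordination.k8s.io` `leases` rule added in `localpv-provisioner/templates/rbac.yaml` is granted unconditionally and cluster-wide. The same rule list carries a `nonResourceURLs` entry, which is only valid in a ClusterRole, so the provisioner's service account can get, create and update Lease objects in every namespace. Leader election presumably only needs leases in the release namespace, so a namespaced Role with a RoleBinding would be the tighter grant; at minimum wrap the rule in `{{- if .Values.localpv.enableLeaderElection }}` … `{{- end }}` so it is not rendered when election is off. The identical hunk in `mayastor/charts/localpv-provisioner/templates/rbac.yaml` has the same issue. The rule list starts outside the hunk, so the kind of the enclosing object is inferred rather than seen.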
--- a/charts/openebs/openebs/charts/localpv-provisioner/values.yaml +++ b/charts/openebs/openebs/charts/localpv-provisioner/values.yaml @@ -3,7 +3,7 @@ # Declare variables to be passed into your templates. release: - version: "3.4.0" + version: "3.5.0" rbac: # rbac.create: `true` if rbac resources should be created @@ -23,7 +23,7 @@ localpv: # For example : quay.io/ is a correct value here and quay.io is incorrect registry: repository: openebs/provisioner-localpv - tag: 3.4.0 + tag: 3.5.0 pullPolicy: IfNotPresent updateStrategy: type: RollingUpdate @@ -163,7 +163,7 @@ helperPod: repository: openebs/linux-utils pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 3.4.0 + tag: 3.5.0 analytics: enabled: true diff --git a/charts/openebs/openebs/charts/lvm-localpv/Chart.yaml b/charts/openebs/openebs/charts/lvm-localpv/Chart.yaml index 05e861b59..c57135e0c 100644 --- a/charts/openebs/openebs/charts/lvm-localpv/Chart.yaml +++ b/charts/openebs/openebs/charts/lvm-localpv/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.3.0 +appVersion: 1.4.0 description: CSI Driver for dynamic provisioning of LVM Persistent Local Volumes. home: https://openebs.io/ icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/openebs/icon/color/openebs-icon-color.png @@ -20,4 +20,4 @@ maintainers: name: lvm-localpv sources: - https://github.com/openebs/lvm-localpv -version: 1.3.0 +version: 1.4.0 diff --git a/charts/openebs/openebs/charts/lvm-localpv/templates/rbac.yaml b/charts/openebs/openebs/charts/lvm-localpv/templates/rbac.yaml index 2d87a9d53..edf3a3495 100644 --- a/charts/openebs/openebs/charts/lvm-localpv/templates/rbac.yaml +++ b/charts/openebs/openebs/charts/lvm-localpv/templates/rbac.yaml 
@@ -14,9 +14,6 @@ metadata: labels: {{- include "lvmlocalpv.lvmController.labels" . | nindent 4 }} rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list"] - apiGroups: [""] resources: ["namespaces"] verbs: ["get", "list", "watch"] @@ -123,7 +120,8 @@ roleRef: apiGroup: rbac.authorization.k8s.io --- {{- end }} -{{- if .Values.serviceAccount.lvmNode.create -}} + +{{- if .Values.serviceAccount.lvmNode.create }} apiVersion: v1 kind: ServiceAccount metadata: diff --git a/charts/openebs/openebs/charts/lvm-localpv/templates/volumesnapshotclasses-crd.yaml b/charts/openebs/openebs/charts/lvm-localpv/templates/volumesnapshotclasses-crd.yaml index 5c89653ad..0a6b30fde 100644 --- a/charts/openebs/openebs/charts/lvm-localpv/templates/volumesnapshotclasses-crd.yaml +++ b/charts/openebs/openebs/charts/lvm-localpv/templates/volumesnapshotclasses-crd.yaml @@ -42,8 +42,8 @@ spec: properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string deletionPolicy: description: deletionPolicy determines whether a VolumeSnapshotContent 
@@ -63,8 +63,8 @@ spec: type: string kind: description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string parameters: additionalProperties: diff --git a/charts/openebs/openebs/charts/lvm-localpv/templates/volumesnapshots-crd.yaml b/charts/openebs/openebs/charts/lvm-localpv/templates/volumesnapshots-crd.yaml index b303fa9cf..d262fbd55 100644 --- a/charts/openebs/openebs/charts/lvm-localpv/templates/volumesnapshots-crd.yaml +++ b/charts/openebs/openebs/charts/lvm-localpv/templates/volumesnapshots-crd.yaml 
@@ -67,18 +67,18 @@ spec: properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string spec: description: 'spec defines the desired characteristics of a snapshot requested - by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots - Required.' + by a user. More info: https://kubernetes.io/docs/concepts/storage/volume-snapshots#volumesnapshots + Required.' properties: source: description: source specifies where a snapshot will be created from. 
@@ -105,16 +105,16 @@ spec: - required: ["volumeSnapshotContentName"] volumeSnapshotClassName: description: 'VolumeSnapshotClassName is the name of the VolumeSnapshotClass - requested by the VolumeSnapshot. VolumeSnapshotClassName may be - left nil to indicate that the default SnapshotClass should be used. - A given cluster may have multiple default Volume SnapshotClasses: - one default per CSI Driver. If a VolumeSnapshot does not specify - a SnapshotClass, VolumeSnapshotSource will be checked to figure - out what the associated CSI Driver is, and the default VolumeSnapshotClass - associated with that CSI Driver will be used. If more than one VolumeSnapshotClass - exist for a given CSI Driver and more than one have been marked - as default, CreateSnapshot will fail and generate an event. Empty - string is not allowed for this field.' + requested by the VolumeSnapshot. VolumeSnapshotClassName may be + left nil to indicate that the default SnapshotClass should be used. + A given cluster may have multiple default Volume SnapshotClasses: + one default per CSI Driver. If a VolumeSnapshot does not specify + a SnapshotClass, VolumeSnapshotSource will be checked to figure + out what the associated CSI Driver is, and the default VolumeSnapshotClass + associated with that CSI Driver will be used. If more than one VolumeSnapshotClass + exist for a given CSI Driver and more than one have been marked + as default, CreateSnapshot will fail and generate an event. Empty + string is not allowed for this field.' type: string required: - source 
@@ -127,13 +127,13 @@ spec: properties: boundVolumeSnapshotContentName: description: 'boundVolumeSnapshotContentName is the name of the VolumeSnapshotContent - object to which this VolumeSnapshot object intends to bind to. If - not specified, it indicates that the VolumeSnapshot object has not - been successfully bound to a VolumeSnapshotContent object yet. NOTE: - To avoid possible security issues, consumers must verify binding - between VolumeSnapshot and VolumeSnapshotContent objects is successful - (by validating that both VolumeSnapshot and VolumeSnapshotContent - point at each other) before using this object.' + object to which this VolumeSnapshot object intends to bind to. If + not specified, it indicates that the VolumeSnapshot object has not + been successfully bound to a VolumeSnapshotContent object yet. NOTE: + To avoid possible security issues, consumers must verify binding + between VolumeSnapshot and VolumeSnapshotContent objects is successful + (by validating that both VolumeSnapshot and VolumeSnapshotContent + point at each other) before using this object.' type: string creationTime: description: creationTime is the timestamp when the point-in-time @@ -157,8 +157,8 @@ spec: properties: message: description: 'message is a string detailing the encountered error - during snapshot creation if specified. NOTE: message may be - logged, and it should not contain sensitive information.' + during snapshot creation if specified. NOTE: message may be + logged, and it should not contain sensitive information.' type: string time: description: time is the timestamp when the error was encountered. diff --git a/charts/openebs/openebs/charts/lvm-localpv/values.yaml b/charts/openebs/openebs/charts/lvm-localpv/values.yaml index f6c4da6b2..ea2be28d6 100644 --- a/charts/openebs/openebs/charts/lvm-localpv/values.yaml +++ b/charts/openebs/openebs/charts/lvm-localpv/values.yaml 
@@ -2,7 +2,7 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. release: - version: "1.3.0" + version: "1.4.0" imagePullSecrets: # - name: "image-pull-secret" @@ -149,7 +149,7 @@ lvmPlugin: repository: openebs/lvm-driver pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 1.3.0 + tag: 1.4.0 ioLimits: enabled: false containerRuntime: containerd diff --git a/charts/openebs/openebs/charts/mayastor/.helmignore b/charts/openebs/openebs/charts/mayastor/.helmignore index 7ba69a71f..27c82af97 100644 --- a/charts/openebs/openebs/charts/mayastor/.helmignore +++ b/charts/openebs/openebs/charts/mayastor/.helmignore @@ -22,3 +22,5 @@ *.tmproj .vscode/ *.md +# Nix Shell +*.nix diff --git a/charts/openebs/openebs/charts/mayastor/Chart.lock b/charts/openebs/openebs/charts/mayastor/Chart.lock index a204cbf41..6e4562d0c 100644 --- a/charts/openebs/openebs/charts/mayastor/Chart.lock +++ b/charts/openebs/openebs/charts/mayastor/Chart.lock @@ -13,6 +13,6 @@ dependencies: version: 0.19.14 - name: localpv-provisioner repository: https://openebs.github.io/dynamic-localpv-provisioner - version: 3.4.1 -digest: sha256:0a43736883b9088fad4cd9e013abc88a470fb9d0e5cba50ce63c98172522a3fc -generated: "2023-09-05T10:04:06.785720699Z" + version: 3.5.0 +digest: sha256:be4bff044f5efc6009797eb98526b5b1aed9f6881dff64fc28a5dcc348144c92 +generated: "2023-12-18T06:41:04.445802395Z" diff --git a/charts/openebs/openebs/charts/mayastor/Chart.yaml b/charts/openebs/openebs/charts/mayastor/Chart.yaml index ac485194b..43f259747 100644 --- a/charts/openebs/openebs/charts/mayastor/Chart.yaml +++ b/charts/openebs/openebs/charts/mayastor/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 2.4.0 +appVersion: 2.5.0 dependencies: - name: etcd repository: https://charts.bitnami.com/bitnami 
@@ -19,8 +19,8 @@ dependencies: - condition: localpv-provisioner.enabled name: localpv-provisioner repository: https://openebs.github.io/dynamic-localpv-provisioner - version: 3.4.1 + version: 3.5.0 description: Mayastor Helm chart for Kubernetes name: mayastor type: application -version: 2.4.0 +version: 2.5.0 diff --git a/charts/openebs/openebs/charts/mayastor/charts/localpv-provisioner/Chart.lock b/charts/openebs/openebs/charts/mayastor/charts/localpv-provisioner/Chart.lock index 4ff3a5ce0..7e36f8f6c 100644 --- a/charts/openebs/openebs/charts/mayastor/charts/localpv-provisioner/Chart.lock +++ b/charts/openebs/openebs/charts/mayastor/charts/localpv-provisioner/Chart.lock @@ -3,4 +3,4 @@ dependencies: repository: https://openebs.github.io/node-disk-manager version: 2.1.0 digest: sha256:47adcc8a92ea7ce83ca7f37f05f9e2f4c10154adc9551bd92e92c1ca5608f131 -generated: "2023-08-16T16:46:46.773916076Z" +generated: "2023-12-11T16:43:31.314774415Z" diff --git a/charts/openebs/openebs/charts/mayastor/charts/localpv-provisioner/Chart.yaml b/charts/openebs/openebs/charts/mayastor/charts/localpv-provisioner/Chart.yaml index 4d1e73dc0..3b705c3cc 100644 --- a/charts/openebs/openebs/charts/mayastor/charts/localpv-provisioner/Chart.yaml +++ b/charts/openebs/openebs/charts/mayastor/charts/localpv-provisioner/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 3.4.0 +appVersion: 3.5.0 dependencies: - condition: openebsNDM.enabled name: openebs-ndm @@ -24,4 +24,4 @@ name: localpv-provisioner sources: - https://github.com/openebs/dynamic-localpv-provisioner type: application -version: 3.4.1 +version: 3.5.0 diff --git a/charts/openebs/openebs/charts/mayastor/charts/localpv-provisioner/README.md b/charts/openebs/openebs/charts/mayastor/charts/localpv-provisioner/README.md index fe321ca37..18ac092c0 100644 --- a/charts/openebs/openebs/charts/mayastor/charts/localpv-provisioner/README.md +++ b/charts/openebs/openebs/charts/mayastor/charts/localpv-provisioner/README.md 
@@ -103,52 +103,52 @@ helm install openebs-localpv openebs-localpv/localpv-provisioner --namespace ope --set-string deviceClass.blockDeviceSelectors."ndm\.io/fsType"="ext4" ``` -| Parameter | Description | Default | -| ------------------------------------------- | --------------------------------------------- | ----------------------------------------- | -| `release.version` | LocalPV Provisioner release version | `3.4.0` | -| `analytics.enabled` | Enable sending stats to Google Analytics | `true` | -| `analytics.pingInterval` | Duration(hours) between sending ping stat | `24h` | -| `deviceClass.blockDeviceSelectors` | Label key value pairs based on which BlockDevices on the node will be selected for provisioning | `{}` | -| `deviceClass.enabled` | Enables creation of default Device StorageClass | `true` | -| `deviceClass.fsType` | Filesystem type for openebs-device StorageClass | `"ext4"` | -| `deviceClass.isDefaultClass` | Make openebs-device the default StorageClass | `"false"` | -| `deviceClass.nodeAffinityLabels` | Custom node label(or labels) key to uniquely identify nodes. `kubernetes.io/hostname` is the default label key for node selection. | `[]` | -| `deviceClass.reclaimPolicy` | ReclaimPolicy for Device PVs | `"Delete"` | -| `helperPod.image.registry` | Registry for helper image | `""` | -| `helperPod.image.repository` | Image for helper pod | `"openebs/linux-utils"` | -| `helperPod.image.pullPolicy` | Pull policy for helper pod | `"IfNotPresent"` | -| `helperPod.image.tag` | Image tag for helper image | `3.4.0` | -| `hostpathClass.basePath` | BasePath for openebs-hostpath StorageClass | `"/var/openebs/local"` | -| `hostpathClass.enabled` | Enables creation of default Hostpath StorageClass | `true` | -| `hostpathClass.isDefaultClass` | Make openebs-hostpath the default StorageClass | `"false"` | -| `hostpathClass.nodeAffinityLabels` | Custom node label(or labels) key to uniquely identify nodes. 
`kubernetes.io/hostname` is the default label key for node selection. | `[]` | -| `hostpathClass.xfsQuota.enabled` | Enable XFS Quota (requires XFS filesystem) | `false` | -| `hostpathClass.ext4Quota.enabled` | Enable EXT4 Quota (requires EXT4 filesystem) | `false` | -| `hostpathClass.reclaimPolicy` | ReclaimPolicy for Hostpath PVs | `"Delete"` | -| `imagePullSecrets` | Provides image pull secrect | `""` | -| `localpv.enabled` | Enable LocalPV Provisioner | `true` | -| `localpv.image.registry` | Registry for LocalPV Provisioner image | `""` | -| `localpv.image.repository` | Image repository for LocalPV Provisioner | `openebs/localpv-provisioner` | -| `localpv.image.pullPolicy` | Image pull policy for LocalPV Provisioner | `IfNotPresent` | -| `localpv.image.tag` | Image tag for LocalPV Provisioner | `3.4.0` | -| `localpv.updateStrategy.type` | Update strategy for LocalPV Provisioner | `RollingUpdate` | -| `localpv.annotations` | Annotations for LocalPV Provisioner metadata | `""` | -| `localpv.podAnnotations` | Annotations for LocalPV Provisioner pods metadata | `""` | -| `localpv.privileged` | Run LocalPV Provisioner with extra privileges | `true` | -| `localpv.resources` | Resource and request and limit for containers | `""` | -| `localpv.podLabels` | Appends labels to the pods | `""` | -| `localpv.nodeSelector` | Nodeselector for LocalPV Provisioner pods | `""` | -| `localpv.tolerations` | LocalPV Provisioner pod toleration values | `""` | -| `localpv.securityContext` | Seurity context for container | `""` | -| `localpv.healthCheck.initialDelaySeconds` | Delay before liveness probe is initiated | `30` | -| `localpv.healthCheck.periodSeconds` | How often to perform the liveness probe | `60` | -| `localpv.replicas` | No. 
of LocalPV Provisioner replica | `1` | -| `localpv.enableLeaderElection` | Enable leader election | `true` | -| `localpv.affinity` | LocalPV Provisioner pod affinity | `{}` | -| `localpv.waitForBDBindTimeoutRetryCount` | This sets the number of times the provisioner should try with a polling interval of 5 seconds, to get the Blockdevice Name from a BlockDeviceClaim, before the BlockDeviceClaim is deleted. | "12" | -| `openebsNDM.enabled` | Install openebs NDM dependency | `true` | -| `rbac.create` | Enable RBAC Resources | `true` | -| `rbac.pspEnabled` | Create pod security policy resources | `false` | +| Parameter | Description | Default | +| ------------------------------------------- | --------------------------------------------- |-------------------------------| +| `release.version` | LocalPV Provisioner release version | `3.5.0` | +| `analytics.enabled` | Enable sending stats to Google Analytics | `true` | +| `analytics.pingInterval` | Duration(hours) between sending ping stat | `24h` | +| `deviceClass.blockDeviceSelectors` | Label key value pairs based on which BlockDevices on the node will be selected for provisioning | `{}` | +| `deviceClass.enabled` | Enables creation of default Device StorageClass | `true` | +| `deviceClass.fsType` | Filesystem type for openebs-device StorageClass | `"ext4"` | +| `deviceClass.isDefaultClass` | Make openebs-device the default StorageClass | `"false"` | +| `deviceClass.nodeAffinityLabels` | Custom node label(or labels) key to uniquely identify nodes. `kubernetes.io/hostname` is the default label key for node selection. 
| `[]` | +| `deviceClass.reclaimPolicy` | ReclaimPolicy for Device PVs | `"Delete"` | +| `helperPod.image.registry` | Registry for helper image | `""` | +| `helperPod.image.repository` | Image for helper pod | `"openebs/linux-utils"` | +| `helperPod.image.pullPolicy` | Pull policy for helper pod | `"IfNotPresent"` | +| `helperPod.image.tag` | Image tag for helper image | `3.5.0` | +| `hostpathClass.basePath` | BasePath for openebs-hostpath StorageClass | `"/var/openebs/local"` | +| `hostpathClass.enabled` | Enables creation of default Hostpath StorageClass | `true` | +| `hostpathClass.isDefaultClass` | Make openebs-hostpath the default StorageClass | `"false"` | +| `hostpathClass.nodeAffinityLabels` | Custom node label(or labels) key to uniquely identify nodes. `kubernetes.io/hostname` is the default label key for node selection. | `[]` | +| `hostpathClass.xfsQuota.enabled` | Enable XFS Quota (requires XFS filesystem) | `false` | +| `hostpathClass.ext4Quota.enabled` | Enable EXT4 Quota (requires EXT4 filesystem) | `false` | +| `hostpathClass.reclaimPolicy` | ReclaimPolicy for Hostpath PVs | `"Delete"` | +| `imagePullSecrets` | Provides image pull secrect | `""` | +| `localpv.enabled` | Enable LocalPV Provisioner | `true` | +| `localpv.image.registry` | Registry for LocalPV Provisioner image | `""` | +| `localpv.image.repository` | Image repository for LocalPV Provisioner | `openebs/localpv-provisioner` | +| `localpv.image.pullPolicy` | Image pull policy for LocalPV Provisioner | `IfNotPresent` | +| `localpv.image.tag` | Image tag for LocalPV Provisioner | `3.5.0` | +| `localpv.updateStrategy.type` | Update strategy for LocalPV Provisioner | `RollingUpdate` | +| `localpv.annotations` | Annotations for LocalPV Provisioner metadata | `""` | +| `localpv.podAnnotations` | Annotations for LocalPV Provisioner pods metadata | `""` | +| `localpv.privileged` | Run LocalPV Provisioner with extra privileges | `true` | +| `localpv.resources` | Resource and request and limit for 
containers | `""` | +| `localpv.podLabels` | Appends labels to the pods | `""` | +| `localpv.nodeSelector` | Nodeselector for LocalPV Provisioner pods | `""` | +| `localpv.tolerations` | LocalPV Provisioner pod toleration values | `""` | +| `localpv.securityContext` | Seurity context for container | `""` | +| `localpv.healthCheck.initialDelaySeconds` | Delay before liveness probe is initiated | `30` | +| `localpv.healthCheck.periodSeconds` | How often to perform the liveness probe | `60` | +| `localpv.replicas` | No. of LocalPV Provisioner replica | `1` | +| `localpv.enableLeaderElection` | Enable leader election | `true` | +| `localpv.affinity` | LocalPV Provisioner pod affinity | `{}` | +| `localpv.waitForBDBindTimeoutRetryCount` | This sets the number of times the provisioner should try with a polling interval of 5 seconds, to get the Blockdevice Name from a BlockDeviceClaim, before the BlockDeviceClaim is deleted. | "12" | +| `openebsNDM.enabled` | Install openebs NDM dependency | `true` | +| `rbac.create` | Enable RBAC Resources | `true` | +| `rbac.pspEnabled` | Create pod security policy resources | `false` | A YAML file that specifies the values for the parameters can be provided while installing the chart. For example, diff --git a/charts/openebs/openebs/charts/mayastor/charts/localpv-provisioner/templates/rbac.yaml b/charts/openebs/openebs/charts/mayastor/charts/localpv-provisioner/templates/rbac.yaml index 04cd5409c..d9b894a52 100644 --- a/charts/openebs/openebs/charts/mayastor/charts/localpv-provisioner/templates/rbac.yaml +++ b/charts/openebs/openebs/charts/mayastor/charts/localpv-provisioner/templates/rbac.yaml @@ -40,6 +40,9 @@ rules: - apiGroups: ["openebs.io"] resources: [ "*"] verbs: ["*" ] +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "create", "update"] - nonResourceURLs: ["/metrics"] verbs: ["get"] --- 
diff --git a/charts/openebs/openebs/charts/mayastor/charts/localpv-provisioner/values.yaml b/charts/openebs/openebs/charts/mayastor/charts/localpv-provisioner/values.yaml index d421232ab..3ea87120b 100644 --- a/charts/openebs/openebs/charts/mayastor/charts/localpv-provisioner/values.yaml +++ b/charts/openebs/openebs/charts/mayastor/charts/localpv-provisioner/values.yaml @@ -3,7 +3,7 @@ # Declare variables to be passed into your templates. release: - version: "3.4.0" + version: "3.5.0" rbac: # rbac.create: `true` if rbac resources should be created @@ -23,7 +23,7 @@ localpv: # For example : quay.io/ is a correct value here and quay.io is incorrect registry: repository: openebs/provisioner-localpv - tag: 3.4.0 + tag: 3.5.0 pullPolicy: IfNotPresent updateStrategy: type: RollingUpdate @@ -163,7 +163,7 @@ helperPod: repository: openebs/linux-utils pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 3.4.0 + tag: 3.5.0 analytics: enabled: true diff --git a/charts/openebs/openebs/charts/mayastor/doc.yaml b/charts/openebs/openebs/charts/mayastor/doc.yaml index b161af4e8..71c47aded 100644 --- a/charts/openebs/openebs/charts/mayastor/doc.yaml +++ b/charts/openebs/openebs/charts/mayastor/doc.yaml @@ -8,7 +8,7 @@ repository: name: mayastor chart: name: mayastor - version: 2.4.0 + version: 2.5.0 values: "-- generate from values file --" valuesExample: "-- generate from values file --" prerequisites: diff --git a/charts/openebs/openebs/charts/mayastor/templates/_helpers.tpl b/charts/openebs/openebs/charts/mayastor/templates/_helpers.tpl index dad53949d..d2d71e6e2 100644 --- a/charts/openebs/openebs/charts/mayastor/templates/_helpers.tpl +++ b/charts/openebs/openebs/charts/mayastor/templates/_helpers.tpl @@ -142,8 +142,6 @@ Usage: {{- print $product.domain -}} {{- end -}} -<<<<<<< HEAD - {{/* Creates the tolerations based on the global and component wise tolerations, with early eviction Usage: 
@@ -207,3 +205,30 @@ Usage: {{- end -}} {{- end -}} {{- end -}} + +{{/* + Generate the default StorageClass parameters. + This is required because StorageClass parameters cannot be patched after creation. + If the StorageClass already exists, the default StorageClass carries the parameters and values + of that StorageClass. Else, it carries the default parameters and values. +*/}} +{{- define "storageClass.parameters" -}} + {{- $scName := index . 0 -}} + {{- $valuesParams := index . 1 -}} + + {{/* Check to see if a default StorageClass already exists */}} + {{- $sc := lookup "storage.k8s.io/v1" "StorageClass" "" $scName -}} + + {{- if $sc -}} + {{/* Existing defaults */}} + {{ range $param, $val := $sc.parameters }} +{{ $param | quote }}: {{ $val | quote }} + {{- end -}} + + {{- else -}} + {{/* Current defaults */}} + {{ range $param, $val := $valuesParams }} +{{ $param | quote }}: {{ $val | quote }} + {{- end -}} + {{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/openebs/openebs/charts/mayastor/templates/mayastor/agents/core/agent-core-deployment.yaml b/charts/openebs/openebs/charts/mayastor/templates/mayastor/agents/core/agent-core-deployment.yaml index 0dbed16f7..d023243ca 100644 --- a/charts/openebs/openebs/charts/mayastor/templates/mayastor/agents/core/agent-core-deployment.yaml +++ b/charts/openebs/openebs/charts/mayastor/templates/mayastor/agents/core/agent-core-deployment.yaml @@ -57,6 +57,8 @@ spec: - "--volume-commitment={{ .Values.agents.core.capacity.thin.volumeCommitment }}"{{ if .Values.agents.core.partialRebuildWaitPeriod }} - "--faulted-child-wait-period={{ .Values.agents.core.partialRebuildWaitPeriod }}"{{ end }}{{ if .Values.eventing.enabled }} - "--events-url=nats://{{ .Release.Name }}-nats:4222"{{ end }} + {{- if not .Values.agents.ha.enabled }} + - "--disable-ha"{{ end }} ports: - containerPort: 50051 env: 
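Review bot: The new `storageClass.parameters` helper in `_helpers.tpl` copies parameters from whatever StorageClass `lookup` finds under `$scName` without checking that the object belongs to this release, so a same-named StorageClass created by anyone with StorageClass write access silently overrides the values from `values.yaml`. The helper only receives a two-element list, so an ownership check would need the release context passed in as a further element; the callers are outside this hunk. `lookup` also returns an empty result under `helm template` and client-side dry runs, so manifests rendered there always take the values-file branch and can differ from what an install applies. I would extend the header comment with `Note: lookup is empty for helm template/--dry-run, and an existing StorageClass of this name takes precedence over values.yaml.`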
@@ -88,7 +90,8 @@ spec: - "-g=0.0.0.0:50052" - "--store=http://{{ .Release.Name }}-etcd:{{ .Values.etcd.service.port }}" - "--core-grpc=https://{{ .Release.Name }}-agent-core:50051"{{ if .Values.base.jaeger.enabled }} - - "--jaeger={{ .Values.base.jaeger.agent.name }}:{{ .Values.base.jaeger.agent.port }}"{{ end }} + - "--jaeger={{ .Values.base.jaeger.agent.name }}:{{ .Values.base.jaeger.agent.port }}"{{ end }}{{ if .Values.eventing.enabled }} + - "--events-url=nats://{{ .Release.Name }}-nats:4222"{{ end }} ports: - containerPort: 50052 env: diff --git a/charts/openebs/openebs/charts/mayastor/templates/mayastor/agents/ha/ha-node-daemonset.yaml b/charts/openebs/openebs/charts/mayastor/templates/mayastor/agents/ha/ha-node-daemonset.yaml index 3b1d550eb..04fbe7fda 100644 --- a/charts/openebs/openebs/charts/mayastor/templates/mayastor/agents/ha/ha-node-daemonset.yaml +++ b/charts/openebs/openebs/charts/mayastor/templates/mayastor/agents/ha/ha-node-daemonset.yaml @@ -74,7 +74,8 @@ spec: - "--csi-socket={{ .Values.csi.node.pluginMounthPath }}/{{ .Values.csi.node.socketPath }}" - "--grpc-endpoint=$(MY_POD_IP):50053" - "--cluster-agent=https://{{ .Release.Name }}-agent-core:50052"{{ if .Values.base.jaeger.enabled }} - - "--jaeger={{ .Values.base.jaeger.agent.name }}:{{ .Values.base.jaeger.agent.port }}"{{ end }} + - "--jaeger={{ .Values.base.jaeger.agent.name }}:{{ .Values.base.jaeger.agent.port }}"{{ end }}{{ if .Values.eventing.enabled }} + - "--events-url=nats://{{ .Release.Name }}-nats:4222"{{ end }} volumeMounts: - name: device mountPath: /dev diff --git a/charts/openebs/openebs/charts/mayastor/templates/mayastor/csi/csi-controller-deployment.yaml b/charts/openebs/openebs/charts/mayastor/templates/mayastor/csi/csi-controller-deployment.yaml index 1a664f076..c012b08e3 100644 --- a/charts/openebs/openebs/charts/mayastor/templates/mayastor/csi/csi-controller-deployment.yaml +++ b/charts/openebs/openebs/charts/mayastor/templates/mayastor/csi/csi-controller-deployment.yaml 
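Review bot: The `--events-url=nats://{{ .Release.Name }}-nats:4222` argument added to the second container in `agent-core-deployment.yaml` hard-codes a plain `nats://` scheme with no credentials, while the neighbouring `--core-grpc` and `--cluster-agent` endpoints use `https://`. Whether the NATS server enforces TLS or authentication is not visible in this diff, but with the URL fixed in the template an operator cannot point the agents at a TLS-enabled or authenticated endpoint without forking the chart. The same literal is added in `ha-node-daemonset.yaml` (next hunk) and in `io-engine-daemonset.yaml`; building it once in a named template in `_helpers.tpl` and letting a chart value override it would keep the copies consistent. Until then, a NetworkPolicy restricting which pods can reach port 4222 is a reasonable compensating control.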
@@ -49,6 +49,9 @@ spec: - "--extra-create-metadata" # This is needed for volume group feature to work - "--timeout=36s" - "--worker-threads=10" # 10 for create and 10 for delete + {{- if default .Values.csi.controller.preventVolumeModeConversion }} + - "--prevent-volume-mode-conversion" + {{- end }} env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock @@ -84,6 +87,9 @@ spec: args: - "--v=2" - "--leader-election=false" # since we are running single container + {{- if default .Values.csi.controller.preventVolumeModeConversion }} + - "--prevent-volume-mode-conversion" + {{- end }} image: "{{ .Values.csi.image.registry }}/{{ .Values.csi.image.repo }}/snapshot-controller:{{ .Values.csi.image.snapshotControllerTag }}" imagePullPolicy: {{ .Values.csi.image.pullPolicy }} - name: csi-controller diff --git a/charts/openebs/openebs/charts/mayastor/templates/mayastor/csi/csi-node-daemonset.yaml b/charts/openebs/openebs/charts/mayastor/templates/mayastor/csi/csi-node-daemonset.yaml index 71e33986d..e7fbfd86b 100644 --- a/charts/openebs/openebs/charts/mayastor/templates/mayastor/csi/csi-node-daemonset.yaml +++ b/charts/openebs/openebs/charts/mayastor/templates/mayastor/csi/csi-node-daemonset.yaml 
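Review bot: In both hunks of `csi-controller-deployment.yaml` the guard `{{- if default .Values.csi.controller.preventVolumeModeConversion }}` calls `default` with a single argument, so it supplies no fallback and simply returns the value. When the key is missing the flag is omitted and the sidecar's built-in default applies, which depends on the sidecar version. `--prevent-volume-mode-conversion` is a protective setting (it blocks changing a volume's mode when provisioning from a snapshot), so its effective state should be explicit: write the guard as `{{- if .Values.csi.controller.preventVolumeModeConversion }}` and set the default in `values.yaml`, which is not visible here. `default true …` would not be a fix, because Sprig treats `false` as empty and the flag could then never be switched off.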
@@ -78,7 +78,10 @@ spec: - "--csi-socket={{ .Values.csi.node.pluginMounthPath }}/{{ .Values.csi.node.socketPath }}" - "--node-name=$(MY_NODE_NAME)" - "--grpc-endpoint=$(MY_POD_IP):10199"{{ if .Values.csi.node.nvme.io_timeout }} - - "--nvme-core-io-timeout={{ .Values.csi.node.nvme.io_timeout }}"{{ end }}{{ if .Values.csi.node.nvme.ctrl_loss_tmo }} + - "--nvme-io-timeout={{ .Values.csi.node.nvme.io_timeout }}" + - "--nvme-core-io-timeout={{ .Values.csi.node.nvme.io_timeout }}"{{ else }} + - "--nvme-io-timeout={{ .Values.io_engine.nvme.ioTimeout }}10s" + - "--nvme-core-io-timeout={{ .Values.io_engine.nvme.ioTimeout }}10s"{{ end }}{{ if .Values.csi.node.nvme.ctrl_loss_tmo }} - "--nvme-ctrl-loss-tmo={{ .Values.csi.node.nvme.ctrl_loss_tmo }}"{{ end }}{{ if .Values.csi.node.nvme.keep_alive_tmo }} - "--nvme-keep-alive-tmo={{ .Values.csi.node.nvme.keep_alive_tmo }}"{{ end }} - "--nvme-nr-io-queues={{ include "coreCount" . }}" diff --git a/charts/openebs/openebs/charts/mayastor/templates/mayastor/io/io-engine-daemonset.yaml b/charts/openebs/openebs/charts/mayastor/templates/mayastor/io/io-engine-daemonset.yaml index e005309a2..64372d8d1 100644 --- a/charts/openebs/openebs/charts/mayastor/templates/mayastor/io/io-engine-daemonset.yaml +++ b/charts/openebs/openebs/charts/mayastor/templates/mayastor/io/io-engine-daemonset.yaml @@ -38,8 +38,8 @@ spec: {{- include "base_init_containers" . }} containers: {{- if .Values.base.metrics.enabled }} - - name: metrics-exporter-pool - image: "{{ .Values.image.registry }}/{{ .Values.image.repo }}/{{ .Chart.Name }}-metrics-exporter-pool:{{ default .Values.image.tag .Values.image.repoTags.extensions }}" + - name: metrics-exporter-io-engine + image: "{{ .Values.image.registry }}/{{ .Values.image.repo }}/{{ .Chart.Name }}-metrics-exporter-io-engine:{{ default .Values.image.tag .Values.image.repoTags.extensions }}" imagePullPolicy: {{ .Values.image.pullPolicy }} env: - name: MY_NODE_NAME 
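Review bot: The `else` branch in `csi-node-daemonset.yaml` renders `--nvme-io-timeout={{ .Values.io_engine.nvme.ioTimeout }}10s`, appending the literal `10s` to the io-engine timeout string with no explanation. If the intent is to give the initiator ten seconds more than the target, it only works when `ioTimeout` already carries a unit and the flag parser sums adjacent duration components (a constructed value `110s` would render as `110s10s`); a bare number would render as something like `11010s`. I would document the contract next to the value in `values.yaml`, e.g. `# must include a unit; csi-node appends "10s" to this value`, or reject unit-less values with `fail` in the template. The same applies to the `--nvme-core-io-timeout` line below it; the args list starts and ends outside the hunk.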
@@ -53,8 +53,6 @@ spec: args: - "-p{{ .Values.base.metrics.pollingInterval }}" - "--api-versions={{ .Values.io_engine.api }}" - command: - - metrics-exporter-pool ports: - containerPort: 9502 protocol: TCP @@ -66,10 +64,14 @@ spec: env: - name: RUST_LOG value: {{ .Values.io_engine.logLevel }} - - name: NVME_QPAIR_CONNECT_ASYNC - value: "true" - name: NVMF_TCP_MAX_QUEUE_DEPTH - value: "32" + value: "{{ .Values.io_engine.nvme.tcp.maxQueueDepth }}" + - name: NVME_TIMEOUT + value: "{{ .Values.io_engine.nvme.ioTimeout }}" + - name: NVME_TIMEOUT_ADMIN + value: "{{ .Values.io_engine.nvme.adminTimeout }}" + - name: NVME_KATO + value: "{{ .Values.io_engine.nvme.keepAliveTimeout }}" - name: MY_NODE_NAME valueFrom: fieldRef: @@ -90,15 +92,16 @@ spec: - "-g$(MY_POD_IP)" - "-N$(MY_NODE_NAME)" - "-Rhttps://{{ .Release.Name }}-agent-core:50051" - - "-y/var/local/io-engine/config.yaml" + - "-y/var/local/{{ .Release.Name }}/io-engine/config.yaml" - "-l{{ include "cpuFlag" . }}" - "-p={{ .Release.Name }}-etcd:{{ .Values.etcd.service.port }}"{{ if .Values.io_engine.target.nvmf.ptpl }} - - "--ptpl-dir=/var/local/io-engine/ptpl/"{{ end }} + - "--ptpl-dir=/var/local/{{ .Release.Name }}/io-engine/ptpl/"{{ end }} - "--api-versions={{ .Values.io_engine.api }}"{{ if .Values.io_engine.target.nvmf.iface }} - "-T={{ .Values.io_engine.target.nvmf.iface }}"{{ end }}{{ if .Values.io_engine.envcontext }} - "--env-context=--{{ .Values.io_engine.envcontext }}"{{ end }}{{ if .Values.io_engine.reactorFreezeDetection.enabled }} - "--reactor-freeze-detection"{{ end }} - - "--tgt-crdt={{ .Values.io_engine.target.nvmf.hostCmdRetryDelay.crdt1 }}" + - "--tgt-crdt={{ .Values.io_engine.target.nvmf.hostCmdRetryDelay.crdt1 }}"{{ if .Values.eventing.enabled }} + - "--events-url=nats://{{ .Release.Name }}-nats:4222"{{ end }} command: - io-engine securityContext: 
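Review bot: The config file and `--ptpl-dir` now live under `/var/local/{{ .Release.Name }}/io-engine/`, and the matching `mountPath` and `hostPath` change in the two hunks that follow, but nothing visible migrates what an existing install already wrote under `/var/local/io-engine/`. After an upgrade the io-engine would start against a fresh `DirectoryOrCreate` directory, so previously persisted config and reservation (ptpl) state would presumably no longer be read, while the old directory stays behind on the node. Either document the manual move in the upgrade notes or keep the old location readable during upgrade. Separately, the added `--events-url=nats://…:4222` argument would benefit from a comment stating whether that channel is expected to be authenticated or restricted by NetworkPolicy.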
@@ -111,7 +114,7 @@ spec: - name: dshm mountPath: /dev/shm - name: configlocation - mountPath: /var/local/io-engine/ + mountPath: /var/local/{{ .Release.Name }}/io-engine/ - name: hugepage mountPath: /dev/hugepages resources: @@ -145,5 +148,5 @@ spec: medium: HugePages - name: configlocation hostPath: - path: /var/local/io-engine/ + path: /var/local/{{ .Release.Name }}/io-engine/ type: DirectoryOrCreate diff --git a/charts/openebs/openebs/charts/mayastor/templates/mayastor/metrics/metrics-exporter-pool-service.yaml b/charts/openebs/openebs/charts/mayastor/templates/mayastor/metrics/metrics-exporter-io-engine-service.yaml similarity index 82% rename from charts/openebs/openebs/charts/mayastor/templates/mayastor/metrics/metrics-exporter-pool-service.yaml rename to charts/openebs/openebs/charts/mayastor/templates/mayastor/metrics/metrics-exporter-io-engine-service.yaml index cc0024830..286a7089c 100644 --- a/charts/openebs/openebs/charts/mayastor/templates/mayastor/metrics/metrics-exporter-pool-service.yaml +++ b/charts/openebs/openebs/charts/mayastor/templates/mayastor/metrics/metrics-exporter-io-engine-service.yaml @@ -2,9 +2,9 @@ apiVersion: v1 kind: Service metadata: - name: {{ .Release.Name }}-metrics-exporter-pool + name: {{ .Release.Name }}-metrics-exporter-io-engine labels: - app: metrics-exporter-pool + app: metrics-exporter-io-engine {{ include "label_prefix" . }}/release: {{ .Release.Name }} {{ include "label_prefix" . }}/version: {{ .Chart.Version }} spec: diff --git a/charts/openebs/openebs/charts/mayastor/templates/mayastor/rbac/rbac.yaml b/charts/openebs/openebs/charts/mayastor/templates/mayastor/rbac/rbac.yaml index 7cbd98bb5..c3af246a9 100644 --- a/charts/openebs/openebs/charts/mayastor/templates/mayastor/rbac/rbac.yaml +++ b/charts/openebs/openebs/charts/mayastor/templates/mayastor/rbac/rbac.yaml 
@@ -51,7 +51,7 @@ rules: verbs: ["get", "list", "watch", "update", "create", "delete", "patch"] - apiGroups: [""] resources: ["nodes"] - verbs: ["get", "list", "watch"] + verbs: ["get", "list", "watch", "patch"] # external provisioner - apiGroups: [""] diff --git a/charts/openebs/openebs/charts/mayastor/templates/storageclass.yaml b/charts/openebs/openebs/charts/mayastor/templates/storageclass.yaml index 398f80adc..b5ac6c225 100644 --- a/charts/openebs/openebs/charts/mayastor/templates/storageclass.yaml +++ b/charts/openebs/openebs/charts/mayastor/templates/storageclass.yaml @@ -1,9 +1,21 @@ +{{ if .Values.storageClass.enabled }} +{{- $scName := (printf "%s-%s" .Release.Name .Values.storageClass.nameSuffix | trunc 63) }} kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: - name: {{ .Release.Name }}-single-replica + name: {{ $scName }} + {{- if .Values.storageClass.default }} + annotations: + storageclass.kubernetes.io/is-default-class: "true" + {{- end }} parameters: - repl: '1' - protocol: 'nvmf' - ioTimeout: '60' +{{/* + Set StorageClass parameters by adding to the values.yaml 'storageClass.parameters' map. + Don't add the parameters to this template directly. + This is done so that during an upgrade, an existing default StorageClass's config can + be given preference over this chart's defaults. +*/}} +{{ $valuesParams := .Values.storageClass.parameters }} +{{ (include "storageClass.parameters" (list $scName $valuesParams)) | indent 2 }} provisioner: io.openebs.csi-mayastor +{{ end }} \ No newline at end of file diff --git a/charts/openebs/openebs/charts/mayastor/values.yaml b/charts/openebs/openebs/charts/mayastor/values.yaml index 6ff190fa2..fde295de6 100644 --- a/charts/openebs/openebs/charts/mayastor/values.yaml +++ b/charts/openebs/openebs/charts/mayastor/values.yaml 
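Review bot: Adding `patch` on `nodes` widens this rule from read-only to write access on every Node object, and RBAC cannot narrow that to particular fields, so the bound service account could change labels, annotations or taints cluster-wide. The hunk gives no reason for the new verb. Please add a comment naming the consumer, e.g. `# patch: required by <component> to <operation> on nodes`, and confirm no narrower mechanism would do. The rules list starts and ends outside the hunk.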
@@ -4,7 +4,7 @@ image: # -- Image registry's namespace repo: openebs # -- Release tag for our images - tag: v2.4.0 + tag: v2.5.0 repoTags: # Note: Below image tag configuration is optional and typically should never be # used. Setting specific image tags for the different repositories proves useful @@ -269,11 +269,11 @@ csi: # -- csi-attacher image release tag attacherTag: v4.3.0 # -- csi-snapshotter image release tag - snapshotterTag: v6.2.1 + snapshotterTag: v6.3.1 # -- csi-snapshot-controller image release tag - snapshotControllerTag: v6.2.1 + snapshotControllerTag: v6.3.1 # -- csi-node-driver-registrar image release tag - registrarTag: v2.8.0 + registrarTag: v2.9.0 controller: # -- Log level for the csi controller @@ -293,6 +293,8 @@ csi: tolerations: [] # -- Set PriorityClass, overrides global priorityClassName: "" + # -- Prevent modifying the volume mode when creating a PVC from an existing VolumeSnapshot + preventVolumeModeConversion: true node: logLevel: info topology: @@ -312,8 +314,10 @@ csi: # -- Memory requests for csi node plugin memory: "64Mi" nvme: - # -- The nvme_core module io timeout in seconds - io_timeout: "30" + # The nvme_core module and nvme block io timeout in humantime + # By default it uses the "io_engine.nvme.ioTimeout" + 10s + # Do not modify this unless you're really sure about its effects + io_timeout: "" # -- The ctrl_loss_tmo (controller loss timeout) in seconds ctrl_loss_tmo: "1980" # Kato (keep alive timeout) in seconds 
@@ -339,8 +343,24 @@ io_engine: ptpl: true # NVMF target Command Retry Delay for volume target initiators hostCmdRetryDelay: - # A command retry delay in seconds. A value of 0 means no delay, host may retry immediately + # A command retry delay in milliseconds. A value of 0 means no delay, host may retry immediately crdt1: 30 + nvme: + # -- Timeout for IOs + # The default here is exaggerated for local disks but we've observed that in + # shared virtual environments having a higher timeout value is beneficial. + # In certain cases, you may have to set this to an even higher value. For example, + # in Hetzner we've had better results setting it to 300s. + # Please adjust this according to your hardware and needs. + ioTimeout: "110s" + # Timeout for admin commands + adminTimeout: "30s" + # Timeout for keep alives + keepAliveTimeout: "10s" + tcp: + # -- Max size setting (both initiator and target) for an NVMe queue + # -- You may need to increase this for a higher outstanding IOs per volume + maxQueueDepth: "32" # -- Pass additional arguments to the Environment Abstraction Layer. # Example: --set {product}.envcontext=iova-mode=pa @@ -384,7 +404,7 @@ etcd: # Name of etcd's localpv hostpath storage class. name: "mayastor-etcd-localpv" # -- Host path where local etcd data is stored in. - basePath: "/var/local/localpv-hostpath/{{ .Release.Name }}/etcd" + basePath: "/var/local/{{ .Release.Name }}/localpv-hostpath/etcd" # -- ReclaimPolicy of etcd's localpv hostpath storage class. reclaimPolicy: Delete # -- VolumeBindingMode of etcd's localpv hostpath storage class. 
@@ -484,7 +504,7 @@ loki-stack: # Name of loki's localpv hostpath storage class. name: "mayastor-loki-localpv" # -- Host path where local etcd data is stored in. - basePath: "/var/local/localpv-hostpath/{{ .Release.Name }}/loki" + basePath: "/var/local/{{ .Release.Name }}/localpv-hostpath/loki" # -- ReclaimPolicy of loki's localpv hostpath storage class. reclaimPolicy: Delete # -- VolumeBindingMode of loki's localpv hostpath storage class. @@ -584,6 +604,15 @@ loki-stack: - job_name: {{ .Release.Name }}-pods-name pipeline_stages: - docker: {} + - replace: + expression: '(\n)' + replace: '' + - multiline: + firstline: '^ \x1b\[2m(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2}).(\d{6})Z' + max_wait_time: 3s + - multiline: + firstline: '^ (\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2}).(\d{6})Z' + max_wait_time: 3s kubernetes_sd_configs: - role: pod relabel_configs: @@ -694,6 +723,14 @@ obs: # NodePort associated with https port https: 90010 +storageClass: + enabled: true + nameSuffix: single-replica + default: false + parameters: + protocol: nvmf + repl: 1 + localpv-provisioner: # -- Enables the openebs dynamic-localpv provisioner. If disabled, modify etcd and loki-stack storage class accordingly. enabled: true diff --git a/charts/openebs/openebs/charts/nfs-provisioner/Chart.yaml b/charts/openebs/openebs/charts/nfs-provisioner/Chart.yaml index a0ffe88a9..63efec96a 100644 --- a/charts/openebs/openebs/charts/nfs-provisioner/Chart.yaml +++ b/charts/openebs/openebs/charts/nfs-provisioner/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 0.10.0 +appVersion: 0.11.0 description: Helm chart for OpenEBS Dynamic NFS PV. For instructions to install OpenEBS Dynamic NFS PV using helm chart, refer to https://openebs.github.io/dynamic-nfs-provisioner. home: http://www.openebs.io/ @@ -22,4 +22,4 @@ name: nfs-provisioner sources: - https://github.com/openebs/dynamic-nfs-provisioner type: application -version: 0.10.0 +version: 0.11.0 
diff --git a/charts/openebs/openebs/charts/nfs-provisioner/README.md b/charts/openebs/openebs/charts/nfs-provisioner/README.md index 6ef311704..7d11c515c 100644 --- a/charts/openebs/openebs/charts/nfs-provisioner/README.md +++ b/charts/openebs/openebs/charts/nfs-provisioner/README.md @@ -117,13 +117,13 @@ helm install openebs-nfs openebs-nfs/nfs-provisioner --namespace openebs --creat | `nfsProvisioner.healthCheck.periodSeconds` | How often to perform the liveness probe | `60` | | `nfsProvisioner.image.registry` | Registry for NFS Provisioner image | `""` | | `nfsProvisioner.image.repository` | Image repository for NFS Provisioner | `openebs/provisioner-nfs` | -| `nfsProvisioner.image.tag` | Image tag for NFS Provisioner | `0.10.0` | +| `nfsProvisioner.image.tag` | Image tag for NFS Provisioner | `0.11.0` | | `nfsProvisioner.image.pullPolicy` | Image pull policy for NFS Provisioner image | `IfNotPresent` | | `nfsProvisioner.annotations` | Annotations for NFS Provisioner metadata | `""` | | `nfsProvisioner.nodeSelector` | Nodeselector for NFS Provisioner pod | `""` | | `nfsProvisioner.nfsServerAlpineImage.registry` | Registry for nfs-server-alpine | `""` | | `nfsProvisioner.nfsServerAlpineImage.repository` | Image repository for nfs-server-alpine | `openebs/nfs-server-alpine` | -| `nfsProvisioner.nfsServerAlpineImage.tag` | Image tag for nfs-server-alpine | `0.10.0` | +| `nfsProvisioner.nfsServerAlpineImage.tag` | Image tag for nfs-server-alpine | `0.11.0` | | `nfsProvisioner.resources` | Resource request and limit for the container | `true` | | `nfsProvisioner.securityContext` | Security context for container | `""` | | `nfsProvisioner.tolerations` | NFS Provisioner pod toleration values | `""` | 
@@ -131,7 +131,9 @@ helm install openebs-nfs openebs-nfs/nfs-provisioner --namespace openebs --creat | `nfsProvisioner.nfsServerNodeAffinity` | NFS Server node affinity rules | `""` | | `nfsProvisioner.nfsBackendPvcTimeout` | Timeout for backend PVC binding in seconds | `"60"` | | `nfsProvisioner.nfsHookConfigMap` | Existing Configmap name to load hook configuration | `""` | +| `nfsProvisioner.enableGarbageCollection` | Enable garbage collection for the backend PVC | `true` | | `nfsStorageClass.backendStorageClass` | StorageClass to be used to provision the backend volume. If not specified, the default StorageClass is used. | `""` | +| `nfsStorageClass.mountOptions` | NFS mount options to be passed on to storageclass | `[]` | `nfsStorageClass.isDefaultClass` | Make 'openebs-kernel-nfs' the default StorageClass | `"false"` | | `nfsStorageClass.reclaimPolicy` | ReclaimPolicy for NFS PVs | `"Delete"` | | `nfsStorageClass.leaseTime` | Renewal period(in seconds) for NFS client state | `90` | diff --git a/charts/openebs/openebs/charts/nfs-provisioner/templates/deployment.yaml b/charts/openebs/openebs/charts/nfs-provisioner/templates/deployment.yaml index c2a00a155..2d02f7392 100644 --- a/charts/openebs/openebs/charts/nfs-provisioner/templates/deployment.yaml +++ b/charts/openebs/openebs/charts/nfs-provisioner/templates/deployment.yaml 
@@ -103,7 +103,13 @@ spec: - name: OPENEBS_IO_NFS_SERVER_NODE_AFFINITY value: "{{ .Values.nfsProvisioner.nfsServerNodeAffinity }}" {{- end }} - {{- if .Values.nfsProvisioner.nfsBackendPvcTimeout }} + # Provide a switch to turn off the function of clearing stale pvc to avoid + # garbage collecting an NFS backend PVC if the NFS PVC is deleted. + {{- if .Values.nfsProvisioner.enableGarbageCollection }} + - name: OPENEBS_IO_NFS_SERVER_GARBAGE_COLLECTION_ENABLED + value: {{ quote .Values.nfsProvisioner.enableGarbageCollection }} + {{- end }} + {{- if .Values.nfsProvisioner.nfsBackendPvcTimeout }} - name: OPENEBS_IO_NFS_SERVER_BACKEND_PVC_TIMEOUT value: "{{ .Values.nfsProvisioner.nfsBackendPvcTimeout }}" {{- end }} diff --git a/charts/openebs/openebs/charts/nfs-provisioner/templates/kernel-nfs-storageclass.yaml b/charts/openebs/openebs/charts/nfs-provisioner/templates/kernel-nfs-storageclass.yaml index da77f5256..1d76141f1 100644 --- a/charts/openebs/openebs/charts/nfs-provisioner/templates/kernel-nfs-storageclass.yaml +++ b/charts/openebs/openebs/charts/nfs-provisioner/templates/kernel-nfs-storageclass.yaml @@ -1,5 +1,6 @@ --- # Storage classes for OpenEBS NFS Dynamic PV +{{- if .Values.nfsStorageClass.enabled }} apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: @@ -55,3 +56,10 @@ metadata: {{- end }} provisioner: openebs.io/nfsrwx reclaimPolicy: {{ .Values.nfsStorageClass.reclaimPolicy }} +{{- if .Values.nfsStorageClass.mountOptions }} +mountOptions: + {{- range .Values.nfsStorageClass.mountOptions }} + - {{ . }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/openebs/openebs/charts/nfs-provisioner/values.yaml b/charts/openebs/openebs/charts/nfs-provisioner/values.yaml index 7d1f226a1..bcd1846bd 100644 --- a/charts/openebs/openebs/charts/nfs-provisioner/values.yaml +++ b/charts/openebs/openebs/charts/nfs-provisioner/values.yaml 
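Review bot: The `if .Values.nfsProvisioner.enableGarbageCollection` guard renders `OPENEBS_IO_NFS_SERVER_GARBAGE_COLLECTION_ENABLED` only when the value is true, so setting it to `false` omits the variable instead of passing "false". If the provisioner treats a missing variable as enabled (not visible here), the switch described in the comment cannot actually turn garbage collection off, and backend PVCs could still be removed. Render the variable unconditionally, or guard on presence: `{{- if hasKey .Values.nfsProvisioner "enableGarbageCollection" }}`. The env list continues outside the hunk.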
@@ -40,6 +40,9 @@ nfsProvisioner: tag: pullPolicy: IfNotPresent enableLeaderElection: "true" + # Provide a switch to turn off the function of clearing stale pvc to avoid + # garbage collecting an NFS backend PVC if the NFS PVC is deleted. + enableGarbageCollection: true # Specify image name of nfs-server-alpine used for creating nfs server deployment # If not mentioned, default value openebs/nfs-server-alpine:tag will be used where # the tag will be the same as a provisioner-nfs image tag @@ -89,10 +92,15 @@ nfsProvisioner: nfsStorageClass: name: openebs-kernel-nfs + # If true, enables creation of the openebs-kernel-nfs StorageClass + enabled: true reclaimPolicy: Delete nfsServerType: kernel isDefaultClass: false backendStorageClass: "" + # NFS Mount Options to be applied to the storage class. + # For more information: https://linux.die.net/man/5/nfs + mountOptions: [] # The customServerConfig key passes a custom /etc/exports configuration to # the NFS servers created using this StorageClass. # The configuration settings are not validated, and can lead to security @@ -108,7 +116,7 @@ nfsStorageClass: # for the NFS server's shared filesystem volume. # File permission changes are applied recursively if the root of the # volume's filesystem does not match the specified value. - # For more information: https://github.com/openebs/dynamic-nfs-provisioner/blob/develop/docs/tutorial/file-permissions.md + # For more info: https://github.com/openebs/dynamic-nfs-provisioner/blob/develop/docs/tutorial/file-permissions.md filePermissions: {} # The UID value is used to set the user-owner of NFS shared directory. Only valid # UIDs are accepted. diff --git a/charts/openebs/openebs/charts/zfs-localpv/Chart.yaml b/charts/openebs/openebs/charts/zfs-localpv/Chart.yaml index c3e843d25..b6252d1b3 100644 --- a/charts/openebs/openebs/charts/zfs-localpv/Chart.yaml +++ b/charts/openebs/openebs/charts/zfs-localpv/Chart.yaml 
@@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 2.3.0 +appVersion: 2.4.0 description: Helm chart for CSI Driver for dynamic provisioning of ZFS Persistent Local Volumes. For instructions on how to use this helm chart, see - https://openebs.github.io/zfs-localpv/ home: https://openebs.io/ @@ -21,4 +21,4 @@ maintainers: name: zfs-localpv sources: - https://github.com/openebs/zfs-localpv -version: 2.3.1 +version: 2.4.0 diff --git a/charts/openebs/openebs/charts/zfs-localpv/README.md b/charts/openebs/openebs/charts/zfs-localpv/README.md index d30f55026..038ab71b2 100644 --- a/charts/openebs/openebs/charts/zfs-localpv/README.md +++ b/charts/openebs/openebs/charts/zfs-localpv/README.md @@ -86,6 +86,7 @@ The following table lists the configurable parameters of the OpenEBS ZFS Localpv | `zfsNode.driverRegistrar.image.tag`| Image tag for csi-node-driver-registrar| `v2.8.0`| | `zfsNode.updateStrategy.type`| Update strategy for zfsnode daemonset | `RollingUpdate` | | `zfsNode.kubeletDir`| Kubelet mount point for zfsnode daemonset| `"/var/lib/kubelet/"` | +| `zfsNode.encrKeysDir` | Zfs encryption key directory| `"/home/keys"` | | `zfsNode.annotations` | Annotations for zfsnode daemonset metadata| `""`| | `zfsNode.podAnnotations`| Annotations for zfsnode daemonset's pods metadata | `""`| | `zfsNode.resources`| Resource and request and limit for zfsnode daemonset containers | `""`| diff --git a/charts/openebs/openebs/charts/zfs-localpv/crds/zfsnode.yaml b/charts/openebs/openebs/charts/zfs-localpv/crds/zfsnode.yaml index db0540d4b..065827955 100644 --- a/charts/openebs/openebs/charts/zfs-localpv/crds/zfsnode.yaml +++ b/charts/openebs/openebs/charts/zfs-localpv/crds/zfsnode.yaml 
@@ -60,6 +60,13 @@ spec: description: Free specifies the available capacity of zfs pool. pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true + used: + anyOf: + - type: integer + - type: string + description: Used specifies the used capacity of zfs pool. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true name: description: Name of the zfs pool. minLength: 1 @@ -70,6 +77,7 @@ spec: type: string required: - free + - used - name - uuid type: object diff --git a/charts/openebs/openebs/charts/zfs-localpv/crds/volumesnapshotclasses.yaml b/charts/openebs/openebs/charts/zfs-localpv/templates/volumesnapshotclasses.yaml similarity index 98% rename from charts/openebs/openebs/charts/zfs-localpv/crds/volumesnapshotclasses.yaml rename to charts/openebs/openebs/charts/zfs-localpv/templates/volumesnapshotclasses.yaml index 3500b8bb4..dd6d0c5f7 100644 --- a/charts/openebs/openebs/charts/zfs-localpv/crds/volumesnapshotclasses.yaml +++ b/charts/openebs/openebs/charts/zfs-localpv/templates/volumesnapshotclasses.yaml @@ -1,3 +1,4 @@ +{{- if .Values.crd.volumeSnapshot }} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -131,4 +132,5 @@ status: kind: "" plural: "" conditions: [] - storedVersions: [] \ No newline at end of file + storedVersions: [] +{{- end }} \ No newline at end of file diff --git a/charts/openebs/openebs/charts/zfs-localpv/crds/volumesnapshotcontents.yaml b/charts/openebs/openebs/charts/zfs-localpv/templates/volumesnapshotcontents.yaml similarity index 99% rename from charts/openebs/openebs/charts/zfs-localpv/crds/volumesnapshotcontents.yaml rename to charts/openebs/openebs/charts/zfs-localpv/templates/volumesnapshotcontents.yaml index f69459064..b6d587fea 100644 
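Review bot: Moving the VolumeSnapshot CRDs from `crds/` to `templates/` (this file and the two renames that follow) makes them ordinary release resources, so `helm uninstall`, or an upgrade with `crd.volumeSnapshot` set to false, would delete the CRDs and with them every VolumeSnapshot object in the cluster, including those of other CSI drivers. Unless the CRD metadata outside these hunks already carries it, add `helm.sh/resource-policy: keep` under `metadata.annotations`. Clusters where these CRDs were installed earlier from `crds/` may also hit an ownership conflict on upgrade, since the existing objects lack the Helm release labels; that deserves a line in the upgrade notes.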
--- a/charts/openebs/openebs/charts/zfs-localpv/crds/volumesnapshotcontents.yaml +++ b/charts/openebs/openebs/charts/zfs-localpv/templates/volumesnapshotcontents.yaml @@ -1,3 +1,4 @@ +{{- if .Values.crd.volumeSnapshot }} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -398,4 +399,5 @@ status: kind: "" plural: "" conditions: [] - storedVersions: [] \ No newline at end of file + storedVersions: [] +{{- end }} \ No newline at end of file diff --git a/charts/openebs/openebs/charts/zfs-localpv/crds/volumesnapshots.yaml b/charts/openebs/openebs/charts/zfs-localpv/templates/volumesnapshots.yaml similarity index 99% rename from charts/openebs/openebs/charts/zfs-localpv/crds/volumesnapshots.yaml rename to charts/openebs/openebs/charts/zfs-localpv/templates/volumesnapshots.yaml index bf534c4bd..ac8ce780f 100644 --- a/charts/openebs/openebs/charts/zfs-localpv/crds/volumesnapshots.yaml +++ b/charts/openebs/openebs/charts/zfs-localpv/templates/volumesnapshots.yaml @@ -1,3 +1,4 @@ +{{- if .Values.crd.volumeSnapshot }} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -309,4 +310,5 @@ status: kind: "" plural: "" conditions: [] - storedVersions: [] \ No newline at end of file + storedVersions: [] +{{- end }} \ No newline at end of file diff --git a/charts/openebs/openebs/charts/zfs-localpv/templates/zfs-node.yaml b/charts/openebs/openebs/charts/zfs-localpv/templates/zfs-node.yaml index 58762c8b7..74859dd7a 100644 --- a/charts/openebs/openebs/charts/zfs-localpv/templates/zfs-node.yaml +++ b/charts/openebs/openebs/charts/zfs-localpv/templates/zfs-node.yaml @@ -118,7 +118,7 @@ spec: type: Directory - name: encr-keys hostPath: - path: /home/keys + path: {{ .Values.zfsNode.encrKeysDir }} type: DirectoryOrCreate - name: chroot-zfs configMap: diff --git a/charts/openebs/openebs/charts/zfs-localpv/values.yaml b/charts/openebs/openebs/charts/zfs-localpv/values.yaml index ae0e21dfe..e57bfcfba 100644 
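Review bot: `path: {{ .Values.zfsNode.encrKeysDir }}` is rendered unquoted and without a fallback, so an upgrade that reuses old values (key absent) or an empty override yields an empty `hostPath.path` for the `encr-keys` volume. Suggest `path: {{ .Values.zfsNode.encrKeysDir | default "/home/keys" | quote }}`. Because the volume is `DirectoryOrCreate`, the README row should also say the directory is created on the host when missing and that restricting its permissions is left to the operator. The volumes list starts and ends outside the hunk.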
--- a/charts/openebs/openebs/charts/zfs-localpv/values.yaml +++ b/charts/openebs/openebs/charts/zfs-localpv/values.yaml @@ -2,7 +2,7 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. release: - version: "2.3.1" + version: "2.4.0" imagePullSecrets: # - name: "image-pull-secret" @@ -38,6 +38,7 @@ zfsNode: # This can be configured to run on various different k8s distributions like # microk8s where kubelet dir is different kubeletDir: "/var/lib/kubelet/" + encrKeysDir: "/home/keys" # limits: # cpu: 10m # memory: 32Mi @@ -143,13 +144,15 @@ zfsPlugin: repository: openebs/zfs-driver pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 2.3.0 + tag: 2.4.0 role: openebs-zfs crd: enableInstall: true - + # Specify installation of the kubernetes-csi volume snapshot CRDs if your Kubernetes distribution + # or another storage operator already manages them. + volumeSnapshot: true serviceAccount: zfsController: # Specifies whether a service account should be created diff --git a/charts/openebs/openebs/templates/clusterrole.yaml b/charts/openebs/openebs/templates/clusterrole.yaml index 3a8d3ced8..73e260011 100644 --- a/charts/openebs/openebs/templates/clusterrole.yaml +++ b/charts/openebs/openebs/templates/clusterrole.yaml @@ -45,6 +45,9 @@ rules: - apiGroups: ["admissionregistration.k8s.io"] resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] verbs: ["get", "create", "list", "delete", "update", "patch"] +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "create", "update"] - nonResourceURLs: ["/metrics"] verbs: ["get"] {{- end }} diff --git a/charts/openebs/openebs/values.yaml b/charts/openebs/openebs/values.yaml index a5afbf887..8229dc44e 100644 --- a/charts/openebs/openebs/values.yaml +++ b/charts/openebs/openebs/values.yaml 
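Review bot: The new comment on `crd.volumeSnapshot` reads as if the value should be set when the CRDs are already managed elsewhere, which is the opposite of what the `{{- if .Values.crd.volumeSnapshot }}` guards do. Suggested wording: `# Install the kubernetes-csi volume snapshot CRDs. Set to false if your Kubernetes distribution or another storage operator already manages them.`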
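Review bot: The new `coordination.k8s.io` `leases` rule sits in a ClusterRole, so if it is bound with a ClusterRoleBinding (the binding is not visible here) the account may create and update leases in every namespace, including those other components rely on for leader election and node heartbeats. Leader election normally needs leases only in the release namespace. Consider moving the rule to a namespaced Role, and add a comment naming the consumer: `# leases: leader election for <component>`. The rules list starts outside the hunk.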
@@ -18,7 +18,7 @@ imagePullSecrets: [] release: # "openebs.io/version" label for control plane components - version: "3.9.0" + version: "3.10.0" # Legacy components will be installed if it is enabled. # Legacy components are - admission-server, maya api-server, snapshot-operator @@ -95,7 +95,7 @@ provisioner: localprovisioner: enabled: true image: "openebs/provisioner-localpv" - imageTag: "3.4.0" + imageTag: "3.5.0" replicas: 1 enableLeaderElection: true # These fields are deprecated. Please use the fields (see below) @@ -356,7 +356,7 @@ webhook: # then put this configuration under `localpv-provisioner` and `openebs-ndm` key. helper: image: "openebs/linux-utils" - imageTag: "3.4.0" + imageTag: "3.5.0" # These are ndm related configuration. If you want to enable openebs as a dependency # chart then set `ndm.enabled: false`, `ndmOperator.enabled: false` and enable it as @@ -404,7 +404,7 @@ mayastor: # Sample configuration, if you want to configure mayastor with custom values. # This is a small part of the full configuration. Full configuration available - # here - https://github.com/openebs/mayastor-extensions/blob/v2.4.0/chart/values.yaml + # here - https://github.com/openebs/mayastor-extensions/blob/v2.5.0/chart/values.yaml image: # -- Image registry to pull Mayastor product images @@ -412,7 +412,7 @@ mayastor: # -- Image registry's namespace repo: openebs # -- Release tag for Mayastor images - tag: v2.4.0 + tag: v2.5.0 # -- ImagePullPolicy for Mayastor images pullPolicy: IfNotPresent @@ -502,11 +502,11 @@ mayastor: # # -- csi-attacher image release tag # attacherTag: v4.3.0 # # -- csi-snapshotter image release tag - # snapshotterTag: v6.2.1 + # snapshotterTag: v6.3.1 # # -- csi-snapshot-controller image release tag - # snapshotControllerTag: v6.2.1 + # snapshotControllerTag: v6.3.1 # # -- csi-node-driver-registrar image release tag - # registrarTag: v2.8.0 + # registrarTag: v2.9.0 # controller: # # -- Log level for the csi controller 
@@ -526,6 +526,8 @@ mayastor: # tolerations: [] # # -- Set PriorityClass, overrides global # priorityClassName: "" + # # -- Prevent modifying the volume mode when creating a PVC from an existing VolumeSnapshot + # preventVolumeModeConversion: true # node: # logLevel: info # topology: @@ -545,8 +547,10 @@ mayastor: # # -- Memory requests for csi node plugin # memory: "64Mi" # nvme: - # # -- The nvme_core module io timeout in seconds - # io_timeout: "30" + # # The nvme_core module and nvme block io timeout in humantime + # # By default it uses the "io_engine.nvme.ioTimeout" + 10s + # # Do not modify this unless you're really sure about its effects + # io_timeout: "" # # -- The ctrl_loss_tmo (controller loss timeout) in seconds # ctrl_loss_tmo: "1980" # # Kato (keep alive timeout) in seconds @@ -593,6 +597,23 @@ mayastor: # size: 2Gi # podAntiAffinityPreset: "hard" + # nvme: + # # -- Timeout for IOs + # # The default here is exaggerated for local disks but we've observed that in + # # shared virtual environments having a higher timeout value is beneficial. + # # In certain cases, you may have to set this to an even higher value. For example, + # # in Hetzner we've had better results setting it to 300s. + # # Please adjust this according to your hardware and needs. + # ioTimeout: "110s" + # # Timeout for admin commands + # adminTimeout: "30s" + # # Timeout for keep alives + # keepAliveTimeout: "10s" + # tcp: + # # -- Max size setting (both initiator and target) for an NVMe queue + # # -- You may need to increase this for a higher outstanding IOs per volume + # maxQueueDepth: "32" + # loki-stack: # # -- Enable loki log collection for Mayastor components # enabled: true 
@@ -663,17 +684,17 @@ jiva: # image: # registry: quay.io/ # repository: openebs/jiva -# tag: 3.5.0 +# tag: 3.6.0 # replica: # image: # registry: quay.io/ # repository: openebs/jiva -# tag: 3.5.0 +# tag: 3.6.0 # image: # registry: quay.io/ # repository: openebs/jiva-operator # pullPolicy: IfNotPresent -# tag: 3.5.0 +# tag: 3.6.0 # # jivaCSIPlugin: # remount: "true" @@ -681,7 +702,7 @@ jiva: # registry: quay.io/ # repository: openebs/jiva-csi # pullPolicy: IfNotPresent -# tag: 3.5.0 +# tag: 3.6.0 cstor: @@ -732,51 +753,51 @@ cstor: # image: # registry: quay.io/ # repository: openebs/cstor-pool-manager -# tag: 3.5.0 +# tag: 3.6.0 # cstorPool: # image: # registry: quay.io/ # repository: openebs/cstor-pool -# tag: 3.5.0 +# tag: 3.6.0 # cstorPoolExporter: # image: # registry: quay.io/ # repository: openebs/m-exporter -# tag: 3.5.0 +# tag: 3.6.0 # image: # registry: quay.io/ # repository: openebs/cspc-operator # pullPolicy: IfNotPresent -# tag: 3.5.0 +# tag: 3.6.0 # # cvcOperator: # target: # image: # registry: quay.io/ # repository: openebs/cstor-istgt -# tag: 3.5.0 +# tag: 3.6.0 # volumeMgmt: # image: # registry: quay.io/ # repository: openebs/cstor-volume-manager -# tag: 3.5.0 +# tag: 3.6.0 # volumeExporter: # image: # registry: quay.io/ # repository: openebs/m-exporter -# tag: 3.5.0 +# tag: 3.6.0 # image: # registry: quay.io/ # repository: openebs/cvc-operator # pullPolicy: IfNotPresent -# tag: 3.5.0 +# tag: 3.6.0 # # cstorCSIPlugin: # image: # registry: quay.io/ # repository: openebs/cstor-csi-driver # pullPolicy: IfNotPresent -# tag: 3.5.0 +# tag: 3.6.0 # # admissionServer: # componentName: cstor-admission-webhook @@ -784,7 +805,7 @@ cstor: # registry: quay.io/ # repository: openebs/cstor-webhook # pullPolicy: IfNotPresent -# tag: 3.5.0 +# tag: 3.6.0 # ndm configuration goes here # https://openebs.github.io/node-disk-manager 
@@ -832,7 +853,7 @@ openebs-ndm: # registry: quay.io/ # repository: openebs/linux-utils # pullPolicy: IfNotPresent -# tag: 3.4.0 +# tag: 3.5.0 # # featureGates: # enabled: true @@ -885,7 +906,7 @@ localpv-provisioner: # image: # registry: quay.io/ # repository: openebs/provisioner-localpv -# tag: 3.4.0 +# tag: 3.5.0 # pullPolicy: IfNotPresent # healthCheck: # initialDelaySeconds: 30 @@ -899,7 +920,7 @@ localpv-provisioner: # registry: quay.io/ # repository: openebs/linux-utils # pullPolicy: IfNotPresent -# tag: 3.4.0 +# tag: 3.5.0 # zfs local pv configuration goes here # ref - https://openebs.github.io/zfs-localpv @@ -920,7 +941,7 @@ zfs-localpv: # registry: quay.io/ # repository: openebs/zfs-driver # pullPolicy: IfNotPresent -# tag: 2.3.0 +# tag: 2.4.0 # lvm local pv configuration goes here # ref - https://openebs.github.io/lvm-localpv @@ -941,7 +962,7 @@ lvm-localpv: # registry: quay.io/ # repository: openebs/lvm-driver # pullPolicy: IfNotPresent -# tag: 1.3.0 +# tag: 1.4.0 # openebs nfs provisioner configuration goes here # ref - https://openebs.github.io/dynamic-nfs-provisioner @@ -961,13 +982,13 @@ nfs-provisioner: # image: # registry: # repository: openebs/provisioner-nfs -# tag: 0.10.0 +# tag: 0.11.0 # pullPolicy: IfNotPresent # enableLeaderElection: "true" # nfsServerAlpineImage: # registry: # repository: openebs/nfs-server-alpine -# tag: 0.10.0 +# tag: 0.11.0 cleanup: image: diff --git a/charts/percona/psmdb-db/Chart.yaml b/charts/percona/psmdb-db/Chart.yaml index 4e9377ad0..3ceb9823a 100644 --- a/charts/percona/psmdb-db/Chart.yaml +++ b/charts/percona/psmdb-db/Chart.yaml @@ -15,4 +15,4 @@ maintainers: - email: natalia.marukovich@percona.com name: nmarukovich name: psmdb-db -version: 1.15.0 +version: 1.15.1 diff --git a/charts/percona/psmdb-db/README.md b/charts/percona/psmdb-db/README.md index 1c6755001..129dde515 100644 --- a/charts/percona/psmdb-db/README.md +++ b/charts/percona/psmdb-db/README.md 
@@ -24,208 +24,208 @@ helm install my-db percona/psmdb-db --version 1.15.0 --namespace my-namespace The chart can be customized using the following configurable parameters: -| Parameter | Description | Default | -| ------------------------------- | ------------------------------------------------------------------------------| ------------------------------------------| -| `crVersion` | CR Cluster Manifest version | `1.15.0` | -| `pause` | Stop PSMDB Database safely | `false` | -| `unmanaged` | Start cluster and don't manage it (cross cluster replication) | `false` | -| `allowUnsafeConfigurations` | Allows forbidden configurations like even number of PSMDB cluster pods | `false` | -| `clusterServiceDNSSuffix` | The (non-standard) cluster domain to be used as a suffix of the Service name | `""` | -| `clusterServiceDNSMode` | Mode for the cluster service dns (Internal/ServiceMesh) | `""` | -| `ignoreAnnotations` | The list of annotations to be ignored by the Operator | `[]` | -| `ignoreLabels` | The list of labels to be ignored by the Operator | `[]` | -| `multiCluster.enabled` | Enable Multi Cluster Services (MCS) cluster mode | `false` | -| `multiCluster.DNSSuffix` | The cluster domain to be used as a suffix for multi-cluster Services used by Kubernetes | `""` | -| `updateStrategy` | Regulates the way how PSMDB Cluster Pods will be updated after setting a new image | `SmartUpdate` | +| Parameter | Description | Default | +| ------------------------------- | ------------------------------------------------------------------------------|---------------------------------------| +| `crVersion` | CR Cluster Manifest version | `1.15.0` | +| `pause` | Stop PSMDB Database safely | `false` | +| `unmanaged` | Start cluster and don't manage it (cross cluster replication) | `false` | +| `allowUnsafeConfigurations` | Allows forbidden configurations like even number of PSMDB cluster pods | `false` | +| `clusterServiceDNSSuffix` | The (non-standard) cluster domain to be used as a 
suffix of the Service name | `""` | +| `clusterServiceDNSMode` | Mode for the cluster service dns (Internal/ServiceMesh) | `""` | +| `ignoreAnnotations` | The list of annotations to be ignored by the Operator | `[]` | +| `ignoreLabels` | The list of labels to be ignored by the Operator | `[]` | +| `multiCluster.enabled` | Enable Multi Cluster Services (MCS) cluster mode | `false` | +| `multiCluster.DNSSuffix` | The cluster domain to be used as a suffix for multi-cluster Services used by Kubernetes | `""` | +| `updateStrategy` | Regulates the way how PSMDB Cluster Pods will be updated after setting a new image | `SmartUpdate` | | `upgradeOptions.versionServiceEndpoint` | Endpoint for actual PSMDB Versions provider | `https://check.percona.com/versions/` | -| `upgradeOptions.apply` | PSMDB image to apply from version service - recommended, latest, actual version like 4.4.2-4 | `disabled` | -| `upgradeOptions.schedule` | Cron formatted time to execute the update | `"0 2 * * *"` | -| `upgradeOptions.setFCV` | Set feature compatibility version on major upgrade | `false` | -| `finalizers:delete-psmdb-pvc` | Set this if you want to delete database persistent volumes on cluster deletion | `[]` | -| `finalizers:delete-psmdb-pods-in-order` | Set this if you want to delete PSMDB pods in order (primary last) | `[]` | -| `image.repository` | PSMDB Container image repository | `percona/percona-server-mongodb` | -| `image.tag` | PSMDB Container image tag | `6.0.9-7` | -| `imagePullPolicy` | The policy used to update images | `Always` | -| `imagePullSecrets` | PSMDB Container pull secret | `[]` | -| `initImage.repository` | Repository for custom init image | `""` | -| `initImage.tag` | Tag for custom init image | `""` | -| `initContainerSecurityContext` | A custom Kubernetes Security Context for a Container for the initImage | `{}` | -| `tls.certValidityDuration` | The validity duration of the external certificate for cert manager | `""` | -| `secrets` | Operator secrets section | 
`{}` | -| `pmm.enabled` | Enable integration with [Percona Monitoring and Management software](https://www.percona.com/blog/2020/07/23/using-percona-kubernetes-operators-with-percona-monitoring-and-management/) | `false` | -| `pmm.image.repository` | PMM Container image repository | `percona/pmm-client` | -| `pmm.image.tag` | PMM Container image tag | `2.39.0` | -| `pmm.serverHost` | PMM server related K8S service hostname | `monitoring-service` | +| `upgradeOptions.apply` | PSMDB image to apply from version service - recommended, latest, actual version like 4.4.2-4 | `disabled` | +| `upgradeOptions.schedule` | Cron formatted time to execute the update | `"0 2 * * *"` | +| `upgradeOptions.setFCV` | Set feature compatibility version on major upgrade | `false` | +| `finalizers:delete-psmdb-pvc` | Set this if you want to delete database persistent volumes on cluster deletion | `[]` | +| `finalizers:delete-psmdb-pods-in-order` | Set this if you want to delete PSMDB pods in order (primary last) | `[]` | +| `image.repository` | PSMDB Container image repository | `percona/percona-server-mongodb` | +| `image.tag` | PSMDB Container image tag | `6.0.9-7` | +| `imagePullPolicy` | The policy used to update images | `Always` | +| `imagePullSecrets` | PSMDB Container pull secret | `[]` | +| `initImage.repository` | Repository for custom init image | `""` | +| `initImage.tag` | Tag for custom init image | `""` | +| `initContainerSecurityContext` | A custom Kubernetes Security Context for a Container for the initImage | `{}` | +| `tls.certValidityDuration` | The validity duration of the external certificate for cert manager | `""` | +| `secrets` | Operator secrets section | `{}` | +| `pmm.enabled` | Enable integration with [Percona Monitoring and Management software](https://www.percona.com/blog/2020/07/23/using-percona-kubernetes-operators-with-percona-monitoring-and-management/) | `false` | +| `pmm.image.repository` | PMM Container image repository | `percona/pmm-client` | +| 
`pmm.image.tag` | PMM Container image tag | `2.41.0` | +| `pmm.serverHost` | PMM server related K8S service hostname | `monitoring-service` | || -| `replsets[0].name` | ReplicaSet name | `rs0` | -| `replsets[0].size` | ReplicaSet size (pod quantity) | `3` | -| `replsets[0].terminationGracePeriodSeconds` | The amount of seconds Kubernetes will wait for a clean replica set Pods termination | `""` | -| `replsets[0].externalNodes` | ReplicaSet external nodes (cross cluster replication) | `[]` | -| `replsets[0].configuration` | Custom config for mongod in replica set | `""` | -| `replsets[0].topologySpreadConstraints` | Control how Pods are spread across your cluster among failure-domains such as regions, zones, nodes, and other user-defined topology domains | `{}` | -| `replsets[0].serviceAccountName` | Run replicaset Containers under specified K8S SA | `""` | -| `replsets[0].affinity.antiAffinityTopologyKey` | ReplicaSet Pod affinity | `kubernetes.io/hostname` | -| `replsets[0].affinity.advanced` | ReplicaSet Pod advanced affinity | `{}` | -| `replsets[0].tolerations` | ReplicaSet Pod tolerations | `[]` | -| `replsets[0].priorityClass` | ReplicaSet Pod priorityClassName | `""` | -| `replsets[0].annotations` | ReplicaSet Pod annotations | `{}` | -| `replsets[0].labels` | ReplicaSet Pod labels | `{}` | -| `replsets[0].nodeSelector` | ReplicaSet Pod nodeSelector labels | `{}` | -| `replsets[0].livenessProbe` | ReplicaSet Pod livenessProbe structure | `{}` | -| `replsets[0].readinessProbe` | ReplicaSet Pod readinessProbe structure | `{}` | -| `replsets[0].storage` | Set cacheSizeRatio or other custom MongoDB storage options | `{}` | -| `replsets[0].podSecurityContext` | Set the security context for a Pod | `{}` | -| `replsets[0].containerSecurityContext` | Set the security context for a Container | `{}` | -| `replsets[0].runtimeClass` | ReplicaSet Pod runtimeClassName | `""` | -| `replsets[0].sidecars` | ReplicaSet Pod sidecars | `{}` | -| `replsets[0].sidecarVolumes` | 
ReplicaSet Pod sidecar volumes | `[]` | -| `replsets[0].sidecarPVCs` | ReplicaSet Pod sidecar PVCs | `[]` | -| `replsets[0].podDisruptionBudget.maxUnavailable` | ReplicaSet failed Pods maximum quantity | `1` | -| `replsets[0].splitHorizons` | External URI for Split-horizon for replica set Pods of the exposed cluster | `{}` | -| `replsets[0].expose.enabled` | Allow access to replicaSet from outside of Kubernetes | `false` | -| `replsets[0].expose.exposeType` | Network service access point type | `ClusterIP` | -| `replsets[0].expose.loadBalancerSourceRanges` | Limit client IP's access to Load Balancer | `{}` | -| `replsets[0].expose.serviceAnnotations` | ReplicaSet service annotations | `{}` | -| `replsets[0].expose.serviceLabels` | ReplicaSet service labels | `{}` | -| `replsets[0].schedulerName` | ReplicaSet Pod schedulerName | `""` | -| `replsets[0].resources` | ReplicaSet Pods resource requests and limits | `{}` | -| `replsets[0].volumeSpec` | ReplicaSet Pods storage resources | `{}` | -| `replsets[0].volumeSpec.emptyDir` | ReplicaSet Pods emptyDir K8S storage | `{}` | -| `replsets[0].volumeSpec.hostPath` | ReplicaSet Pods hostPath K8S storage | | -| `replsets[0].volumeSpec.hostPath.path` | ReplicaSet Pods hostPath K8S storage path | `""` | -| `replsets[0].volumeSpec.pvc` | ReplicaSet Pods PVC request parameters | | -| `replsets[0].volumeSpec.pvc.annotations` | The Kubernetes annotations metadata for Persistent Volume Claim | `{}` | -| `replsets[0].volumeSpec.pvc.labels` | The Kubernetes labels metadata for Persistent Volume Claim | `{}` | -| `replsets[0].volumeSpec.pvc.storageClassName` | ReplicaSet Pods PVC target storageClass | `""` | -| `replsets[0].volumeSpec.pvc.accessModes` | ReplicaSet Pods PVC access policy | `[]` | -| `replsets[0].volumeSpec.pvc.resources.requests.storage` | ReplicaSet Pods PVC storage size | `3Gi` | -| `replsets[0].hostAliases` | The IP address for Kubernetes host aliases | `[]` | -| `replsets[0].nonvoting.enabled` | Add MongoDB 
nonvoting Pods | `false` | -| `replsets[0].nonvoting.podSecurityContext` | Set the security context for a Pod | `{}` | -| `replsets[0].nonvoting.containerSecurityContext` | Set the security context for a Container | `{}` | -| `replsets[0].nonvoting.size` | Number of nonvoting Pods | `1` | -| `replsets[0].nonvoting.configuration` | Custom config for mongod nonvoting member | `""` | -| `replsets[0].nonvoting.serviceAccountName` | Run replicaset nonvoting Container under specified K8S SA | `""` | -| `replsets[0].nonvoting.affinity.antiAffinityTopologyKey` | Nonvoting Pods affinity | `kubernetes.io/hostname` | -| `replsets[0].nonvoting.affinity.advanced` | Nonvoting Pods advanced affinity | `{}` | -| `replsets[0].nonvoting.tolerations` | Nonvoting Pod tolerations | `[]` | -| `replsets[0].nonvoting.priorityClass` | Nonvoting Pod priorityClassName | `""` | -| `replsets[0].nonvoting.annotations` | Nonvoting Pod annotations | `{}` | -| `replsets[0].nonvoting.labels` | Nonvoting Pod labels | `{}` | -| `replsets[0].nonvoting.nodeSelector` | Nonvoting Pod nodeSelector labels | `{}` | -| `replsets[0].nonvoting.podDisruptionBudget.maxUnavailable` | Nonvoting failed Pods maximum quantity | `1` | -| `replsets[0].nonvoting.resources` | Nonvoting Pods resource requests and limits | `{}` | -| `replsets[0].nonvoting.volumeSpec` | Nonvoting Pods storage resources | `{}` | -| `replsets[0].nonvoting.volumeSpec.emptyDir` | Nonvoting Pods emptyDir K8S storage | `{}` | -| `replsets[0].nonvoting.volumeSpec.hostPath` | Nonvoting Pods hostPath K8S storage | | -| `replsets[0].nonvoting.volumeSpec.hostPath.path` | Nonvoting Pods hostPath K8S storage path | `""` | -| `replsets[0].nonvoting.volumeSpec.pvc` | Nonvoting Pods PVC request parameters | | -| `replsets[0].nonvoting.volumeSpec.pvc.annotations` | The Kubernetes annotations metadata for Persistent Volume Claim | `{}` | -| `replsets[0].nonvoting.volumeSpec.pvc.labels` | The Kubernetes labels metadata for Persistent Volume Claim | `{}` | -| 
`replsets[0].nonvoting.volumeSpec.pvc.storageClassName` | Nonvoting Pods PVC target storageClass | `""` | -| `replsets[0].nonvoting.volumeSpec.pvc.accessModes` | Nonvoting Pods PVC access policy | `[]` | -| `replsets[0].nonvoting.volumeSpec.pvc.resources.requests.storage` | Nonvoting Pods PVC storage size | `3Gi` | -| `replsets[0].arbiter.enabled` | Create MongoDB arbiter service | `false` | -| `replsets[0].arbiter.size` | MongoDB arbiter Pod quantity | `1` | -| `replsets[0].arbiter.serviceAccountName` | Run replicaset arbiter Container under specified K8S SA | `""` | -| `replsets[0].arbiter.affinity.antiAffinityTopologyKey` | MongoDB arbiter Pod affinity | `kubernetes.io/hostname` | -| `replsets[0].arbiter.affinity.advanced` | MongoDB arbiter Pod advanced affinity | `{}` | -| `replsets[0].arbiter.tolerations` | MongoDB arbiter Pod tolerations | `[]` | -| `replsets[0].arbiter.priorityClass` | MongoDB arbiter priorityClassName | `""` | -| `replsets[0].arbiter.annotations` | MongoDB arbiter Pod annotations | `{}` | -| `replsets[0].arbiter.labels` | MongoDB arbiter Pod labels | `{}` | -| `replsets[0].arbiter.nodeSelector` | MongoDB arbiter Pod nodeSelector labels | `{}` | +| `replsets[0].name` | ReplicaSet name | `rs0` | +| `replsets[0].size` | ReplicaSet size (pod quantity) | `3` | +| `replsets[0].terminationGracePeriodSeconds` | The amount of seconds Kubernetes will wait for a clean replica set Pods termination | `""` | +| `replsets[0].externalNodes` | ReplicaSet external nodes (cross cluster replication) | `[]` | +| `replsets[0].configuration` | Custom config for mongod in replica set | `""` | +| `replsets[0].topologySpreadConstraints` | Control how Pods are spread across your cluster among failure-domains such as regions, zones, nodes, and other user-defined topology domains | `{}` | +| `replsets[0].serviceAccountName` | Run replicaset Containers under specified K8S SA | `""` | +| `replsets[0].affinity.antiAffinityTopologyKey` | ReplicaSet Pod affinity | 
`kubernetes.io/hostname` | +| `replsets[0].affinity.advanced` | ReplicaSet Pod advanced affinity | `{}` | +| `replsets[0].tolerations` | ReplicaSet Pod tolerations | `[]` | +| `replsets[0].priorityClass` | ReplicaSet Pod priorityClassName | `""` | +| `replsets[0].annotations` | ReplicaSet Pod annotations | `{}` | +| `replsets[0].labels` | ReplicaSet Pod labels | `{}` | +| `replsets[0].nodeSelector` | ReplicaSet Pod nodeSelector labels | `{}` | +| `replsets[0].livenessProbe` | ReplicaSet Pod livenessProbe structure | `{}` | +| `replsets[0].readinessProbe` | ReplicaSet Pod readinessProbe structure | `{}` | +| `replsets[0].storage` | Set cacheSizeRatio or other custom MongoDB storage options | `{}` | +| `replsets[0].podSecurityContext` | Set the security context for a Pod | `{}` | +| `replsets[0].containerSecurityContext` | Set the security context for a Container | `{}` | +| `replsets[0].runtimeClass` | ReplicaSet Pod runtimeClassName | `""` | +| `replsets[0].sidecars` | ReplicaSet Pod sidecars | `{}` | +| `replsets[0].sidecarVolumes` | ReplicaSet Pod sidecar volumes | `[]` | +| `replsets[0].sidecarPVCs` | ReplicaSet Pod sidecar PVCs | `[]` | +| `replsets[0].podDisruptionBudget.maxUnavailable` | ReplicaSet failed Pods maximum quantity | `1` | +| `replsets[0].splitHorizons` | External URI for Split-horizon for replica set Pods of the exposed cluster | `{}` | +| `replsets[0].expose.enabled` | Allow access to replicaSet from outside of Kubernetes | `false` | +| `replsets[0].expose.exposeType` | Network service access point type | `ClusterIP` | +| `replsets[0].expose.loadBalancerSourceRanges` | Limit client IP's access to Load Balancer | `{}` | +| `replsets[0].expose.serviceAnnotations` | ReplicaSet service annotations | `{}` | +| `replsets[0].expose.serviceLabels` | ReplicaSet service labels | `{}` | +| `replsets[0].schedulerName` | ReplicaSet Pod schedulerName | `""` | +| `replsets[0].resources` | ReplicaSet Pods resource requests and limits | `{}` | +| 
`replsets[0].volumeSpec` | ReplicaSet Pods storage resources | `{}` | +| `replsets[0].volumeSpec.emptyDir` | ReplicaSet Pods emptyDir K8S storage | `{}` | +| `replsets[0].volumeSpec.hostPath` | ReplicaSet Pods hostPath K8S storage | | +| `replsets[0].volumeSpec.hostPath.path` | ReplicaSet Pods hostPath K8S storage path | `""` | +| `replsets[0].volumeSpec.pvc` | ReplicaSet Pods PVC request parameters | | +| `replsets[0].volumeSpec.pvc.annotations` | The Kubernetes annotations metadata for Persistent Volume Claim | `{}` | +| `replsets[0].volumeSpec.pvc.labels` | The Kubernetes labels metadata for Persistent Volume Claim | `{}` | +| `replsets[0].volumeSpec.pvc.storageClassName` | ReplicaSet Pods PVC target storageClass | `""` | +| `replsets[0].volumeSpec.pvc.accessModes` | ReplicaSet Pods PVC access policy | `[]` | +| `replsets[0].volumeSpec.pvc.resources.requests.storage` | ReplicaSet Pods PVC storage size | `3Gi` | +| `replsets[0].hostAliases` | The IP address for Kubernetes host aliases | `[]` | +| `replsets[0].nonvoting.enabled` | Add MongoDB nonvoting Pods | `false` | +| `replsets[0].nonvoting.podSecurityContext` | Set the security context for a Pod | `{}` | +| `replsets[0].nonvoting.containerSecurityContext` | Set the security context for a Container | `{}` | +| `replsets[0].nonvoting.size` | Number of nonvoting Pods | `1` | +| `replsets[0].nonvoting.configuration` | Custom config for mongod nonvoting member | `""` | +| `replsets[0].nonvoting.serviceAccountName` | Run replicaset nonvoting Container under specified K8S SA | `""` | +| `replsets[0].nonvoting.affinity.antiAffinityTopologyKey` | Nonvoting Pods affinity | `kubernetes.io/hostname` | +| `replsets[0].nonvoting.affinity.advanced` | Nonvoting Pods advanced affinity | `{}` | +| `replsets[0].nonvoting.tolerations` | Nonvoting Pod tolerations | `[]` | +| `replsets[0].nonvoting.priorityClass` | Nonvoting Pod priorityClassName | `""` | +| `replsets[0].nonvoting.annotations` | Nonvoting Pod annotations | `{}` | 
+| `replsets[0].nonvoting.labels` | Nonvoting Pod labels | `{}` | +| `replsets[0].nonvoting.nodeSelector` | Nonvoting Pod nodeSelector labels | `{}` | +| `replsets[0].nonvoting.podDisruptionBudget.maxUnavailable` | Nonvoting failed Pods maximum quantity | `1` | +| `replsets[0].nonvoting.resources` | Nonvoting Pods resource requests and limits | `{}` | +| `replsets[0].nonvoting.volumeSpec` | Nonvoting Pods storage resources | `{}` | +| `replsets[0].nonvoting.volumeSpec.emptyDir` | Nonvoting Pods emptyDir K8S storage | `{}` | +| `replsets[0].nonvoting.volumeSpec.hostPath` | Nonvoting Pods hostPath K8S storage | | +| `replsets[0].nonvoting.volumeSpec.hostPath.path` | Nonvoting Pods hostPath K8S storage path | `""` | +| `replsets[0].nonvoting.volumeSpec.pvc` | Nonvoting Pods PVC request parameters | | +| `replsets[0].nonvoting.volumeSpec.pvc.annotations` | The Kubernetes annotations metadata for Persistent Volume Claim | `{}` | +| `replsets[0].nonvoting.volumeSpec.pvc.labels` | The Kubernetes labels metadata for Persistent Volume Claim | `{}` | +| `replsets[0].nonvoting.volumeSpec.pvc.storageClassName` | Nonvoting Pods PVC target storageClass | `""` | +| `replsets[0].nonvoting.volumeSpec.pvc.accessModes` | Nonvoting Pods PVC access policy | `[]` | +| `replsets[0].nonvoting.volumeSpec.pvc.resources.requests.storage` | Nonvoting Pods PVC storage size | `3Gi` | +| `replsets[0].arbiter.enabled` | Create MongoDB arbiter service | `false` | +| `replsets[0].arbiter.size` | MongoDB arbiter Pod quantity | `1` | +| `replsets[0].arbiter.serviceAccountName` | Run replicaset arbiter Container under specified K8S SA | `""` | +| `replsets[0].arbiter.affinity.antiAffinityTopologyKey` | MongoDB arbiter Pod affinity | `kubernetes.io/hostname` | +| `replsets[0].arbiter.affinity.advanced` | MongoDB arbiter Pod advanced affinity | `{}` | +| `replsets[0].arbiter.tolerations` | MongoDB arbiter Pod tolerations | `[]` | +| `replsets[0].arbiter.priorityClass` | MongoDB arbiter priorityClassName 
| `""` | +| `replsets[0].arbiter.annotations` | MongoDB arbiter Pod annotations | `{}` | +| `replsets[0].arbiter.labels` | MongoDB arbiter Pod labels | `{}` | +| `replsets[0].arbiter.nodeSelector` | MongoDB arbiter Pod nodeSelector labels | `{}` | | | -| `sharding.enabled` | Enable sharding setup | `true` | -| `sharding.balancer.enabled` | Enable/disable balancer | `true` | -| `sharding.configrs.size` | Config ReplicaSet size (pod quantity) | `3` | -| `sharding.configrs.terminationGracePeriodSeconds` | The amount of seconds Kubernetes will wait for a clean replica set Pods termination | `""` | -| `sharding.configrs.externalNodes` | Config ReplicaSet external nodes (cross cluster replication) | `[]` | -| `sharding.configrs.configuration` | Custom config for mongod in config replica set | `""` | -| `sharding.configrs.topologySpreadConstraints` | Control how Pods are spread across your cluster among failure-domains such as regions, zones, nodes, and other user-defined topology domains | `{}` | -| `sharding.configrs.serviceAccountName` | Run sharding configrs Containers under specified K8S SA | `""` | -| `sharding.configrs.affinity.antiAffinityTopologyKey` | Config ReplicaSet Pod affinity | `kubernetes.io/hostname` | -| `sharding.configrs.affinity.advanced` | Config ReplicaSet Pod advanced affinity | `{}` | -| `sharding.configrs.tolerations` | Config ReplicaSet Pod tolerations | `[]` | -| `sharding.configrs.priorityClass` | Config ReplicaSet Pod priorityClassName | `""` | -| `sharding.configrs.annotations` | Config ReplicaSet Pod annotations | `{}` | -| `sharding.configrs.labels` | Config ReplicaSet Pod labels | `{}` | -| `sharding.configrs.nodeSelector` | Config ReplicaSet Pod nodeSelector labels | `{}` | -| `sharding.configrs.livenessProbe` | Config ReplicaSet Pod livenessProbe structure | `{}` | -| `sharding.configrs.readinessProbe` | Config ReplicaSet Pod readinessProbe structure | `{}` | -| `sharding.configrs.storage` | Set cacheSizeRatio or other custom MongoDB 
storage options | `{}` | -| `sharding.configrs.podSecurityContext` | Set the security context for a Pod | `{}` | -| `sharding.configrs.containerSecurityContext` | Set the security context for a Container | `{}` | -| `sharding.configrs.runtimeClass` | Config ReplicaSet Pod runtimeClassName | `""` | -| `sharding.configrs.sidecars` | Config ReplicaSet Pod sidecars | `{}` | -| `sharding.configrs.sidecarVolumes` | Config ReplicaSet Pod sidecar volumes | `[]` | -| `sharding.configrs.sidecarPVCs` | Config ReplicaSet Pod sidecar PVCs | `[]` | -| `sharding.configrs.podDisruptionBudget.maxUnavailable` | Config ReplicaSet failed Pods maximum quantity | `1` | -| `sharding.configrs.expose.enabled` | Allow access to cfg replica from outside of Kubernetes | `false` | -| `sharding.configrs.expose.exposeType` | Network service access point type | `ClusterIP` | -| `sharding.configrs.expose.loadBalancerSourceRanges` | Limit client IP's access to Load Balancer | `{}` | -| `sharding.configrs.expose.serviceAnnotations` | Config ReplicaSet service annotations | `{}` | -| `sharding.configrs.expose.serviceLabels` | Config ReplicaSet service labels | `{}` | -| `sharding.configrs.resources.limits.cpu` | Config ReplicaSet resource limits CPU | `300m` | -| `sharding.configrs.resources.limits.memory` | Config ReplicaSet resource limits memory | `0.5G` | -| `sharding.configrs.resources.requests.cpu` | Config ReplicaSet resource requests CPU | `300m` | -| `sharding.configrs.resources.requests.memory` | Config ReplicaSet resource requests memory | `0.5G` | -| `sharding.configrs.volumeSpec.hostPath` | Config ReplicaSet hostPath K8S storage | | -| `sharding.configrs.volumeSpec.hostPath.path` | Config ReplicaSet hostPath K8S storage path | `""` | -| `sharding.configrs.volumeSpec.emptyDir` | Config ReplicaSet Pods emptyDir K8S storage | | -| `sharding.configrs.volumeSpec.pvc` | Config ReplicaSet Pods PVC request parameters | | -| `sharding.configrs.volumeSpec.pvc.annotations` | The Kubernetes 
annotations metadata for Persistent Volume Claim | `{}` | -| `sharding.configrs.volumeSpec.pvc.labels` | The Kubernetes labels metadata for Persistent Volume Claim | `{}` | -| `sharding.configrs.volumeSpec.pvc.storageClassName` | Config ReplicaSet Pods PVC storageClass | `""` | -| `sharding.configrs.volumeSpec.pvc.accessModes` | Config ReplicaSet Pods PVC access policy | `[]` | -| `sharding.configrs.volumeSpec.pvc.resources.requests.storage` | Config ReplicaSet Pods PVC storage size | `3Gi` | -| `sharding.configrs.hostAliases` | The IP address for Kubernetes host aliases | `[]` | -| `sharding.mongos.size` | Mongos size (pod quantity) | `3` | -| `sharding.mongos.terminationGracePeriodSeconds` | The amount of seconds Kubernetes will wait for a clean mongos Pods termination | `""` | -| `sharding.mongos.configuration` | Custom config for mongos | `""` | -| `sharding.mongos.topologySpreadConstraints` | Control how Pods are spread across your cluster among failure-domains such as regions, zones, nodes, and other user-defined topology domains | `{}` | -| `sharding.mongos.serviceAccountName` | Run sharding mongos Containers under specified K8S SA | `""` | -| `sharding.mongos.affinity.antiAffinityTopologyKey` | Mongos Pods affinity | `kubernetes.io/hostname` | -| `sharding.mongos.affinity.advanced` | Mongos Pods advanced affinity | `{}` | -| `sharding.mongos.tolerations` | Mongos Pods tolerations | `[]` | -| `sharding.mongos.priorityClass` | Mongos Pods priorityClassName | `""` | -| `sharding.mongos.annotations` | Mongos Pods annotations | `{}` | -| `sharding.mongos.labels` | Mongos Pods labels | `{}` | -| `sharding.mongos.nodeSelector` | Mongos Pods nodeSelector labels | `{}` | -| `sharding.mongos.livenessProbe` | Mongos Pod livenessProbe structure | `{}` | -| `sharding.mongos.readinessProbe` | Mongos Pod readinessProbe structure | `{}` | -| `sharding.mongos.podSecurityContext` | Set the security context for a Pod | `{}` | -| `sharding.mongos.containerSecurityContext` | 
Set the security context for a Container | `{}` | -| `sharding.mongos.runtimeClass` | Mongos Pod runtimeClassName | `""` | -| `sharding.mongos.sidecars` | Mongos Pod sidecars | `{}` | -| `sharding.mongos.sidecarVolumes` | Mongos Pod sidecar volumes | `[]` | -| `sharding.mongos.sidecarPVCs` | Mongos Pod sidecar PVCs | `[]` | -| `sharding.mongos.podDisruptionBudget.maxUnavailable` | Mongos failed Pods maximum quantity | `1` | -| `sharding.mongos.resources.limits.cpu` | Mongos Pods resource limits CPU | `300m` | -| `sharding.mongos.resources.limits.memory` | Mongos Pods resource limits memory | `0.5G` | -| `sharding.mongos.resources.requests.cpu` | Mongos Pods resource requests CPU | `300m` | -| `sharding.mongos.resources.requests.memory` | Mongos Pods resource requests memory | `0.5G` | -| `sharding.mongos.expose.exposeType` | Mongos service exposeType | `ClusterIP` | -| `sharding.mongos.expose.servicePerPod` | Create a separate ClusterIP Service for each mongos instance | `false` | -| `sharding.mongos.expose.loadBalancerSourceRanges` | Limit client IP's access to Load Balancer | `{}` | -| `sharding.mongos.expose.serviceAnnotations` | Mongos service annotations | `{}` | -| `sharding.mongos.expose.serviceLabels` | Mongos service labels | `{}` | -| `sharding.mongos.hostAliases` | The IP address for Kubernetes host aliases | `[]` | +| `sharding.enabled` | Enable sharding setup | `true` | +| `sharding.balancer.enabled` | Enable/disable balancer | `true` | +| `sharding.configrs.size` | Config ReplicaSet size (pod quantity) | `3` | +| `sharding.configrs.terminationGracePeriodSeconds` | The amount of seconds Kubernetes will wait for a clean replica set Pods termination | `""` | +| `sharding.configrs.externalNodes` | Config ReplicaSet external nodes (cross cluster replication) | `[]` | +| `sharding.configrs.configuration` | Custom config for mongod in config replica set | `""` | +| `sharding.configrs.topologySpreadConstraints` | Control how Pods are spread across your 
cluster among failure-domains such as regions, zones, nodes, and other user-defined topology domains | `{}` | +| `sharding.configrs.serviceAccountName` | Run sharding configrs Containers under specified K8S SA | `""` | +| `sharding.configrs.affinity.antiAffinityTopologyKey` | Config ReplicaSet Pod affinity | `kubernetes.io/hostname` | +| `sharding.configrs.affinity.advanced` | Config ReplicaSet Pod advanced affinity | `{}` | +| `sharding.configrs.tolerations` | Config ReplicaSet Pod tolerations | `[]` | +| `sharding.configrs.priorityClass` | Config ReplicaSet Pod priorityClassName | `""` | +| `sharding.configrs.annotations` | Config ReplicaSet Pod annotations | `{}` | +| `sharding.configrs.labels` | Config ReplicaSet Pod labels | `{}` | +| `sharding.configrs.nodeSelector` | Config ReplicaSet Pod nodeSelector labels | `{}` | +| `sharding.configrs.livenessProbe` | Config ReplicaSet Pod livenessProbe structure | `{}` | +| `sharding.configrs.readinessProbe` | Config ReplicaSet Pod readinessProbe structure | `{}` | +| `sharding.configrs.storage` | Set cacheSizeRatio or other custom MongoDB storage options | `{}` | +| `sharding.configrs.podSecurityContext` | Set the security context for a Pod | `{}` | +| `sharding.configrs.containerSecurityContext` | Set the security context for a Container | `{}` | +| `sharding.configrs.runtimeClass` | Config ReplicaSet Pod runtimeClassName | `""` | +| `sharding.configrs.sidecars` | Config ReplicaSet Pod sidecars | `{}` | +| `sharding.configrs.sidecarVolumes` | Config ReplicaSet Pod sidecar volumes | `[]` | +| `sharding.configrs.sidecarPVCs` | Config ReplicaSet Pod sidecar PVCs | `[]` | +| `sharding.configrs.podDisruptionBudget.maxUnavailable` | Config ReplicaSet failed Pods maximum quantity | `1` | +| `sharding.configrs.expose.enabled` | Allow access to cfg replica from outside of Kubernetes | `false` | +| `sharding.configrs.expose.exposeType` | Network service access point type | `ClusterIP` | +| 
`sharding.configrs.expose.loadBalancerSourceRanges` | Limit client IP's access to Load Balancer | `{}` |
+| `sharding.configrs.expose.serviceAnnotations` | Config ReplicaSet service annotations | `{}` |
+| `sharding.configrs.expose.serviceLabels` | Config ReplicaSet service labels | `{}` |
+| `sharding.configrs.resources.limits.cpu` | Config ReplicaSet resource limits CPU | `300m` |
+| `sharding.configrs.resources.limits.memory` | Config ReplicaSet resource limits memory | `0.5G` |
+| `sharding.configrs.resources.requests.cpu` | Config ReplicaSet resource requests CPU | `300m` |
+| `sharding.configrs.resources.requests.memory` | Config ReplicaSet resource requests memory | `0.5G` |
+| `sharding.configrs.volumeSpec.hostPath` | Config ReplicaSet hostPath K8S storage | |
+| `sharding.configrs.volumeSpec.hostPath.path` | Config ReplicaSet hostPath K8S storage path | `""` |
+| `sharding.configrs.volumeSpec.emptyDir` | Config ReplicaSet Pods emptyDir K8S storage | |
+| `sharding.configrs.volumeSpec.pvc` | Config ReplicaSet Pods PVC request parameters | |
+| `sharding.configrs.volumeSpec.pvc.annotations` | The Kubernetes annotations metadata for Persistent Volume Claim | `{}` |
+| `sharding.configrs.volumeSpec.pvc.labels` | The Kubernetes labels metadata for Persistent Volume Claim | `{}` |
+| `sharding.configrs.volumeSpec.pvc.storageClassName` | Config ReplicaSet Pods PVC storageClass | `""` |
+| `sharding.configrs.volumeSpec.pvc.accessModes` | Config ReplicaSet Pods PVC access policy | `[]` |
+| `sharding.configrs.volumeSpec.pvc.resources.requests.storage` | Config ReplicaSet Pods PVC storage size | `3Gi` |
+| `sharding.configrs.hostAliases` | The IP address for Kubernetes host aliases | `[]` |
+| `sharding.mongos.size` | Mongos size (pod quantity) | `3` |
+| `sharding.mongos.terminationGracePeriodSeconds` | The amount of seconds Kubernetes will wait for a clean mongos Pods termination | `""` |
+| `sharding.mongos.configuration` | Custom config for mongos | `""` |
+| `sharding.mongos.topologySpreadConstraints` | Control how Pods are spread across your cluster among failure-domains such as regions, zones, nodes, and other user-defined topology domains | `{}` |
+| `sharding.mongos.serviceAccountName` | Run sharding mongos Containers under specified K8S SA | `""` |
+| `sharding.mongos.affinity.antiAffinityTopologyKey` | Mongos Pods affinity | `kubernetes.io/hostname` |
+| `sharding.mongos.affinity.advanced` | Mongos Pods advanced affinity | `{}` |
+| `sharding.mongos.tolerations` | Mongos Pods tolerations | `[]` |
+| `sharding.mongos.priorityClass` | Mongos Pods priorityClassName | `""` |
+| `sharding.mongos.annotations` | Mongos Pods annotations | `{}` |
+| `sharding.mongos.labels` | Mongos Pods labels | `{}` |
+| `sharding.mongos.nodeSelector` | Mongos Pods nodeSelector labels | `{}` |
+| `sharding.mongos.livenessProbe` | Mongos Pod livenessProbe structure | `{}` |
+| `sharding.mongos.readinessProbe` | Mongos Pod readinessProbe structure | `{}` |
+| `sharding.mongos.podSecurityContext` | Set the security context for a Pod | `{}` |
+| `sharding.mongos.containerSecurityContext` | Set the security context for a Container | `{}` |
+| `sharding.mongos.runtimeClass` | Mongos Pod runtimeClassName | `""` |
+| `sharding.mongos.sidecars` | Mongos Pod sidecars | `{}` |
+| `sharding.mongos.sidecarVolumes` | Mongos Pod sidecar volumes | `[]` |
+| `sharding.mongos.sidecarPVCs` | Mongos Pod sidecar PVCs | `[]` |
+| `sharding.mongos.podDisruptionBudget.maxUnavailable` | Mongos failed Pods maximum quantity | `1` |
+| `sharding.mongos.resources.limits.cpu` | Mongos Pods resource limits CPU | `300m` |
+| `sharding.mongos.resources.limits.memory` | Mongos Pods resource limits memory | `0.5G` |
+| `sharding.mongos.resources.requests.cpu` | Mongos Pods resource requests CPU | `300m` |
+| `sharding.mongos.resources.requests.memory` | Mongos Pods resource requests memory | `0.5G` |
+| `sharding.mongos.expose.exposeType` | Mongos service exposeType | `ClusterIP` |
+| `sharding.mongos.expose.servicePerPod` | Create a separate ClusterIP Service for each mongos instance | `false` |
+| `sharding.mongos.expose.loadBalancerSourceRanges` | Limit client IP's access to Load Balancer | `{}` |
+| `sharding.mongos.expose.serviceAnnotations` | Mongos service annotations | `{}` |
+| `sharding.mongos.expose.serviceLabels` | Mongos service labels | `{}` |
+| `sharding.mongos.hostAliases` | The IP address for Kubernetes host aliases | `[]` |
 | |
-| `backup.enabled` | Enable backup PBM agent | `true` |
-| `backup.annotations` | Backup job annotations | `{}` |
-| `backup.restartOnFailure` | Backup Pods restart policy | `true` |
-| `backup.image.repository` | PBM Container image repository | `percona/percona-backup-mongodb` |
-| `backup.image.tag` | PBM Container image tag | `2.3.0` |
-| `backup.serviceAccountName` | Run PBM Container under specified K8S SA | `percona-server-mongodb-operator` |
-| `backup.storages` | Local/remote backup storages settings | `{}` |
-| `backup.pitr.enabled` | Enable point in time recovery for backup | `false` |
-| `backup.pitr.oplogOnly` | Start collecting oplogs even if full logical backup doesn't exist | `false` |
-| `backup.pitr.oplogSpanMin` | Number of minutes between the uploads of oplogs | `10` |
-| `backup.pitr.compressionType` | The point-in-time-recovery chunks compression format | `""` |
-| `backup.pitr.compressionLevel` | The point-in-time-recovery chunks compression level | `""` |
-| `backup.tasks` | Backup working schedule | `{}` |
-| `users` | PSMDB essential users | `{}` |
+| `backup.enabled` | Enable backup PBM agent | `true` |
+| `backup.annotations` | Backup job annotations | `{}` |
+| `backup.restartOnFailure` | Backup Pods restart policy | `true` |
+| `backup.image.repository` | PBM Container image repository | `percona/percona-backup-mongodb` |
+| `backup.image.tag` | PBM Container image tag | `2.3.0` |
+| `backup.serviceAccountName` | Run PBM Container under specified K8S SA | `percona-server-mongodb-operator` |
+| `backup.storages` | Local/remote backup storages settings | `{}` |
+| `backup.pitr.enabled` | Enable point in time recovery for backup | `false` |
+| `backup.pitr.oplogOnly` | Start collecting oplogs even if full logical backup doesn't exist | `false` |
+| `backup.pitr.oplogSpanMin` | Number of minutes between the uploads of oplogs | `10` |
+| `backup.pitr.compressionType` | The point-in-time-recovery chunks compression format | `""` |
+| `backup.pitr.compressionLevel` | The point-in-time-recovery chunks compression level | `""` |
+| `backup.tasks` | Backup working schedule | `{}` |
+| `users` | PSMDB essential users | `{}` |
 Specify parameters using `--set key=value[,key=value]` argument to `helm install`
diff --git a/charts/percona/psmdb-db/values.yaml b/charts/percona/psmdb-db/values.yaml
index d7e88ac45..4b9ee8ac3 100644
--- a/charts/percona/psmdb-db/values.yaml
+++ b/charts/percona/psmdb-db/values.yaml
@@ -59,7 +59,7 @@ pmm:
 enabled: false
 image:
 repository: percona/pmm-client
- tag: 2.39.0
+ tag: 2.41.0
 serverHost: monitoring-service
 replsets:
diff --git a/charts/percona/pxc-db/Chart.yaml b/charts/percona/pxc-db/Chart.yaml
index 4e6f434f3..25ee4572d 100644
--- a/charts/percona/pxc-db/Chart.yaml
+++ b/charts/percona/pxc-db/Chart.yaml
@@ -17,4 +17,4 @@ maintainers:
 - email: natalia.marukovich@percona.com
 name: nmarukovich
 name: pxc-db
-version: 1.13.2
+version: 1.13.4
diff --git a/charts/percona/pxc-db/README.md b/charts/percona/pxc-db/README.md
index 7df44a8bc..490736ede 100644
--- a/charts/percona/pxc-db/README.md
+++ b/charts/percona/pxc-db/README.md
@@ -25,233 +25,233 @@ helm install my-db percona/pxc-db --version 1.13.0 --namespace my-namespace The chart can be customized using the following configurable parameters: -| Parameter | Description | Default | -| ------------------------------- | ------------------------------------------------------------------------------| ------------------------------------------| -| `crVersion` | Version of the Operator the Custom Resource belongs to | `1.13.0` | -| `ignoreAnnotations` | Operator will not remove following annotations | `[]` | -| `ignoreLabels` | Operator will not remove following labels | `[]` | -| `pause` | Stop PXC Database safely | `false` | -| `allowUnsafeConfigurations` | Allows forbidden configurations like even number of PXC cluster pods | `false` | -| `enableCRValidationWebhook` | Enables or disables schema validation before applying custom resource | `false` | -| `initImage` | An alternative image for the initial Operator installation | `""` | -| `updateStrategy` | Regulates the way how PXC Cluster Pods will be updated after setting a new image | `SmartUpdate` | -| `upgradeOptions.versionServiceEndpoint` | Endpoint for actual PXC Versions provider | `https://check.percona.com/versions` | -| `upgradeOptions.apply` | PXC image to apply from version service - `recommended`, `latest`, actual version like `8.0.19-10.1` | `disabled` | -| `upgradeOptions.schedule` | Cron formatted time to execute the update | `"0 4 * * *"` | -| `finalizers:delete-pxc-pods-in-order` | Set this if you want to delete PXC pods in order on cluster deletion | [] | -| `finalizers:delete-proxysql-pvc` | Set this if you want to delete proxysql persistent volumes on cluster deletion | [] | -| `finalizers:delete-pxc-pvc` | Set this if you want to delete database persistent volumes on cluster deletion | [] | -| `finalizers:delete-ssl` | Deletes objects created for SSL (Secret, certificate, and issuer) after the cluster deletion | [] | -| `tls.SANs` | Additional domains (SAN) to be added 
to the TLS certificate within the extended cert-manager configuration | `[]` | -| `tls.issuerConf.name` | A cert-manager issuer name | `""` | -| `tls.issuerConf.kind` | A cert-manager issuer type | `""` | -| `tls.issuerConf.group` | A cert-manager issuer group | `""` | -| `pxc.size` | PXC Cluster target member (pod) quantity. Can't even if `allowUnsafeConfigurations` is `true` | `3` | -| `pxc.clusterSecretName` | Specify if you want to use custom or Operator generated users secret (if the one specified doesn't exist) | `` | -| `pxc.image.repository` | PXC Container image repository | `percona/percona-xtradb-cluster` | -| `pxc.image.tag` | PXC Container image tag | `8.0.32-24.2` | -| `pxc.imagePullPolicy` | The policy used to update images | `` | -| `pxc.autoRecovery` | Enable full cluster crash auto recovery | `true` | -| `pxc.expose.enabled` | Enable or disable exposing `Percona XtraDB Cluster` nodes with dedicated IP addresses | `true` | -| `pxc.expose.type` | The Kubernetes Service Type used for exposure | `LoadBalancer` | -| `pxc.expose.loadBalancerSourceRanges` | The range of client IP addresses from which the load balancer should be reachable (if not set, there is no limitations) | `10.0.0.0/8` | -| `pxc.expose.annotations` | The Kubernetes annotations | `true` | -| `pxc.replicationChannels.name` | Name of the replication channel for cross-site replication | `pxc1_to_pxc2` | -| `pxc.replicationChannels.isSource` | Should the cluster act as Source (true) or Replica (false) in cross-site replication | `false` | -| `pxc.replicationChannels.sourcesList.host` | For the cross-site replication Replica cluster, this key should contain the hostname or IP address of the Source cluster | `10.95.251.101` | -| `pxc.replicationChannels.sourcesList.port` | For the cross-site replication Replica cluster, this key should contain the Source port number | `3306` | -| `pxc.replicationChannels.sourcesList.weight`| For the cross-site replication Replica cluster, this key should 
contain the Source cluster weight | `100` | -| `pxc.imagePullSecrets` | PXC Container pull secret | `[]` | -| `pxc.annotations` | PXC Pod user-defined annotations | `{}` | -| `pxc.priorityClassName` | PXC Pod priority Class defined by user | | -| `pxc.runtimeClassName` | Name of the Kubernetes Runtime Class for PXC Pods | | -| `pxc.labels` | PXC Pod user-defined labels | `{}` | -| `pxc.schedulerName` | The Kubernetes Scheduler | | -| `pxc.readinessDelaySec` | PXC Pod delay for readiness probe in seconds | `15` | -| `pxc.livenessDelaySec` | PXC Pod delay for liveness probe in seconds | `300` | -| `pxc.configuration` | User defined MySQL options according to MySQL configuration file syntax | `` | -| `pxc.envVarsSecret` | A secret with environment variables | `` | -| `pxc.resources.requests` | PXC Pods resource requests | `{"memory": "1G", "cpu": "600m"}`| -| `pxc.resources.limits` | PXC Pods resource limits | `{}` | -| `pxc.sidecars` | PXC Pods sidecars | `[]` | -| `pxc.sidecarVolumes` | PXC Pods sidecarVolumes | `[]` | -| `pxc.sidecarPVCs` | PXC Pods sidecar PVCs | `[]` | -| `pxc.sidecarResources.requests` | PXC sidecar resource requests | `{}` | -| `pxc.sidecarResources.limits` | PXC sidecar resource limits | `{}` | -| `pxc.nodeSelector` | PXC Pods key-value pairs setting for K8S node assingment | `{}` | -| `pxc.affinity.antiAffinityTopologyKey` | PXC Pods simple scheduling restriction on/off for host, zone, region | `"kubernetes.io/hostname"` | -| `pxc.affinity.advanced` | PXC Pods advanced scheduling restriction with match expression engine | `{}` | -| `pxc.tolerations` | List of node taints to tolerate for PXC Pods | `[]` | -| `pxc.gracePeriod` | Allowed time for graceful shutdown | `600` | -| `pxc.podDisruptionBudget.maxUnavailable` | Instruct Kubernetes about the failed pods allowed quantity | `1` | -| `pxc.persistence.enabled` | Requests a persistent storage (`hostPath` or `storageClass`) from K8S for PXC Pods datadir | `true` | -| `pxc.persistence.hostPath` 
| Sets datadir path on K8S node for all PXC Pods. Available only when `pxc.persistence.enabled: true` | | -| `pxc.persistence.storageClass` | Sets K8S storageClass name for all PXC Pods PVC. Available only when `pxc.persistence.enabled: true` | `-` | -| `pxc.persistence.accessMode` | Sets K8S persistent storage access policy for all PXC Pods | `ReadWriteOnce` | -| `pxc.persistence.size` | Sets K8S persistent storage size for all PXC Pods | `8Gi` | -| `pxc.disableTLS` | Disable PXC Pod communication with TLS | `false` | -| `pxc.certManager` | Enable this option if you want the operator to request certificates from `cert-manager` | `false` | -| `pxc.readinessProbes.failureThreshold` | When a probe fails, Kubernetes will try failureThreshold times before giving up | `5` | -| `pxc.readinessProbes.initialDelaySeconds` | Number of seconds after the container has started before liveness or readiness probes are initiated | `15` | -| `pxc.readinessProbes.periodSeconds` | How often (in seconds) to perform the probe | `30` | -| `pxc.readinessProbes.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | `1` | -| `pxc.readinessProbes.timeoutSeconds` | Number of seconds after which the probe times out | `15` | -| `pxc.livenessProbes.failureThreshold` | When a probe fails, Kubernetes will try failureThreshold times before giving up | `3` | -| `pxc.livenessProbes.initialDelaySeconds` | Number of seconds after the container has started before liveness or readiness probes are initiated | `300` | -| `pxc.livenessProbes.periodSeconds` | How often (in seconds) to perform the probe | `10` | -| `pxc.livenessProbes.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | `1` | -| `pxc.livenessProbes.timeoutSeconds` | Number of seconds after which the probe times out | `5` | -| `pxc.containerSecurityContext` | A custom Kubernetes Security Context for a Container to be used 
instead of the default one | `{}` | -| `pxc.podSecurityContext` | A custom Kubernetes Security Context for a Pod to be used instead of the default one | `{}` | +| Parameter | Description | Default | +| ------------------------------- | ------------------------------------------------------------------------------|--------------------------------------------------------------------------| +| `crVersion` | Version of the Operator the Custom Resource belongs to | `1.13.0` | +| `ignoreAnnotations` | Operator will not remove following annotations | `[]` | +| `ignoreLabels` | Operator will not remove following labels | `[]` | +| `pause` | Stop PXC Database safely | `false` | +| `allowUnsafeConfigurations` | Allows forbidden configurations like even number of PXC cluster pods | `false` | +| `enableCRValidationWebhook` | Enables or disables schema validation before applying custom resource | `false` | +| `initImage` | An alternative image for the initial Operator installation | `""` | +| `updateStrategy` | Regulates the way how PXC Cluster Pods will be updated after setting a new image | `SmartUpdate` | +| `upgradeOptions.versionServiceEndpoint` | Endpoint for actual PXC Versions provider | `https://check.percona.com/versions` | +| `upgradeOptions.apply` | PXC image to apply from version service - `recommended`, `latest`, actual version like `8.0.19-10.1` | `disabled` | +| `upgradeOptions.schedule` | Cron formatted time to execute the update | `"0 4 * * *"` | +| `finalizers:delete-pxc-pods-in-order` | Set this if you want to delete PXC pods in order on cluster deletion | [] | +| `finalizers:delete-proxysql-pvc` | Set this if you want to delete proxysql persistent volumes on cluster deletion | [] | +| `finalizers:delete-pxc-pvc` | Set this if you want to delete database persistent volumes on cluster deletion | [] | +| `finalizers:delete-ssl` | Deletes objects created for SSL (Secret, certificate, and issuer) after the cluster deletion | [] | +| `tls.SANs` | Additional 
domains (SAN) to be added to the TLS certificate within the extended cert-manager configuration | `[]` | +| `tls.issuerConf.name` | A cert-manager issuer name | `""` | +| `tls.issuerConf.kind` | A cert-manager issuer type | `""` | +| `tls.issuerConf.group` | A cert-manager issuer group | `""` | +| `pxc.size` | PXC Cluster target member (pod) quantity. Can't even if `allowUnsafeConfigurations` is `true` | `3` | +| `pxc.clusterSecretName` | Specify if you want to use custom or Operator generated users secret (if the one specified doesn't exist) | `` | +| `pxc.image.repository` | PXC Container image repository | `percona/percona-xtradb-cluster` | +| `pxc.image.tag` | PXC Container image tag | `8.0.32-24.2` | +| `pxc.imagePullPolicy` | The policy used to update images | `` | +| `pxc.autoRecovery` | Enable full cluster crash auto recovery | `true` | +| `pxc.expose.enabled` | Enable or disable exposing `Percona XtraDB Cluster` nodes with dedicated IP addresses | `true` | +| `pxc.expose.type` | The Kubernetes Service Type used for exposure | `LoadBalancer` | +| `pxc.expose.loadBalancerSourceRanges` | The range of client IP addresses from which the load balancer should be reachable (if not set, there is no limitations) | `10.0.0.0/8` | +| `pxc.expose.annotations` | The Kubernetes annotations | `true` | +| `pxc.replicationChannels.name` | Name of the replication channel for cross-site replication | `pxc1_to_pxc2` | +| `pxc.replicationChannels.isSource` | Should the cluster act as Source (true) or Replica (false) in cross-site replication | `false` | +| `pxc.replicationChannels.sourcesList.host` | For the cross-site replication Replica cluster, this key should contain the hostname or IP address of the Source cluster | `10.95.251.101` | +| `pxc.replicationChannels.sourcesList.port` | For the cross-site replication Replica cluster, this key should contain the Source port number | `3306` | +| `pxc.replicationChannels.sourcesList.weight`| For the cross-site replication Replica 
cluster, this key should contain the Source cluster weight | `100` | +| `pxc.imagePullSecrets` | PXC Container pull secret | `[]` | +| `pxc.annotations` | PXC Pod user-defined annotations | `{}` | +| `pxc.priorityClassName` | PXC Pod priority Class defined by user | | +| `pxc.runtimeClassName` | Name of the Kubernetes Runtime Class for PXC Pods | | +| `pxc.labels` | PXC Pod user-defined labels | `{}` | +| `pxc.schedulerName` | The Kubernetes Scheduler | | +| `pxc.readinessDelaySec` | PXC Pod delay for readiness probe in seconds | `15` | +| `pxc.livenessDelaySec` | PXC Pod delay for liveness probe in seconds | `300` | +| `pxc.configuration` | User defined MySQL options according to MySQL configuration file syntax | `` | +| `pxc.envVarsSecret` | A secret with environment variables | `` | +| `pxc.resources.requests` | PXC Pods resource requests | `{"memory": "1G", "cpu": "600m"}` | +| `pxc.resources.limits` | PXC Pods resource limits | `{}` | +| `pxc.sidecars` | PXC Pods sidecars | `[]` | +| `pxc.sidecarVolumes` | PXC Pods sidecarVolumes | `[]` | +| `pxc.sidecarPVCs` | PXC Pods sidecar PVCs | `[]` | +| `pxc.sidecarResources.requests` | PXC sidecar resource requests | `{}` | +| `pxc.sidecarResources.limits` | PXC sidecar resource limits | `{}` | +| `pxc.nodeSelector` | PXC Pods key-value pairs setting for K8S node assingment | `{}` | +| `pxc.affinity.antiAffinityTopologyKey` | PXC Pods simple scheduling restriction on/off for host, zone, region | `"kubernetes.io/hostname"` | +| `pxc.affinity.advanced` | PXC Pods advanced scheduling restriction with match expression engine | `{}` | +| `pxc.tolerations` | List of node taints to tolerate for PXC Pods | `[]` | +| `pxc.gracePeriod` | Allowed time for graceful shutdown | `600` | +| `pxc.podDisruptionBudget.maxUnavailable` | Instruct Kubernetes about the failed pods allowed quantity | `1` | +| `pxc.persistence.enabled` | Requests a persistent storage (`hostPath` or `storageClass`) from K8S for PXC Pods datadir | `true` | +| 
`pxc.persistence.hostPath` | Sets datadir path on K8S node for all PXC Pods. Available only when `pxc.persistence.enabled: true` | | +| `pxc.persistence.storageClass` | Sets K8S storageClass name for all PXC Pods PVC. Available only when `pxc.persistence.enabled: true` | `-` | +| `pxc.persistence.accessMode` | Sets K8S persistent storage access policy for all PXC Pods | `ReadWriteOnce` | +| `pxc.persistence.size` | Sets K8S persistent storage size for all PXC Pods | `8Gi` | +| `pxc.disableTLS` | Disable PXC Pod communication with TLS | `false` | +| `pxc.certManager` | Enable this option if you want the operator to request certificates from `cert-manager` | `false` | +| `pxc.readinessProbes.failureThreshold` | When a probe fails, Kubernetes will try failureThreshold times before giving up | `5` | +| `pxc.readinessProbes.initialDelaySeconds` | Number of seconds after the container has started before liveness or readiness probes are initiated | `15` | +| `pxc.readinessProbes.periodSeconds` | How often (in seconds) to perform the probe | `30` | +| `pxc.readinessProbes.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | `1` | +| `pxc.readinessProbes.timeoutSeconds` | Number of seconds after which the probe times out | `15` | +| `pxc.livenessProbes.failureThreshold` | When a probe fails, Kubernetes will try failureThreshold times before giving up | `3` | +| `pxc.livenessProbes.initialDelaySeconds` | Number of seconds after the container has started before liveness or readiness probes are initiated | `300` | +| `pxc.livenessProbes.periodSeconds` | How often (in seconds) to perform the probe | `10` | +| `pxc.livenessProbes.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | `1` | +| `pxc.livenessProbes.timeoutSeconds` | Number of seconds after which the probe times out | `5` | +| `pxc.containerSecurityContext` | A custom Kubernetes Security Context 
for a Container to be used instead of the default one | `{}` | +| `pxc.podSecurityContext` | A custom Kubernetes Security Context for a Pod to be used instead of the default one | `{}` | | | -| `haproxy.enabled` | Use HAProxy as TCP proxy for PXC cluster | `true` | -| `haproxy.size` | HAProxy target pod quantity. Can't even if `allowUnsafeConfigurations` is `true` | `3` | -| `haproxy.image` | HAProxy Container image repository | `percona/percona-xtradb-cluster-operator:1.13.0-haproxy` | -| `haproxy.imagePullPolicy` | The policy used to update images | `` | -| `haproxy.imagePullSecrets` | HAProxy Container pull secret | `[]` | -| `haproxy.configuration` | User defined HAProxy options according to HAProxy configuration file syntax | `` | -| `haproxy.priorityClassName` | HAProxy Pod priority Class defined by user | | -| `haproxy.runtimeClassName` | Name of the Kubernetes Runtime Class for HAProxy Pods | | -| `haproxy.externalTrafficPolicy` | Desire service to route external traffic for HAProxy to node-local or cluster-wide endpoints | | -| `haproxy.loadBalancerSourceRanges` | Limit which client IP's can access the Network Load Balancer | `[]` | -| `haproxy.loadBalancerIP` | The static IP-address for the load balancer | `` | -| `haproxy.serviceType` | Specify what kind of Service you want for HAProxy | `ClusterIP` | -| `haproxy.replicasServiceEnabled` | Allow disabling k8s service for haproxy-replicas | `true` | -| `haproxy.replicasLoadBalancerSourceRanges` | Limit which client IP's can access the Network Load Balancer for HAProxy Replicas | `[]` | -| `haproxy.replicasLoadBalancerIP` | The static IP-address for the load balancer for HAProxy Replicas | `` | -| `haproxy.replicasServiceType` | Specify what kind of Service you want for HAProxy Replicas | `ClusterIP` | -| `haproxy.replicasExternalTrafficPolicy` | Desire service to route external traffic for HAProxy replicas to node-local or cluster-wide endpoints | | -| `haproxy.replicasServiceAnnotations` | The Kubernetes 
annotations metadata for the haproxy-replicas Service | {} | -| `haproxy.replicasServiceLabels` | The Kubernetes labels for the haproxy-replicas Service | {} | -| `haproxy.serviceAnnotations` | Specify service annotations | `{}` | -| `haproxy.serviceLabels` | Specify service labels | `{}` | -| `haproxy.annotations` | HAProxy Pod user-defined annotations | `{}` | -| `haproxy.labels` | HAProxy Pod user-defined labels | `{}` | -| `haproxy.schedulerName` | The Kubernetes Scheduler | | -| `haproxy.readinessDelaySec` | HAProxy Pod delay for readiness probe in seconds | `15` | -| `haproxy.livenessDelaySec` | HAProxy Pod delay for liveness probe in seconds | `300` | -| `haproxy.envVarsSecret` | A secret with environment variables | `` | -| `haproxy.resources.requests` | HAProxy Pods resource requests | `{"memory": "1G", "cpu": "600m"}` | -| `haproxy.resources.limits` | HAProxy Pods resource limits | `{}` | -| `haproxy.sidecars` | HAProxy Pods sidecars | `[]` | -| `haproxy.sidecarVolumes` | HAProxy Pods sidecarVolumes | `[]` | -| `haproxy.sidecarPVCs` | HAProxy Pods sidecar PVCs | `[]` | -| `haproxy.sidecarResources.requests` | HAProxy sidecar resource requests | `{}` | -| `haproxy.sidecarResources.limits` | HAProxy sidecar resource limits | `{}` | -| `haproxy.nodeSelector` | HAProxy Pods key-value pairs setting for K8S node assingment | `{}` | -| `haproxy.affinity.antiAffinityTopologyKey` | HAProxy Pods simple scheduling restriction on/off for host, zone, region | `"kubernetes.io/hostname"` | -| `haproxy.affinity.advanced` | HAProxy Pods advanced scheduling restriction with match expression engine | `{}` | -| `haproxy.tolerations` | List of node taints to tolerate for HAProxy Pods | `[]` | -| `haproxy.gracePeriod` | Allowed time for graceful shutdown | `600` | -| `haproxy.podDisruptionBudget.maxUnavailable` | Instruct Kubernetes about the failed pods allowed quantity | `1` | -| `haproxy.readinessProbes.failureThreshold` | When a probe fails, Kubernetes will try 
failureThreshold times before giving up | `5` | -| `haproxy.readinessProbes.initialDelaySeconds` | Number of seconds after the container has started before liveness or readiness probes are initiated | `15` | -| `haproxy.readinessProbes.periodSeconds` | How often (in seconds) to perform the probe | `30` | -| `haproxy.readinessProbes.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | `1` | -| `haproxy.readinessProbes.timeoutSeconds` | Number of seconds after which the probe times out | `15` | -| `haproxy.livenessProbes.failureThreshold` | When a probe fails, Kubernetes will try failureThreshold times before giving up | `3` | -| `haproxy.livenessProbes.initialDelaySeconds` | Number of seconds after the container has started before liveness or readiness probes are initiated | `300` | -| `haproxy.livenessProbes.periodSeconds` | How often (in seconds) to perform the probe | `10` | -| `haproxy.livenessProbes.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | `1` | -| `haproxy.livenessProbes.timeoutSeconds` | Number of seconds after which the probe times out | `5` | -| `haproxy.containerSecurityContext` | A custom Kubernetes Security Context for a Container to be used instead of the default one | `{}` | -| `haproxy.podSecurityContext` | A custom Kubernetes Security Context for a Pod to be used instead of the default one | `{}` | +| `haproxy.enabled` | Use HAProxy as TCP proxy for PXC cluster | `true` | +| `haproxy.size` | HAProxy target pod quantity. 
Can't even if `allowUnsafeConfigurations` is `true` | `3` | +| `haproxy.image` | HAProxy Container image repository | `percona/percona-xtradb-cluster-operator:1.13.0-haproxy` | +| `haproxy.imagePullPolicy` | The policy used to update images | `` | +| `haproxy.imagePullSecrets` | HAProxy Container pull secret | `[]` | +| `haproxy.configuration` | User defined HAProxy options according to HAProxy configuration file syntax | `` | +| `haproxy.priorityClassName` | HAProxy Pod priority Class defined by user | | +| `haproxy.runtimeClassName` | Name of the Kubernetes Runtime Class for HAProxy Pods | | +| `haproxy.externalTrafficPolicy` | Desire service to route external traffic for HAProxy to node-local or cluster-wide endpoints | | +| `haproxy.loadBalancerSourceRanges` | Limit which client IP's can access the Network Load Balancer | `[]` | +| `haproxy.loadBalancerIP` | The static IP-address for the load balancer | `` | +| `haproxy.serviceType` | Specify what kind of Service you want for HAProxy | `ClusterIP` | +| `haproxy.replicasServiceEnabled` | Allow disabling k8s service for haproxy-replicas | `true` | +| `haproxy.replicasLoadBalancerSourceRanges` | Limit which client IP's can access the Network Load Balancer for HAProxy Replicas | `[]` | +| `haproxy.replicasLoadBalancerIP` | The static IP-address for the load balancer for HAProxy Replicas | `` | +| `haproxy.replicasServiceType` | Specify what kind of Service you want for HAProxy Replicas | `ClusterIP` | +| `haproxy.replicasExternalTrafficPolicy` | Desire service to route external traffic for HAProxy replicas to node-local or cluster-wide endpoints | | +| `haproxy.replicasServiceAnnotations` | The Kubernetes annotations metadata for the haproxy-replicas Service | {} | +| `haproxy.replicasServiceLabels` | The Kubernetes labels for the haproxy-replicas Service | {} | +| `haproxy.serviceAnnotations` | Specify service annotations | `{}` | +| `haproxy.serviceLabels` | Specify service labels | `{}` | +| 
`haproxy.annotations` | HAProxy Pod user-defined annotations | `{}` | +| `haproxy.labels` | HAProxy Pod user-defined labels | `{}` | +| `haproxy.schedulerName` | The Kubernetes Scheduler | | +| `haproxy.readinessDelaySec` | HAProxy Pod delay for readiness probe in seconds | `15` | +| `haproxy.livenessDelaySec` | HAProxy Pod delay for liveness probe in seconds | `300` | +| `haproxy.envVarsSecret` | A secret with environment variables | `` | +| `haproxy.resources.requests` | HAProxy Pods resource requests | `{"memory": "1G", "cpu": "600m"}` | +| `haproxy.resources.limits` | HAProxy Pods resource limits | `{}` | +| `haproxy.sidecars` | HAProxy Pods sidecars | `[]` | +| `haproxy.sidecarVolumes` | HAProxy Pods sidecarVolumes | `[]` | +| `haproxy.sidecarPVCs` | HAProxy Pods sidecar PVCs | `[]` | +| `haproxy.sidecarResources.requests` | HAProxy sidecar resource requests | `{}` | +| `haproxy.sidecarResources.limits` | HAProxy sidecar resource limits | `{}` | +| `haproxy.nodeSelector` | HAProxy Pods key-value pairs setting for K8S node assingment | `{}` | +| `haproxy.affinity.antiAffinityTopologyKey` | HAProxy Pods simple scheduling restriction on/off for host, zone, region | `"kubernetes.io/hostname"` | +| `haproxy.affinity.advanced` | HAProxy Pods advanced scheduling restriction with match expression engine | `{}` | +| `haproxy.tolerations` | List of node taints to tolerate for HAProxy Pods | `[]` | +| `haproxy.gracePeriod` | Allowed time for graceful shutdown | `600` | +| `haproxy.podDisruptionBudget.maxUnavailable` | Instruct Kubernetes about the failed pods allowed quantity | `1` | +| `haproxy.readinessProbes.failureThreshold` | When a probe fails, Kubernetes will try failureThreshold times before giving up | `5` | +| `haproxy.readinessProbes.initialDelaySeconds` | Number of seconds after the container has started before liveness or readiness probes are initiated | `15` | +| `haproxy.readinessProbes.periodSeconds` | How often (in seconds) to perform the probe | `30` | 
+| `haproxy.readinessProbes.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | `1` | +| `haproxy.readinessProbes.timeoutSeconds` | Number of seconds after which the probe times out | `15` | +| `haproxy.livenessProbes.failureThreshold` | When a probe fails, Kubernetes will try failureThreshold times before giving up | `3` | +| `haproxy.livenessProbes.initialDelaySeconds` | Number of seconds after the container has started before liveness or readiness probes are initiated | `300` | +| `haproxy.livenessProbes.periodSeconds` | How often (in seconds) to perform the probe | `10` | +| `haproxy.livenessProbes.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | `1` | +| `haproxy.livenessProbes.timeoutSeconds` | Number of seconds after which the probe times out | `5` | +| `haproxy.containerSecurityContext` | A custom Kubernetes Security Context for a Container to be used instead of the default one | `{}` | +| `haproxy.podSecurityContext` | A custom Kubernetes Security Context for a Pod to be used instead of the default one | `{}` | | | -| `proxysql.enabled` | Use ProxySQL as TCP proxy for PXC cluster | `false` | -| `proxysql.size` | ProxySQL target pod quantity. 
Can't even if `allowUnsafeConfigurations` is `true` | `3` | -| `proxysql.image` | ProxySQL Container image | `percona/percona-xtradb-cluster-operator:1.13.0-proxysql` | -| `proxysql.imagePullPolicy` | The policy used to update images | `` | -| `proxysql.imagePullSecrets` | ProxySQL Container pull secret | `[]` | -| `proxysql.configuration` | User defined ProxySQL options according to ProxySQL configuration file syntax | `` | -| `proxysql.priorityClassName` | ProxySQL Pod priority Class defined by user | | -| `proxysql.runtimeClassName` | Name of the Kubernetes Runtime Class for ProxySQL Pods | | -| `proxysql.externalTrafficPolicy` | Desire service to route external traffic to node-local or cluster-wide endpoints | | -| `proxysql.loadBalancerSourceRanges` | Limit which client IP's can access the Network Load Balancer | `[]` | -| `proxysql.loadBalancerIP` | The static IP-address for the load balancer | `` | -| `proxysql.serviceType` | Specify what kind of Service you want | `ClusterIP` | -| `proxysql.serviceAnnotations` | Specify service annotations | `{}` | -| `proxysql.serviceLabels` | Specify service labels | `{}` | -| `proxysql.annotations` | ProxySQL Pod user-defined annotations | `{}` | -| `proxysql.labels` | ProxySQL Pod user-defined labels | `{}` | -| `proxysql.schedulerName` | The Kubernetes Scheduler | | -| `proxysql.readinessDelaySec` | ProxySQL Pod delay for readiness probe in seconds | `15` | -| `proxysql.livenessDelaySec` | ProxySQL Pod delay for liveness probe in seconds | `300` | -| `proxysql.envVarsSecret` | A secret with environment variables | `` | -| `proxysql.resources.requests` | ProxySQL Pods resource requests | `{"memory": "1G", "cpu": "600m"}` | -| `proxysql.resources.limits` | ProxySQL Pods resource limits | `{}` | -| `proxysql.sidecars` | ProxySQL Pods sidecars | `[]` | -| `proxysql.sidecarVolumes` | ProxySQL Pods sidecarVolumes | `[]` | -| `proxysql.sidecarPVCs` | ProxySQL Pods sidecar PVCs | `[]` | -| `proxysql.sidecarResources.requests` 
| ProxySQL sidecar resource requests | `{}` | -| `proxysql.sidecarResources.limits` | ProxySQL sidecar resource limits | `{}` | -| `proxysql.nodeSelector` | ProxySQL Pods key-value pairs setting for K8S node assingment | `{}` | -| `proxysql.affinity.antiAffinityTopologyKey` | ProxySQL Pods simple scheduling restriction on/off for host, zone, region | `"kubernetes.io/hostname"` | -| `proxysql.affinity.advanced` | ProxySQL Pods advanced scheduling restriction with match expression engine | `{}` | -| `proxysql.tolerations` | List of node taints to tolerate for ProxySQL Pods | `[]` | -| `proxysql.gracePeriod` | Allowed time for graceful shutdown | `600` | -| `proxysql.podDisruptionBudget.maxUnavailable` | Instruct Kubernetes about the failed pods allowed quantity | `1` | -| `proxysql.persistence.enabled` | Requests a persistent storage (`hostPath` or `storageClass`) from K8S for ProxySQL Pods | `true` | -| `proxysql.persistence.hostPath` | Sets datadir path on K8S node for all ProxySQL Pods. Available only when `proxysql.persistence.enabled: true` | | -| `proxysql.persistence.storageClass` | Sets K8S storageClass name for all ProxySQL Pods PVC. Available only when `proxysql.persistence.enabled: true` | `-` | -| `proxysql.persistence.accessMode` | Sets K8S persistent storage access policy for all ProxySQL Pods | `ReadWriteOnce` | -| `proxysql.persistence.size` | Sets K8S persistent storage size for all ProxySQL Pods | `8Gi` | -| `proxysql.containerSecurityContext` | A custom Kubernetes Security Context for a Container to be used instead of the default one | `{}` | -| `proxysql.podSecurityContext` | A custom Kubernetes Security Context for a Pod to be used instead of the default one | `{}` | +| `proxysql.enabled` | Use ProxySQL as TCP proxy for PXC cluster | `false` | +| `proxysql.size` | ProxySQL target pod quantity. 
Can't even if `allowUnsafeConfigurations` is `true` | `3` | +| `proxysql.image` | ProxySQL Container image | `percona/percona-xtradb-cluster-operator:1.13.0-proxysql` | +| `proxysql.imagePullPolicy` | The policy used to update images | `` | +| `proxysql.imagePullSecrets` | ProxySQL Container pull secret | `[]` | +| `proxysql.configuration` | User defined ProxySQL options according to ProxySQL configuration file syntax | `` | +| `proxysql.priorityClassName` | ProxySQL Pod priority Class defined by user | | +| `proxysql.runtimeClassName` | Name of the Kubernetes Runtime Class for ProxySQL Pods | | +| `proxysql.externalTrafficPolicy` | Desire service to route external traffic to node-local or cluster-wide endpoints | | +| `proxysql.loadBalancerSourceRanges` | Limit which client IP's can access the Network Load Balancer | `[]` | +| `proxysql.loadBalancerIP` | The static IP-address for the load balancer | `` | +| `proxysql.serviceType` | Specify what kind of Service you want | `ClusterIP` | +| `proxysql.serviceAnnotations` | Specify service annotations | `{}` | +| `proxysql.serviceLabels` | Specify service labels | `{}` | +| `proxysql.annotations` | ProxySQL Pod user-defined annotations | `{}` | +| `proxysql.labels` | ProxySQL Pod user-defined labels | `{}` | +| `proxysql.schedulerName` | The Kubernetes Scheduler | | +| `proxysql.readinessDelaySec` | ProxySQL Pod delay for readiness probe in seconds | `15` | +| `proxysql.livenessDelaySec` | ProxySQL Pod delay for liveness probe in seconds | `300` | +| `proxysql.envVarsSecret` | A secret with environment variables | `` | +| `proxysql.resources.requests` | ProxySQL Pods resource requests | `{"memory": "1G", "cpu": "600m"}` | +| `proxysql.resources.limits` | ProxySQL Pods resource limits | `{}` | +| `proxysql.sidecars` | ProxySQL Pods sidecars | `[]` | +| `proxysql.sidecarVolumes` | ProxySQL Pods sidecarVolumes | `[]` | +| `proxysql.sidecarPVCs` | ProxySQL Pods sidecar PVCs | `[]` | +| `proxysql.sidecarResources.requests` 
| ProxySQL sidecar resource requests | `{}` | +| `proxysql.sidecarResources.limits` | ProxySQL sidecar resource limits | `{}` | +| `proxysql.nodeSelector` | ProxySQL Pods key-value pairs setting for K8S node assingment | `{}` | +| `proxysql.affinity.antiAffinityTopologyKey` | ProxySQL Pods simple scheduling restriction on/off for host, zone, region | `"kubernetes.io/hostname"` | +| `proxysql.affinity.advanced` | ProxySQL Pods advanced scheduling restriction with match expression engine | `{}` | +| `proxysql.tolerations` | List of node taints to tolerate for ProxySQL Pods | `[]` | +| `proxysql.gracePeriod` | Allowed time for graceful shutdown | `600` | +| `proxysql.podDisruptionBudget.maxUnavailable` | Instruct Kubernetes about the failed pods allowed quantity | `1` | +| `proxysql.persistence.enabled` | Requests a persistent storage (`hostPath` or `storageClass`) from K8S for ProxySQL Pods | `true` | +| `proxysql.persistence.hostPath` | Sets datadir path on K8S node for all ProxySQL Pods. Available only when `proxysql.persistence.enabled: true` | | +| `proxysql.persistence.storageClass` | Sets K8S storageClass name for all ProxySQL Pods PVC. 
Available only when `proxysql.persistence.enabled: true` | `-` | +| `proxysql.persistence.accessMode` | Sets K8S persistent storage access policy for all ProxySQL Pods | `ReadWriteOnce` | +| `proxysql.persistence.size` | Sets K8S persistent storage size for all ProxySQL Pods | `8Gi` | +| `proxysql.containerSecurityContext` | A custom Kubernetes Security Context for a Container to be used instead of the default one | `{}` | +| `proxysql.podSecurityContext` | A custom Kubernetes Security Context for a Pod to be used instead of the default one | `{}` | | | -| `logcollector.enabled` | Enable log collector container | `true` | -| `logcollector.image` | Log collector image repository | `percona/percona-xtradb-cluster-operator:1.13.0-logcollector` | -| `logcollector.imagePullSecrets` | Log collector pull secret | `[]` | -| `logcollector.imagePullPolicy` | The policy used to update images | `` | -| `logcollector.configuration` | User defined configuration for logcollector | `` | -| `logcollector.resources.requests` | Log collector resource requests | `{"memory": "100M", "cpu": "200m"}` | -| `logcollector.resources.limits` | Log collector resource limits | `{}` | +| `logcollector.enabled` | Enable log collector container | `true` | +| `logcollector.image` | Log collector image repository | `percona/percona-xtradb-cluster-operator:1.13.0-logcollector` | +| `logcollector.imagePullSecrets` | Log collector pull secret | `[]` | +| `logcollector.imagePullPolicy` | The policy used to update images | `` | +| `logcollector.configuration` | User defined configuration for logcollector | `` | +| `logcollector.resources.requests` | Log collector resource requests | `{"memory": "100M", "cpu": "200m"}` | +| `logcollector.resources.limits` | Log collector resource limits | `{}` | | | -| `pmm.enabled` | Enable integration with [Percona Monitoring and Management software](https://www.percona.com/doc/kubernetes-operator-for-pxc/monitoring.html) | `false` | -| `pmm.image.repository` | PMM 
Container image repository | `percona/pmm-client` | -| `pmm.image.tag` | PMM Container image tag | `2.38.0` | -| `pmm.imagePullSecrets` | PMM Container pull secret | `[]` | -| `pmm.imagePullPolicy` | The policy used to update images | `` | -| `pmm.serverHost` | PMM server related K8S service hostname | `monitoring-service` | -| `pmm.serverUser` | Username for accessing PXC database internals | `admin` | -| `pmm.resources.requests` | PMM Container resource requests | `{"memory": "150M", "cpu": "300m"}` | -| `pmm.resources.limits` | PMM Container resource limits | `{}` | +| `pmm.enabled` | Enable integration with [Percona Monitoring and Management software](https://www.percona.com/doc/kubernetes-operator-for-pxc/monitoring.html) | `false` | +| `pmm.image.repository` | PMM Container image repository | `percona/pmm-client` | +| `pmm.image.tag` | PMM Container image tag | `2.41.0` | +| `pmm.imagePullSecrets` | PMM Container pull secret | `[]` | +| `pmm.imagePullPolicy` | The policy used to update images | `` | +| `pmm.serverHost` | PMM server related K8S service hostname | `monitoring-service` | +| `pmm.serverUser` | Username for accessing PXC database internals | `admin` | +| `pmm.resources.requests` | PMM Container resource requests | `{"memory": "150M", "cpu": "300m"}` | +| `pmm.resources.limits` | PMM Container resource limits | `{}` | | | -| `backup.enabled` | Enables backups for PXC cluster | `true` | -| `backup.allowParallel` | Allow taking multiple backups in parallel | `true` | +| `backup.enabled` | Enables backups for PXC cluster | `true` | +| `backup.allowParallel` | Allow taking multiple backups in parallel | `true` | | `backup.image` | Backup Container image | `percona/percona-xtradb-cluster-operator:1.13.0-pxc8.0-backup-pxb8.0.32` | -| `backup.backoffLimit` | The number of retries to make a backup | `10` | -| `backup.imagePullSecrets` | Backup Container pull secret | `[]` | -| `backup.imagePullPolicy` | The policy used to update images | `` | -| 
`backup.pitr.enabled` | Enable point in time recovery | `false` | -| `backup.pitr.storageName` | Storage name for PITR | `s3-us-west-binlogs` | -| `backup.pitr.timeBetweenUploads` | Time between uploads for PITR | `60` | -| `backup.pitr.resources.requests` | PITR Container resource requests | `{}` | -| `backup.pitr.resources.limits` | PITR Container resource limits | `{}` | -| `backup.storages.fs-pvc` | Backups storage configuration, where `storages:` is a high-level key for the underlying structure. `fs-pvc` is a user-defined storage name. | | -| `backup.storages.fs-pvc.type` | Backup storage type | `filysystem` | -| `backup.storages.fs-pvc.verifyTLS` | Enable or disable verification of the storage server TLS certificate | `true` | -| `backup.storages.fs-pvc.volume.persistentVolumeClaim.accessModes` | Backup PVC access policy | `["ReadWriteOnce"]` | -| `backup.storages.fs-pvc.volume.persistentVolumeClaim.resources` | Backup Pod resources specification | `{}` | -| `backup.storages.fs-pvc.volume.persistentVolumeClaim.resources.requests.storage` | Backup Pod datadir backups size | `6Gi` | -| `backup.schedule` | Backup execution timetable | `[]` | -| `backup.schedule.0.name` | Backup execution timetable name | `daily-backup` | -| `backup.schedule.0.schedule` | Backup execution timetable cron timing | `0 0 * * *` | -| `backup.schedule.0.keep` | Backup items to keep | `5` | -| `backup.schedule.0.storageName` | Backup target storage | `fs-pvc` | +| `backup.backoffLimit` | The number of retries to make a backup | `10` | +| `backup.imagePullSecrets` | Backup Container pull secret | `[]` | +| `backup.imagePullPolicy` | The policy used to update images | `` | +| `backup.pitr.enabled` | Enable point in time recovery | `false` | +| `backup.pitr.storageName` | Storage name for PITR | `s3-us-west-binlogs` | +| `backup.pitr.timeBetweenUploads` | Time between uploads for PITR | `60` | +| `backup.pitr.resources.requests` | PITR Container resource requests | `{}` | +| 
`backup.pitr.resources.limits` | PITR Container resource limits | `{}` | +| `backup.storages.fs-pvc` | Backups storage configuration, where `storages:` is a high-level key for the underlying structure. `fs-pvc` is a user-defined storage name. | | +| `backup.storages.fs-pvc.type` | Backup storage type | `filysystem` | +| `backup.storages.fs-pvc.verifyTLS` | Enable or disable verification of the storage server TLS certificate | `true` | +| `backup.storages.fs-pvc.volume.persistentVolumeClaim.accessModes` | Backup PVC access policy | `["ReadWriteOnce"]` | +| `backup.storages.fs-pvc.volume.persistentVolumeClaim.resources` | Backup Pod resources specification | `{}` | +| `backup.storages.fs-pvc.volume.persistentVolumeClaim.resources.requests.storage` | Backup Pod datadir backups size | `6Gi` | +| `backup.schedule` | Backup execution timetable | `[]` | +| `backup.schedule.0.name` | Backup execution timetable name | `daily-backup` | +| `backup.schedule.0.schedule` | Backup execution timetable cron timing | `0 0 * * *` | +| `backup.schedule.0.keep` | Backup items to keep | `5` | +| `backup.schedule.0.storageName` | Backup target storage | `fs-pvc` | | | -| `secrets.passwords.root` | Default user secret | `insecure-root-password` | -| `secrets.passwords.xtrabackup` | Default user secret | `insecure-xtrabackup-password` | -| `secrets.passwords.monitor` | Default user secret | `insecure-monitor-password` | -| `secrets.passwords.clustercheck` | Default user secret | `insecure-clustercheck-password` | -| `secrets.passwords.proxyadmin` | Default user secret | `insecure-proxyadmin-password` | -| `secrets.passwords.pmmserver` | Default user secret | `insecure-pmmserver-password` | -| `secrets.passwords.pmmserverkey` | PMM server API key | `` | -| `secrets.passwords.operator` | Default user secret | `insecure-operator-password` | -| `secrets.passwords.replication` | Default user secret | `insecure-replication-password` | -| `secrets.tls.cluster` | Specify secret name for TLS. 
Not needed in case if you're using cert-manager. Structure expects keys `ca.crt`, `tls.crt`, `tls.key` and files contents encoded in base64. | `` | -| `secrets.tls.internal` | Specify internal secret name for TLS. | `` | -| `secrets.logCollector` | Specify secret name used for Fluent Bit Log Collector | `` | -| `secrets.vault` | Specify secret name used for HashiCorp Vault to carry on Data at Rest Encryption | `` | +| `secrets.passwords.root` | Default user secret | `insecure-root-password` | +| `secrets.passwords.xtrabackup` | Default user secret | `insecure-xtrabackup-password` | +| `secrets.passwords.monitor` | Default user secret | `insecure-monitor-password` | +| `secrets.passwords.clustercheck` | Default user secret | `insecure-clustercheck-password` | +| `secrets.passwords.proxyadmin` | Default user secret | `insecure-proxyadmin-password` | +| `secrets.passwords.pmmserver` | Default user secret | `insecure-pmmserver-password` | +| `secrets.passwords.pmmserverkey` | PMM server API key | `` | +| `secrets.passwords.operator` | Default user secret | `insecure-operator-password` | +| `secrets.passwords.replication` | Default user secret | `insecure-replication-password` | +| `secrets.tls.cluster` | Specify secret name for TLS. Not needed in case if you're using cert-manager. Structure expects keys `ca.crt`, `tls.crt`, `tls.key` and files contents encoded in base64. | `` | +| `secrets.tls.internal` | Specify internal secret name for TLS. | `` | +| `secrets.logCollector` | Specify secret name used for Fluent Bit Log Collector | `` | +| `secrets.vault` | Specify secret name used for HashiCorp Vault to carry on Data at Rest Encryption | `` | Specify parameters using `--set key=value[,key=value]` argument to `helm install` diff --git a/charts/percona/pxc-db/templates/cluster.yaml b/charts/percona/pxc-db/templates/cluster.yaml index a967aaa55..2d47ce491 100644 --- a/charts/percona/pxc-db/templates/cluster.yaml +++ b/charts/percona/pxc-db/templates/cluster.yaml 
@@ -462,6 +462,10 @@ spec: image: {{ $pmm.image.repository }}:{{ $pmm.image.tag }} {{- if $pmm.imagePullPolicy }} imagePullPolicy: {{ $pmm.imagePullPolicy }} + {{- end }} + {{- if $pmm.containerSecurityContext }} + containerSecurityContext: +{{ tpl ($pmm.containerSecurityContext | toYaml) $ | indent 6 }} {{- end }} {{- if $pmm.imagePullSecrets }} imagePullSecrets: diff --git a/charts/percona/pxc-db/values.yaml b/charts/percona/pxc-db/values.yaml index ff40d3ee8..e967e9753 100644 --- a/charts/percona/pxc-db/values.yaml +++ b/charts/percona/pxc-db/values.yaml @@ -472,7 +472,7 @@ pmm: enabled: false image: repository: percona/pmm-client - tag: 2.38.0 + tag: 2.41.0 # imagePullPolicy: Always imagePullSecrets: [] serverHost: monitoring-service diff --git a/charts/redpanda/redpanda/Chart.lock b/charts/redpanda/redpanda/Chart.lock index 1f085e07c..cae70a288 100644 --- a/charts/redpanda/redpanda/Chart.lock +++ b/charts/redpanda/redpanda/Chart.lock @@ -1,9 +1,9 @@ dependencies: - name: console repository: https://charts.redpanda.com - version: 0.7.11 + version: 0.7.15 - name: connectors repository: https://charts.redpanda.com version: 0.1.9 -digest: sha256:81d74e8318d950386c72f6fd6638c09e2e589ef4fc06b3568d419ce4ee9d3e90 -generated: "2023-11-28T14:45:50.048627102Z" +digest: sha256:d9d9bb5d4dec4343bd82050f4ef32270fa99a453ab8567728e63f0862128fe54 +generated: "2024-01-12T13:44:28.692012451Z" diff --git a/charts/redpanda/redpanda/Chart.yaml b/charts/redpanda/redpanda/Chart.yaml index 7414108db..17f487251 100644 --- a/charts/redpanda/redpanda/Chart.yaml +++ b/charts/redpanda/redpanda/Chart.yaml @@ -1,7 +1,7 @@ annotations: artifacthub.io/images: | - name: redpanda - image: docker.redpanda.com/redpandadata/redpanda:v23.2.17 + image: docker.redpanda.com/redpandadata/redpanda:v23.3.1 - name: busybox image: busybox:latest - name: mintel/docker-alpine-bash-curl-jq 
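Review bot: The new `pmm.containerSecurityContext` value read by the added `{{- if $pmm.containerSecurityContext }}` block is not documented anywhere visible in this commit. The `pmm.*` rows of the README table have no entry for it, and the part of the `pmm:` section of values.yaml shown in the next hunk does not mention it either. I would add a commented example to values.yaml, such as `# containerSecurityContext:` followed by `#   privileged: false`, plus a README row next to `pmm.resources.limits`, so operators can find the hardening knob. The value is also passed through `tpl`, so template expressions inside it are evaluated, which deserves a one-line comment. The enclosing `pmm:` block starts and ends outside the hunk, and the original indentation is lost on this page, so `indent 6` could not be checked against the neighbouring keys.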
@@ -17,7 +17,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.21-0' catalog.cattle.io/release-name: redpanda apiVersion: v2 -appVersion: v23.2.17 +appVersion: v23.3.1 dependencies: - condition: console.enabled name: console @@ -37,4 +37,4 @@ name: redpanda sources: - https://github.com/redpanda-data/helm-charts type: application -version: 5.6.51 +version: 5.7.7 diff --git a/charts/redpanda/redpanda/README.md b/charts/redpanda/redpanda/README.md index f3d576ce7..f6c939e30 100644 --- a/charts/redpanda/redpanda/README.md +++ b/charts/redpanda/redpanda/README.md 
@@ -3,14 +3,14 @@ description: Find the default values and descriptions of settings in the Redpanda Helm chart. --- -![Version: 5.6.37](https://img.shields.io/badge/Version-5.6.37-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v23.2.13](https://img.shields.io/badge/AppVersion-v23.2.13-informational?style=flat-square) +![Version: 5.7.4](https://img.shields.io/badge/Version-5.7.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v23.3.1](https://img.shields.io/badge/AppVersion-v23.3.1-informational?style=flat-square) This page describes the official Redpanda Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/redpanda/values.yaml). Each of the settings is listed and described on this page, along with any default values. For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to the [deployment documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-deploy/). ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) +Autogenerated from chart metadata using [helm-docs v1.11.3](https://github.com/norwoodj/helm-docs/releases/v1.11.3) ## Source Code 
@@ -33,6 +33,70 @@ Affinity constraints for scheduling Pods, can override this for StatefulSets and **Default:** `{}` +### [auditLogging](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging) + +Audit logging for a redpanda cluster, must have enabled sasl and have one kafka listener supporting sasl authentication for audit logging to work. Note this feature is only available for redpanda versions >= v23.3.0. + +**Default:** + +``` +{"clientMaxBufferSize":16777216,"enabled":false,"enabledEventTypes":null,"excludedPrincipals":null,"excludedTopics":null,"listener":"internal","partitions":12,"queueDrainIntervalMs":500,"queueMaxBufferSizePerShard":1048576} +``` + +### [auditLogging.clientMaxBufferSize](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.clientMaxBufferSize) + +Defines the number of bytes (in bytes) allocated by the internal audit client for audit messages. + +**Default:** `16777216` + +### [auditLogging.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.enabled) + +Enable or disable audit logging, for production clusters we suggest you enable, however, this will only work if you also enable sasl and a listener with sasl enabled. + +**Default:** `false` + +### [auditLogging.enabledEventTypes](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.enabledEventTypes) + +Event types that should be captured by audit logs, default is ["admin", "authenticate", "management"]. + +**Default:** `nil` + +### [auditLogging.excludedPrincipals](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.excludedPrincipals) + +List of principals to exclude from auditing, default is null. 
+ +**Default:** `nil` + +### [auditLogging.excludedTopics](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.excludedTopics) + +List of topics to exclude from auditing, default is null. + +**Default:** `nil` + +### [auditLogging.listener](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.listener) + +Kafka listener name, note that it must have `authenticationMethod` set to sasl 'internal' if using internal listener, else use external listener name, e.g., default. + +**Default:** `"internal"` + +### [auditLogging.partitions](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.partitions) + +Integer value defining the number of partitions used by a newly created audit topic. + +**Default:** `12` + +### [auditLogging.queueDrainIntervalMs](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.queueDrainIntervalMs) + +In ms, frequency in which per shard audit logs are batched to client for write to audit log. + +**Default:** `500` + +### [auditLogging.queueMaxBufferSizePerShard](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.queueMaxBufferSizePerShard) + +Defines the maximum amount of memory used (in bytes) by the audit buffer in each shard. + +**Default:** `1048576` + ### [auth](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth) Authentication settings. For details, see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/). 
@@ -533,7 +597,7 @@ Annotations to add to the `rbac` resources. ### [rbac.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac.enabled) -Enable for features that need extra privileges. +Enable for features that need extra privileges. If you use the Redpanda Operator, you must deploy it with the `--set rbac.createRPKBundleCRs=true` flag to give it the required ClusterRoles. **Default:** `false` @@ -647,6 +711,22 @@ Additional annotations to apply to the Pods of this StatefulSet. **Default:** `""` +### [statefulset.initContainers.fsValidator.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.enabled) + +**Default:** `false` + +### [statefulset.initContainers.fsValidator.expectedFS](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.expectedFS) + +**Default:** `"xfs"` + +### [statefulset.initContainers.fsValidator.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.initContainers.fsValidator.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.resources) + +**Default:** `{}` + ### [statefulset.initContainers.setDataDirOwnership.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setDataDirOwnership.enabled) In environments where root is not allowed, you cannot change the ownership of files and directories. Enable `setDataDirOwnership` when using default minikube cluster configuration. 
@@ -813,7 +893,7 @@ Number of Redpanda brokers (Redpanda Data recommends setting this to the number ### [statefulset.sideCars.controllers.image.tag](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.image.tag) -**Default:** `"v23.2.8"` +**Default:** `"v2.1.10-23.2.18"` ### [statefulset.sideCars.controllers.metricsAddress](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.metricsAddress) diff --git a/charts/redpanda/redpanda/charts/console/Chart.yaml b/charts/redpanda/redpanda/charts/console/Chart.yaml index 90015edd4..c88d0a0fd 100644 --- a/charts/redpanda/redpanda/charts/console/Chart.yaml +++ b/charts/redpanda/redpanda/charts/console/Chart.yaml @@ -1,7 +1,7 @@ annotations: artifacthub.io/images: | - name: redpanda - image: docker.redpanda.com/redpandadata/console:v2.3.7 + image: docker.redpanda.com/redpandadata/console:v2.3.8 artifacthub.io/license: Apache-2.0 artifacthub.io/links: | - name: Documentation @@ -9,7 +9,7 @@ annotations: - name: "Helm (>= 3.6.0)" url: https://helm.sh/docs/intro/install/ apiVersion: v2 -appVersion: v2.3.7 +appVersion: v2.3.8 description: Helm chart to deploy Redpanda Console. icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg maintainers: @@ -19,4 +19,4 @@ name: console sources: - https://github.com/redpanda-data/helm-charts type: application -version: 0.7.11 +version: 0.7.15 diff --git a/charts/redpanda/redpanda/charts/console/templates/deployment.yaml b/charts/redpanda/redpanda/charts/console/templates/deployment.yaml index e8608b158..b5572b6e4 100644 --- a/charts/redpanda/redpanda/charts/console/templates/deployment.yaml +++ b/charts/redpanda/redpanda/charts/console/templates/deployment.yaml 
@@ -32,6 +32,10 @@ spec: selector: matchLabels: {{- include "console.selectorLabels" . | nindent 6 }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} template: metadata: annotations: @@ -48,8 +52,9 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} serviceAccountName: {{ include "console.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- with .Values.podSecurityContext }} + securityContext: {{- . | toYaml | nindent 8 }} + {{- end }} volumes: - name: configs configMap: @@ -84,8 +89,9 @@ spec: {{- with .Values.deployment.extraArgs }} {{ . | toYaml | nindent 12 }} {{- end }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- with .Values.securityContext }} + securityContext: {{- . | toYaml | nindent 12 }} + {{- end }} image: {{ include "console.container.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} ports: diff --git a/charts/redpanda/redpanda/charts/console/templates/hpa.yaml b/charts/redpanda/redpanda/charts/console/templates/hpa.yaml index e2bcf8041..f20f6d494 100644 --- a/charts/redpanda/redpanda/charts/console/templates/hpa.yaml +++ b/charts/redpanda/redpanda/charts/console/templates/hpa.yaml @@ -33,12 +33,16 @@ spec: - type: Resource resource: name: cpu - targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} {{- end }} {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - type: Resource resource: name: memory - targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} {{- end }} {{- end }} 
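Review bot: In hpa.yaml both metrics move to the `target:` / `type: Utilization` / `averageUtilization:` shape, which belongs to `autoscaling/v2` (and `v2beta2`), but this is the only hunk for the file, so the `apiVersion` line is left as it was. That line is outside the hunk and cannot be checked here. If it still names, or can resolve to, an older API version, the API server will reject the new fields, so please confirm it. A short template comment above the metrics list, e.g. `{{- /* metric targets use the autoscaling/v2 schema */ -}}`, would record the requirement.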
diff --git a/charts/redpanda/redpanda/charts/console/values.schema.json b/charts/redpanda/redpanda/charts/console/values.schema.json index 98a150579..c558bfbc3 100644 --- a/charts/redpanda/redpanda/charts/console/values.schema.json +++ b/charts/redpanda/redpanda/charts/console/values.schema.json @@ -301,6 +301,9 @@ "type": "string" } } + }, + "strategy": { + "type": "object" } } } diff --git a/charts/redpanda/redpanda/charts/console/values.yaml b/charts/redpanda/redpanda/charts/console/values.yaml index a356a896b..a77f593c8 100644 --- a/charts/redpanda/redpanda/charts/console/values.yaml +++ b/charts/redpanda/redpanda/charts/console/values.yaml @@ -267,3 +267,5 @@ configmap: create: true deployment: create: true + +strategy: {} diff --git a/charts/redpanda/redpanda/ci/05-one-node-cluster-tls-sasl-values.yaml b/charts/redpanda/redpanda/ci/05-one-node-cluster-tls-sasl-values.yaml index ad923e427..47e87512e 100644 --- a/charts/redpanda/redpanda/ci/05-one-node-cluster-tls-sasl-values.yaml +++ b/charts/redpanda/redpanda/ci/05-one-node-cluster-tls-sasl-values.yaml @@ -24,10 +24,15 @@ auth: enabled: true secretRef: "redpanda-users" users: - - name: admin + - name: admins password: change-me mechanism: SCRAM-SHA-256 +config: + cluster: + default_topic_replications: 3 + kafka_nodelete_topics: ['audit', 'consumer_offsets', '_schemas', 'my_sample_topic'] + storage: persistentVolume: size: 3Gi diff --git a/charts/redpanda/redpanda/ci/16-controller-sidecar-values.yaml b/charts/redpanda/redpanda/ci/16-controller-sidecar-values.yaml index fdd83c045..ab157923b 100644 --- a/charts/redpanda/redpanda/ci/16-controller-sidecar-values.yaml +++ b/charts/redpanda/redpanda/ci/16-controller-sidecar-values.yaml @@ -13,6 +13,9 @@ # See the License for the specific language governing permissions and # limitations under the License. --- +rbac: + enabled: true + statefulset: sideCars: controllers: 
diff --git a/charts/redpanda/redpanda/ci/96-audit-logging-values.yaml.tpl b/charts/redpanda/redpanda/ci/96-audit-logging-values.yaml.tpl
new file mode 100644
index 000000000..c760df54b
--- /dev/null
+++ b/charts/redpanda/redpanda/ci/96-audit-logging-values.yaml.tpl
@@ -0,0 +1,29 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+enterprise:
+ license: "${REDPANDA_LICENSE}"
+
+auth:
+ sasl:
+ enabled: true
+ users:
+ - name: admin
+ password: change-me
+ mechanism: SCRAM-SHA-512
+
+auditLogging:
+ enabled: true
+ listeners: default
diff --git a/charts/redpanda/redpanda/ci/99-none-existent-config-options-with-empty-values.yaml b/charts/redpanda/redpanda/ci/99-none-existent-config-options-with-empty-values.yaml
index 2c4c672b8..030655830 100644
--- a/charts/redpanda/redpanda/ci/99-none-existent-config-options-with-empty-values.yaml
+++ b/charts/redpanda/redpanda/ci/99-none-existent-config-options-with-empty-values.yaml
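Review bot: The last added line of 96-audit-logging-values.yaml.tpl sets `listeners: default`, but the key documented in this commit's README section and in the default value block is `auditLogging.listener` (singular). As written, this CI case probably leaves the listener at its default `internal` and never exercises the `default` external listener it appears to target. Change the line to `listener: default`, or drop it if the internal listener is what the test is meant to cover. If the chart's values schema rejects unknown keys, the install would fail instead; that is not visible here.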
@@ -53,3 +53,17 @@ config: node_empty_array_value: [] node_empty_map_value: {} node_empty_string_value: "" + +console: + extraEnv: + - name: TEST + value: test + extraVolumeMounts: + - name: redpanda-license + mountPath: /mnt/test + readOnly: true + extraVolumes: + - name: redpanda-license + secret: + defaultMode: 0420 + secretName: redpanda-license diff --git a/charts/redpanda/redpanda/templates/_configmap.tpl b/charts/redpanda/redpanda/templates/_configmap.tpl index dd2eb4f20..28e1b7b89 100644 --- a/charts/redpanda/redpanda/templates/_configmap.tpl +++ b/charts/redpanda/redpanda/templates/_configmap.tpl @@ -75,7 +75,13 @@ bootstrap.yaml: | {{- $r := $.Values.statefulset.replicas }} {{- $element = min $element (sub (add $r (mod $r 2)) 1) }} {{- end }} - {{- if or (eq (typeOf $element) "bool") $element }} + {{- if eq (typeOf $element) "bool" }} + {{- dict $key $element | toYaml | nindent 2 }} + {{- else if eq (typeOf $element) "[]interface {}" }} + {{- if not ( empty $element ) }} + {{ dict $key $element | toYaml | nindent 2 }} + {{- end }} + {{- else if $element }} {{- dict $key $element | toYaml | nindent 2 }} {{- end }} {{- end }} 
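Review bot: `defaultMode: 0420` in the added `console.extraVolumes` entry is most likely not the mode that was intended. A leading zero makes a YAML 1.1 parser read the number as octal, which gives owner read-only plus group write-only. `420` is the decimal form of 0644 that Kubernetes prints for the default. If the mounted license secret should be generally readable write `defaultMode: 0644` (or `420`), and if it should be owner-only write `defaultMode: 0400`. Whether the parser Helm uses really treats the value as octal should be confirmed with `helm template` on this file.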
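Review bot: The list branch added to the `bootstrap.yaml` loop compares `typeOf $element` with the literal `"[]interface {}"`, which ties the test to the concrete Go type the values happen to decode to. `{{- else if kindIs "slice" $element }}` expresses the same intent without that dependency. In this hunk the list branch also opens with `{{ dict $key $element ...` while the bool and fallback branches use `{{- dict ...`, so a list-valued key such as `kafka_nodelete_topics` is emitted with different surrounding whitespace from its neighbours. The third hunk of this file (the `redpanda.yaml` loop) repeats the same `typeOf` comparison and would take the same change. The enclosing `range` starts outside the hunk.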
@@ -84,6 +90,47 @@ bootstrap.yaml: | {{- if and (not (hasKey .Values.config.cluster "storage_min_free_bytes")) ((include "redpanda-atleast-22-2-0" . | fromJson).bool) }} storage_min_free_bytes: {{ include "storage-min-free-bytes" . }} {{- end }} +{{/* AUDIT LOGS */}} +{{- if (include "redpanda-atleast-23-3-0" . | fromJson).bool }} + {{- if and ( dig "enabled" "false" .Values.auditLogging ) (include "sasl-enabled" $root | fromJson).bool }} + audit_enabled: true + {{- if not (eq (int .Values.auditLogging.clientMaxBufferSize) 16777216 ) }} + audit_client_max_buffer_size: {{ .Values.auditLogging.clientMaxBufferSize }} + {{- end }} + {{- if not (eq (int .Values.auditLogging.queueDrainIntervalMs) 500) }} + audit_queue_drain_interval_ms: {{ .Values.auditLogging.queueDrainIntervalMs }} + {{- end }} + {{- if not (eq (int .Values.auditLogging.queueMaxBufferSizePerShard) 1048576) }} + audit_queue_max_buffer_size_per_shard: {{ .Values.auditLogging.queueMaxBufferSizePerShard }} + {{- end }} + {{- if not (eq (int .Values.auditLogging.partitions) 12) }} + audit_log_num_partitions: {{ .Values.auditLogging.partitions }} + {{- end }} + {{- if (dig "replicationFactor" "" .Values.auditLogging) }} + audit_log_replication_factor: {{ .Values.auditLogging.replicationFactor }} + {{- end }} + {{- if dig "enabledEventTypes" "" .Values.auditLogging }} + audit_enabled_event_types: + {{- with .Values.auditLogging.enabledEventTypes }} + {{- toYaml . | nindent 2 }} + {{- end }} + {{- end }} + {{- if dig "excludedTopics" "" .Values.auditLogging }} + audit_excluded_topics: + {{- with .Values.auditLogging.excludedTopics }} + {{- toYaml . | nindent 2 }} + {{- end }} + {{- end }} + {{- if dig "excludedPrincipals" "" .Values.auditLogging }} + audit_excluded_principals: + {{- with .Values.auditLogging.excludedPrincipals }} + {{- toYaml . | nindent 2 }} + {{- end }} + {{- end }} + {{- else }} + audit_enabled: false + {{- end }} +{{- end }} {{- if and (include "is-licensed" . 
| fromJson).bool (include "storage-tiered-config" .|fromJson).cloud_storage_enabled }} {{- $tieredStorageConfig := (include "storage-tiered-config" .|fromJson) }} {{- $tieredStorageConfig = unset $tieredStorageConfig "cloud_storage_cache_directory" }} @@ -122,7 +169,13 @@ redpanda.yaml: | {{- end }} {{- with (dig "cluster" dict .Values.config) }} {{- range $key, $element := . }} - {{- if or (eq (typeOf $element) "bool") $element }} + {{- if eq (typeOf $element) "bool" }} + {{ $key }}: {{ $element | toYaml }} + {{- else if eq (typeOf $element) "[]interface {}" }} + {{- if not ( empty $element ) }} + {{ $key }}: {{ $element | toYaml | nindent 4 }} + {{- end }} + {{- else if $element }} {{ $key }}: {{ $element | toYaml }} {{- end }} {{- end }} 
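Review bot: In the new AUDIT LOGS block of bootstrap.yaml, `dig "enabled" "false" .Values.auditLogging` uses the string "false" as its default, and a non-empty string is truthy in Go templates, so a missing `enabled` key counts as enabled; the default should be the boolean, `dig "enabled" false .Values.auditLogging`. Separately, when auditLogging is enabled but SASL is not, the `else` branch renders `audit_enabled: false` without any message, so an operator who asked for audit logs silently gets none; a `fail` for that combination would surface it at render time. The same condition is repeated in the redpanda.yaml hunk at -151 and the audit_log_client hunk at -401, and the redpanda.yaml copy omits `audit_log_replication_factor`, which this block sets. The enclosing define starts outside the hunk.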
@@ -151,6 +204,44 @@ redpanda.yaml: | {{- end }} {{- end }} {{- end -}} +{{/* AUDIT LOGS */}} +{{- if (include "redpanda-atleast-23-3-0" . | fromJson).bool }} + {{- if and ( dig "enabled" "false" .Values.auditLogging ) (include "sasl-enabled" $root | fromJson).bool }} + audit_enabled: true + {{- if not (eq (int .Values.auditLogging.clientMaxBufferSize) 16777216) }} + audit_client_max_buffer_size: {{ .Values.auditLogging.clientMaxBufferSize }} + {{- end }} + {{- if not (eq (int .Values.auditLogging.queueDrainIntervalMs) 500) }} + audit_queue_drain_interval_ms: {{ .Values.auditLogging.queueDrainIntervalMs }} + {{- end }} + {{- if not (eq (int .Values.auditLogging.queueMaxBufferSizePerShard) 1048576) }} + audit_queue_max_buffer_size_per_shard: {{ .Values.auditLogging.queueMaxBufferSizePerShard }} + {{- end }} + {{- if not (eq (int .Values.auditLogging.partitions) 12) }} + audit_log_num_partitions: {{ .Values.auditLogging.partitions }} + {{- end }} + {{- if dig "enabledEventTypes" "" .Values.auditLogging }} + audit_enabled_event_types: + {{- with .Values.auditLogging.enabledEventTypes }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if dig "excludedTopics" "" .Values.auditLogging }} + audit_excluded_topics: + {{- with .Values.auditLogging.excludedTopics }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if dig "excludedPrincipals" "" .Values.auditLogging }} + audit_excluded_principals: + {{- with .Values.auditLogging.excludedPrincipals }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- else }} + audit_enabled: false + {{- end }} +{{- end }} {{/* LISTENERS */}} {{/* Admin API */}} {{- $service := .Values.listeners.admin }} @@ -159,7 +250,7 @@ redpanda.yaml: | address: 0.0.0.0 port: {{ $service.port }} {{- range $name, $listener := $service.external }} - {{- if and $listener.port $name }} + {{- if and $listener.port $name (dig "enabled" true $listener) }} - name: {{ $name }} address: 0.0.0.0 port: {{ $listener.port }} 
@@ -174,7 +265,7 @@ redpanda.yaml: | require_client_auth: {{ $service.tls.requireClientAuth }} {{- $cert := get .Values.tls.certs $service.tls.cert }} {{- if empty $cert }} - {{- fail (printf "Certificate, '%s', used but not defined")}} + {{- fail (printf "Certificate used but not defined")}} {{- end }} {{- if $cert.caEnabled }} truststore_file: /etc/tls/certs/{{ $service.tls.cert }}/ca.crt @@ -185,7 +276,7 @@ redpanda.yaml: | {{- end }} {{- range $name, $listener := $service.external }} {{- $k := dict "Values" $values "listener" $listener }} - {{- if (include "admin-external-tls-enabled" $k | fromJson).bool }} + {{- if and (include "admin-external-tls-enabled" $k | fromJson).bool (dig "enabled" true $listener) }} {{- $mtls := dig "tls" "requireClientAuth" false $listener }} {{- $mtls = dig "tls" "requireClientAuth" $mtls $k }} {{- $certName := include "admin-external-tls-cert" $k }} @@ -217,11 +308,13 @@ redpanda.yaml: | authentication_method: {{ default "sasl" $kafkaService.authenticationMethod }} {{- end }} {{- range $name, $listener := $kafkaService.external }} + {{- if and $listener.port $name (dig "enabled" true $listener) }} - name: {{ $name }} address: 0.0.0.0 port: {{ $listener.port }} - {{- if or (include "sasl-enabled" $root | fromJson).bool $listener.authenticationMethod }} + {{- if or (include "sasl-enabled" $root | fromJson).bool $listener.authenticationMethod }} authentication_method: {{ default "sasl" $listener.authenticationMethod }} + {{- end }} {{- end }} {{- end }} kafka_api_tls: @@ -233,7 +326,7 @@ redpanda.yaml: | require_client_auth: {{ $kafkaService.tls.requireClientAuth }} {{- $cert := get .Values.tls.certs $kafkaService.tls.cert }} {{- if empty $cert }} - {{- fail (printf "Certificate, '%s', used but not defined")}} + {{- fail (printf "Certificate used but not defined")}} {{- end }} {{- if $cert.caEnabled }} truststore_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/ca.crt 
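Review bot: The replacement `fail (printf "Certificate used but not defined")` in the admin TLS block fixes the dangling `%s` by dropping the certificate name, which removes the one detail an operator needs to find the bad reference. Pass the name instead, `fail (printf "Certificate, '%s', used but not defined" $service.tls.cert)`. The later hunks for the external schemaRegistry and HTTP listeners already pass `$certName`, so the kafka, internal schemaRegistry and pandaproxy hunks can take the same form with their own cert variable.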
@@ -244,7 +337,7 @@ redpanda.yaml: | {{- end }} {{- range $name, $listener := $kafkaService.external }} {{- $k := dict "Values" $values "listener" $listener }} - {{- if (include "kafka-external-tls-enabled" $k | fromJson).bool }} + {{- if and (include "kafka-external-tls-enabled" $k | fromJson).bool (dig "enabled" true $listener) }} {{- $mtls := dig "tls" "requireClientAuth" false $listener }} {{- $mtls = dig "tls" "requireClientAuth" $mtls $k }} {{- $certName := include "kafka-external-tls-cert" $k }} @@ -279,7 +372,7 @@ redpanda.yaml: | require_client_auth: {{ $service.tls.requireClientAuth }} {{- $cert := get .Values.tls.certs $service.tls.cert }} {{- if empty $cert }} - {{- fail (printf "Certificate, '%s', used but not defined")}} + {{- fail (printf "Certificate used but not defined")}} {{- end }} {{- if $cert.caEnabled }} truststore_file: /etc/tls/certs/{{ $service.tls.cert }}/ca.crt @@ -311,10 +404,10 @@ redpanda.yaml: | {{- $schemaRegistryService := .Values.listeners.schemaRegistry }} schema_registry_client: brokers: - {{- range (include "seed-server-list" $root | mustFromJson) }} - - address: {{ . }} + {{- range $id, $item := $root.tempConfigMapServerList }} + - address: {{ $item.host.address }} port: {{ $kafkaService.port }} - {{- end }} + {{- end }} {{- if (include "kafka-internal-tls-enabled" . | fromJson).bool }} broker_tls: enabled: true @@ -323,7 +416,7 @@ redpanda.yaml: | key_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/tls.key {{- $cert := get .Values.tls.certs $kafkaService.tls.cert }} {{- if empty $cert }} - {{- fail (printf "Certificate, '%s', used but not defined")}} + {{- fail (printf "Certificate used but not defined")}} {{- end }} {{- if $cert.caEnabled }} truststore_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/ca.crt 
@@ -344,6 +437,7 @@ redpanda.yaml: | authentication_method: {{ default "http_basic" $schemaRegistryService.authenticationMethod }} {{- end }} {{- range $name, $listener := $schemaRegistryService.external }} + {{- if dig "enabled" true $listener }} - name: {{ $name }} address: 0.0.0.0 {{- /* @@ -353,10 +447,11 @@ redpanda.yaml: | {{- if and (empty $listener.port) (ne (len $schemaRegistryService.external) 1) }} {{- fail "missing required port for schemaRegistry listener $listener.name" }} {{- end }} - port: {{ $listener.port | default 8084 }} + port: {{ $listener.port }} {{- if or (include "sasl-enabled" $root | fromJson).bool $listener.authenticationMethod }} authentication_method: {{ default "http_basic" $listener.authenticationMethod }} {{- end }} + {{- end }} {{- end }} schema_registry_api_tls: {{- if (include "schemaRegistry-internal-tls-enabled" . | fromJson).bool }} @@ -367,7 +462,7 @@ redpanda.yaml: | require_client_auth: {{ $schemaRegistryService.tls.requireClientAuth }} {{- $cert := get .Values.tls.certs $schemaRegistryService.tls.cert }} {{- if empty $cert }} - {{- fail (printf "Certificate, '%s', used but not defined")}} + {{- fail ( printf "Certificate used but not defined" )}} {{- end }} {{- if $cert.caEnabled }} truststore_file: /etc/tls/certs/{{ $schemaRegistryService.tls.cert }}/ca.crt 
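Review bot: Dropping `| default 8084` from the external schemaRegistry listener's `port:` leaves a gap, because the `fail` just above it only fires when the port is empty and there is more than one external listener; a single external listener without a port now renders an empty `port:`. Unless values.yaml (not shown here) guarantees a port, either keep the default or tighten the guard to `{{- if empty $listener.port }}`. The new `dig "enabled" true $listener` condition in the preceding hunk also does not check `$listener.port`, unlike the admin, kafka and HTTP loops.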
@@ -378,14 +473,14 @@ redpanda.yaml: | {{- end }} {{- range $name, $listener := $schemaRegistryService.external }} {{- $k := dict "Values" $values "listener" $listener }} - {{- if (include "schemaRegistry-external-tls-enabled" $k | fromJson).bool }} + {{- if and (include "schemaRegistry-external-tls-enabled" $k | fromJson).bool (dig "enabled" true $listener) }} {{- $mtls := dig "tls" "requireClientAuth" false $listener }} {{- $mtls = dig "tls" "requireClientAuth" $mtls $k }} {{- $certName := include "schemaRegistry-external-tls-cert" $k }} {{- $certPath := printf "/etc/tls/certs/%s" $certName }} {{- $cert := get $values.tls.certs $certName }} {{- if empty $cert }} - {{- fail (printf "Certificate, '%s', used but not defined")}} + {{- fail ( printf "Certificate, '%s', used but not defined" $certName )}} {{- end }} - name: {{ $name }} enabled: true @@ -401,13 +496,22 @@ redpanda.yaml: | {{- end }} {{- end }} {{- end -}} +{{/* AUDIT LOGS: Client Details */}} +{{- if (include "redpanda-atleast-23-3-0" . | fromJson).bool }} + {{- if and ( dig "enabled" "false" .Values.auditLogging ) (include "sasl-enabled" $root | fromJson).bool }} + {{- if not ( empty ( include "kafka-brokers-sasl-enabled" . | fromJson ) ) }} + audit_log_client: + {{- include "kafka-brokers-sasl-enabled" . | nindent 4 -}} + {{- end }} + {{- end }} +{{- end }} {{/* HTTP Proxy */}} {{- if and .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" $root | fromJson).bool }} {{- $HTTPService := .Values.listeners.http }} pandaproxy_client: brokers: - {{- range (include "seed-server-list" $root | mustFromJson) }} - - address: {{ . }} + {{- range $id, $item := $root.tempConfigMapServerList }} + - address: {{ $item.host.address }} port: {{ $kafkaService.port }} {{- end }} {{- if (include "kafka-internal-tls-enabled" . | fromJson).bool }} 
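Review bot: In the added audit_log_client block, `include "kafka-brokers-sasl-enabled" . | fromJson` parses a helper that ends in `toYaml $result`, so any non-empty result is YAML rather than JSON. As far as I can tell Helm's `fromJson` then returns a map holding only an `Error` key, which makes the `not (empty …)` test pass by accident; `fromYaml` states the intent, `{{- if not (empty (include "kafka-brokers-sasl-enabled" . | fromYaml)) }}`. The surrounding redpanda.yaml define starts and ends outside the hunk.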
@@ -418,7 +522,7 @@ redpanda.yaml: | key_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/tls.key {{- $cert := get .Values.tls.certs $kafkaService.tls.cert }} {{- if empty $cert }} - {{- fail (printf "Certificate, '%s', used but not defined")}} + {{- fail (printf "Certificate used but not defined")}} {{- end }} {{- if $cert.caEnabled }} truststore_file: /etc/tls/certs/{{ $kafkaService.tls.cert }}/ca.crt @@ -439,11 +543,13 @@ redpanda.yaml: | authentication_method: {{ default "http_basic" $HTTPService.authenticationMethod }} {{- end }} {{- range $name, $listener := $HTTPService.external }} + {{- if and $listener.port $name (dig "enabled" true $listener) }} - name: {{ $name }} address: 0.0.0.0 port: {{ $listener.port }} - {{- if or (include "sasl-enabled" $root | fromJson).bool $listener.authenticationMethod }} + {{- if or (include "sasl-enabled" $root | fromJson).bool $listener.authenticationMethod }} authentication_method: {{ default "http_basic" $listener.authenticationMethod }} + {{- end }} {{- end }} {{- end }} pandaproxy_api_tls: @@ -455,7 +561,7 @@ redpanda.yaml: | require_client_auth: {{ $HTTPService.tls.requireClientAuth }} {{- $cert := get .Values.tls.certs $HTTPService.tls.cert }} {{- if empty $cert }} - {{- fail (printf "Certificate, '%s', used but not defined")}} + {{- fail (printf "Certificate used but not defined")}} {{- end }} {{- if $cert.caEnabled }} truststore_file: /etc/tls/certs/{{ $HTTPService.tls.cert }}/ca.crt 
@@ -466,14 +572,14 @@ redpanda.yaml: | {{- end }} {{- range $name, $listener := $HTTPService.external }} {{- $k := dict "Values" $values "listener" $listener }} - {{- if (include "http-external-tls-enabled" $k | fromJson).bool }} + {{- if and (include "http-external-tls-enabled" $k | fromJson).bool (dig "enabled" true $listener) }} {{- $mtls := dig "tls" "requireClientAuth" false $listener }} {{- $mtls = dig "tls" "requireClientAuth" $mtls $k }} {{- $certName := include "http-external-tls-cert" $k }} {{- $certPath := printf "/etc/tls/certs/%s" $certName }} {{- $cert := get $values.tls.certs $certName }} {{- if empty $cert }} - {{- fail (printf "Certificate, '%s', used but not defined")}} + {{- fail (printf "Certificate, '%s', used but not defined" $certName )}} {{- end }} - name: {{ $name }} enabled: true @@ -575,8 +681,11 @@ rpk: {{- $admin := list -}} {{- $profile := keys .Values.listeners.kafka.external | first -}} {{- $kafkaListener := get .Values.listeners.kafka.external $profile -}} - {{- $adminprofile := keys .Values.listeners.admin.external | first -}} - {{- $adminListener := get .Values.listeners.admin.external $adminprofile -}} + {{- $adminListener := dict -}} + {{- if .Values.listeners.admin.external -}} + {{- $adminprofile := keys .Values.listeners.admin.external | first -}} + {{- $adminListener = get .Values.listeners.admin.external $adminprofile -}} + {{- end -}} {{- range $i := until (.Values.statefulset.replicas|int) -}} {{- $externalAdvertiseAddress := printf "%s-%d" (include "redpanda.fullname" $) $i -}} {{- if (tpl ($.Values.external.domain | default "") $) -}} 
@@ -595,7 +704,7 @@ name: {{ $profile }} kafka_api: brokers: {{ toYaml $brokers | nindent 6 }} tls: - {{- if (include "kafka-external-tls-enabled" (dict "Values" .Values "listener" $kafkaListener) | fromJson).bool }} + {{- if and (include "kafka-external-tls-enabled" (dict "Values" .Values "listener" $kafkaListener) | fromJson).bool (dig "enabled" true $adminListener) }} {{- $cert := get .Values.tls.certs .Values.listeners.kafka.tls.cert }} {{- if $cert.caEnabled }} ca_file: ca.crt @@ -608,7 +717,7 @@ kafka_api: admin_api: addresses: {{ toYaml $admin | nindent 6 }} tls: - {{- if (include "admin-external-tls-enabled" (dict "Values" .Values "listener" $adminListener) | fromJson).bool }} + {{- if and (include "admin-external-tls-enabled" (dict "Values" .Values "listener" $adminListener) | fromJson).bool (dig "enabled" true $adminListener) }} {{- $cert := get .Values.tls.certs .Values.listeners.admin.tls.cert }} {{- if $cert.caEnabled }} ca_file: ca.crt diff --git a/charts/redpanda/redpanda/templates/_helpers.tpl b/charts/redpanda/redpanda/templates/_helpers.tpl index 1957152ea..08187c9ea 100644 --- a/charts/redpanda/redpanda/templates/_helpers.tpl +++ b/charts/redpanda/redpanda/templates/_helpers.tpl @@ -454,6 +454,9 @@ than 1 core. {{- define "redpanda-atleast-23-2-1" -}} {{- toJson (dict "bool" (or (not (eq .Values.image.repository "docker.redpanda.com/redpandadata/redpanda")) (include "redpanda.semver" . | semverCompare ">=23.2.1-0 || <0.0.1-0"))) -}} {{- end -}} +{{- define "redpanda-atleast-23-3-0" -}} +{{- toJson (dict "bool" (or (not (eq .Values.image.repository "docker.redpanda.com/redpandadata/redpanda")) (include "redpanda.semver" . | semverCompare ">=23.3.0-0 || <0.0.1-0"))) -}} +{{- end -}} {{- define "redpanda-22-2-x-without-sasl" -}} {{- $result := (include "redpanda-atleast-22-3-0" . | fromJson).bool -}} 
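Review bot: The new condition on the rpk profile's `kafka_api.tls` block tests `(dig "enabled" true $adminListener)`, so the Kafka TLS settings are written or omitted according to the admin listener's state; this looks like a copy from the `admin_api` hunk below and should read `(dig "enabled" true $kafkaListener)`. With the admin external listener disabled and the Kafka one enabled with TLS, the generated profile would carry no CA or client certificate paths for Kafka. The profile template continues outside the hunk.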
@@ -582,6 +585,97 @@ return a warning if the chart is configured with insufficient CPU {{- toJson $brokers -}} {{- end -}} +{{- define "kafka-brokers-sasl-enabled" -}} + {{- $root := . -}} + {{- $kafkaService := .Values.listeners.kafka }} + {{- $auditLogging := .Values.auditLogging }} + {{- $brokers := list -}} + {{- $broker_tls := dict -}} + {{- $result := dict -}} + {{- $tlsEnabled := .Values.tls.enabled -}} + {{- $tlsCerts := .Values.tls.certs -}} + {{- $trustStoreFile := "" -}} + {{- $requireClientAuth := dig "tls" "requireClientAuth" false $kafkaService -}} + {{- if and ( eq "internal" $auditLogging.listener ) ( eq (default "sasl" $kafkaService.authenticationMethod) "sasl" ) -}} + {{- range $id, $item := $root.tempConfigMapServerList }} + {{- $brokerItem := ( dict + "address" $item.host.address + "port" $kafkaService.port + ) + -}} + {{- $brokers = append $brokers $brokerItem -}} + {{- end }} + {{- if $brokers -}} + {{- $result = set $result "brokers" $brokers -}} + {{- end -}} + {{- if dig "tls" "enabled" $tlsEnabled $kafkaService -}} + {{- $cert := get $tlsCerts $kafkaService.tls.cert -}} + {{- if empty $cert -}} + {{- fail (printf "Certificate used but not defined") -}} + {{- end -}} + {{- if $cert.caEnabled -}} + {{- $trustStoreFile = ( printf "/etc/tls/certs/%s/ca.crt" $kafkaService.tls.cert ) -}} + {{- else -}} + {{- $trustStoreFile = "/etc/ssl/certs/ca-certificates.crt" -}} + {{- end -}} + {{- $broker_tls = ( dict + "enabled" true + "cert_file" ( printf "/etc/tls/certs/%s/tls.crt" $kafkaService.tls.cert ) + "key_file" ( printf "/etc/tls/certs/%s/tls.key" $kafkaService.tls.cert ) + "require_client_auth" $requireClientAuth + ) + -}} + {{- if $trustStoreFile -}} + {{- $broker_tls = set $broker_tls "truststore_file" $trustStoreFile -}} + {{- end -}} + {{- if $broker_tls -}} + {{- $result = set $result "broker_tls" $broker_tls -}} + {{- end -}} + {{- end -}} + {{- else -}} + {{- range $name, $listener := $kafkaService.external -}} + {{- if and $listener.port 
$name (dig "enabled" true $listener) ( eq (default "sasl" $listener.authenticationMethod) "sasl" ) ( eq $name $auditLogging.listener ) -}} + {{- range $id, $item := $root.tempConfigMapServerList }} + {{- $brokerItem := ( dict + "address" $item.host.address + "port" $listener.port + ) + -}} + {{- $brokers = append $brokers $brokerItem -}} + {{- end }} + {{- if $brokers -}} + {{- $result = set $result "brokers" $brokers -}} + {{- end -}} + {{- if dig "tls" "enabled" $tlsEnabled $listener -}} + {{- $cert := get $tlsCerts $listener.tls.cert -}} + {{- if empty $cert -}} + {{- fail (printf "Certificate used but not defined") -}} + {{- end -}} + {{- if $cert.caEnabled -}} + {{- $trustStoreFile = ( printf "/etc/tls/certs/%s/ca.crt" $listener.tls.cert ) -}} + {{- else -}} + {{- $trustStoreFile = "/etc/ssl/certs/ca-certificates.crt" -}} + {{- end -}} + {{- $broker_tls = ( dict + "enabled" true + "cert_file" ( printf "/etc/tls/certs/%s/tls.crt" $listener.tls.cert ) + "key_file" ( printf "/etc/tls/certs/%s/tls.key" $listener.tls.cert ) + "require_client_auth" $requireClientAuth + ) + -}} + {{- if $trustStoreFile -}} + {{- $broker_tls = set $broker_tls "truststore_file" $trustStoreFile -}} + {{- end -}} + {{- if $broker_tls -}} + {{- $result = set $result "broker_tls" $broker_tls -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- toYaml $result -}} +{{- end -}} + {{/* return correct secretName to use based if secretRef exists */}} diff --git a/charts/redpanda/redpanda/templates/connectors/connectors.yaml b/charts/redpanda/redpanda/templates/connectors/connectors.yaml index 58dc429e7..99eec74d6 100644 --- a/charts/redpanda/redpanda/templates/connectors/connectors.yaml +++ b/charts/redpanda/redpanda/templates/connectors/connectors.yaml 
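Review bot: The external-listener branch of `kafka-brokers-sasl-enabled` decides TLS with `dig "tls" "enabled" $tlsEnabled $listener` and then reads `$listener.tls.cert` directly, so a listener with no `tls` block but global TLS on reaches a nil lookup or the unnamed "Certificate used but not defined" failure. _configmap.tpl resolves the same question through `kafka-external-tls-enabled` and `kafka-external-tls-cert`; calling those here would keep the audit client and the listener configuration in agreement. `require_client_auth` is also taken from `$kafkaService` in both branches, which presumably should follow the selected listener. The two branches are otherwise identical and could share one block that takes the port and cert name, and a header comment describing the returned map (`brokers`, `broker_tls`) is missing.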
@@ -40,22 +40,29 @@ limitations under the License. {{ $extraVolumes := list }} {{ $extraVolumeMounts := list }} +{{ $extraEnv := .Values.connectors.deployment.extraEnv }} {{ $command := list }} {{ if (include "sasl-enabled" . | fromJson).bool }} - {{ $command = concat $command (list "sh" "-c") }} - {{ $consoleSASLConfig := (printf "set -e; IFS=':' read -r CONNECT_SASL_USERNAME KAFKA_SASL_PASSWORD CONNECT_SASL_MECHANISM < <(grep \"\" $(find /mnt/users/* -print)); CONNECT_SASL_MECHANISM=${CONNECT_SASL_MECHANISM:-%s}; export CONNECT_SASL_USERNAME CONNECT_SASL_PASSWORD_FILE CONNECT_SASL_MECHANISM;" (( include "sasl-mechanism" . ) | lower)) }} + {{ $command = concat $command (list "bash" "-c") }} + {{ $consoleSASLConfig := (printf "set -e; IFS=':' read -r CONNECT_SASL_USERNAME CONNECT_SASL_PASSWORD CONNECT_SASL_MECHANISM < <(grep \"\" $(find /mnt/users/* -print)); CONNECT_SASL_MECHANISM=${CONNECT_SASL_MECHANISM:-%s}; export CONNECT_SASL_USERNAME CONNECT_SASL_PASSWORD CONNECT_SASL_MECHANISM;" ( include "sasl-mechanism" . 
| lower )) }} {{ $consoleSASLConfig = cat $consoleSASLConfig " [[ $CONNECT_SASL_MECHANISM == \"SCRAM-SHA-256\" ]] && CONNECT_SASL_MECHANISM=scram-sha-256;" }} {{ $consoleSASLConfig = cat $consoleSASLConfig " [[ $CONNECT_SASL_MECHANISM == \"SCRAM-SHA-512\" ]] && CONNECT_SASL_MECHANISM=scram-sha-512;" }} {{ $consoleSASLConfig = cat $consoleSASLConfig " export CONNECT_SASL_MECHANISM;" }} - {{ $consoleSASLConfig = cat $consoleSASLConfig " echo $KAFKA_SASL_PASSWORD > /opt/kafka/connect-password/rc-credentials/password;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " echo $CONNECT_SASL_PASSWORD > /opt/kafka/connect-password/rc-credentials/password;" }} {{ $consoleSASLConfig = cat $consoleSASLConfig " exec /opt/kafka/bin/kafka_connect_run.sh" }} {{ $command = append $command $consoleSASLConfig }} + + {{ $extraVolumes = concat $extraVolumes .Values.connectors.storage.volume }} + {{ $extraVolumes = append $extraVolumes (dict "name" (printf "%s-users" (include "redpanda.fullname" .)) "secret" (dict "secretName" .Values.auth.sasl.secretRef ) )}} + + {{ $extraVolumeMounts = concat $extraVolumeMounts .Values.connectors.storage.volumeMounts }} + {{ $extraVolumeMounts = append $extraVolumeMounts (dict "name" (printf "%s-users" (include "redpanda.fullname" .)) "mountPath" "/mnt/users" @@ -69,6 +76,10 @@ limitations under the License. "name" (printf "%s-user-password" ((include "redpanda.fullname" .)) | trunc 49) "mountPath" "/opt/kafka/connect-password/rc-credentials" )}} + {{ $extraEnv = append $extraEnv (dict + "name" "CONNECT_SASL_PASSWORD_FILE" + "value" "rc-credentials/password" + )}} {{ $connectorsValues := merge $connectorsValues (dict "Values" (dict "storage" (dict @@ -82,12 +93,7 @@ limitations under the License. ) "deployment" (dict "command" $command - "extraEnv" (list - (dict - "name" "CONNECT_SASL_PASSWORD_FILE" - "value" "rc-credentials/password" - ) - ) + "extraEnv" $extraEnv ) ) )}} 
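Review bot: The rewritten startup command now exports the SASL password into the process environment (`export CONNECT_SASL_USERNAME CONNECT_SASL_PASSWORD CONNECT_SASL_MECHANISM`), although the container is already pointed at the password file through `CONNECT_SASL_PASSWORD_FILE`. Unless Kafka Connect needs the variable itself, leave `CONNECT_SASL_PASSWORD` out of the `export` so the secret is only on the mounted path. The write to that file also expands the variable unquoted, so a password containing spaces or glob characters is altered; inside the template string that is `echo \"$CONNECT_SASL_PASSWORD\" > /opt/kafka/connect-password/rc-credentials/password;`.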
diff --git a/charts/redpanda/redpanda/templates/console/configmap-and-deployment.yaml b/charts/redpanda/redpanda/templates/console/configmap-and-deployment.yaml index 99add4f20..ca3a817d0 100644 --- a/charts/redpanda/redpanda/templates/console/configmap-and-deployment.yaml +++ b/charts/redpanda/redpanda/templates/console/configmap-and-deployment.yaml @@ -275,7 +275,9 @@ limitations under the License. }} {{ end }} -{{ $extraEnv := concat $kafkaTLS $schemaRegistryTLS $adminAPI}} +{{ $extraEnv := concat $kafkaTLS $schemaRegistryTLS $adminAPI .Values.console.extraEnv }} +{{ $extraVolumes = concat $extraVolumes .Values.console.extraVolumes }} +{{ $extraVolumeMounts = concat $extraVolumeMounts .Values.console.extraVolumeMounts }} {{ $consoleValues := dict "Values" (dict "extraVolumes" $extraVolumes diff --git a/charts/redpanda/redpanda/templates/post-upgrade.yaml b/charts/redpanda/redpanda/templates/post-upgrade.yaml index 67a9a68a5..3819ac70d 100644 --- a/charts/redpanda/redpanda/templates/post-upgrade.yaml +++ b/charts/redpanda/redpanda/templates/post-upgrade.yaml @@ -80,7 +80,11 @@ spec: {{- if and (typeIs "float64" $value) (eq (floor $value) $value) }} {{- $value = int64 $value }} {{- end }} - {{- if or (typeIs "bool" $value ) $value }} + {{- if and (typeIs "bool" $value ) ( not ( empty $value ) ) }} + rpk cluster config set {{ $key }} {{ $value }} + {{- else if and (typeIs "[]interface {}" $value ) ( not ( empty $value ) ) }} + rpk cluster config set {{ $key }} "[ {{ join "," $value }} ]" + {{- else if $value }} rpk cluster config set {{ $key }} {{ $value }} {{- end }} {{- end }} diff --git a/charts/redpanda/redpanda/templates/rbac.yaml b/charts/redpanda/redpanda/templates/rbac.yaml index 707c4570c..767f13270 100644 --- a/charts/redpanda/redpanda/templates/rbac.yaml +++ b/charts/redpanda/redpanda/templates/rbac.yaml @@ -129,7 +129,6 @@ rules: - "" resources: - nodes - - pods verbs: - get - list 
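Review bot: In post-upgrade.yaml the new first branch `and (typeIs "bool" $value) (not (empty $value))` is false for a boolean `false`, and the final `else if $value` is false as well, so an explicit `false` is no longer passed to `rpk cluster config set`; the old `or (typeIs "bool" $value) $value` did apply it. The _configmap.tpl hunks in this commit emit booleans unconditionally, so `{{- if typeIs "bool" $value }}` would match them. In the list branch the joined elements land unescaped inside a double-quoted shell string, which deserves a comment stating that list values must not contain quotes or `$`.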
@@ -191,6 +190,7 @@ rules: - "" resources: - secrets + - pods verbs: - get - list diff --git a/charts/redpanda/redpanda/templates/secrets.yaml b/charts/redpanda/redpanda/templates/secrets.yaml index 76fe6672b..eaac69bed 100644 --- a/charts/redpanda/redpanda/templates/secrets.yaml +++ b/charts/redpanda/redpanda/templates/secrets.yaml @@ -351,6 +351,12 @@ stringData: rpk --config "$CONFIG" redpanda config set redpanda.rack "${RACK}" {{- end }} {{- end }} + {{- if and .Values.storage.tiered.credentialsSecretRef.name .Values.storage.tiered.credentialsSecretRef.key }} + set +x + echo Setting cloud_storage_secret_key configuration + rpk redpanda config --config "$CONFIG" set cloud_storage_secret_key $CLOUD_STORAGE_SECRET_KEY + set -x + {{- end }} {{- if .Values.statefulset.initContainers.fsValidator.enabled}} --- apiVersion: v1 diff --git a/charts/redpanda/redpanda/templates/servicemonitor.yaml b/charts/redpanda/redpanda/templates/servicemonitor.yaml index cd75372a5..316f4087c 100644 --- a/charts/redpanda/redpanda/templates/servicemonitor.yaml +++ b/charts/redpanda/redpanda/templates/servicemonitor.yaml @@ -33,7 +33,7 @@ spec: endpoints: - interval: {{ .Values.monitoring.scrapeInterval }} path: /public_metrics - targetPort: admin + port: admin {{- if dig "enableHttp2" "" .Values.monitoring }} enableHttp2: .Values.monitoring.enableHttp2 {{- end }} diff --git a/charts/redpanda/redpanda/templates/statefulset.yaml b/charts/redpanda/redpanda/templates/statefulset.yaml index 663db1284..edbf2ca68 100644 --- a/charts/redpanda/redpanda/templates/statefulset.yaml +++ b/charts/redpanda/redpanda/templates/statefulset.yaml 
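Review bot: In the script lines added to secrets.yaml, `$CLOUD_STORAGE_SECRET_KEY` is expanded unquoted, so a key containing whitespace or glob characters is split or altered before rpk receives it; quote it, `rpk redpanda config --config "$CONFIG" set cloud_storage_secret_key "$CLOUD_STORAGE_SECRET_KEY"`. The closing `set -x` turns tracing on regardless of its earlier state, whereas the test pods in this commit save it with `old_setting=${-//[^x]/}` and restore it conditionally. A short comment saying that tracing is switched off to keep the key out of the container log would help the next editor keep the guard in place.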
@@ -163,6 +163,13 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.hostIP + {{- if and .Values.storage.tiered.credentialsSecretRef.name .Values.storage.tiered.credentialsSecretRef.key }} + - name: CLOUD_STORAGE_SECRET_KEY + valueFrom: + secretKeyRef: + key: {{ .Values.storage.tiered.credentialsSecretRef.key }} + name: {{ .Values.storage.tiered.credentialsSecretRef.name }} + {{- end }} securityContext: {{ include "container-security-context" . | nindent 12 }} volumeMounts: {{ include "common-mounts" . | nindent 12 }} {{- if dig "initContainers" "configurator" "extraVolumeMounts" false .Values.statefulset -}} @@ -243,6 +250,7 @@ spec: # It's ok that this cluster-wide check affects all the pods as it's only used for the # PodDisruptionBudget and we don't want to roll any pods if the Redpanda cluster isn't healthy. # https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#pod-disruption-budgets + # All services set `publishNotReadyAddresses:true` to prevent this from affecting cluster access {{- if not ( dig "node" "recovery_mode_enabled" false .Values.config ) }} readinessProbe: exec: @@ -253,11 +261,11 @@ spec: set -x rpk cluster health rpk cluster health | grep 'Healthy:.*true' - {{- end }} initialDelaySeconds: {{ .Values.statefulset.readinessProbe.initialDelaySeconds }} failureThreshold: {{ .Values.statefulset.readinessProbe.failureThreshold }} periodSeconds: {{ .Values.statefulset.readinessProbe.periodSeconds }} successThreshold: {{ .Values.statefulset.readinessProbe.initialDelaySeconds }} + {{- end }} command: - rpk - redpanda diff --git a/charts/redpanda/redpanda/templates/tests/test-auditLogging.yaml b/charts/redpanda/redpanda/templates/tests/test-auditLogging.yaml new file mode 100644 index 000000000..4f407fa18 --- /dev/null +++ b/charts/redpanda/redpanda/templates/tests/test-auditLogging.yaml 
@@ -0,0 +1,94 @@ +{{/* + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/}} +{{/* + This feature is gated by having a license, and it must have sasl enabled, we assume these conditions are met + as part of setting auditLogging being enabled. +*/}} +{{- if and .Values.auditLogging.enabled (include "redpanda-atleast-23-3-0" . | fromJson).bool }} +{{- $rpk := deepCopy . }} +{{- $sasl := .Values.auth.sasl }} +{{- $_ := set $rpk "rpk" "rpk" }} +{{- $_ := set $rpk "dummySasl" false }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-audit-logging" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: { { - toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . 
}} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -xe + old_setting=${-//[^x]/} + audit_topic_name="_redpanda.audit_log" + expected_partitions={{ .Values.auditLogging.partitions }} + + # sasl configurations + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi + + {{- $i := .Values.statefulset.replicas }} + {{- $default_topic_replicas := sub (add $i (mod $i 2)) 1 }} + # wait for post-upgrade job to update the default_topic_replications value + timeout 600 bash -c "until [[ $(rpk cluster config get default_topic_replications) = {{ $default_topic_replicas }} ]]; do sleep 1; done" + + # now run the to determine if we have the right results + # should describe topic without error + rpk topic describe ${audit_topic_name} + # should get the expected values + result=$(rpk topic list | grep ${audit_topic_name}) + name=$(echo $result | awk '{print $1}') + partitions=$(echo $result | awk '{print $2}') + if [ "${name}" != "${audit_topic_name}" ]; then + echo "expected topic name does not match" + exit 1 + fi + if [ ${partitions} != ${expected_partitions} ]; then + echo "expected partition size did not match" + exit 1 + fi + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: +{{- toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} \ No newline at end of file 
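Review bot: The `imagePullSecrets` line in test-auditLogging.yaml reads `{ { - toYaml . | nindent 4 }}`, which is not a template action, so with pull secrets configured the text is emitted literally and the Pod manifest is invalid; test-kafka-nodelete.yaml in the same commit has the working form `imagePullSecrets: {{- toYaml . | nindent 4 }}`. The outer `if` only checks `auditLogging.enabled` and the version, while the script reads `/etc/secrets/users` unconditionally and the configmap renders `audit_enabled: false` when SASL is off, so adding `(include "sasl-enabled" . | fromJson).bool` to the condition would stop the test from running where it cannot pass. The partition comparison `[ ${partitions} != ${expected_partitions} ]` should quote both sides so an empty `grep` result reports a mismatch instead of a shell syntax error.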
diff --git a/charts/redpanda/redpanda/templates/tests/test-kafka-nodelete.yaml b/charts/redpanda/redpanda/templates/tests/test-kafka-nodelete.yaml new file mode 100644 index 000000000..928ffc8fd --- /dev/null +++ b/charts/redpanda/redpanda/templates/tests/test-kafka-nodelete.yaml 
@@ -0,0 +1,106 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if dig "kafka_nodelete_topics" "[]" $.Values.config.cluster }} +{{- $noDeleteTopics := .Values.config.cluster.kafka_nodelete_topics }} +{{- $sasl := .Values.auth.sasl }} +{{- $root := deepCopy . }} +{{- $rpk := deepCopy . }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-kafka-nodelete + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} +{{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + env: + - name: REDPANDA_BROKERS + value: "{{ include "redpanda.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain | trimSuffix "." 
}}:{{ .Values.listeners.kafka.port }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -e +{{- $cloudStorageFlags := "" }} +{{- if and (include "is-licensed" . | fromJson).bool (include "storage-tiered-config" .|fromJson).cloud_storage_enabled }} + {{- $cloudStorageFlags = "-c retention.bytes=80 -c segment.bytes=40 -c redpanda.remote.read=true -c redpanda.remote.write=true"}} +{{- end }} +{{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi +{{- end }} + {{- $i := .Values.statefulset.replicas }} + {{- $default_topic_replicas := sub (add $i (mod $i 2)) 1 }} + # wait for post-upgrade job to update the default_topic_replications value + timeout 120 bash -c "until [[ $(rpk cluster config get default_topic_replications) = {{ $default_topic_replicas }} ]]; do sleep 1; done" + + exists=$(rpk topic list | grep my_sample_topic | awk '{print $1}') + if [[ "$exists" != "my_sample_topic" ]]; then + until rpk topic create my_sample_topic {{ $cloudStorageFlags }} + do sleep 2 + done + fi + + {{- range $i := until 100 }} + echo "Pandas are awesome!" | rpk topic produce my_sample_topic + {{- end }} + sleep 2 + rpk topic consume my_sample_topic -n 1 | grep "Pandas are awesome!" 
+ + # now check if we can delete the topic (we should not) + rpk topic delete my_sample_topic + + {{- if has "my_sample_topic" $noDeleteTopics }} + result=$(rpk topic list | grep my_sample_topic | awk '{print $1}') + if [[ "$result" != "my_sample_topic" ]]; then + echo "topic should not have been deleted" + exit 1 + fi + {{- end }} + + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/redpanda/redpanda/values.schema.json b/charts/redpanda/redpanda/values.schema.json index 642ee92bb..c3ef32776 100644 --- a/charts/redpanda/redpanda/values.schema.json +++ b/charts/redpanda/redpanda/values.schema.json @@ -416,6 +416,17 @@ } } }, + "credentialsSecretRef": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "key": { + "type": "string" + } + } + }, "config":{ "type": "object", "required": [ @@ -1136,7 +1147,6 @@ "type": "object", "required": [ "port", - "external", "tls" ], "properties": { @@ -1188,7 +1198,6 @@ "type": "object", "required": [ "port", - "external", "tls" ], "properties": { @@ -1259,7 +1268,6 @@ "enabled", "port", "kafkaEndpoint", - "external", "tls" ], "properties": { @@ -1382,7 +1390,6 @@ "enabled", "port", "kafkaEndpoint", - "external", "tls" ], "properties": { 
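Review bot: The guard at the top of test-kafka-nodelete.yaml, `{{- if dig "kafka_nodelete_topics" "[]" $.Values.config.cluster }}`, falls back to the string `"[]"`, which is non-empty and therefore truthy, so the test Pod is rendered even when no no-delete topics are configured. In that case the `has "my_sample_topic" $noDeleteTopics` block is skipped, and the script deletes the topic and appears to finish successfully without asserting anything. Use an empty list as the fallback, `{{- if dig "kafka_nodelete_topics" (list) $.Values.config.cluster }}`, and consider failing the test when `my_sample_topic` is not in the list instead of passing silently. `$sasl`, `$root` and `$rpk` are assigned but never used in this file.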
@@ -1556,6 +1563,41 @@ } } } + }, + "auditLogging": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "listener": { + "type": "string" + }, + "partitions": { + "type": "integer" + }, + "enabledEventTypes": { + "type": ["array", "null"] + }, + "excludedTopics": { + "type": ["array", "null"] + }, + "excludedPrincipals": { + "type": ["array", "null"] + }, + "clientMaxBufferSize": { + "type": "integer" + }, + "queueDrainIntervalMs": { + "type": "integer" + }, + "queueMaxBufferSizePerShard": { + "type": "integer" + }, + "replicationFactor": { + "type": ["integer", "null"] + } + } } } } diff --git a/charts/redpanda/redpanda/values.yaml b/charts/redpanda/redpanda/values.yaml index 3e4bf8145..7ac8d1429 100644 --- a/charts/redpanda/redpanda/values.yaml +++ b/charts/redpanda/redpanda/values.yaml 
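Review bot: The three list properties under `auditLogging` (`enabledEventTypes`, `excludedTopics`, `excludedPrincipals`) are typed `["array", "null"]` with no `items`, so a list holding numbers or nested objects passes validation; adding `"items": { "type": "string" }` to each would reject that at install time. `partitions` likewise accepts zero or a negative number, which `"minimum": 1` would catch. The enclosing schema object starts outside the hunk.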
@@ -87,6 +87,35 @@ license_secret_ref: {} # secret_name: my-secret # secret_key: key-where-license-is-stored +# -- Audit logging for a redpanda cluster, must have enabled sasl and have one kafka listener supporting sasl authentication +# for audit logging to work. Note this feature is only available for redpanda versions >= v23.3.0. +auditLogging: + # -- Enable or disable audit logging, for production clusters we suggest you enable, + # however, this will only work if you also enable sasl and a listener with sasl enabled. + enabled: false + # -- Kafka listener name, note that it must have `authenticationMethod` set to sasl + # 'internal' if using internal listener, else use external listener name, e.g., default. + listener: internal + # -- Integer value defining the number of partitions used by a newly created audit topic. + partitions: 12 + # -- Event types that should be captured by audit logs, default is ["admin", "authenticate", "management"]. + enabledEventTypes: + # -- List of topics to exclude from auditing, default is null. + excludedTopics: + # -- List of principals to exclude from auditing, default is null. + excludedPrincipals: + # -- Defines the number of bytes (in bytes) allocated by the internal audit client for audit messages. + clientMaxBufferSize: 16777216 + # -- In ms, frequency in which per shard audit logs are batched to client for write to audit log. + queueDrainIntervalMs: 500 + # -- Defines the maximum amount of memory used (in bytes) by the audit buffer in each shard. + queueMaxBufferSizePerShard: 1048576 + # -- Defines the replication factor for a newly created audit log topic. This configuration applies + # only to the audit log topic and may be different from the cluster or other topic configurations. + # This cannot be altered for existing audit log topics. Setting this value is optional. If a value is not provided, + # Redpanda will use the internal_topic_replication_factor cluster config value. 
Default is null + replicationFactor: + # -- Enterprise (optional) # For details, # see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition). @@ -426,6 +455,12 @@ storage: labels: {} # -- Additional annotations to apply to the created PersistentVolumeClaims. annotations: {} + + # credentialsSecretRef can be used to set cloud_storage_secret_key from + # referenced Kubernetes Secret + credentialsSecretRef: {} + # name: + # key # # -- Tiered Storage settings # Requires `enterprise.licenseKey` or `enterprised.licenseSecretRef` @@ -638,7 +673,7 @@ statefulset: # an existing node is removed. controllers: image: - tag: v23.2.14 + tag: v2.1.10-23.2.18 repository: docker.redpanda.com/redpandadata/redpanda-operator # You must also enable RBAC, `rbac.enabled=true`, to deploy this sidecar enabled: false diff --git a/charts/speedscale/speedscale-operator/Chart.yaml b/charts/speedscale/speedscale-operator/Chart.yaml index 5b710b245..c14efa197 100644 --- a/charts/speedscale/speedscale-operator/Chart.yaml +++ b/charts/speedscale/speedscale-operator/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.17.0-0' catalog.cattle.io/release-name: speedscale-operator apiVersion: v1 -appVersion: 1.4.88 +appVersion: 2.0.4 description: Stress test your APIs with real world scenarios. Collect and replay traffic without scripting. home: https://speedscale.com @@ -24,4 +24,4 @@ maintainers: - email: support@speedscale.com name: Speedscale Support name: speedscale-operator -version: 1.4.7 +version: 2.0.2 diff --git a/charts/speedscale/speedscale-operator/README.md b/charts/speedscale/speedscale-operator/README.md index dc552c883..5dd1e4d52 100644 --- a/charts/speedscale/speedscale-operator/README.md +++ b/charts/speedscale/speedscale-operator/README.md 
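Review bot: The prerequisites for `auditLogging.enabled` (SASL enabled, and `listener` naming a Kafka listener whose `authenticationMethod` is sasl) are stated only in comments here, so it looks possible to install with `enabled: true` and end up with no working audit log. If the templates do not already check this (they are outside this hunk), a render-time guard such as `{{- if and .Values.auditLogging.enabled (not .Values.auth.sasl.enabled) }}{{ fail "auditLogging.enabled requires auth.sasl.enabled" }}{{- end }}` would surface the misconfiguration. The comment on `enabledEventTypes` names a default list while the value shown is empty; it could say that leaving the key empty keeps the Redpanda default.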
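Review bot: The commented example under `credentialsSecretRef` reads `# key` without the trailing colon that `# name:` has, so uncommenting it as written does not give a valid mapping; it should be `# key:`. The comment could also state which value wins when both the Secret reference and an inline `cloud_storage_secret_key` are supplied, which this hunk does not show.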
@@ -101,10 +101,10 @@ _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documen A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an incompatible breaking change needing manual actions. -### Upgrade to 1.4.7 +### Upgrade to 2.0.2 ```bash -kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/1.4.7/templates/crds/trafficreplays.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/2.0.2/templates/crds/trafficreplays.yaml ``` ### Upgrade to 1.1.0 diff --git a/charts/speedscale/speedscale-operator/app-readme.md b/charts/speedscale/speedscale-operator/app-readme.md index dc552c883..5dd1e4d52 100644 --- a/charts/speedscale/speedscale-operator/app-readme.md +++ b/charts/speedscale/speedscale-operator/app-readme.md @@ -101,10 +101,10 @@ _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documen A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an incompatible breaking change needing manual actions. -### Upgrade to 1.4.7 +### Upgrade to 2.0.2 ```bash -kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/1.4.7/templates/crds/trafficreplays.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/2.0.2/templates/crds/trafficreplays.yaml ``` ### Upgrade to 1.1.0 diff --git a/charts/speedscale/speedscale-operator/templates/configmap.yaml b/charts/speedscale/speedscale-operator/templates/configmap.yaml index 46c94e6f4..36b2e532c 100644 --- a/charts/speedscale/speedscale-operator/templates/configmap.yaml +++ b/charts/speedscale/speedscale-operator/templates/configmap.yaml 
@@ -10,13 +10,11 @@ metadata: {{ toYaml .Values.globalAnnotations | indent 4}} {{- end }} data: - CLI_VERSION: {{ .Values.image.tag }} CLUSTER_NAME: {{ .Values.clusterName }} IMAGE_PULL_POLICY: {{ .Values.image.pullPolicy }} IMAGE_PULL_SECRETS: "" IMAGE_REGISTRY: {{ .Values.image.registry }} IMAGE_TAG: {{ .Values.image.tag }} - INSTALL_SOURCE: helm INSTANCE_ID: '{{- $cm := (lookup "v1" "ConfigMap" .Release.Namespace "speedscale-operator") -}}{{ if $cm }}{{ $cm.data.INSTANCE_ID }}{{ else }}{{ ( printf "%s-%s" .Values.clusterName uuidv4 ) }}{{ end }}' LOG_LEVEL: {{ .Values.logLevel }} SPEEDSCALE_DLP_CONFIG: {{ .Values.dlp.config }} @@ -38,3 +36,5 @@ data: NO_PROXY: {{ .Values.no_proxy }} {{- end }} PRIVILEGED_SIDECARS: {{ .Values.privilegedSidecars | quote }} + DISABLE_SMARTDNS: {{ .Values.disableSidecarSmartReverseDNS | quote }} + SIDECAR_CONFIG: {{ .Values.sidecar | toJson | quote }} diff --git a/charts/speedscale/speedscale-operator/templates/crds/trafficreplays.yaml b/charts/speedscale/speedscale-operator/templates/crds/trafficreplays.yaml index 616afa681..05525696a 100644 --- a/charts/speedscale/speedscale-operator/templates/crds/trafficreplays.yaml +++ b/charts/speedscale/speedscale-operator/templates/crds/trafficreplays.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.8.0 + controller-gen.kubebuilder.io/version: v0.13.0 creationTimestamp: null name: trafficreplays.speedscale.com spec: 
@@ -66,15 +66,16 @@ spec: workload. Defaults to true. type: boolean configChecksum: - description: ConfigChecksum is the SHA1 checksum of the configuration. + description: ConfigChecksum, managed my the operator, is the SHA1 + checksum of the configuration. type: string customURL: - description: CustomURL allows to specify custom URL to SUT. + description: CustomURL allows to specify custom URL to the SUT. type: string generatorLowData: - description: Setting GeneratorLowData to 'true' forces the generator - into a high efficiency/low data output mode. This is ideal for high - volume performance tests. Defaults to false. + description: GeneratorLowData forces the generator into a high efficiency/low + data output mode. This is ideal for high volume performance tests. + Defaults to false. DEPRECATED type: boolean mode: description: Mode is the name of replay mode used for this TrafficReplay. @@ -85,12 +86,12 @@ spec: type: string proxyMode: description: ProxyMode defines proxy operational mode used with injected - sidecar. (deprecated) + sidecar. DEPRECATED type: string responderLowData: - description: Setting ResponderLowData to 'true' forces the responder - into a high efficiency/low data output mode. This is ideal for high - volume performance tests. Defaults to false. + description: ResponderLowData forces the responder into a high efficiency/low + data output mode. This is ideal for high volume performance tests. + Defaults to false. DEPRECATED type: boolean secretRefs: description: SecretRefs hold the references to the secrets which contain @@ -108,11 +109,12 @@ spec: type: object type: array sidecar: - description: Sidecar defines sidecar specific configuration. + description: 'Sidecar defines sidecar specific configuration. DEPRECATED: + use Workloads' properties: inject: description: Inject enables or disables sidecar injection during - the replay. Defaults to false. (deprecated) + the replay. Defaults to false. type: boolean tls: properties: 
@@ -173,9 +175,9 @@ spec: the execution and reached its final state (either complete or failed). type: string workloadRef: - description: The reference to the target workload (SUT - system under - test) for TrafficReplay. The operations will be performed in the - namespace of the target object. + description: 'WorkloadRef is the reference to the target workload + (SUT) for TrafficReplay. The operations will be performed in the + namespace of the target object. DEPRECATED: use Workloads' properties: apiVersion: description: API version of the referent 
@@ -194,8 +196,99 @@ spec: - kind - name type: object + workloads: + description: Workloads define target workloads (SUT) for a TrafficReplay. + Many workloads may be provided, or none. Workloads may be modified + and restarted during replay to configure communication with a responder. + items: + description: Workload represents a Kubernetes workload to be targeted + during replay and associated settings. + properties: + inTrafficKey: + description: InTrafficKey is used to identify the slice of inbound + snapshot traffic this workload is targeting and maps directly + to a snapshot's `InTraffic` field. Snapshot traffic can be + split across multiple slices where each slice contains part + of the traffic. A slice may only have one workload, but a + workload may be targeted by multiple slices. + type: string + ref: + description: Ref is a reference to a cluster workload, like + a deployment or a statefulset. + properties: + apiVersion: + description: API version of the referent + type: string + kind: + description: Kind of the referent + type: string + name: + description: Name of the referent + type: string + namespace: + description: Namespace of the referent, defaults to the + TrafficReplay namespace + type: string + required: + - kind + - name + type: object + sidecar: + description: 'TODO: this is not implemented, come back and replace + deprecated Sidecar with workload specific settings Sidecar + defines sidecar specific configuration.' + properties: + inject: + description: Inject enables or disables sidecar injection + during the replay. Defaults to false. + type: boolean + tls: + properties: + in: + description: In provides configuration for sidecar inbound + TLS. + properties: + private: + description: Private is the filename of the TLS + inbound private key. + type: string + public: + description: Public is the filename of the TLS inbound + public key. + type: string + secret: + description: Secret is a secret with the TLS keys + to use for inbound traffic. 
+ type: string + type: object + mutual: + description: Mutual provides configuration for sidecar + mutual TLS. + properties: + private: + description: Private is the filename of the mutual + TLS private key. + type: string + public: + description: Public is the filename of the mutual + TLS public key. + type: string + secret: + description: Secret is a secret with the mutual + TLS keys. + type: string + type: object + out: + description: Out enables or disables TLS out on the + sidecar during replay. + type: boolean + type: object + type: object + type: object + type: array required: - - workloadRef + - snapshotID + - testConfigID type: object status: default: @@ -302,10 +395,6 @@ spec: description: Information when the traffic replay has started. format: date-time type: string - workloadHost: - description: WorkloadHost is the host address which is targeted during - the traffic replay. - type: string type: object type: object served: true @@ -316,5 +405,5 @@ status: acceptedNames: kind: "" plural: "" - conditions: [] - storedVersions: [] + conditions: null + storedVersions: null diff --git a/charts/speedscale/speedscale-operator/values.yaml b/charts/speedscale/speedscale-operator/values.yaml index f1faaf614..8c08b8dbc 100644 --- a/charts/speedscale/speedscale-operator/values.yaml +++ b/charts/speedscale/speedscale-operator/values.yaml @@ -20,7 +20,7 @@ clusterName: "my-cluster" # Speedscale components image settings. image: registry: gcr.io/speedscale - tag: v1.4.88 + tag: v2.0.4 pullPolicy: Always # Log level for Speedscale components. 
@@ -86,6 +86,9 @@ no_proxy: "" # control if sidecar init containers should run with privileged set privilegedSidecars: false +# control if the sidecar should enable/disable use of the smart dns lookup feature (requires NET_ADMIN) +disableSidecarSmartReverseDNS: false + # Operator settings. These limits are recommended unless you have a cluster # with a very large number of workloads (for eg. 10k+ deployments, replicasets, etc.). operator: @@ -96,3 +99,14 @@ operator: requests: cpu: 100m memory: 128Mi + +# Default sidecar settings. Example: +# sidecar: +# resources: +# limits: +# cpu: 500m +# memory: 512Mi +# requests: +# cpu: 10m +# memory: 32Mi +sidecar: {} diff --git a/charts/stackstate/stackstate-k8s-agent/Chart.lock b/charts/stackstate/stackstate-k8s-agent/Chart.lock index eb882a083..ab1abbaf8 100644 --- a/charts/stackstate/stackstate-k8s-agent/Chart.lock +++ b/charts/stackstate/stackstate-k8s-agent/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: http-header-injector repository: https://helm.stackstate.io - version: 0.0.6 -digest: sha256:eec4d022d97ef52e88860b54682692fd369c864ca49ccde01b30605cce20c96f -generated: "2023-08-25T14:49:57.569449+02:00" + version: 0.0.8 +digest: sha256:c3b39729fb1d0b742d799b83905467fddbce2f15cf7fb65ed4806cee6a27c818 +generated: "2023-12-05T10:09:00.393174914+01:00" diff --git a/charts/stackstate/stackstate-k8s-agent/Chart.yaml b/charts/stackstate/stackstate-k8s-agent/Chart.yaml index 0dc74620f..7919ca68a 100644 --- a/charts/stackstate/stackstate-k8s-agent/Chart.yaml +++ b/charts/stackstate/stackstate-k8s-agent/Chart.yaml @@ -9,7 +9,7 @@ dependencies: - alias: httpHeaderInjectorWebhook name: http-header-injector repository: file://./charts/http-header-injector - version: 0.0.6 + version: 0.0.8 description: Helm chart for the StackState Agent. home: https://github.com/StackVista/stackstate-agent icon: https://raw.githubusercontent.com/StackVista/helm-charts/master/stable/stackstate-k8s-agent/logo.svg 
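Review bot: The comment on `disableSidecarSmartReverseDNS` leaves it unclear which state needs NET_ADMIN. Read literally, the feature is on by default (`false`), which would mean injected sidecars ask for the NET_ADMIN capability unless this is set to `true`. If that reading is right, say so in the comment, for example `# Smart DNS lookup in the sidecar is enabled by default and needs the NET_ADMIN capability; set to true to disable it.`, so operators with restricted pod security settings know to change it.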
@@ -21,4 +21,4 @@ maintainers: - email: ops@stackstate.com name: Stackstate name: stackstate-k8s-agent -version: 1.0.58 +version: 1.0.66 diff --git a/charts/stackstate/stackstate-k8s-agent/README.md b/charts/stackstate/stackstate-k8s-agent/README.md index 6929dc358..35d62b47b 100644 --- a/charts/stackstate/stackstate-k8s-agent/README.md +++ b/charts/stackstate/stackstate-k8s-agent/README.md @@ -2,7 +2,7 @@ Helm chart for the StackState Agent. -Current chart version is `1.0.58` +Current chart version is `1.0.66` **Homepage:** @@ -10,7 +10,7 @@ Current chart version is `1.0.58` | Repository | Name | Version | |------------|------|---------| -| https://helm.stackstate.io | httpHeaderInjectorWebhook(http-header-injector) | 0.0.6 | +| https://helm.stackstate.io | httpHeaderInjectorWebhook(http-header-injector) | 0.0.8 | ## Required Values @@ -61,7 +61,7 @@ stackstate/stackstate-k8s-agent | checksAgent.enabled | bool | `true` | Enable / disable runnning cluster checks in a separately deployed pod | | checksAgent.image.pullPolicy | string | `"IfNotPresent"` | Default container image pull policy. | | checksAgent.image.repository | string | `"stackstate/stackstate-k8s-agent"` | Base container image repository. | -| checksAgent.image.tag | string | `"9af1b63f"` | Default container image tag. | +| checksAgent.image.tag | string | `"edf7fca5"` | Default container image tag. | | checksAgent.livenessProbe.enabled | bool | `true` | Enable use of livenessProbe check. | | checksAgent.livenessProbe.failureThreshold | int | `3` | `failureThreshold` for the liveness probe. | | checksAgent.livenessProbe.initialDelaySeconds | int | `15` | `initialDelaySeconds` for the liveness probe. | 
@@ -121,7 +121,7 @@ stackstate/stackstate-k8s-agent | clusterAgent.enabled | bool | `true` | Enable / disable the cluster agent. | | clusterAgent.image.pullPolicy | string | `"IfNotPresent"` | Default container image pull policy. | | clusterAgent.image.repository | string | `"stackstate/stackstate-k8s-cluster-agent"` | Base container image repository. | -| clusterAgent.image.tag | string | `"9af1b63f"` | Default container image tag. | +| clusterAgent.image.tag | string | `"edf7fca5"` | Default container image tag. | | clusterAgent.livenessProbe.enabled | bool | `true` | Enable use of livenessProbe check. | | clusterAgent.livenessProbe.failureThreshold | int | `3` | `failureThreshold` for the liveness probe. | | clusterAgent.livenessProbe.initialDelaySeconds | int | `15` | `initialDelaySeconds` for the liveness probe. | @@ -157,7 +157,7 @@ stackstate/stackstate-k8s-agent | logsAgent.enabled | bool | `true` | Enable / disable k8s pod log collection | | logsAgent.image.pullPolicy | string | `"IfNotPresent"` | Default container image pull policy. | | logsAgent.image.repository | string | `"stackstate/promtail"` | Base container image repository. | -| logsAgent.image.tag | string | `"2.7.1"` | Default container image tag. | +| logsAgent.image.tag | string | `"2.7.1-4b6ae2af"` | Default container image tag. | | logsAgent.nodeSelector | object | `{}` | Node labels for pod assignment. | | logsAgent.priorityClassName | string | `""` | Priority class for logsAgent pods. | | logsAgent.resources.limits.cpu | string | `"1300m"` | Memory resource limits. | 
@@ -179,7 +179,7 @@ stackstate/stackstate-k8s-agent | nodeAgent.containers.agent.env | object | `{}` | Additional environment variables for the agent container | | nodeAgent.containers.agent.image.pullPolicy | string | `"IfNotPresent"` | Default container image pull policy. | | nodeAgent.containers.agent.image.repository | string | `"stackstate/stackstate-k8s-agent"` | Base container image repository. | -| nodeAgent.containers.agent.image.tag | string | `"9af1b63f"` | Default container image tag. | +| nodeAgent.containers.agent.image.tag | string | `"edf7fca5"` | Default container image tag. | | nodeAgent.containers.agent.livenessProbe.enabled | bool | `true` | Enable use of livenessProbe check. | | nodeAgent.containers.agent.livenessProbe.failureThreshold | int | `3` | `failureThreshold` for the liveness probe. | | nodeAgent.containers.agent.livenessProbe.initialDelaySeconds | int | `15` | `initialDelaySeconds` for the liveness probe. | 
@@ -203,8 +203,9 @@ stackstate/stackstate-k8s-agent | nodeAgent.containers.processAgent.image.pullPolicy | string | `"IfNotPresent"` | Process-agent container image pull policy. | | nodeAgent.containers.processAgent.image.registry | string | `nil` | | | nodeAgent.containers.processAgent.image.repository | string | `"stackstate/stackstate-k8s-process-agent"` | Process-agent container image repository. | -| nodeAgent.containers.processAgent.image.tag | string | `"160f79ee"` | Default process-agent container image tag. | +| nodeAgent.containers.processAgent.image.tag | string | `"76e11e86"` | Default process-agent container image tag. | | nodeAgent.containers.processAgent.logLevel | string | `nil` | Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off # If not set, fall back to the value of agent.logLevel. | +| nodeAgent.containers.processAgent.procVolumeReadOnly | bool | `true` | Configure whether /host/proc is read only for the process agent container | | nodeAgent.containers.processAgent.resources.limits.cpu | string | `"125m"` | Memory resource limits. | | nodeAgent.containers.processAgent.resources.limits.memory | string | `"400Mi"` | | | nodeAgent.containers.processAgent.resources.requests.cpu | string | `"25m"` | Memory resource requests. | 
@@ -215,12 +216,12 @@ stackstate/stackstate-k8s-agent | nodeAgent.nodeSelector | object | `{}` | Node labels for pod assignment. | | nodeAgent.priorityClassName | string | `""` | Priority class for nodeAgent pods. | | nodeAgent.protocolInspection.enabled | bool | `true` | Enable / disable the nodeAgent protocol inspection. | -| nodeAgent.scaling.autoscalerLimits.agent.maximum.cpu | string | `"500m"` | Maximum CPU resource limits for main agent. | -| nodeAgent.scaling.autoscalerLimits.agent.maximum.memory | string | `"750Mi"` | Maximum memory resource limits for main agent. | +| nodeAgent.scaling.autoscalerLimits.agent.maximum.cpu | string | `"200m"` | Maximum CPU resource limits for main agent. | +| nodeAgent.scaling.autoscalerLimits.agent.maximum.memory | string | `"450Mi"` | Maximum memory resource limits for main agent. | | nodeAgent.scaling.autoscalerLimits.agent.minimum.cpu | string | `"20m"` | Minimum CPU resource limits for main agent. | | nodeAgent.scaling.autoscalerLimits.agent.minimum.memory | string | `"180Mi"` | Minimum memory resource limits for main agent. | -| nodeAgent.scaling.autoscalerLimits.processAgent.maximum.cpu | string | `"1000m"` | Maximum CPU resource limits for process agent. | -| nodeAgent.scaling.autoscalerLimits.processAgent.maximum.memory | string | `"1500Mi"` | Maximum memory resource limits for process agent. | +| nodeAgent.scaling.autoscalerLimits.processAgent.maximum.cpu | string | `"200m"` | Maximum CPU resource limits for process agent. | +| nodeAgent.scaling.autoscalerLimits.processAgent.maximum.memory | string | `"500Mi"` | Maximum memory resource limits for process agent. | | nodeAgent.scaling.autoscalerLimits.processAgent.minimum.cpu | string | `"25m"` | Minimum CPU resource limits for process agent. | | nodeAgent.scaling.autoscalerLimits.processAgent.minimum.memory | string | `"100Mi"` | Minimum memory resource limits for process agent. 
| | nodeAgent.scc.enabled | bool | `false` | Enable / disable the installation of the SecurityContextConfiguration needed for installation on OpenShift. | diff --git a/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/Chart.yaml b/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/Chart.yaml index c1f1de800..d2c911c5d 100644 --- a/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/Chart.yaml +++ b/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/Chart.yaml @@ -12,4 +12,4 @@ maintainers: - email: ops@stackstate.com name: Stackstate Lupulus Team name: http-header-injector -version: 0.0.6 +version: 0.0.8 diff --git a/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/README.md b/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/README.md index 3f83e01b8..33e6bedf7 100644 --- a/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/README.md +++ b/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/README.md @@ -1,6 +1,6 @@ # http-header-injector -![Version: 0.0.6](https://img.shields.io/badge/Version-0.0.6-informational?style=flat-square) ![AppVersion: 0.0.1](https://img.shields.io/badge/AppVersion-0.0.1-informational?style=flat-square) +![Version: 0.0.7](https://img.shields.io/badge/Version-0.0.7-informational?style=flat-square) ![AppVersion: 0.0.1](https://img.shields.io/badge/AppVersion-0.0.1-informational?style=flat-square) Helm chart for deploying the http-header-injector sidecar, which automatically injects x-request-id into http traffic going through the cluster for pods which have the annotation `http-header-injector.stackstate.io/inject: enabled` is set. 
@@ -17,10 +17,10 @@ going through the cluster for pods which have the annotation `http-header-inject | Key | Type | Default | Description | |-----|------|---------|-------------| -| certificatePrehook | object | `{"image":{"pullPolicy":"IfNotPresent","registry":null,"repository":"stackstate/container-tools","tag":"1.1.8"}}` | Helm prehook to setup/remove a certificate for the sidecarInjector mutationwebhook | +| certificatePrehook | object | `{"image":{"pullPolicy":"IfNotPresent","registry":null,"repository":"stackstate/container-tools","tag":"1.2.0"}}` | Helm prehook to setup/remove a certificate for the sidecarInjector mutationwebhook | | certificatePrehook.image.pullPolicy | string | `"IfNotPresent"` | Policy when pulling an image | | certificatePrehook.image.registry | string | `nil` | Registry for the docker image. | -| certificatePrehook.image.tag | string | `"1.1.8"` | The tag for the docker image | +| certificatePrehook.image.tag | string | `"1.2.0"` | The tag for the docker image | | debug | bool | `false` | Enable debugging. This will leave leave artifacts around like the prehook jobs for further inspection | | enabled | bool | `true` | Enable/disable the mutationwebhook | | global.imagePullCredentials | object | `{}` | Globally define credentials for pulling images. | diff --git a/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/templates/_defines.tpl b/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/templates/_defines.tpl index f1b8b8872..a3614d755 100644 --- a/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/templates/_defines.tpl +++ b/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/templates/_defines.tpl 
@@ -80,3 +80,34 @@ imagePullSecrets: {{- end }} {{- end -}} {{- end -}} + +{{- define "http-header-injector.cert-setup.container.main" }} +{{- $containerConfig := dict "ContainerConfig" .Values.certificatePrehook -}} +name: webhook-cert-setup +image: "{{ include "http-header-injector.image.registry" (merge $containerConfig .) }}/{{ .Values.certificatePrehook.image.repository }}:{{ .Values.certificatePrehook.image.tag }}" +imagePullPolicy: {{ .Values.certificatePrehook.image.pullPolicy }} +{{- with .Values.certificatePrehook.resources }} +resources: + {{- toYaml . | nindent 2 }} +{{- end }} +volumeMounts: + - name: "{{ include "http-header-injector.cert-config.name" . }}" + mountPath: /scripts + readOnly: true +command: ["/scripts/generate-cert.sh"] +{{- end }} + +{{- define "http-header-injector.cert-delete.container.main" }} +{{- $containerConfig := dict "ContainerConfig" .Values.certificatePrehook -}} +name: webhook-cert-delete +image: "{{ include "http-header-injector.image.registry" (merge $containerConfig .) }}/{{ .Values.certificatePrehook.image.repository }}:{{ .Values.certificatePrehook.image.tag }}" +imagePullPolicy: {{ .Values.certificatePrehook.image.pullPolicy }} +{{- with .Values.certificatePrehook.resources }} +resources: + {{- toYaml . | nindent 2 }} +{{- end }} +volumeMounts: + - name: "{{ include "http-header-injector.cert-config.name" . }}" + mountPath: /scripts +command: [ "/scripts/delete-cert.sh" ] +{{- end }} \ No newline at end of file diff --git a/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/templates/cert-hook-job-delete.yaml b/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/templates/cert-hook-job-delete.yaml index 027d69b37..1e67e5a45 100644 --- a/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/templates/cert-hook-job-delete.yaml +++ b/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/templates/cert-hook-job-delete.yaml 
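Review bot: The `/scripts` mount in `http-header-injector.cert-delete.container.main` lacks the `readOnly: true` that the otherwise identical mount in `http-header-injector.cert-setup.container.main` carries; add `readOnly: true` there so both hook containers treat the script volume the same way. Neither define sets a container `securityContext`; if the Jobs that include them do not set one at pod level (not visible in this hunk), these certificate hooks run with the image defaults. The two defines differ only in name, command and that flag, so a single define taking the name and script as arguments would keep them from drifting apart again.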
@@ -1,5 +1,4 @@
 {{- if eq .Values.webhook.tls.mode "generated" }}
-{{- $containerConfig := dict "ContainerConfig" .Values.certificatePrehook -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -30,13 +29,7 @@ spec:
 name: "{{ include "http-header-injector.cert-config.name" . }}"
 defaultMode: 0777
 containers:
- - name: webhook-cert-delete
- image: "{{ include "http-header-injector.image.registry" (merge $containerConfig .) }}/{{ .Values.certificatePrehook.image.repository }}:{{ .Values.certificatePrehook.image.tag }}"
- imagePullPolicy: {{ .Values.certificatePrehook.image.pullPolicy }}
- volumeMounts:
- - name: "{{ include "http-header-injector.cert-config.name" . }}"
- mountPath: /scripts
- command: [ "/scripts/delete-cert.sh" ]
+ - {{ include "http-header-injector.cert-delete.container.main" . | nindent 8 }}
 restartPolicy: Never
 backoffLimit: 0
 {{- end }}
diff --git a/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/templates/cert-hook-job-setup.yaml b/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/templates/cert-hook-job-setup.yaml
index b8e310442..19451d293 100644
--- a/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/templates/cert-hook-job-setup.yaml
+++ b/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/templates/cert-hook-job-setup.yaml
@@ -1,5 +1,4 @@
 {{- if eq .Values.webhook.tls.mode "generated" }}
-{{- $containerConfig := dict "ContainerConfig" .Values.certificatePrehook -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -30,14 +29,7 @@ spec: name: "{{ include "http-header-injector.cert-config.name" . }}" defaultMode: 0777 containers: - - name: webhook-cert-setup - image: "{{ include "http-header-injector.image.registry" (merge $containerConfig .) }}/{{ .Values.certificatePrehook.image.repository }}:{{ .Values.certificatePrehook.image.tag }}" - imagePullPolicy: {{ .Values.certificatePrehook.image.pullPolicy }} - volumeMounts: - - name: "{{ include "http-header-injector.cert-config.name" . }}" - mountPath: /scripts - readOnly: true - command: ["/scripts/generate-cert.sh"] + - {{ include "http-header-injector.cert-setup.container.main" . | nindent 8 }} restartPolicy: Never backoffLimit: 0 {{- end }} diff --git a/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/values.yaml b/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/values.yaml index 236a8bb6a..b7ed95b53 100644 --- a/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/values.yaml +++ b/charts/stackstate/stackstate-k8s-agent/charts/http-header-injector/values.yaml @@ -70,7 +70,14 @@ certificatePrehook: # certificatePrehook.image.pullPolicy -- Policy when pulling an image pullPolicy: IfNotPresent # certificatePrehook.image.tag -- The tag for the docker image - tag: 1.1.8 + tag: 1.2.0 + resources: + limits: + cpu: "100m" + memory: "100Mi" + requests: + cpu: "100m" + memory: "100Mi" # webhook -- MutationWebhook that will be installed to inject a sidecar into pods webhook: diff --git a/charts/stackstate/stackstate-k8s-agent/templates/_container-process-agent.yaml b/charts/stackstate/stackstate-k8s-agent/templates/_container-process-agent.yaml index 345484161..fa6ceb592 100644 --- a/charts/stackstate/stackstate-k8s-agent/templates/_container-process-agent.yaml +++ b/charts/stackstate/stackstate-k8s-agent/templates/_container-process-agent.yaml 
@@ -32,6 +32,8 @@
 value: "/host/proc"
 - name: HOST_SYS
 value: "/host/sys"
+ - name: HOST_ETC
+ value: "/host/etc"
 - name: KUBERNETES
 value: "true"
 - name: STS_CLUSTER_AGENT_ENABLED
@@ -123,9 +125,15 @@
 - name: dockersocket
 mountPath: /var/run/docker.sock
 readOnly: true
+ # The agent needs access to /etc to figure out what os it is running on.
+ - name: etcdir
+ mountPath: /host/etc
+ readOnly: true
 - name: procdir
 mountPath: /host/proc
- readOnly: true
+ # We have an agent option STS_DISABLE_BPF_JIT_HARDEN that write to /proc. this is a debug setting but if we want to use
+ # it, we have the option to make /proc writable.
+ readOnly: {{ .Values.nodeAgent.containers.processAgent.procVolumeReadOnly }}
 - name: passwd
 mountPath: /etc/passwd
 readOnly: true
diff --git a/charts/stackstate/stackstate-k8s-agent/templates/node-agent-daemonset.yaml b/charts/stackstate/stackstate-k8s-agent/templates/node-agent-daemonset.yaml
index 39632a5cf..dd47d1a9e 100644
--- a/charts/stackstate/stackstate-k8s-agent/templates/node-agent-daemonset.yaml
+++ b/charts/stackstate/stackstate-k8s-agent/templates/node-agent-daemonset.yaml
@@ -89,6 +89,9 @@ spec:
 - hostPath:
 path: {{ .Values.nodeAgent.containerRuntime.hostProc }}
 name: procdir
+ - hostPath:
+ path: /etc
+ name: etcdir
 - hostPath:
 path: /etc/passwd
 name: passwd
diff --git a/charts/stackstate/stackstate-k8s-agent/values.yaml b/charts/stackstate/stackstate-k8s-agent/values.yaml
index 476230af0..b2aaaf905 100644
--- a/charts/stackstate/stackstate-k8s-agent/values.yaml
+++ b/charts/stackstate/stackstate-k8s-agent/values.yaml
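Review bot: The new `readOnly: {{ .Values.nodeAgent.containers.processAgent.procVolumeReadOnly }}` on the `procdir` mount fails open: if the value is null or dropped by an override, the template renders an empty `readOnly:`, which I would expect Kubernetes to treat as unset, leaving the host's /proc writable in the process-agent container. Rendering it so that only an explicit `false` makes the mount writable keeps the previous behaviour when the key is missing, e.g. `readOnly: {{ ne (toString .Values.nodeAgent.containers.processAgent.procVolumeReadOnly) "false" }}`. The `volumeMounts` list starts and ends outside this hunk.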
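Review bot: The added `hostPath` volume `etcdir` with `path: /etc` (mounted at `/host/etc` in the `_container-process-agent.yaml` hunk above) gives the process-agent container the node's entire /etc, while the accompanying comment says the agent needs it only to work out which OS it is running on. `readOnly: true` prevents modification but not disclosure, and /etc on a node commonly holds credential and key material. If OS detection only reads the os-release file, a file-level mount would be enough: `path: /etc/os-release` here and `mountPath: /host/etc/os-release` on the mount. That needs checking against what the agent actually reads under `HOST_ETC`, and on distributions where that file is a symlink. The volumes list continues outside the hunk.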
@@ -78,9 +78,9 @@ nodeAgent: memory: "180Mi" maximum: # nodeAgent.scaling.autoscalerLimits.agent.maximum.cpu -- Maximum CPU resource limits for main agent. - cpu: "500m" + cpu: "200m" # nodeAgent.scaling.autoscalerLimits.agent.maximum.memory -- Maximum memory resource limits for main agent. - memory: "750Mi" + memory: "450Mi" processAgent: minimum: # nodeAgent.scaling.autoscalerLimits.processAgent.minimum.cpu -- Minimum CPU resource limits for process agent. @@ -89,9 +89,9 @@ nodeAgent: memory: "100Mi" maximum: # nodeAgent.scaling.autoscalerLimits.processAgent.maximum.cpu -- Maximum CPU resource limits for process agent. - cpu: "1000m" + cpu: "200m" # nodeAgent.scaling.autoscalerLimits.processAgent.maximum.memory -- Maximum memory resource limits for process agent. - memory: "1500Mi" + memory: "500Mi" containers: agent: @@ -99,7 +99,7 @@ nodeAgent: # nodeAgent.containers.agent.image.repository -- Base container image repository. repository: stackstate/stackstate-k8s-agent # nodeAgent.containers.agent.image.tag -- Default container image tag. - tag: "9af1b63f" + tag: "edf7fca5" # nodeAgent.containers.agent.image.pullPolicy -- Default container image pull policy. pullPolicy: IfNotPresent processAgent: @@ -158,7 +158,7 @@ nodeAgent: # nodeAgent.containers.processAgent.image.repository -- Process-agent container image repository. repository: stackstate/stackstate-k8s-process-agent # nodeAgent.containers.processAgent.image.tag -- Default process-agent container image tag. - tag: "160f79ee" + tag: "76e11e86" # nodeAgent.containers.processAgent.image.pullPolicy -- Process-agent container image pull policy. pullPolicy: IfNotPresent # nodeAgent.containers.processAgent.env -- Additional environment variables for the process-agent container 
@@ -167,6 +167,9 @@ nodeAgent: ## If not set, fall back to the value of agent.logLevel. logLevel: # INFO + # nodeAgent.containers.processAgent.procVolumeReadOnly -- Configure whether /host/proc is read only for the process agent container + procVolumeReadOnly: true + resources: limits: # nodeAgent.containers.processAgent.resources.limits.cpu -- CPU resource limits. @@ -331,7 +334,7 @@ clusterAgent: # clusterAgent.image.repository -- Base container image repository. repository: stackstate/stackstate-k8s-cluster-agent # clusterAgent.image.tag -- Default container image tag. - tag: "9af1b63f" + tag: "edf7fca5" # clusterAgent.image.pullPolicy -- Default container image pull policy. pullPolicy: IfNotPresent @@ -418,7 +421,7 @@ logsAgent: # logsAgent.image.repository -- Base container image repository. repository: stackstate/promtail # logsAgent.image.tag -- Default container image tag. - tag: 2.7.1 + tag: 2.7.1-4b6ae2af # logsAgent.image.pullPolicy -- Default container image pull policy. pullPolicy: IfNotPresent @@ -483,7 +486,7 @@ checksAgent: # checksAgent.image.repository -- Base container image repository. repository: stackstate/stackstate-k8s-agent # checksAgent.image.tag -- Default container image tag. - tag: "9af1b63f" + tag: "edf7fca5" # checksAgent.image.pullPolicy -- Default container image pull policy. pullPolicy: IfNotPresent diff --git a/charts/sysdig/sysdig/CHANGELOG.md b/charts/sysdig/sysdig/CHANGELOG.md index b04332cf8..803cee008 100644 --- a/charts/sysdig/sysdig/CHANGELOG.md +++ b/charts/sysdig/sysdig/CHANGELOG.md 
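Review bot: The doc comment added for `procVolumeReadOnly` in the `@@ -167,6 +167,9 @@` hunk says what the option toggles but not when it should be changed or what that costs, and this text presumably feeds the generated values table in the README. I would state that `false` is a debug-only setting, e.g. `# nodeAgent.containers.processAgent.procVolumeReadOnly -- Mount the host /proc read-only in the process-agent container. Set to false only when debugging with STS_DISABLE_BPF_JIT_HARDEN, which needs to write to the host's /proc.`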
@@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v1.16.24 +### Chores +* **sysdig, node-analyzer** [4a1a9a1d](https://github.com/sysdiglabs/charts/commit/4a1a9a1d7feaeb4ee04b2c17e4b84d8440cf6901): bump sysdig/vuln-runtime-scanner to v1.6.6 ([#1526](https://github.com/sysdiglabs/charts/issues/1526)) # v1.16.23 ### New Features * **sysdig** [048837fc](https://github.com/sysdiglabs/charts/commit/048837fcb04b48c5dc584d13f5a005fdb75fd230): Update legacy engine NIA component with security updates ([#1489](https://github.com/sysdiglabs/charts/issues/1489)) diff --git a/charts/sysdig/sysdig/Chart.yaml b/charts/sysdig/sysdig/Chart.yaml index 76781b153..c2ad146cb 100644 --- a/charts/sysdig/sysdig/Chart.yaml +++ b/charts/sysdig/sysdig/Chart.yaml @@ -19,4 +19,4 @@ name: sysdig sources: - https://app.sysdigcloud.com/#/settings/user - https://github.com/draios/sysdig -version: 1.16.23 +version: 1.16.24 diff --git a/charts/sysdig/sysdig/README.md b/charts/sysdig/sysdig/README.md index 34aa09149..5014271f0 100644 --- a/charts/sysdig/sysdig/README.md +++ b/charts/sysdig/sysdig/README.md 
@@ -262,7 +262,7 @@ The following table lists the configurable parameters of the Sysdig chart and th | `nodeAnalyzer.runtimeScanner.deploy` | Deploys the Runtime Scanner. | `false` | | `nodeAnalyzer.runtimeScanner.extraMounts` | Specifies a container engine custom socket path (docker, containerd, CRI-O). | | | `nodeAnalyzer.runtimeScanner.image.repository` | The image repository to pull the Runtime Scanner from. | `sysdig/vuln-runtime-scanner` | -| `nodeAnalyzer.runtimeScanner.image.tag` | The image tag to pull the Runtime Scanner. | `1.6.4` | +| `nodeAnalyzer.runtimeScanner.image.tag` | The image tag to pull the Runtime Scanner. | `1.6.6` | | `nodeAnalyzer.runtimeScanner.image.digest` | The image digest to pull. | ` ` | | `nodeAnalyzer.runtimeScanner.image.pullPolicy` | The image pull policy for the Runtime Scanner. | `IfNotPresent` | | `nodeAnalyzer.runtimeScanner.resources.requests.cpu` | Runtime Scanner CPU requests per node. | `250m` | diff --git a/charts/sysdig/sysdig/RELEASE-NOTES.md b/charts/sysdig/sysdig/RELEASE-NOTES.md index 9a27747a3..f3e7e48ae 100644 --- a/charts/sysdig/sysdig/RELEASE-NOTES.md +++ b/charts/sysdig/sysdig/RELEASE-NOTES.md @@ -1,5 +1,5 @@ # What's Changed -### New Features -- **sysdig** [048837fc](https://github.com/sysdiglabs/charts/commit/048837fcb04b48c5dc584d13f5a005fdb75fd230): Update legacy engine NIA component with security updates ([#1489](https://github.com/sysdiglabs/charts/issues/1489)) -#### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.29.12...sysdig-1.16.23 +### Chores +- **sysdig, node-analyzer** [4a1a9a1d](https://github.com/sysdiglabs/charts/commit/4a1a9a1d7feaeb4ee04b2c17e4b84d8440cf6901): bump sysdig/vuln-runtime-scanner to v1.6.6 ([#1526](https://github.com/sysdiglabs/charts/issues/1526)) +#### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.33.2...sysdig-1.16.24 
diff --git a/charts/sysdig/sysdig/values.yaml b/charts/sysdig/sysdig/values.yaml
index 62fffb1a8..bd7a67c42 100644
--- a/charts/sysdig/sysdig/values.yaml
+++ b/charts/sysdig/sysdig/values.yaml
@@ -432,7 +432,7 @@ nodeAnalyzer:
 deploy: false
 image:
 repository: sysdig/vuln-runtime-scanner
- tag: 1.6.4
+ tag: 1.6.6
 digest: null
 pullPolicy: IfNotPresent
 extraMounts: []
diff --git a/charts/traefik/traefik/Changelog.md b/charts/traefik/traefik/Changelog.md
index 62162c67e..1e4b09488 100644
--- a/charts/traefik/traefik/Changelog.md
+++ b/charts/traefik/traefik/Changelog.md
@@ -1,11 +1,110 @@ # Change Log +## 26.0.0 ![AppVersion: v2.10.6](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.6&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-12-04 + +* fix: 🐛 improve confusing suggested value on openTelemetry.grpc +* fix: 🐛 declare http3 udp port, with or without hostport +* feat: 💥 deployment.podannotations support interpolation with tpl +* feat: allow update of namespace policy for websecure listener +* feat: allow defining startupProbe +* feat: add file provider +* feat: :boom: unify plugin import between traefik and this chart +* chore(release): 🚀 publish v26 +* chore(deps): update traefik docker tag to v2.10.6 +* Release namespace for Prometheus Operator resources + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 71e377e..f9dac91 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -40,6 +40,7 @@ deployment: + # -- Additional deployment labels (e.g. for filtering deployment by custom labels) + labels: {} + # -- Additional pod annotations (e.g. for mesh injection or prometheus scraping) ++ # It supports templating. One can set it with values like traefik/name: '{{ template "traefik.name" . }}' + podAnnotations: {} + # -- Additional Pod labels (e.g. for filtering Pod by custom labels) + podLabels: {} +@@ -119,10 +120,12 @@ experimental: + # This value is no longer used, set the image.tag to a semver higher than 3.0, e.g. 
"v3.0.0-beta3" + # v3: + # -- Enable traefik version 3 +- # enabled: false +- plugins: +- # -- Enable traefik experimental plugins +- enabled: false ++ ++ # -- Enable traefik experimental plugins ++ plugins: {} ++ # demo: ++ # moduleName: github.com/traefik/plugindemo ++ # version: v0.2.1 + kubernetesGateway: + # -- Enable traefik experimental GatewayClass CRD + enabled: false +@@ -206,6 +209,17 @@ livenessProbe: + # -- The number of seconds to wait for a probe response before considering it as failed. + timeoutSeconds: 2 + ++# -- Define Startup Probe for container: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes ++# eg. ++# `startupProbe: ++# exec: ++# command: ++# - mycommand ++# - foo ++# initialDelaySeconds: 5 ++# periodSeconds: 5` ++startupProbe: ++ + providers: + kubernetesCRD: + # -- Load Kubernetes IngressRoute provider +@@ -241,6 +255,23 @@ providers: + # By default this Traefik service + # pathOverride: "" + ++ file: ++ # -- Create a file provider ++ enabled: false ++ # -- Allows Traefik to automatically watch for file changes ++ watch: true ++ # -- File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/) ++ content: "" ++ # http: ++ # routers: ++ # router0: ++ # entryPoints: ++ # - web ++ # middlewares: ++ # - my-basic-auth ++ # service: service-foo ++ # rule: Path(`/foo`) ++ + # + # -- Add volumes to the traefik pod. The volume name will be passed to tpl. + # This can be used to mount a cert pair or a configmap that holds a config.toml file. 
+@@ -487,7 +518,7 @@ metrics: + # -- https://doc.traefik.io/traefik/observability/tracing/overview/ + tracing: {} + # openTelemetry: # traefik v3+ only +-# grpc: {} ++# grpc: true + # insecure: true + # address: localhost:4317 + # instana: +``` + ## 25.0.0 ![AppVersion: v2.10.5](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.5&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) -**Release date:** 2023-10-16 +**Release date:** 2023-10-23 * revert: "fix: 🐛 remove old CRDs using traefik.containo.us" -* fix: 🐛 warn user when he's using previous syntax on redirect * fix: 🐛 remove old CRDs using traefik.containo.us * fix: disable ClusterRole and ClusterRoleBinding when not needed * fix: detect correctly v3 version when using sha in `image.tag` @@ -17,7 +116,7 @@ * feat: :boom: rework and allow update of namespace policy for Gateway * docs: Fix typo in the default values file * chore: remove label whitespace at TLSOption -* chore(release): 🚀 publish v25.0.0 +* chore(release): publish v25.0.0 * chore(deps): update traefik docker tag to v2.10.5 * chore(deps): update docker.io/helmunittest/helm-unittest docker tag to v3.12.3 * chore(ci): 🔧 👷 add e2e test when releasing @@ -128,11 +227,11 @@ index aeec85c..71e377e 100644 + # port: 9000 + # host: localhost + # scheme: HTTP - + # -- Pod disruption budget podDisruptionBudget: @@ -116,9 +116,9 @@ ingressClass: - + # Traefik experimental features experimental: - #This value is no longer used, set the image.tag to a semver higher than 3.0, e.g. "v3.0.0-beta3" @@ -177,7 +276,7 @@ index aeec85c..71e377e 100644 + middlewares: [] + # -- TLS options (e.g. secret containing certificate) + tls: {} - + updateStrategy: # -- Customize updateStrategy: RollingUpdate or OnDelete @@ -204,10 +220,10 @@ providers: 
@@ -186,7 +285,7 @@ index aeec85c..71e377e 100644 namespaces: [] - # - "default" + # - "default" - + kubernetesIngress: - # -- Load Kubernetes IngressRoute provider + # -- Load Kubernetes Ingress provider @@ -203,7 +302,7 @@ index aeec85c..71e377e 100644 publishedService: enabled: false @@ -243,9 +259,9 @@ volumes: [] - + # -- Additional volumeMounts to add to the Traefik container additionalVolumeMounts: [] - # -- For instance when using a logshipper for access logs @@ -212,7 +311,7 @@ index aeec85c..71e377e 100644 +# -- For instance when using a logshipper for access logs +# - name: traefik-logs +# mountPath: /var/log/traefik - + logs: general: @@ -270,26 +286,26 @@ logs: @@ -248,7 +347,7 @@ index aeec85c..71e377e 100644 + # User-Agent: redact + # Authorization: drop + # Content-Type: keep - + metrics: ## -- Prometheus is enabled by default. @@ -308,118 +324,118 @@ metrics: @@ -574,18 +673,18 @@ index aeec85c..71e377e 100644 +# serverURL: http://localhost:8200 +# secretToken: "" +# serviceEnvironment: "" - + # -- Global command arguments to be passed to all traefik's pods globalArguments: - - "--global.checknewversion" - - "--global.sendanonymoususage" +- "--global.checknewversion" +- "--global.sendanonymoususage" - + # # Configure Traefik static configuration @@ -531,14 +547,14 @@ additionalArguments: [] - + # -- Environment variables to be passed to Traefik's binary env: - - name: POD_NAME @@ -673,7 +772,7 @@ index aeec85c..71e377e 100644 size: 128Mi # storageClass: "" @@ -852,12 +871,12 @@ serviceAccountAnnotations: {} - + # -- The resources parameter defines CPU and memory requirements and limits for Traefik's containers. resources: {} - # requests: @@ -688,7 +787,7 @@ index aeec85c..71e377e 100644 +# limits: +# cpu: "300m" +# memory: "150Mi" - + # -- This example pod anti-affinity forces the scheduler to put traefik pods # -- on nodes where no other traefik pods are scheduled. ``` 
@@ -730,7 +829,7 @@ index 947ba56..aeec85c 100644 #This value is no longer used, set the image.tag to a semver higher than 3.0, e.g. "v3.0.0-beta3" #v3: # -- Enable traefik version 3 -- # enabled: false +- # enabled: false + # enabled: false plugins: # -- Enable traefik experimental plugins @@ -738,7 +837,7 @@ index 947ba56..aeec85c 100644 @@ -564,15 +571,6 @@ ports: # only. # hostIP: 192.168.100.10 - + - # Override the liveness/readiness port. This is useful to integrate traefik - # with an external Load Balancer that performs healthchecks. - # Default: ports.traefik.port @@ -755,7 +854,7 @@ index 947ba56..aeec85c 100644 nodeSelector: {} # -- Tolerations allow the scheduler to schedule pods with matching taints. tolerations: [] --# -- You can use topology spread constraints to control +-# -- You can use topology spread constraints to control +# -- You can use topology spread constraints to control # how Pods are spread across your cluster among failure-domains. topologySpreadConstraints: [] @@ -790,7 +889,7 @@ index 345bbd8..947ba56 100644 enabled: true isDefaultClass: true + # name: my-custom-class - + # Traefik experimental features experimental: - v3: @@ -798,7 +897,7 @@ index 345bbd8..947ba56 100644 + #v3: # -- Enable traefik version 3 - enabled: false -+ # enabled: false ++ # enabled: false plugins: # -- Enable traefik experimental plugins enabled: false @@ -815,7 +914,7 @@ index 345bbd8..947ba56 100644 # localAgentPort: 42699 @@ -517,7 +523,15 @@ additionalArguments: [] # - "--log.level=DEBUG" - + # -- Environment variables to be passed to Traefik's binary -env: [] +env: @@ -868,7 +967,7 @@ index 345bbd8..947ba56 100644 # -- The exposed port for this service @@ -880,14 +894,15 @@ topologySpreadConstraints: [] priorityClassName: "" - + # -- Set the container security context -# -- To run the container with ports below 1024 this will need to be adjust to run as root +# -- To run the container with ports below 1024 this will need to be adjusted to run as root 
@@ -877,7 +976,7 @@ index 345bbd8..947ba56 100644 drop: [ALL] readOnlyRootFilesystem: true + allowPrivilegeEscalation: false - + podSecurityContext: - # /!\ When setting fsGroup, Kubernetes will recursively changes ownership and + # /!\ When setting fsGroup, Kubernetes will recursively change ownership and @@ -920,7 +1019,7 @@ index 71273cc..345bbd8 100644 tag: "" + # -- Traefik image pull policy pullPolicy: IfNotPresent - + -# -# Configure integration with Traefik Hub -# @@ -943,7 +1042,7 @@ index 71273cc..345bbd8 100644 - # key: "/path/to/key.pem" +# -- Add additional label to all resources +commonLabels: {} - + # # Configure the deployment # @@ -1031,7 +1130,7 @@ index 71273cc..345bbd8 100644 @@ -107,7 +93,7 @@ deployment: # host: localhost # scheme: HTTP - + -# Pod disruption budget +# -- Pod disruption budget podDisruptionBudget: @@ -1040,13 +1139,13 @@ index 71273cc..345bbd8 100644 @@ -115,93 +101,112 @@ podDisruptionBudget: # minAvailable: 0 # minAvailable: 25% - + -# Create a default IngressClass for Traefik +# -- Create a default IngressClass for Traefik ingressClass: enabled: true isDefaultClass: true - + -# Enable experimental features +# Traefik experimental features experimental: @@ -1073,7 +1172,7 @@ index 71273cc..345bbd8 100644 # Additional gateway annotations (e.g. for cert-manager.io/issuer) # annotations: # cert-manager.io/issuer: letsencrypt - + -# Create an IngressRoute for the dashboard +## Create an IngressRoute for the dashboard ingressRoute: @@ -1100,7 +1199,7 @@ index 71273cc..345bbd8 100644 - # TLS options (e.g. secret containing certificate) + # -- TLS options (e.g. secret containing certificate) tls: {} - + -# Customize updateStrategy of traefik pods updateStrategy: + # -- Customize updateStrategy: RollingUpdate or OnDelete 
@@ -1108,7 +1207,7 @@ index 71273cc..345bbd8 100644 rollingUpdate: maxUnavailable: 0 maxSurge: 1 - + -# Customize liveness and readiness probe values. readinessProbe: + # -- The number of consecutive failures allowed before considering the probe as failed. @@ -1133,7 +1232,7 @@ index 71273cc..345bbd8 100644 successThreshold: 1 + # -- The number of seconds to wait for a probe response before considering it as failed. timeoutSeconds: 2 - + -# -# Configure providers -# @@ -1152,7 +1251,7 @@ index 71273cc..345bbd8 100644 + # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. namespaces: [] # - "default" - + kubernetesIngress: + # -- Load Kubernetes IngressRoute provider enabled: true @@ -1168,7 +1267,7 @@ index 71273cc..345bbd8 100644 # IP used for Kubernetes Ingress endpoints @@ -212,13 +217,13 @@ providers: # pathOverride: "" - + # -# Add volumes to the traefik pod. The volume name will be passed to tpl. +# -- Add volumes to the traefik pod. The volume name will be passed to tpl. @@ -1186,7 +1285,7 @@ index 71273cc..345bbd8 100644 @@ -227,25 +232,22 @@ volumes: [] # mountPath: "/config" # type: configMap - + -# Additional volumeMounts to add to the Traefik container +# -- Additional volumeMounts to add to the Traefik container additionalVolumeMounts: [] @@ -1194,7 +1293,7 @@ index 71273cc..345bbd8 100644 + # -- For instance when using a logshipper for access logs # - name: traefik-logs # mountPath: /var/log/traefik - + -## Logs -## https://docs.traefik.io/observability/logs/ logs: @@ -1244,7 +1343,7 @@ index 71273cc..345bbd8 100644 # User-Agent: redact @@ -278,10 +283,10 @@ logs: # Content-Type: keep - + metrics: - ## Prometheus is enabled by default. - ## It can be disabled by setting "prometheus: null" @@ -1259,7 +1358,7 @@ index 71273cc..345bbd8 100644 
@@ -404,11 +409,9 @@ metrics: # ## This instructs the reporter to send metrics to the OpenTelemetry Collector using gRPC. # grpc: true - + -## -## enable optional CRDs for Prometheus Operator +## -- enable optional CRDs for Prometheus Operator @@ -1272,7 +1371,7 @@ index 71273cc..345bbd8 100644 @@ -455,6 +458,8 @@ metrics: # summary: "Traefik Down" # description: "{{ $labels.pod }} on {{ $labels.nodename }} is down" - + +## Tracing +# -- https://doc.traefik.io/traefik/observability/tracing/overview/ tracing: {} @@ -1281,12 +1380,12 @@ index 71273cc..345bbd8 100644 @@ -497,20 +502,21 @@ tracing: {} # secretToken: "" # serviceEnvironment: "" - + +# -- Global command arguments to be passed to all traefik's pods globalArguments: - "--global.checknewversion" - "--global.sendanonymoususage" - + # # Configure Traefik static configuration -# Additional arguments to be passed at Traefik's binary @@ -1296,7 +1395,7 @@ index 71273cc..345bbd8 100644 additionalArguments: [] # - "--providers.kubernetesingress.ingressclass=traefik-internal" # - "--log.level=DEBUG" - + -# Environment variables to be passed to Traefik's binary +# -- Environment variables to be passed to Traefik's binary env: [] @@ -1305,14 +1404,14 @@ index 71273cc..345bbd8 100644 @@ -525,22 +531,20 @@ env: [] # name: secret-name # key: secret-key - + +# -- Environment variables to be passed to Traefik's binary from configMaps or secrets envFrom: [] # - configMapRef: # name: config-map-name # - secretRef: # name: secret-name - + -# Configure ports ports: - # The name of this one can't be changed as it is used for the readiness and @@ -1439,7 +1538,7 @@ index 71273cc..345bbd8 100644 - # The port protocol (TCP/UDP) + # -- The port protocol (TCP/UDP) protocol: TCP - + -# TLS Options are created as TLSOption CRDs +# -- TLS Options are created as TLSOption CRDs # https://doc.traefik.io/traefik/https/tls/#tls-options @@ -1448,7 +1547,7 @@ index 71273cc..345bbd8 100644 
@@ -684,7 +690,7 @@ ports: # - CurveP384 tlsOptions: {} - + -# TLS Store are created as TLSStore CRDs. This is useful if you want to set a default certificate +# -- TLS Store are created as TLSStore CRDs. This is useful if you want to set a default certificate # https://doc.traefik.io/traefik/https/tls/#default-certificate @@ -1457,7 +1556,7 @@ index 71273cc..345bbd8 100644 @@ -693,24 +699,22 @@ tlsOptions: {} # secretName: tls-cert tlsStore: {} - + -# Options for the main traefik service, where the entrypoints traffic comes -# from. service: @@ -1508,7 +1607,7 @@ index 71273cc..345bbd8 100644 @@ -739,9 +745,8 @@ service: # # externalIPs: [] # # ipFamilies: [ "IPv4","IPv6" ] - + -## Create HorizontalPodAutoscaler object. -## autoscaling: @@ -1519,7 +1618,7 @@ index 71273cc..345bbd8 100644 @@ -766,10 +771,10 @@ autoscaling: # value: 1 # periodSeconds: 60 - + -# Enable persistence using Persistent Volume Claims -# ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ -# It can be used to store TLS certificates, see `storage` in certResolvers @@ -1537,7 +1636,7 @@ index 71273cc..345bbd8 100644 - # subPath: "" # only mount a subpath of the Volume into the pod + # -- Only mount a subpath of the Volume into the pod + # subPath: "" - + +# -- Certificates resolvers configuration certResolvers: {} # letsencrypt: @@ -1545,14 +1644,14 @@ index 71273cc..345bbd8 100644 
@@ -802,13 +809,13 @@ certResolvers: {} # # It has to match the path with a persistent volume # storage: /data/acme.json - + -# If hostNetwork is true, runs traefik in the host network namespace +# -- If hostNetwork is true, runs traefik in the host network namespace # To prevent unschedulabel pods due to port collisions, if hostNetwork=true # and replicas>1, a pod anti-affinity is recommended and will be set if the # affinity is left as default. hostNetwork: false - + -# Whether Role Based Access Control objects like roles and rolebindings should be created +# -- Whether Role Based Access Control objects like roles and rolebindings should be created rbac: @@ -1561,23 +1660,23 @@ index 71273cc..345bbd8 100644 @@ -818,19 +825,20 @@ rbac: # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles # aggregateTo: [ "admin" ] - + -# Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding +# -- Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding podSecurityPolicy: enabled: false - + -# The service account the pods will use to interact with the Kubernetes API +# -- The service account the pods will use to interact with the Kubernetes API serviceAccount: # If set, an existing service account is used # If not set, a service account is created automatically using the fullname template name: "" - + -# Additional serviceAccount annotations (e.g. for oidc authentication) +# -- Additional serviceAccount annotations (e.g. for oidc authentication) serviceAccountAnnotations: {} - + +# -- The resources parameter defines CPU and memory requirements and limits for Traefik's containers. resources: {} # requests: @@ -1585,7 +1684,7 @@ index 71273cc..345bbd8 100644 
@@ -839,8 +847,8 @@ resources: {} # cpu: "300m" # memory: "150Mi" - + -# This example pod anti-affinity forces the scheduler to put traefik pods -# on nodes where no other traefik pods are scheduled. +# -- This example pod anti-affinity forces the scheduler to put traefik pods @@ -1596,12 +1695,12 @@ index 71273cc..345bbd8 100644 @@ -851,11 +859,15 @@ affinity: {} # app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}' # topologyKey: kubernetes.io/hostname - + +# -- nodeSelector is the simplest recommended form of node selection constraint. nodeSelector: {} +# -- Tolerations allow the scheduler to schedule pods with matching taints. tolerations: [] -+# -- You can use topology spread constraints to control ++# -- You can use topology spread constraints to control +# how Pods are spread across your cluster among failure-domains. topologySpreadConstraints: [] -# # This example topologySpreadConstraints forces the scheduler to put traefik pods @@ -1614,13 +1713,13 @@ index 71273cc..345bbd8 100644 @@ -863,29 +875,33 @@ topologySpreadConstraints: [] # topologyKey: kubernetes.io/hostname # whenUnsatisfiable: DoNotSchedule - + -# Pods can have priority. -# Priority indicates the importance of a Pod relative to other Pods. +# -- Pods can have priority. +# -- Priority indicates the importance of a Pod relative to other Pods. priorityClassName: "" - + -# Set the container security context -# To run the container with ports below 1024 this will need to be adjust to run as root +# -- Set the container security context @@ -1629,7 +1728,7 @@ index 71273cc..345bbd8 100644 capabilities: drop: [ALL] readOnlyRootFilesystem: true - + podSecurityContext: -# # /!\ When setting fsGroup, Kubernetes will recursively changes ownership and -# # permissions for the contents of each volume to match the fsGroup. This can 
@@ -1647,7 +1746,7 @@ index 71273cc..345bbd8 100644 runAsNonRoot: true + # -- The ID of the user for all containers in the pod to run as. runAsUser: 65532 - + # -# Extra objects to deploy (value evaluated as a template) +# -- Extra objects to deploy (value evaluated as a template) @@ -1763,7 +1862,7 @@ index 4762b77..9ece303 100644 --- a/traefik/values.yaml +++ b/traefik/values.yaml @@ -654,12 +654,15 @@ ports: - + # TLS Options are created as TLSOption CRDs # https://doc.traefik.io/traefik/https/tls/#tls-options +# When using `labelSelector`, you'll need to set labels on tlsOption accordingly. @@ -1842,7 +1941,7 @@ index cadc7a6..4762b77 100644 runAsGroup: 65532 runAsNonRoot: true runAsUser: 65532 - + -podSecurityContext: - fsGroup: 65532 - @@ -1884,7 +1983,7 @@ index 780b04b..cadc7a6 100644 middlewares: [] + # TLS options (e.g. secret containing certificate) + tls: {} - + # Customize updateStrategy of traefik pods updateStrategy: @@ -750,6 +752,7 @@ persistence: @@ -1997,7 +2096,7 @@ index b77539d..42a27f9 100644 --- a/traefik/values.yaml +++ b/traefik/values.yaml @@ -107,6 +107,8 @@ ingressClass: - + # Enable experimental features experimental: + v3: @@ -2047,7 +2146,7 @@ index b77539d..42a27f9 100644 +# insecureSkipVerify: true +# ## This instructs the reporter to send metrics to the OpenTelemetry Collector using gRPC. +# grpc: true - + ## ## enable optional CRDs for Prometheus Operator @@ -510,6 +548,8 @@ ports: @@ -2095,7 +2194,7 @@ index 4f2fb2a..b77539d 100644 + # Additional gateway annotations (e.g. for cert-manager.io/issuer) + # annotations: + # cert-manager.io/issuer: letsencrypt - + # Create an IngressRoute for the dashboard ingressRoute: @@ -219,7 +222,8 @@ logs: @@ -2128,7 +2227,7 @@ index 15f1682..4f2fb2a 100644 @@ -211,10 +211,10 @@ additionalVolumeMounts: [] # - name: traefik-logs # mountPath: /var/log/traefik - + -# Logs -# https://docs.traefik.io/observability/logs/ +## Logs 
@@ -2184,7 +2283,7 @@ index 15f1682..4f2fb2a 100644 # Authorization: drop # Content-Type: keep @@ -693,10 +694,7 @@ autoscaling: - + # Enable persistence using Persistent Volume Claims # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ -# After the pvc has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg: @@ -2202,7 +2301,7 @@ index 15f1682..4f2fb2a 100644 -# # match the path to persistence +# # It has to match the path with a persistent volume # storage: /data/acme.json - + # If hostNetwork is true, runs traefik in the host network namespace ``` @@ -2252,7 +2351,7 @@ index e49d02d..15f1682 100644 # * add an internal (ClusterIP) Service, dedicated for Traefik Hub @@ -254,16 +254,96 @@ logs: # Content-Type: keep - + metrics: - # datadog: - # address: 127.0.0.1:8125 @@ -2489,7 +2588,7 @@ index 2ec3736..97a1b71 100644 entryPoints: ["traefik"] + # Additional ingressRoute middlewares (e.g. for authentication) + middlewares: [] - + # Customize updateStrategy of traefik pods updateStrategy: ``` @@ -2512,7 +2611,7 @@ index 413aa88..2ec3736 100644 @@ -134,9 +134,12 @@ ingressRoute: # /!\ Do not expose your dashboard without any protection over the internet /!\ entryPoints: ["traefik"] - + -rollingUpdate: - maxUnavailable: 0 - maxSurge: 1 @@ -2522,7 +2621,7 @@ index 413aa88..2ec3736 100644 + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 - + # Customize liveness and readiness probe values. readinessProbe: ``` @@ -2610,7 +2709,7 @@ index 69190f1..b24c1cb 100644 @@ -100,11 +100,10 @@ podDisruptionBudget: # minAvailable: 0 # minAvailable: 25% - + -# Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x +# Create a default IngressClass for Traefik ingressClass: @@ -2619,7 +2718,7 @@ index 69190f1..b24c1cb 100644 - isDefaultClass: false + enabled: true + isDefaultClass: true - + # Enable experimental features experimental: ``` 
@@ -2678,7 +2777,7 @@ index 8033a87..69190f1 100644 + # # loadBalancerSourceRanges: [] + # # externalIPs: [] + # # ipFamilies: [ "IPv4","IPv6" ] - + ## Create HorizontalPodAutoscaler object. ## ``` @@ -2699,7 +2798,7 @@ index acce704..8033a87 100644 @@ -5,6 +5,27 @@ image: tag: "" pullPolicy: IfNotPresent - + +# +# Configure integration with Traefik Hub +# @@ -2749,7 +2848,7 @@ index 807bd09..acce704 100644 --- a/traefik/values.yaml +++ b/traefik/values.yaml @@ -87,8 +87,6 @@ ingressClass: - + # Enable experimental features experimental: - http3: @@ -2841,7 +2940,7 @@ index 6a90bc6..807bd09 100644 -# app.kubernetes.io/instance: '{{ .Release.Name }}' +# app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}' # topologyKey: kubernetes.io/hostname - + nodeSelector: {} ``` @@ -2960,7 +3059,7 @@ index 7e335b5..9b5afc4 100644 + # annotations: + # summary: "Traefik Down" + # description: "{{ $labels.pod }} on {{ $labels.nodename }} is down" - + tracing: {} # instana: ``` @@ -2991,7 +3090,7 @@ index 03fdaed..7e335b5 100644 - token: "" - # Toggle Pilot Dashboard - # dashboard: false - + # Enable experimental features experimental: ``` @@ -3027,7 +3126,7 @@ index 76aac93..03fdaed 100644 + # Enable user-facing roles + # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles + # aggregateTo: [ "admin" ] - + # Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding podSecurityPolicy: ``` @@ -3061,12 +3160,12 @@ index 781ac15..76aac93 100644 +++ b/traefik/values.yaml 
@@ -555,7 +555,7 @@ rbac: enabled: true - + # If set to false, installs ClusterRole and ClusterRoleBinding so Traefik can be used across namespaces. - # If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace + # If set to true, installs Role and RoleBinding. Providers will only watch target namespace. namespaced: false - + # Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding ``` @@ -3091,7 +3190,7 @@ index fc2c371..781ac15 100644 --- a/traefik/values.yaml +++ b/traefik/values.yaml @@ -593,6 +593,15 @@ affinity: {} - + nodeSelector: {} tolerations: [] +topologySpreadConstraints: [] @@ -3103,7 +3202,7 @@ index fc2c371..781ac15 100644 +# maxSkew: 1 +# topologyKey: kubernetes.io/hostname +# whenUnsatisfiable: DoNotSchedule - + # Pods can have priority. # Priority indicates the importance of a Pod relative to other Pods. ``` @@ -3233,7 +3332,7 @@ index 4431c36..a4e4ff2 100644 + nodeSelector: {} tolerations: [] - + ``` ## 12.0.6 ![AppVersion: 2.9.1](https://img.shields.io/static/v1?label=AppVersion&message=2.9.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) @@ -3257,12 +3356,12 @@ index 3526729..4431c36 100644 --- a/traefik/values.yaml +++ b/traefik/values.yaml @@ -342,6 +342,7 @@ ports: - + # Override the liveness/readiness port. This is useful to integrate traefik # with an external Load Balancer that performs healthchecks. + # Default: ports.traefik.port # healthchecksPort: 9000 - + # Override the liveness/readiness scheme. Useful for getting ping to ``` @@ -3329,7 +3428,7 @@ index 2bd51f8..3526729 100644 +# - type: Pods +# value: 1 +# periodSeconds: 60 - + # Enable persistence using Persistent Volume Claims # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ ``` @@ -3363,12 +3462,12 @@ index 844cadc..2bd51f8 100644 +++ b/traefik/values.yaml 
@@ -126,20 +126,20 @@ ingressRoute: entryPoints: ["traefik"] - + rollingUpdate: - maxUnavailable: 1 + maxUnavailable: 0 maxSurge: 1 - + # Customize liveness and readiness probe values. readinessProbe: failureThreshold: 1 @@ -3377,7 +3476,7 @@ index 844cadc..2bd51f8 100644 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 2 - + livenessProbe: failureThreshold: 3 - initialDelaySeconds: 10 @@ -3401,7 +3500,7 @@ index c926bd9..844cadc 100644 --- a/traefik/values.yaml +++ b/traefik/values.yaml @@ -598,3 +598,10 @@ securityContext: - + podSecurityContext: fsGroup: 65532 + @@ -3466,7 +3565,7 @@ index c9feb76..3957448 100644 + # By default, it's using traefik entrypoint, which is not exposed. + # /!\ Do not expose your dashboard without any protection over the internet /!\ + entryPoints: ["traefik"] - + rollingUpdate: maxUnavailable: 1 ``` @@ -3501,7 +3600,7 @@ index fed4a8a..c9feb76 100644 @@ -340,6 +340,10 @@ ports: # with an external Load Balancer that performs healthchecks. # healthchecksPort: 9000 - + + # Override the liveness/readiness scheme. Useful for getting ping to + # respond on websecure entryPoint. + # healthchecksScheme: HTTPS @@ -3525,7 +3624,7 @@ index d1708cc..fed4a8a 100644 --- a/traefik/values.yaml +++ b/traefik/values.yaml @@ -247,12 +247,45 @@ metrics: - + tracing: {} # instana: - # enabled: true @@ -3568,7 +3667,7 @@ index d1708cc..fed4a8a 100644 + # serverURL: http://localhost:8200 + # secretToken: "" + # serviceEnvironment: "" - + globalArguments: - "--global.checknewversion" ``` @@ -3601,7 +3700,7 @@ index 19a133c..d1708cc 100644 + # port: 9000 + # host: localhost + # scheme: HTTP - + # Pod disruption budget podDisruptionBudget: ``` @@ -3667,7 +3766,7 @@ index d4011c3..d9c745e 100644 @@ -373,6 +373,15 @@ ports: # - CurveP384 tlsOptions: {} - + +# TLS Store are created as TLSStore CRDs. This is useful if you want to set a default certificate +# https://doc.traefik.io/traefik/https/tls/#default-certificate +# Example: 
@@ -3818,7 +3917,7 @@ index a16b107..e141e29 100644 @@ -433,6 +433,27 @@ persistence: annotations: {} # subPath: "" # only mount a subpath of the Volume into the pod - + +certResolvers: {} +# letsencrypt: +# # for challenge options cf. https://doc.traefik.io/traefik/https/acme/ @@ -3926,7 +4025,7 @@ index 15f1103..02ab704 100644 @@ -110,6 +110,20 @@ rollingUpdate: maxUnavailable: 1 maxSurge: 1 - + +# Customize liveness and readiness probe values. +readinessProbe: + failureThreshold: 1 @@ -3941,7 +4040,7 @@ index 15f1103..02ab704 100644 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 - + # # Configure providers ``` @@ -3968,7 +4067,7 @@ index 4dccd1a..15f1103 100644 + # debug: false + # globalTag: "" + # prioritySampling: false - + globalArguments: - "--global.checknewversion" ``` @@ -4023,7 +4122,7 @@ index cd4d49b..1f9dbbe 100644 + # addRoutersLabels: true # statsd: # address: localhost:8125 - + ``` ## 10.14.2 ![AppVersion: 2.6.1](https://img.shields.io/static/v1?label=AppVersion&message=2.6.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) @@ -4054,7 +4153,7 @@ index d49122f..cd4d49b 100644 --- a/traefik/values.yaml +++ b/traefik/values.yaml @@ -83,6 +83,8 @@ pilot: - + # Enable experimental features experimental: + http3: @@ -4097,7 +4196,7 @@ index 32fce6f..d49122f 100644 + # ipFamilies: + # - IPv4 + # - IPv6 - + ## Create HorizontalPodAutoscaler object. ## ``` @@ -4159,7 +4258,7 @@ index 8c72905..ab25456 100644 +# topologyKey: kubernetes.io/hostname nodeSelector: {} tolerations: [] - + ``` ## 10.11.0 ![AppVersion: 2.6.0](https://img.shields.io/static/v1?label=AppVersion&message=2.6.0&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) @@ -4178,7 +4277,7 @@ index 7fe4a2c..8c72905 100644 @@ -208,6 +208,10 @@ metrics: # statsd: # address: localhost:8125 - + +tracing: {} + # instana: + # enabled: true 
@@ -4236,7 +4335,7 @@ index 79df205..8ae4bd8 100644 --- a/traefik/values.yaml +++ b/traefik/values.yaml @@ -123,6 +123,7 @@ providers: - + kubernetesIngress: enabled: true + allowExternalNameServices: false @@ -4288,7 +4387,7 @@ index e0655c8..7e9186b 100644 imagePullSecrets: [] - # - name: myRegistryKeySecretName + # - name: myRegistryKeySecretName - + # Pod disruption budget podDisruptionBudget: enabled: false @@ -4296,7 +4395,7 @@ index e0655c8..7e9186b 100644 + # maxUnavailable: 33% # minAvailable: 0 + # minAvailable: 25% - + # Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x ingressClass: ``` @@ -4331,7 +4430,7 @@ index 3ec7105..e0655c8 100644 # - 1.2.3.4 + # One of SingleStack, PreferDualStack, or RequireDualStack. + # ipFamilyPolicy: SingleStack - + ## Create HorizontalPodAutoscaler object. ## ``` @@ -4565,7 +4664,7 @@ index 04d336c..72a01ea 100644 # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1" - fallbackApiVersion: + fallbackApiVersion: "" - + # Activate Pilot integration pilot: ``` @@ -4607,7 +4706,7 @@ index f6e370a..04d336c 100644 @@ -186,6 +186,17 @@ logs: # Authorization: drop # Content-Type: keep - + +metrics: + # datadog: + # address: 127.0.0.1:8125 @@ -4640,7 +4739,7 @@ index f6e370a..04d336c 100644 + exposedPort: 9100 + # The port protocol (TCP/UDP) + protocol: TCP - + # TLS Options are created as TLSOption CRDs # https://doc.traefik.io/traefik/https/tls/#tls-options ``` @@ -4665,7 +4764,7 @@ index 9bf90ea..f6e370a 100644 + # By default, Gateway would be created to the Namespace you are deploying Traefik to. + # You may create that Gateway in another namespace, setting its name below: + # namespace: default - + # Create an IngressRoute for the dashboard ingressRoute: ``` @@ -4721,12 +4820,12 @@ index b30afac..9bf90ea 100644 
@@ -363,7 +363,7 @@ rbac: # If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace namespaced: false - + -# Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBindin or ClusterRoleBinding +# Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding podSecurityPolicy: enabled: false - + ``` ## 9.19.0 ![AppVersion: 2.4.8](https://img.shields.io/static/v1?label=AppVersion&message=2.4.8&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) @@ -4748,7 +4847,7 @@ index 0aa2d6b..b30afac 100644 isDefaultClass: false + # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1" + fallbackApiVersion: - + # Activate Pilot integration pilot: ``` @@ -4793,7 +4892,7 @@ index 017f771..0aa2d6b 100644 token: "" + # Toggle Pilot Dashboard + # dashboard: false - + # Enable experimental features experimental: ``` @@ -4874,7 +4973,7 @@ index 56abb93..868a985 100644 @@ -225,6 +227,10 @@ ports: # only. # hostIP: 192.168.100.10 - + + # Override the liveness/readiness port. This is useful to integrate traefik + # with an external Load Balancer that performs healthchecks. + # healthchecksPort: 9000 @@ -5014,7 +5113,7 @@ index 50cab94..56485ad 100644 + # - group: "core" + # kind: "Secret" + # name: "mysecret" - + # Create an IngressRoute for the dashboard ingressRoute: ``` @@ -5155,7 +5254,7 @@ index 37dd151..e6b85ca 100644 @@ -111,6 +111,12 @@ volumes: [] # mountPath: "/config" # type: configMap - + +# Additional volumeMounts to add to the Traefik container +additionalVolumeMounts: [] + # For instance when using a logshipper for access logs @@ -5194,7 +5293,7 @@ index 87f60c0..37dd151 100644 + # Additional imagePullSecrets + imagePullSecrets: [] + # - name: myRegistryKeySecretName - + # Pod disruption budget podDisruptionBudget: ``` 
@@ -5227,7 +5326,7 @@ index 4ca1f8f..87f60c0 100644 + # defaults to appVersion + tag: "" pullPolicy: IfNotPresent - + # ``` @@ -5273,7 +5372,7 @@ index eee3622..4ca1f8f 100644 +# - CurveP521 +# - CurveP384 +tlsOptions: {} - + # Options for the main traefik service, where the entrypoints traffic comes # from. ``` @@ -5294,12 +5393,12 @@ index b7153a1..eee3622 100644 @@ -54,10 +54,16 @@ ingressClass: enabled: false isDefaultClass: false - + +# Activate Pilot integration pilot: enabled: false token: "" - + +# Enable experimental features +experimental: + plugins: @@ -5366,7 +5465,7 @@ index 5a8d8ea..9bac45e 100644 +++ b/traefik/values.yaml @@ -76,7 +76,7 @@ providers: # pathOverride: "" - + # -# Add volumes to the traefik pod. +# Add volumes to the traefik pod. The volume name will be passed to tpl. @@ -5381,7 +5480,7 @@ index 5a8d8ea..9bac45e 100644 +# - name: '{{ printf "%s-configs" .Release.Name }}' # mountPath: "/config" # type: configMap - + ``` ## 9.5.0 ![AppVersion: 2.3.1](https://img.shields.io/static/v1?label=AppVersion&message=2.3.1&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) @@ -5400,7 +5499,7 @@ index 8c4d866..5a8d8ea 100644 @@ -281,6 +281,10 @@ rbac: # If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace namespaced: false - + +# Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBindin or ClusterRoleBinding +podSecurityPolicy: + enabled: false @@ -5430,7 +5529,7 @@ index 3df75a4..8c4d866 100644 - tag: 2.3.0 + tag: 2.3.1 pullPolicy: IfNotPresent - + # ``` @@ -5492,12 +5591,12 @@ index fba955d..a6175ff 100644 - tag: 2.2.8 + tag: 2.3.0 pullPolicy: IfNotPresent - + # 
@@ -36,6 +36,16 @@ podDisruptionBudget: # maxUnavailable: 1 # minAvailable: 0 - + +# Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x +ingressClass: + # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12 @@ -5591,7 +5690,7 @@ index e161a14..7b74a39 100644 + # Published Kubernetes Service to copy status from. Format: namespace/servicename + # By default this Traefik service + # pathOverride: "" - + # # Add volumes to the traefik pod. ``` @@ -5657,7 +5756,7 @@ index 6f79580..67276f7 100644 @@ -73,6 +73,48 @@ volumes: [] # mountPath: "/config" # type: configMap - + +# Logs +# https://docs.traefik.io/observability/logs/ +logs: @@ -5734,7 +5833,7 @@ index 10b3949..6f79580 100644 name: traefik tag: 2.2.8 + pullPolicy: IfNotPresent - + # # Configure the deployment ``` @@ -5758,7 +5857,7 @@ index 80ddaaa..10b3949 100644 # mountPath: /data + # Custom pod DNS policy. Apply if `hostNetwork: true` + # dnsPolicy: ClusterFirstWithHostNet - + # Pod disruption budget podDisruptionBudget: ``` @@ -5786,7 +5885,7 @@ index 936ab92..80ddaaa 100644 + # to set this value if you need traefik to listen on specific interface + # only. + # hostIP: 192.168.100.10 - + # Defines whether the port is exposed if service.type is LoadBalancer or # NodePort. ``` @@ -5810,7 +5909,7 @@ index 42ee893..936ab92 100644 name: traefik - tag: 2.2.5 + tag: 2.2.8 - + # # Configure the deployment ``` @@ -5834,7 +5933,7 @@ index a7fb668..42ee893 100644 name: traefik - tag: 2.2.1 + tag: 2.2.5 - + # # Configure the deployment ``` @@ -5866,7 +5965,7 @@ index 62e3a77..a7fb668 100644 + # volumeMounts: + # - name: data + # mountPath: /data - + # Pod disruption budget podDisruptionBudget: ``` @@ -5890,7 +5989,7 @@ index 85df29c..62e3a77 100644 # Additional containers (e.g. for metric offloading sidecars) - additionalContainers: {} + additionalContainers: [] - + # Pod disruption budget podDisruptionBudget: ``` 
@@ -5914,7 +6013,7 @@ index 6a9dfd8..85df29c 100644 podAnnotations: {} + # Additional containers (e.g. for metric offloading sidecars) + additionalContainers: {} - + # Pod disruption budget podDisruptionBudget: ``` @@ -5942,7 +6041,7 @@ index 05f9eab..6a9dfd8 100644 @@ -196,7 +196,7 @@ rbac: # If set to true, installs namespace-specific Role and RoleBinding and requires provider configuration be set to that same namespace namespaced: false - + -# The service account the pods will use to interact with the Kubernates API +# The service account the pods will use to interact with the Kubernetes API serviceAccount: @@ -5966,7 +6065,7 @@ index 102ae00..05f9eab 100644 @@ -34,6 +34,16 @@ rollingUpdate: maxUnavailable: 1 maxSurge: 1 - + + +# +# Configure providers @@ -6048,7 +6147,7 @@ index 9a9b668..b2f4fc3 100644 + # The port protocol (TCP/UDP) + protocol: TCP # nodePort: 32443 - + # Options for the main traefik service, where the entrypoints traffic comes ``` @@ -6072,7 +6171,7 @@ index e812b98..9a9b668 100644 - maxUnavailable: 1 + # maxUnavailable: 1 # minAvailable: 0 - + # Create an IngressRoute for the dashboard ``` @@ -6092,7 +6191,7 @@ index 5f44e5c..e812b98 100644 @@ -15,6 +15,12 @@ deployment: # Additional pod annotations (e.g. for mesh injection or prometheus scraping) podAnnotations: {} - + +# Pod disruption budget +podDisruptionBudget: + enabled: false @@ -6120,7 +6219,7 @@ index 96bba18..5f44e5c 100644 @@ -165,6 +165,20 @@ persistence: # affinity is left as default. hostNetwork: false - + +# Whether Role Based Access Control objects like roles and rolebindings should be created +rbac: + enabled: true 
@@ -6137,7 +6236,7 @@ index 96bba18..5f44e5c 100644 + # Additional serviceAccount annotations (e.g. for oidc authentication) serviceAccountAnnotations: {} - + ``` ## 8.2.1 ![AppVersion: 2.2.1](https://img.shields.io/static/v1?label=AppVersion&message=2.2.1&color=success&logo=) ![Helm: v2](https://img.shields.io/static/v1?label=Helm&message=v2&color=inactive&logo=helm) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) @@ -6163,7 +6262,7 @@ index e35bdf9..96bba18 100644 -# - "--providers.kubernetesingress" +# - "--providers.kubernetesingress.ingressclass=traefik-internal" # - "--log.level=DEBUG" - + # Environment variables to be passed to Traefik's binary ``` @@ -6197,7 +6296,7 @@ index abe2334..e35bdf9 100644 # - "--providers.kubernetesingress" -# - "--logs.level=DEBUG" +# - "--log.level=DEBUG" - + # Environment variables to be passed to Traefik's binary env: [] ``` @@ -6221,7 +6320,7 @@ index 57cc7e1..abe2334 100644 name: traefik - tag: 2.2.0 + tag: 2.2.1 - + # # Configure the deployment ``` @@ -6248,7 +6347,7 @@ index d639f72..57cc7e1 100644 additionalArguments: [] # - "--providers.kubernetesingress" +# - "--logs.level=DEBUG" - + # Environment variables to be passed to Traefik's binary env: [] ``` @@ -6336,7 +6435,7 @@ index 7f8092e..d55a40a 100644 @@ -71,6 +71,12 @@ env: [] # name: secret-name # key: secret-key - + +envFrom: [] +# - configMapRef: +# name: config-map-name @@ -6366,7 +6465,7 @@ index 152339b..7f8092e 100644 path: /data annotations: {} + # subPath: "" # only mount a subpath of the Volume into the pod - + # If hostNetwork is true, runs traefik in the host network namespace # To prevent unschedulabel pods due to port collisions, if hostNetwork=true ``` @@ -6390,7 +6489,7 @@ index 5d294b7..152339b 100644 annotations: {} + # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) + labels: {} - + rollingUpdate: maxUnavailable: 1 ``` 
@@ -6431,7 +6530,7 @@ index e61a9fd..5d294b7 100644 - # Addtional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) + # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) annotations: {} - + rollingUpdate: ``` @@ -6454,7 +6553,7 @@ index 15d1c25..e61a9fd 100644 enabled: true + # Addtional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) + annotations: {} - + rollingUpdate: maxUnavailable: 1 ``` @@ -6485,7 +6584,7 @@ index 6d6d13f..15d1c25 100644 # - 172.16.0.0/16 + externalIPs: [] + # - 1.2.3.4 - + ## Create HorizontalPodAutoscaler object. ## ``` @@ -6506,7 +6605,7 @@ index 1ac720d..6d6d13f 100644 @@ -52,18 +52,20 @@ globalArguments: additionalArguments: [] # - "--providers.kubernetesingress" - + -# Secret to be set as environment variables to be passed to Traefik's binary -secretEnv: [] - # - name: SOME_VAR @@ -6531,7 +6630,7 @@ index 1ac720d..6d6d13f 100644 +# secretKeyRef: +# name: secret-name +# key: secret-key - + # Configure ports ports: ``` @@ -6552,7 +6651,7 @@ index 85abe42..1ac720d 100644 @@ -151,6 +151,9 @@ persistence: # affinity is left as default. hostNetwork: false - + +# Additional serviceAccount annotations (e.g. for oidc authentication) +serviceAccountAnnotations: {} + @@ -6577,7 +6676,7 @@ index 2f5d132..85abe42 100644 @@ -115,6 +115,22 @@ service: # - 192.168.0.1/32 # - 172.16.0.0/16 - + +## Create HorizontalPodAutoscaler object. +## +autoscaling: @@ -6618,7 +6717,7 @@ index ebd2fde..2f5d132 100644 name: traefik - tag: 2.1.8 + tag: 2.2.0 - + # # Configure the deployment ``` @@ -6642,7 +6741,7 @@ index 65c7665..ebd2fde 100644 name: traefik - tag: 2.1.4 + tag: 2.1.8 - + # # Configure the deployment ``` @@ -6666,7 +6765,7 @@ index 89c7ac1..65c7665 100644 name: traefik - tag: 2.1.3 + tag: 2.1.4 - + # # Configure the deployment ``` 
@@ -6692,7 +6791,7 @@ index 8d66111..89c7ac1 100644 + annotations: {} # Additional pod annotations (e.g. for mesh injection or prometheus scraping) podAnnotations: {} - + ``` ## 6.0.2 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) @@ -6717,14 +6816,14 @@ index 490b2b6..8d66111 100644 +++ b/traefik/values.yaml @@ -51,13 +51,13 @@ additionalArguments: [] # - "--providers.kubernetesingress" - + # Secret to be set as environment variables to be passed to Traefik's binary -secretEnv: {} +secretEnv: [] # - name: SOME_VAR # secretName: my-secret-name # secretKey: my-secret-key - + # Environment variables to be passed to Traefik's binary -env: {} +env: [] @@ -6739,7 +6838,7 @@ index 490b2b6..8d66111 100644 + loadBalancerSourceRanges: [] # - 192.168.0.1/32 # - 172.16.0.0/16 - + ``` ## 6.0.0 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) @@ -6758,7 +6857,7 @@ index 7aebefe..490b2b6 100644 @@ -18,15 +18,10 @@ ingressRoute: dashboard: enabled: true - + -additional: - checkNewVersion: true - sendAnonymousUsage: true @@ -6766,7 +6865,7 @@ index 7aebefe..490b2b6 100644 rollingUpdate: maxUnavailable: 1 maxSurge: 1 - + - # # Add volumes to the traefik pod. @@ -6774,7 +6873,7 @@ index 7aebefe..490b2b6 100644 @@ -43,9 +38,14 @@ volumes: [] # mountPath: "/config" # type: configMap - + +globalArguments: + - "--global.checknewversion" + - "--global.sendanonymoususage" @@ -6790,7 +6889,7 @@ index 7aebefe..490b2b6 100644 @@ -63,7 +63,7 @@ env: {} # - name: SOME_OTHER_VAR # value: some-other-var-value - + -# +# Configure ports ports: 
@@ -6802,13 +6901,13 @@ index 7aebefe..490b2b6 100644 exposedPort: 443 - # nodePort: 32443 + # nodePort: 32443 - + # Options for the main traefik service, where the entrypoints traffic comes # from. @@ -113,9 +113,6 @@ service: # - 192.168.0.1/32 # - 172.16.0.0/16 - + -logs: - loglevel: WARN - @@ -6839,7 +6938,7 @@ index 38bb263..7aebefe 100644 replicas: 1 # Additional pod annotations (e.g. for mesh injection or prometheus scraping) podAnnotations: {} - + +# Create an IngressRoute for the dashboard +ingressRoute: + dashboard: @@ -6874,7 +6973,7 @@ index ecb2833..38bb263 100644 @@ -123,6 +123,12 @@ persistence: path: /data annotations: {} - + +# If hostNetwork is true, runs traefik in the host network namespace +# To prevent unschedulabel pods due to port collisions, if hostNetwork=true +# and replicas>1, a pod anti-affinity is recommended and will be set if the @@ -6966,7 +7065,7 @@ index 7f31548..ec1d619 100644 +## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress,--global.checknewversion=true}"` additionalArguments: [] # - "--providers.kubernetesingress" - + ``` ## 5.3.2 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) @@ -7013,7 +7112,7 @@ index ccea845..7f31548 100644 @@ -44,12 +44,18 @@ volumes: [] additionalArguments: [] # - "--providers.kubernetesingress" - + +# Secret to be set as environment variables to be passed to Traefik's binary +secretEnv: {} + # - name: SOME_VAR @@ -7030,7 +7129,7 @@ index ccea845..7f31548 100644 + # value: some-var-value + # - name: SOME_OTHER_VAR + # value: some-other-var-value - + # ports: ``` @@ -7055,7 +7154,7 @@ index 78bbee0..ccea845 100644 + loadBalancerSourceRanges: {} + # - 192.168.0.1/32 + # - 172.16.0.0/16 - + logs: loglevel: WARN ``` @@ -7076,7 +7175,7 @@ index a442fca..78bbee0 100644 
@@ -92,15 +92,6 @@ service: # loadBalancerIP: "1.2.3.4" # clusterIP: "2.3.4.5" - + -dashboard: - # Enable the dashboard on Traefik - enable: true @@ -7088,7 +7187,7 @@ index a442fca..78bbee0 100644 - logs: loglevel: WARN - + ``` ## 4.1.3 ![AppVersion: 2.1.3](https://img.shields.io/static/v1?label=AppVersion&message=2.1.3&color=success&logo=) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) @@ -7109,7 +7208,7 @@ index 8b2f4db..a442fca 100644 # storageClass: "" path: /data + annotations: {} - + resources: {} # requests: ``` @@ -7128,7 +7227,7 @@ index 2a2554f..8b2f4db 100644 --- a/traefik/values.yaml +++ b/traefik/values.yaml @@ -103,7 +103,20 @@ dashboard: - + logs: loglevel: WARN -# @@ -7167,7 +7266,7 @@ index 5401832..2a2554f 100644 @@ -20,6 +20,23 @@ rollingUpdate: maxUnavailable: 1 maxSurge: 1 - + + +# +# Add volumes to the traefik pod. @@ -7209,7 +7308,7 @@ index 5eab74b..5401832 100644 replicas: 1 + # Additional pod annotations (e.g. for mesh injection or prometheus scraping) + podAnnotations: {} - + additional: checkNewVersion: true ``` @@ -7249,13 +7348,13 @@ index bcc42f8..5eab74b 100644 name: traefik - tag: 2.1.1 + tag: 2.1.3 - + # # Configure the deployment @@ -10,6 +10,10 @@ deployment: # Number of pods of the deployment replicas: 1 - + +additional: + checkNewVersion: true + sendAnonymousUsage: true @@ -7303,7 +7402,7 @@ index 4462359..bcc42f8 100644 @@ -21,6 +21,13 @@ rollingUpdate: additionalArguments: [] # - "--providers.kubernetesingress" - + +# Environment variables to be passed to Traefik's binary +env: {} +# - name: SOME_VAR @@ -7348,7 +7447,7 @@ index b1fe42a..4462359 100644 expose: true exposedPort: 443 + # nodePort: 32443 - + # Options for the main traefik service, where the entrypoints traffic comes # from. ``` diff --git a/charts/traefik/traefik/Chart.yaml b/charts/traefik/traefik/Chart.yaml index 2a59a261f..c770b3b53 100644 --- a/charts/traefik/traefik/Chart.yaml 
+++ b/charts/traefik/traefik/Chart.yaml 
@@ -1,22 +1,18 @@ annotations: - artifacthub.io/changes: "- \"feat: ✨ add healthcheck ingressRoute\"\n- \"feat: :boom: - support http redirections and http challenges with cert-manager\"\n- \"feat: :boom: - rework and allow update of namespace policy for Gateway\"\n- \"fix: disable ClusterRole - and ClusterRoleBinding when not needed\"\n- \"fix: detect correctly v3 version - when using sha in `image.tag`\"\n- \"fix: allow updateStrategy.rollingUpdate.maxUnavailable - to be passed in as an int or string\"\n- \"fix: add missing separator in crds\"\n- - \"fix: add Prometheus scraping annotations only if serviceMonitor not created\"\n- - \"docs: Fix typo in the default values file\"\n- \"chore: remove label whitespace - at TLSOption\"\n- \"chore(release): \U0001F680 publish v25.0.0\"\n- \"chore(deps): - update traefik docker tag to v2.10.5\"\n- \"chore(deps): update docker.io/helmunittest/helm-unittest - docker tag to v3.12.3\"\n- \"chore(ci): \U0001F527 \U0001F477 add e2e test when - releasing\"\n" + artifacthub.io/changes: "- \"fix: \U0001F41B improve confusing suggested value on + openTelemetry.grpc\"\n- \"fix: \U0001F41B declare http3 udp port, with or without + hostport\"\n- \"feat: \U0001F4A5 deployment.podannotations support interpolation + with tpl\"\n- \"feat: allow update of namespace policy for websecure listener\"\n- + \"feat: allow defining startupProbe\"\n- \"feat: add file provider\"\n- \"feat: + :boom: unify plugin import between traefik and this chart\"\n- \"chore(release): + \U0001F680 publish v26\"\n- \"chore(deps): update traefik docker tag to v2.10.6\"\n- + \"Release namespace for Prometheus Operator resources\"\n" catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Traefik Proxy catalog.cattle.io/kube-version: '>=1.16.0-0' catalog.cattle.io/release-name: traefik apiVersion: v2 -appVersion: v2.10.5 +appVersion: v2.10.6 description: A Traefik based Kubernetes ingress controller home: https://traefik.io/ icon: 
https://raw.githubusercontent.com/traefik/traefik/v2.3/docs/content/assets/img/traefik.logo.png @@ -41,4 +37,4 @@ sources: - https://github.com/traefik/traefik - https://github.com/traefik/traefik-helm-chart type: application -version: 25.0.0 +version: 26.0.0 diff --git a/charts/traefik/traefik/VALUES.md b/charts/traefik/traefik/VALUES.md index bf6e85eab..fb626ea9f 100644 --- a/charts/traefik/traefik/VALUES.md +++ b/charts/traefik/traefik/VALUES.md @@ -1,6 +1,6 @@ # traefik -![Version: 25.0.0](https://img.shields.io/badge/Version-25.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.10.5](https://img.shields.io/badge/AppVersion-v2.10.5-informational?style=flat-square) +![Version: 26.0.0](https://img.shields.io/badge/Version-26.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.10.6](https://img.shields.io/badge/AppVersion-v2.10.6-informational?style=flat-square) A Traefik based Kubernetes ingress controller 
@@ -46,7 +46,7 @@ Kubernetes: `>=1.16.0-0`
 | deployment.labels | object | `{}` | Additional deployment labels (e.g. for filtering deployment by custom labels) |
 | deployment.lifecycle | object | `{}` | Pod lifecycle actions |
 | deployment.minReadySeconds | int | `0` | The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available |
-| deployment.podAnnotations | object | `{}` | Additional pod annotations (e.g. for mesh injection or prometheus scraping) |
+| deployment.podAnnotations | object | `{}` | Additional pod annotations (e.g. for mesh injection or prometheus scraping) It supports templating. One can set it with values like traefik/name: '{{ template "traefik.name" . }}' |
 | deployment.podLabels | object | `{}` | Additional Pod labels (e.g. for filtering Pod by custom labels) |
 | deployment.replicas | int | `1` | Number of pods of the deployment (only applies when kind == Deployment) |
 | deployment.shareProcessNamespace | bool | `false` | Use process namespace sharing |
@@ -54,8 +54,7 @@ Kubernetes: `>=1.16.0-0` | env | list | `[{"name":"POD_NAME","valueFrom":{"fieldRef":{"fieldPath":"metadata.name"}}},{"name":"POD_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}}]` | Environment variables to be passed to Traefik's binary | | envFrom | list | `[]` | Environment variables to be passed to Traefik's binary from configMaps or secrets | | experimental.kubernetesGateway.enabled | bool | `false` | Enable traefik experimental GatewayClass CRD | -| experimental.plugins | object | `{"enabled":false}` | Enable traefik version 3 enabled: false | -| experimental.plugins.enabled | bool | `false` | Enable traefik experimental plugins | +| experimental.plugins | object | `{}` | Enable traefik experimental plugins | | extraObjects | list | `[]` | Extra objects to deploy (value evaluated as a template) In some cases, it can avoid the need for additional, extended or adhoc deployments. See #595 for more details and traefik/tests/values/extra.yaml for example. | | globalArguments | list | `["--global.checknewversion","--global.sendanonymoususage"]` | Global command arguments to be passed to all traefik's pods | | hostNetwork | bool | `false` | If hostNetwork is true, runs traefik in the host network namespace To prevent unschedulabel pods due to port collisions, if hostNetwork=true and replicas>1, a pod anti-affinity is recommended and will be set if the affinity is left as default. | 
@@ -127,6 +126,9 @@ Kubernetes: `>=1.16.0-0` | ports.websecure.tls.enabled | bool | `true` | | | ports.websecure.tls.options | string | `""` | | | priorityClassName | string | `""` | Priority indicates the importance of a Pod relative to other Pods. | +| providers.file.content | string | `""` | File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/) | +| providers.file.enabled | bool | `false` | Create a file provider | +| providers.file.watch | bool | `true` | Allows Traefik to automatically watch for file changes | | providers.kubernetesCRD.allowCrossNamespace | bool | `false` | Allows IngressRoute to reference resources in namespace other than theirs | | providers.kubernetesCRD.allowEmptyServices | bool | `false` | Allows to return 503 when there is no endpoints available | | providers.kubernetesCRD.allowExternalNameServices | bool | `false` | Allows to reference ExternalName services in IngressRoute | 
@@ -157,6 +159,7 @@ Kubernetes: `>=1.16.0-0` | service.type | string | `"LoadBalancer"` | | | serviceAccount | object | `{"name":""}` | The service account the pods will use to interact with the Kubernetes API | | serviceAccountAnnotations | object | `{}` | Additional serviceAccount annotations (e.g. for oidc authentication) | +| startupProbe | string | `nil` | Define Startup Probe for container: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes eg. `startupProbe: exec: command: - mycommand - foo initialDelaySeconds: 5 periodSeconds: 5` | | tlsOptions | object | `{}` | TLS Options are created as TLSOption CRDs https://doc.traefik.io/traefik/https/tls/#tls-options When using `labelSelector`, you'll need to set labels on tlsOption accordingly. Example: tlsOptions: default: labels: {} sniStrict: true preferServerCipherSuites: true customOptions: labels: {} curvePreferences: - CurveP521 - CurveP384 | | tlsStore | object | `{}` | TLS Store are created as TLSStore CRDs. This is useful if you want to set a default certificate https://doc.traefik.io/traefik/https/tls/#default-certificate Example: tlsStore: default: defaultCertificate: secretName: tls-cert | | tolerations | list | `[]` | Tolerations allow the scheduler to schedule pods with matching taints. | diff --git a/charts/traefik/traefik/crds/traefik.containo.us_ingressroutes.yaml b/charts/traefik/traefik/crds/traefik.containo.us_ingressroutes.yaml index bd137f410..1d4ef4537 100644 --- a/charts/traefik/traefik/crds/traefik.containo.us_ingressroutes.yaml +++ b/charts/traefik/traefik/crds/traefik.containo.us_ingressroutes.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: ingressroutes.traefik.containo.us spec: group: traefik.containo.us 
@@ -267,9 +265,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/traefik/traefik/crds/traefik.containo.us_ingressroutetcps.yaml b/charts/traefik/traefik/crds/traefik.containo.us_ingressroutetcps.yaml index 589fe31c1..7fed7a23d 100644 --- a/charts/traefik/traefik/crds/traefik.containo.us_ingressroutetcps.yaml +++ b/charts/traefik/traefik/crds/traefik.containo.us_ingressroutetcps.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: ingressroutetcps.traefik.containo.us spec: group: traefik.containo.us @@ -210,9 +208,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/traefik/traefik/crds/traefik.containo.us_ingressrouteudps.yaml b/charts/traefik/traefik/crds/traefik.containo.us_ingressrouteudps.yaml index c35ee4dc2..718f73312 100644 --- a/charts/traefik/traefik/crds/traefik.containo.us_ingressrouteudps.yaml +++ b/charts/traefik/traefik/crds/traefik.containo.us_ingressrouteudps.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: ingressrouteudps.traefik.containo.us spec: group: traefik.containo.us @@ -97,9 +95,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/traefik/traefik/crds/traefik.containo.us_middlewares.yaml b/charts/traefik/traefik/crds/traefik.containo.us_middlewares.yaml index 5e14f93fa..f96dafdc9 100644 
--- a/charts/traefik/traefik/crds/traefik.containo.us_middlewares.yaml +++ b/charts/traefik/traefik/crds/traefik.containo.us_middlewares.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: middlewares.traefik.containo.us spec: group: traefik.containo.us @@ -916,9 +914,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/traefik/traefik/crds/traefik.containo.us_middlewaretcps.yaml b/charts/traefik/traefik/crds/traefik.containo.us_middlewaretcps.yaml index 85302fa82..45ac8aee2 100644 --- a/charts/traefik/traefik/crds/traefik.containo.us_middlewaretcps.yaml +++ b/charts/traefik/traefik/crds/traefik.containo.us_middlewaretcps.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: middlewaretcps.traefik.containo.us spec: group: traefik.containo.us @@ -64,9 +62,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/traefik/traefik/crds/traefik.containo.us_serverstransports.yaml b/charts/traefik/traefik/crds/traefik.containo.us_serverstransports.yaml index d6fc3a92d..6d555f91b 100644 --- a/charts/traefik/traefik/crds/traefik.containo.us_serverstransports.yaml +++ b/charts/traefik/traefik/crds/traefik.containo.us_serverstransports.yaml 
@@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: serverstransports.traefik.containo.us spec: group: traefik.containo.us @@ -120,9 +118,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/traefik/traefik/crds/traefik.containo.us_tlsoptions.yaml b/charts/traefik/traefik/crds/traefik.containo.us_tlsoptions.yaml index 73667667a..a8308332f 100644 --- a/charts/traefik/traefik/crds/traefik.containo.us_tlsoptions.yaml +++ b/charts/traefik/traefik/crds/traefik.containo.us_tlsoptions.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: tlsoptions.traefik.containo.us spec: group: traefik.containo.us @@ -105,9 +103,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/traefik/traefik/crds/traefik.containo.us_tlsstores.yaml b/charts/traefik/traefik/crds/traefik.containo.us_tlsstores.yaml index 12f0ad37d..b5f669621 100644 --- a/charts/traefik/traefik/crds/traefik.containo.us_tlsstores.yaml +++ b/charts/traefik/traefik/crds/traefik.containo.us_tlsstores.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: tlsstores.traefik.containo.us spec: group: traefik.containo.us 
@@ -91,9 +89,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/traefik/traefik/crds/traefik.containo.us_traefikservices.yaml b/charts/traefik/traefik/crds/traefik.containo.us_traefikservices.yaml index 0dcf47003..431b8d92e 100644 --- a/charts/traefik/traefik/crds/traefik.containo.us_traefikservices.yaml +++ b/charts/traefik/traefik/crds/traefik.containo.us_traefikservices.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: traefikservices.traefik.containo.us spec: group: traefik.containo.us @@ -394,9 +392,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/traefik/traefik/crds/traefik.io_ingressroutes.yaml b/charts/traefik/traefik/crds/traefik.io_ingressroutes.yaml index 89aaee759..3b78294f3 100644 --- a/charts/traefik/traefik/crds/traefik.io_ingressroutes.yaml +++ b/charts/traefik/traefik/crds/traefik.io_ingressroutes.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: ingressroutes.traefik.io spec: group: traefik.io @@ -267,9 +265,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/traefik/traefik/crds/traefik.io_ingressroutetcps.yaml b/charts/traefik/traefik/crds/traefik.io_ingressroutetcps.yaml index 82f61ac24..6a17c70c5 100644 --- a/charts/traefik/traefik/crds/traefik.io_ingressroutetcps.yaml +++ b/charts/traefik/traefik/crds/traefik.io_ingressroutetcps.yaml 
@@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: ingressroutetcps.traefik.io spec: group: traefik.io @@ -210,9 +208,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/traefik/traefik/crds/traefik.io_ingressrouteudps.yaml b/charts/traefik/traefik/crds/traefik.io_ingressrouteudps.yaml index 27c50185d..cd30cd43c 100644 --- a/charts/traefik/traefik/crds/traefik.io_ingressrouteudps.yaml +++ b/charts/traefik/traefik/crds/traefik.io_ingressrouteudps.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: ingressrouteudps.traefik.io spec: group: traefik.io @@ -97,9 +95,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/traefik/traefik/crds/traefik.io_middlewares.yaml b/charts/traefik/traefik/crds/traefik.io_middlewares.yaml index 5a4dc3640..0ba7bb31b 100644 --- a/charts/traefik/traefik/crds/traefik.io_middlewares.yaml +++ b/charts/traefik/traefik/crds/traefik.io_middlewares.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: middlewares.traefik.io spec: group: traefik.io @@ -916,9 +914,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] 
diff --git a/charts/traefik/traefik/crds/traefik.io_middlewaretcps.yaml b/charts/traefik/traefik/crds/traefik.io_middlewaretcps.yaml index 8623568f5..cd2988194 100644 --- a/charts/traefik/traefik/crds/traefik.io_middlewaretcps.yaml +++ b/charts/traefik/traefik/crds/traefik.io_middlewaretcps.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: middlewaretcps.traefik.io spec: group: traefik.io @@ -64,9 +62,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/traefik/traefik/crds/traefik.io_serverstransports.yaml b/charts/traefik/traefik/crds/traefik.io_serverstransports.yaml index 803b56395..01bf9758c 100644 --- a/charts/traefik/traefik/crds/traefik.io_serverstransports.yaml +++ b/charts/traefik/traefik/crds/traefik.io_serverstransports.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: serverstransports.traefik.io spec: group: traefik.io @@ -120,9 +118,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/traefik/traefik/crds/traefik.io_tlsoptions.yaml b/charts/traefik/traefik/crds/traefik.io_tlsoptions.yaml index b86fefe0e..754eb0339 100644 --- a/charts/traefik/traefik/crds/traefik.io_tlsoptions.yaml +++ b/charts/traefik/traefik/crds/traefik.io_tlsoptions.yaml 
@@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: tlsoptions.traefik.io spec: group: traefik.io @@ -105,9 +103,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/traefik/traefik/crds/traefik.io_tlsstores.yaml b/charts/traefik/traefik/crds/traefik.io_tlsstores.yaml index 47b46854c..f9b03d99b 100644 --- a/charts/traefik/traefik/crds/traefik.io_tlsstores.yaml +++ b/charts/traefik/traefik/crds/traefik.io_tlsstores.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: tlsstores.traefik.io spec: group: traefik.io @@ -91,9 +89,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/charts/traefik/traefik/crds/traefik.io_traefikservices.yaml b/charts/traefik/traefik/crds/traefik.io_traefikservices.yaml index 0f3475bda..187d1d1c6 100644 --- a/charts/traefik/traefik/crds/traefik.io_traefikservices.yaml +++ b/charts/traefik/traefik/crds/traefik.io_traefikservices.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.2 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: traefikservices.traefik.io spec: group: traefik.io @@ -394,9 +392,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] 
diff --git a/charts/traefik/traefik/templates/_podtemplate.tpl b/charts/traefik/traefik/templates/_podtemplate.tpl index 07119cca5..036d2be26 100644 --- a/charts/traefik/traefik/templates/_podtemplate.tpl +++ b/charts/traefik/traefik/templates/_podtemplate.tpl @@ -1,8 +1,8 @@ {{- define "traefik.podTemplate" }} metadata: annotations: - {{- with .Values.deployment.podAnnotations }} - {{- toYaml . | nindent 8 }} + {{- if .Values.deployment.podAnnotations }} + {{- tpl (toYaml .Values.deployment.podAnnotations) . | nindent 8 }} {{- end }} {{- if .Values.metrics }} {{- if and (.Values.metrics.prometheus) (not .Values.metrics.prometheus.serviceMonitor) }} @@ -74,6 +74,10 @@ port: {{ $healthchecksPort }} scheme: {{ $healthchecksScheme }} {{- toYaml .Values.livenessProbe | nindent 10 }} + {{- with .Values.startupProbe}} + startupProbe: + {{- toYaml . | nindent 10 }} + {{- end }} lifecycle: {{- with .Values.deployment.lifecycle }} {{- toYaml . | nindent 10 }} @@ -96,14 +100,13 @@ hostIP: {{ $config.hostIP }} {{- end }} protocol: {{ default "TCP" $config.protocol | quote }} - {{- if $config.http3 }} - {{- if and $config.http3.enabled $config.hostPort }} - {{- $http3Port := default $config.hostPort $config.http3.advertisedPort }} + {{- if ($config.http3).enabled }} - name: "{{ $name }}-http3" containerPort: {{ $config.port }} - hostPort: {{ $http3Port }} - protocol: UDP + {{- if $config.hostPort }} + hostPort: {{ default $config.hostPort $config.http3.advertisedPort }} {{- end }} + protocol: UDP {{- end }} {{- end }} {{- end }} 
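Review bot: Passing `deployment.podAnnotations` through `tpl` in the first `_podtemplate.tpl` hunk means any annotation value that already contains a literal `{{ ... }}` is now evaluated by Helm instead of being passed through unchanged. Annotations that carry their own Go-template text (agent or sidecar injector templates are a common case) may fail to render or render differently after the upgrade. This deserves a breaking-change remark next to the new "It supports templating" sentence in values.yaml, for example `# Literal '{{' inside a value must be escaped as '{{ "{{" }}'`. Because the value is rendered with the full chart context (`.`), values files that set this key should be reviewed like template code. The `traefik.podTemplate` define continues outside the hunk.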
@@ -125,10 +128,14 @@ mountPath: {{ .mountPath }} readOnly: true {{- end }} - {{- if .Values.experimental.plugins.enabled }} + {{- if gt (len .Values.experimental.plugins) 0 }} - name: plugins mountPath: "/plugins-storage" {{- end }} + {{- if .Values.providers.file.enabled }} + - name: traefik-extra-config + mountPath: "/etc/traefik/dynamic" + {{- end }} {{- if .Values.additionalVolumeMounts }} {{- toYaml .Values.additionalVolumeMounts | nindent 10 }} {{- end }} @@ -510,6 +517,13 @@ {{- end }} {{- end }} {{- end }} + {{- range $pluginName, $plugin := .Values.experimental.plugins }} + {{- if or (ne (typeOf $plugin) "map[string]interface {}") (not (hasKey $plugin "moduleName")) (not (hasKey $plugin "version")) }} + {{- fail (printf "ERROR: plugin %s is missing moduleName/version keys !" $pluginName) }} + {{- end }} + - --experimental.plugins.{{ $pluginName }}.moduleName={{ $plugin.moduleName }} + - --experimental.plugins.{{ $pluginName }}.version={{ $plugin.version }} + {{- end }} {{- if .Values.providers.kubernetesCRD.enabled }} - "--providers.kubernetescrd" {{- if .Values.providers.kubernetesCRD.labelSelector }} @@ -560,6 +574,14 @@ - "--providers.kubernetesingress.namespaces={{ template "providers.kubernetesIngress.namespaces" $ }}" {{- end }} {{- end }} + {{- with .Values.providers.file }} + {{- if .enabled }} + - "--providers.file.directory=/etc/traefik/dynamic" + {{- if .watch }} + - "--providers.file.watch=true" + {{- end }} + {{- end }} + {{- end }} {{- range $entrypoint, $config := $.Values.ports }} {{- if $config }} {{- if $config.redirectTo }} 
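Review bot: The two plugin arguments generated in the `@@ -510,6 +517,13 @@` hunk are emitted unquoted, unlike the neighbouring `- "--providers.kubernetescrd"` entries, so a `moduleName` or `version` containing YAML-significant characters changes how the args list is parsed. I would write them as `- "--experimental.plugins.{{ $pluginName }}.moduleName={{ $plugin.moduleName }}"` and `- "--experimental.plugins.{{ $pluginName }}.version={{ $plugin.version }}"`. The guard above also relies on `or` short-circuiting: if the Helm build evaluates every operand, `hasKey` on a non-map `$plugin` raises a type error before the intended `fail` message, so putting the `typeOf` test in its own `if` is safer. Requiring `version` is a useful pin; since Traefik fetches plugin modules when it starts, a values.yaml comment asking operators to list only sources they trust would help.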
@@ -720,10 +742,15 @@ {{- if .Values.deployment.additionalVolumes }} {{- toYaml .Values.deployment.additionalVolumes | nindent 8 }} {{- end }} - {{- if .Values.experimental.plugins.enabled }} + {{- if gt (len .Values.experimental.plugins) 0 }} - name: plugins emptyDir: {} {{- end }} + {{- if .Values.providers.file.enabled }} + - name: traefik-extra-config + configMap: + name: {{ template "traefik.fullname" . }}-file-provider + {{- end }} {{- if .Values.affinity }} affinity: {{- tpl (toYaml .Values.affinity) . | nindent 8 }} diff --git a/charts/traefik/traefik/templates/_service.tpl b/charts/traefik/traefik/templates/_service.tpl index e7b58921e..825ce7fce 100644 --- a/charts/traefik/traefik/templates/_service.tpl +++ b/charts/traefik/traefik/templates/_service.tpl @@ -55,7 +55,7 @@ {{- $http3Port := default $config.exposedPort $config.http3.advertisedPort }} - port: {{ $http3Port }} name: "{{ $name }}-http3" - targetPort: {{ default $config.port $config.targetPort }} + targetPort: {{ $name }}-http3 protocol: UDP {{- if $config.nodePort }} nodePort: {{ $config.nodePort }} diff --git a/charts/traefik/traefik/templates/daemonset.yaml b/charts/traefik/traefik/templates/daemonset.yaml index 4814ac5ff..5be6a0a25 100644 --- a/charts/traefik/traefik/templates/daemonset.yaml +++ b/charts/traefik/traefik/templates/daemonset.yaml @@ -31,6 +31,9 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} annotations: + {{- if and .Values.providers.file.enabled (not .Values.providers.file.watch) }} + checksum/traefik-dynamic-conf: {{ include (print $.Template.BasePath "/provider-file-cm.yaml") . | sha256sum }} + {{- end }} {{- with .Values.deployment.annotations }} {{- toYaml . | nindent 4 }} {{- end }} diff --git a/charts/traefik/traefik/templates/deployment.yaml b/charts/traefik/traefik/templates/deployment.yaml index df7bb3885..3e9c8ad78 100644 --- a/charts/traefik/traefik/templates/deployment.yaml +++ b/charts/traefik/traefik/templates/deployment.yaml 
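Review bot: `targetPort: {{ $name }}-http3` in the `_service.tpl` hunk now resolves by container port name, so it depends on the `"{{ $name }}-http3"` port from `_podtemplate.tpl` being valid, and Kubernetes limits container port names to 15 characters. `websecure-http3` sits exactly at that limit, so an entrypoint name longer than nine characters with `http3.enabled` would be rejected by the API server at apply time rather than at render time. A render-time `fail` when the combined name exceeds 15 characters, or a comment on the `http3` values, would surface this earlier. The surrounding range block starts and ends outside the hunk.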
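Review bot: The `checksum/traefik-dynamic-conf` annotation in the `daemonset.yaml` hunk appears to land in the DaemonSet's own `metadata.annotations` (the context is the top-level `metadata:` block with `nindent 4`), and a change there does not alter the pod template, so no pods are restarted. With `providers.file.watch: false`, Traefik would then keep serving the old dynamic configuration, including any routing or middleware change, until the pods are restarted by hand. If the intent is roll-on-change, the checksum belongs in the pod template annotations emitted by `traefik.podTemplate`. The same applies to the matching hunk in `templates/deployment.yaml`. The rest of the manifest is outside the hunk, so the placement should be confirmed against the full file.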
@@ -17,6 +17,9 @@ {{- fail "\n\n ERROR: latest tag should not be used" }} {{- end }} +{{- if ne (typeOf .Values.experimental.plugins) "map[string]interface {}" }} + {{- fail (printf "ERROR: .Values.experimental.plugins should be a map (%s provided) !" (typeOf .Values.experimental.plugins)) }} +{{- end }} --- apiVersion: apps/v1 kind: Deployment @@ -29,6 +32,9 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} annotations: + {{- if and .Values.providers.file.enabled (not .Values.providers.file.watch) }} + checksum/traefik-dynamic-conf: {{ include (print $.Template.BasePath "/provider-file-cm.yaml") . | sha256sum }} + {{- end }} {{- with .Values.deployment.annotations }} {{- toYaml . | nindent 4 }} {{- end }} diff --git a/charts/traefik/traefik/templates/gateway.yaml b/charts/traefik/traefik/templates/gateway.yaml index a5b5a12ff..7370bacdf 100644 --- a/charts/traefik/traefik/templates/gateway.yaml +++ b/charts/traefik/traefik/templates/gateway.yaml @@ -26,6 +26,11 @@ spec: - name: websecure port: {{ $.Values.ports.websecure.port }} protocol: HTTPS + {{- with .Values.experimental.kubernetesGateway.namespacePolicy }} + allowedRoutes: + namespaces: + from: {{ . }} + {{- end }} tls: certificateRefs: - name: {{ .Values.experimental.kubernetesGateway.certificate.name }} diff --git a/charts/traefik/traefik/templates/prometheusrules.yaml b/charts/traefik/traefik/templates/prometheusrules.yaml index fa786051b..4534964d1 100644 --- a/charts/traefik/traefik/templates/prometheusrules.yaml +++ b/charts/traefik/traefik/templates/prometheusrules.yaml 
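Review bot: `experimental.kubernetesGateway.namespacePolicy` in the `gateway.yaml` hunk is written into `allowedRoutes.namespaces.from` without validation, and none of the visible values.yaml hunks add or document the key. Setting it to `All` lets routes from every namespace attach to the `websecure` listener that carries the chart's certificate, which is a trust-boundary change operators should opt into knowingly. `Selector` cannot work because no `selector` is rendered. I would add a commented entry in values.yaml such as `# namespacePolicy: Same  # 'All' lets routes in any namespace bind to this Gateway` and reject unsupported values with `fail`. Only the `websecure` listener visibly receives the block; the `web` listener is outside the hunk, so check whether it should match.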
@@ -9,9 +9,7 @@ apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: name: {{ template "traefik.fullname" . }} - {{- if .Values.metrics.prometheus.prometheusRule.namespace }} - namespace: {{ .Values.metrics.prometheus.prometheusRule.namespace }} - {{- end }} + namespace: {{ .Values.metrics.prometheus.prometheusRule.namespace | default (include "traefik.namespace" .) }} labels: {{- include "traefik.labels" . | nindent 4 }} {{- with .Values.metrics.prometheus.prometheusRule.additionalLabels }} diff --git a/charts/traefik/traefik/templates/provider-file-cm.yaml b/charts/traefik/traefik/templates/provider-file-cm.yaml new file mode 100644 index 000000000..01eedf1fa --- /dev/null +++ b/charts/traefik/traefik/templates/provider-file-cm.yaml @@ -0,0 +1,12 @@ +{{- if .Values.providers.file.enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "traefik.fullname" . }}-file-provider + namespace: {{ template "traefik.namespace" . }} + labels: + {{- include "traefik.labels" . | nindent 4 }} +data: + config.yml: | + {{ .Values.providers.file.content | nindent 4 }} +{{- end -}} diff --git a/charts/traefik/traefik/templates/servicemonitor.yaml b/charts/traefik/traefik/templates/servicemonitor.yaml index f3e128405..a4a8eda92 100644 --- a/charts/traefik/traefik/templates/servicemonitor.yaml +++ b/charts/traefik/traefik/templates/servicemonitor.yaml @@ -9,9 +9,7 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: {{ template "traefik.fullname" . }} - {{- with .Values.metrics.prometheus.serviceMonitor.namespace }} - namespace: {{ . }} - {{- end }} + namespace: {{ .Values.metrics.prometheus.serviceMonitor.namespace | default (include "traefik.namespace" .) }} labels: {{- if (.Values.metrics.prometheus.service).enabled }} {{- include "traefik.metricsservicelabels" . | nindent 4 }} diff --git a/charts/traefik/traefik/values.yaml b/charts/traefik/traefik/values.yaml index 71e377e69..f9dac910a 100644 
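Review bot: `providers.file.content` in the new `provider-file-cm.yaml` is rendered verbatim into a ConfigMap, and neither the template nor the values comment warns against putting credentials in this dynamic configuration. File-provider configuration can hold inline basic-auth users or TLS key material, while a ConfigMap is readable by anyone allowed to get configmaps in the namespace, and the content is also stored with the release values. I would add a comment above `content` in values.yaml such as `# Rendered into a ConfigMap: do not put passwords or private keys here; reference files mounted from a Secret instead.` Separately, with `enabled: true` and the default empty `content`, the provider starts against an empty `config.yml`, which could be rejected with a `fail` or documented.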
--- a/charts/traefik/traefik/values.yaml +++ b/charts/traefik/traefik/values.yaml @@ -40,6 +40,7 @@ deployment: # -- Additional deployment labels (e.g. for filtering deployment by custom labels) labels: {} # -- Additional pod annotations (e.g. for mesh injection or prometheus scraping) + # It supports templating. One can set it with values like traefik/name: '{{ template "traefik.name" . }}' podAnnotations: {} # -- Additional Pod labels (e.g. for filtering Pod by custom labels) podLabels: {} @@ -119,10 +120,12 @@ experimental: # This value is no longer used, set the image.tag to a semver higher than 3.0, e.g. "v3.0.0-beta3" # v3: # -- Enable traefik version 3 - # enabled: false - plugins: - # -- Enable traefik experimental plugins - enabled: false + + # -- Enable traefik experimental plugins + plugins: {} + # demo: + # moduleName: github.com/traefik/plugindemo + # version: v0.2.1 kubernetesGateway: # -- Enable traefik experimental GatewayClass CRD enabled: false @@ -206,6 +209,17 @@ livenessProbe: # -- The number of seconds to wait for a probe response before considering it as failed. timeoutSeconds: 2 +# -- Define Startup Probe for container: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes +# eg. +# `startupProbe: +# exec: +# command: +# - mycommand +# - foo +# initialDelaySeconds: 5 +# periodSeconds: 5` +startupProbe: + providers: kubernetesCRD: # -- Load Kubernetes IngressRoute provider 
@@ -241,6 +255,23 @@ providers: # By default this Traefik service # pathOverride: "" + file: + # -- Create a file provider + enabled: false + # -- Allows Traefik to automatically watch for file changes + watch: true + # -- File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/) + content: "" + # http: + # routers: + # router0: + # entryPoints: + # - web + # middlewares: + # - my-basic-auth + # service: service-foo + # rule: Path(`/foo`) + # # -- Add volumes to the traefik pod. The volume name will be passed to tpl. # This can be used to mount a cert pair or a configmap that holds a config.toml file. @@ -487,7 +518,7 @@ metrics: # -- https://doc.traefik.io/traefik/observability/tracing/overview/ tracing: {} # openTelemetry: # traefik v3+ only -# grpc: {} +# grpc: true # insecure: true # address: localhost:4317 # instana: diff --git a/charts/trilio/k8s-triliovault-operator/Chart.yaml b/charts/trilio/k8s-triliovault-operator/Chart.yaml index acbdfe38d..29c4e55b8 100644 --- a/charts/trilio/k8s-triliovault-operator/Chart.yaml +++ b/charts/trilio/k8s-triliovault-operator/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.19.0-0' catalog.cattle.io/release-name: k8s-triliovault-operator apiVersion: v2 -appVersion: 3.1.3 +appVersion: 4.0.0 dependencies: - condition: observability.enabled name: observability @@ -21,4 +21,4 @@ maintainers: name: k8s-triliovault-operator sources: - https://github.com/trilioData/k8s-triliovault-operator -version: 3.1.3 +version: 4.0.0 diff --git a/charts/trilio/k8s-triliovault-operator/README.md b/charts/trilio/k8s-triliovault-operator/README.md index 5f5eb92e1..1c8cb3841 100644 --- a/charts/trilio/k8s-triliovault-operator/README.md +++ b/charts/trilio/k8s-triliovault-operator/README.md 
@@ -45,6 +45,10 @@ The following table lists the configuration parameter of the upstream operator o | `preflight.volumeSnapshotClass` | Name of volume snapshot class to use for preflight checks (Optional) | "" | | | `preflight.logLevel` | Log Level for the preflight run (Default: "INFO") | "" | | | `preflight.imageTag` | Image tag to use for the preflight image (Default: latest) | "" | | +| `nodeSelector` | Node selection constraints for scheduling Pods of this application. | {} | | +| `affinity` | Affinity rules for scheduling the Pod of this application. | {} | | +| `tolerations` | Taints to be tolerated by Pods of this application. | [] | | + Check the TVM CR configuration by running following command: diff --git a/charts/trilio/k8s-triliovault-operator/crds/triliovault.trilio.io_triliovaultmanagers.yaml b/charts/trilio/k8s-triliovault-operator/crds/triliovault.trilio.io_triliovaultmanagers.yaml index a1f050cb9..d16b6465f 100644 --- a/charts/trilio/k8s-triliovault-operator/crds/triliovault.trilio.io_triliovaultmanagers.yaml +++ b/charts/trilio/k8s-triliovault-operator/crds/triliovault.trilio.io_triliovaultmanagers.yaml @@ -24,6 +24,9 @@ spec: - jsonPath: .spec.applicationScope name: Scope type: string + - jsonPath: .status.status + name: Status + type: string name: v1 schema: openAPIV3Schema: diff --git a/charts/trilio/k8s-triliovault-operator/templates/TVMCustomResource.yaml b/charts/trilio/k8s-triliovault-operator/templates/TVMCustomResource.yaml index 5aa91c1da..24e4d2052 100644 --- a/charts/trilio/k8s-triliovault-operator/templates/TVMCustomResource.yaml +++ b/charts/trilio/k8s-triliovault-operator/templates/TVMCustomResource.yaml 
@@ -13,7 +13,7 @@ spec: {{- if .Values.installTVK.tvkInstanceName }} tvkInstanceName: {{ .Values.installTVK.tvkInstanceName }} {{- end }} - {{- if or .Values.imagePullSecret .Values.priorityClassName .Values.svcAccountName .Values.observability.enabled }} + {{- if or .Values.imagePullSecret .Values.svcAccountName .Values.observability.enabled }} helmValues: {{- if .Values.observability.enabled }} observability: @@ -23,13 +23,21 @@ spec: {{- if include "k8s-triliovault-operator.imagePullSecret" . }} imagePullSecret: {{ template "k8s-triliovault-operator.imagePullSecret" . }} {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} - {{- end }} {{- if .Values.svcAccountName }} svcAccountName: {{ .Values.svcAccountName }} {{- end }} {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- .Values.nodeSelector | toYaml | nindent 4 }} + {{- end }} + {{- if .Values.affinity }} + affinity: + {{- toYaml .Values.affinity | nindent 4 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 4 }} + {{- end }} # User can configure the ingress hosts, annotations and TLS secret through the ingressConfig section ingressConfig: {{- if and (gt (len .Values.installTVK.ingressConfig.annotations) 0) (not .Values.installTVK.ComponentConfiguration.ingressController.enabled) }} diff --git a/charts/trilio/k8s-triliovault-operator/templates/deployment.yaml b/charts/trilio/k8s-triliovault-operator/templates/deployment.yaml index 24a847bf9..9236b8113 100644 --- a/charts/trilio/k8s-triliovault-operator/templates/deployment.yaml +++ b/charts/trilio/k8s-triliovault-operator/templates/deployment.yaml 
@@ -121,7 +121,7 @@ spec: - name: RELATED_IMAGE_DEX value: {{ .Values.registry }}/{{ .Values.relatedImages.dex.image }}:{{ .Values.relatedImages.dex.tag }} - name: RELATED_IMAGE_MINIO - value: {{ .Values.registry }}/{{ .Values.relatedImages.minio.image }}:{{ .Values.relatedImages.minio.tag }} + value: {{ .Values.registry }}/{{ .Values.relatedImages.minio.image }}:{{ .Values.relatedImages.tags.tvk }} - name: RELATED_IMAGE_NATS value: {{ .Values.registry }}/{{ .Values.relatedImages.nats.image }}:{{ .Values.relatedImages.nats.tag }} - name: RELATED_IMAGE_SERVICE_MANAGER @@ -148,6 +148,8 @@ spec: - name: POD_LABELS value: {{ .Values.podLabels | toPrettyJson | quote }} {{- end }} + - name: PRIORITY_CLASS_NAME + value: {{ .Values.priorityClassName }} livenessProbe: httpGet: path: /healthz @@ -251,6 +253,10 @@ spec: affinity: {{- toYaml .Values.affinity | nindent 8 }} {{- end }} + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} volumes: {{- if .Values.tls.enable }} - name: helm-tls-certs diff --git a/charts/trilio/k8s-triliovault-operator/templates/preflight_job_preinstall_hook.yaml b/charts/trilio/k8s-triliovault-operator/templates/preflight_job_preinstall_hook.yaml index f9f1e77e0..c94ef2f96 100644 --- a/charts/trilio/k8s-triliovault-operator/templates/preflight_job_preinstall_hook.yaml +++ b/charts/trilio/k8s-triliovault-operator/templates/preflight_job_preinstall_hook.yaml 
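Review bot: `RELATED_IMAGE_MINIO` now takes its tag from `.Values.relatedImages.tags.tvk`, so an existing override of `relatedImages.minio.tag` is silently ignored after upgrade; the same commit removes that key from values.yaml and sets `minio.image` to `control-plane`. Operators who mirror or pin this image in a private registry get no signal that the reference changed. I would add a comment on the `minio` entry in values.yaml, for example `# served from the control-plane image; tag follows relatedImages.tags.tvk, relatedImages.minio.tag is no longer read`, and mention it in the chart's upgrade notes. The env list starts and ends outside the hunk.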
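Review bot: The new `PRIORITY_CLASS_NAME` value is rendered unquoted, unlike `POD_LABELS` directly above it, which goes through `| quote`. With the default `priorityClassName: ""` this renders an empty YAML scalar, and a value that YAML reads as a number or boolean would not be the string an env `value` requires and would presumably be rejected by the API server. Suggest `value: {{ .Values.priorityClassName | quote }}`. The container spec continues outside the hunk.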
@@ -179,6 +179,17 @@ spec: {{- if .Values.preflight.volumeSnapshotClass }} --volume-snapshot-class={{ .Values.preflight.volumeSnapshotClass }} {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- .Values.nodeSelector | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: + {{- toYaml .Values.affinity | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} restartPolicy: Never terminationGracePeriodSeconds: 0 serviceAccountName: {{ template "k8s-triliovault-operator.preflightServiceAccountName" . }} diff --git a/charts/trilio/k8s-triliovault-operator/values.yaml b/charts/trilio/k8s-triliovault-operator/values.yaml index e42c99072..63e353cc9 100644 --- a/charts/trilio/k8s-triliovault-operator/values.yaml +++ b/charts/trilio/k8s-triliovault-operator/values.yaml @@ -4,7 +4,7 @@ operator-webhook-init: repository: operator-webhook-init k8s-triliovault-operator: repository: k8s-triliovault-operator -tag: "3.1.3" +tag: "4.0.0" # create image pull secrets and specify the name here. imagePullSecret: "" priorityClassName: "" @@ -22,6 +22,8 @@ preflight: requests: "" storageClass: "" volumeSnapshotClass: "" +# Affinity rules for scheduling the Pod of this application. +# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -31,6 +33,12 @@ affinity: operator: In values: - amd64 +# Node selection constraints for scheduling Pods of this application. +# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector +nodeSelector: {} +# Taints to be tolerated by Pods of this application. +# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +tolerations: [] masterEncryptionKeyConfig: name: "triliovault-master-encryption-key" namespace: "" 
@@ -174,8 +182,8 @@ podLabels: linkerd.io/inject: disabled relatedImages: tags: - tvk: "3.1.3" - event: "3.1.3" + tvk: "4.0.0" + event: "4.0.0" control-plane: image: "control-plane" metamover: @@ -218,8 +226,7 @@ relatedImages: image: "dex" tag: "2.30.6" minio: - image: "minio" - tag: "20220416" + image: "control-plane" nats: image: "nats" tag: "2.8.4" diff --git a/charts/weka/csi-wekafsplugin/CHANGELOG.md b/charts/weka/csi-wekafsplugin/CHANGELOG.md index 61c3c7e97..40eb8732d 100644 --- a/charts/weka/csi-wekafsplugin/CHANGELOG.md +++ b/charts/weka/csi-wekafsplugin/CHANGELOG.md @@ -2,16 +2,11 @@ ## What's Changed -### Features -* feat(CSI-166): update CSI spec to 1.9.0 by @sergeyberezansky in https://github.com/weka/csi-wekafs/pull/178 - ### Bug Fixes -* fix(CSI-163): missing ca-certificates package in wekafs container image by @sergeyberezansky in https://github.com/weka/csi-wekafs/pull/179 +* fix(CSI-170): error not reported when moving directory to trash by @sergeyberezansky in in https://github.com/weka/csi-wekafs/pull/184 ### Miscellaneous -* chore(deps): update actions/checkout digest to b4ffde6 by @renovate in https://github.com/weka/csi-wekafs/pull/161 -* chore(deps): update stefanzweifel/git-auto-commit-action action to v5 by @renovate in https://github.com/weka/csi-wekafs/pull/167 -* chore(deps): update helm/chart-testing-action action to v2.6.0 by @renovate in https://github.com/weka/csi-wekafs/pull/181 -* chore(deps): bump dependencies by @sergeyberezansky in https://github.com/weka/csi-wekafs/pull/177 +* chore(deps): update helm/chart-testing-action action to v2.6.1 by @renovate in https://github.com/weka/csi-wekafs/pull/184 +* chore(deps): update helm/chart-releaser-action action to v1.6.0 by @renovate in https://github.com/weka/csi-wekafs/pull/183 diff --git a/charts/weka/csi-wekafsplugin/Chart.yaml b/charts/weka/csi-wekafsplugin/Chart.yaml index f07104ec7..00dcef3c3 100644 --- a/charts/weka/csi-wekafsplugin/Chart.yaml 
+++ b/charts/weka/csi-wekafsplugin/Chart.yaml @@ -11,7 +11,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.18.0' catalog.cattle.io/release-name: csi-wekafsplugin apiVersion: v2 -appVersion: v2.3.1 +appVersion: v2.3.2 description: Helm chart for Deployment of WekaIO Container Storage Interface (CSI) plugin for WekaFS - the world fastest filesystem home: https://github.com/weka/csi-wekafs @@ -27,6 +27,6 @@ maintainers: url: https://weka.io name: csi-wekafsplugin sources: -- https://github.com/weka/csi-wekafs/tree/v2.3.1 +- https://github.com/weka/csi-wekafs/tree/v2.3.2 type: application -version: 2.3.1 +version: 2.3.2 diff --git a/charts/weka/csi-wekafsplugin/README.md b/charts/weka/csi-wekafsplugin/README.md index 2005778b8..7695ba86a 100644 --- a/charts/weka/csi-wekafsplugin/README.md +++ b/charts/weka/csi-wekafsplugin/README.md @@ -3,7 +3,7 @@ Helm chart for Deployment of WekaIO Container Storage Interface (CSI) plugin for [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/csi-wekafs)](https://artifacthub.io/packages/search?repo=csi-wekafs) -![Version: 2.3.1](https://img.shields.io/badge/Version-2.3.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.3.1](https://img.shields.io/badge/AppVersion-v2.3.1-informational?style=flat-square) +![Version: 2.3.2](https://img.shields.io/badge/Version-2.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.3.2](https://img.shields.io/badge/AppVersion-v2.3.2-informational?style=flat-square) ## Homepage https://github.com/weka/csi-wekafs 
@@ -56,15 +56,15 @@ Kubernetes: `>=1.18.0` |-----|------|---------|-------------| | dynamicProvisionPath | string | `"csi-volumes"` | Directory in root of file system where dynamic volumes are provisioned | | csiDriverName | string | `"csi.weka.io"` | Name of the driver (and provisioner) | -| csiDriverVersion | string | `"2.3.1"` | CSI driver version | -| images.livenessprobesidecar | string | `"registry.k8s.io/sig-storage/livenessprobe:v2.10.0"` | CSI liveness probe sidecar image URL | -| images.attachersidecar | string | `"registry.k8s.io/sig-storage/csi-attacher:v4.3.0"` | CSI attacher sidecar image URL | -| images.provisionersidecar | string | `"registry.k8s.io/sig-storage/csi-provisioner:v3.5.0"` | CSI provisioner sidecar image URL | -| images.registrarsidecar | string | `"registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0"` | CSI registrar sidercar | -| images.resizersidecar | string | `"registry.k8s.io/sig-storage/csi-resizer:v1.8.0"` | CSI resizer sidecar image URL | -| images.snapshottersidecar | string | `"registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2"` | CSI snapshotter sidecar image URL | +| csiDriverVersion | string | `"2.3.2"` | CSI driver version | +| images.livenessprobesidecar | string | `"registry.k8s.io/sig-storage/livenessprobe:v2.11.0"` | CSI liveness probe sidecar image URL | +| images.attachersidecar | string | `"registry.k8s.io/sig-storage/csi-attacher:v4.4.1"` | CSI attacher sidecar image URL | +| images.provisionersidecar | string | `"registry.k8s.io/sig-storage/csi-provisioner:v3.6.1"` | CSI provisioner sidecar image URL | +| images.registrarsidecar | string | `"registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.0"` | CSI registrar sidercar | +| images.resizersidecar | string | `"registry.k8s.io/sig-storage/csi-resizer:v1.9.1"` | CSI resizer sidecar image URL | +| images.snapshottersidecar | string | `"registry.k8s.io/sig-storage/csi-snapshotter:v6.3.1"` | CSI snapshotter sidecar image URL | | images.csidriver | 
string | `"quay.io/weka.io/csi-wekafs"` | CSI driver main image URL | -| images.csidriverTag | string | `"2.3.1"` | CSI driver tag | +| images.csidriverTag | string | `"2.3.2"` | CSI driver tag | | globalPluginTolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]` | Tolerations for all CSI driver components | | controllerPluginTolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]` | Tolerations for CSI controller component only (by default same as global) | | nodePluginTolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]` | Tolerations for CSI node component only (by default same as global) | diff --git a/charts/weka/csi-wekafsplugin/values.yaml b/charts/weka/csi-wekafsplugin/values.yaml index accd73719..174ce8d38 100644 --- a/charts/weka/csi-wekafsplugin/values.yaml +++ b/charts/weka/csi-wekafsplugin/values.yaml 
@@ -5,20 +5,20 @@ dynamicProvisionPath: "csi-volumes" # -- Name of the driver (and provisioner) csiDriverName: "csi.weka.io" # -- CSI driver version -csiDriverVersion: &csiDriverVersion 2.3.1 +csiDriverVersion: &csiDriverVersion 2.3.2 images: # -- CSI liveness probe sidecar image URL - livenessprobesidecar: registry.k8s.io/sig-storage/livenessprobe:v2.10.0 + livenessprobesidecar: registry.k8s.io/sig-storage/livenessprobe:v2.11.0 # -- CSI attacher sidecar image URL - attachersidecar: registry.k8s.io/sig-storage/csi-attacher:v4.3.0 + attachersidecar: registry.k8s.io/sig-storage/csi-attacher:v4.4.1 # -- CSI provisioner sidecar image URL - provisionersidecar: registry.k8s.io/sig-storage/csi-provisioner:v3.5.0 + provisionersidecar: registry.k8s.io/sig-storage/csi-provisioner:v3.6.1 # -- CSI registrar sidercar - registrarsidecar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0 + registrarsidecar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.0 # -- CSI resizer sidecar image URL - resizersidecar: registry.k8s.io/sig-storage/csi-resizer:v1.8.0 + resizersidecar: registry.k8s.io/sig-storage/csi-resizer:v1.9.1 # -- CSI snapshotter sidecar image URL - snapshottersidecar: registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2 + snapshottersidecar: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.1 # -- CSI driver main image URL csidriver: quay.io/weka.io/csi-wekafs # -- CSI driver tag diff --git a/charts/yugabyte/yugabyte/Chart.yaml b/charts/yugabyte/yugabyte/Chart.yaml index 406955dc4..0e310c77f 100644 --- a/charts/yugabyte/yugabyte/Chart.yaml +++ b/charts/yugabyte/yugabyte/Chart.yaml @@ -5,7 +5,7 @@ annotations: catalog.cattle.io/release-name: yugabyte charts.openshift.io/name: yugabyte apiVersion: v2 -appVersion: 2.18.4.2-b2 +appVersion: 2.18.5.1-b1 description: YugabyteDB is the high-performance distributed SQL database for building global, internet-scale apps. home: https://www.yugabyte.com 
@@ -19,4 +19,4 @@ maintainers: name: yugabyte sources: - https://github.com/yugabyte/yugabyte-db -version: 2.18.4+2 +version: 2.18.5 diff --git a/charts/yugabyte/yugabyte/app-readme.md b/charts/yugabyte/yugabyte/app-readme.md index df28baa23..b8f79ad28 100644 --- a/charts/yugabyte/yugabyte/app-readme.md +++ b/charts/yugabyte/yugabyte/app-readme.md @@ -1 +1 @@ -This chart bootstraps an RF3 YugabyteDB version 2.18.4.2-b2 cluster using the Helm Package Manager. +This chart bootstraps an RF3 YugabyteDB version 2.18.5.1-b1 cluster using the Helm Package Manager. diff --git a/charts/yugabyte/yugabyte/values.yaml b/charts/yugabyte/yugabyte/values.yaml index 715393759..85fe60a54 100644 --- a/charts/yugabyte/yugabyte/values.yaml +++ b/charts/yugabyte/yugabyte/values.yaml @@ -8,7 +8,7 @@ nameOverride: "" Image: repository: "yugabytedb/yugabyte" - tag: 2.18.4.2-b2 + tag: 2.18.5.1-b1 pullPolicy: IfNotPresent pullSecretName: "" diff --git a/charts/yugabyte/yugaware/Chart.yaml b/charts/yugabyte/yugaware/Chart.yaml index dc58efb07..c3dc85517 100644 --- a/charts/yugabyte/yugaware/Chart.yaml +++ b/charts/yugabyte/yugaware/Chart.yaml @@ -5,7 +5,7 @@ annotations: catalog.cattle.io/release-name: yugaware charts.openshift.io/name: yugaware apiVersion: v2 -appVersion: 2.18.4.2-b2 +appVersion: 2.18.5.1-b1 description: YugabyteDB Anywhere provides deployment, orchestration, and monitoring for managing YugabyteDB clusters. YugabyteDB Anywhere can create a YugabyteDB cluster with multiple pods provided by Kubernetes or OpenShift and logically grouped together @@ -19,4 +19,4 @@ maintainers: - email: gjalla@yugabyte.com name: Govardhan Reddy Jalla name: yugaware -version: 2.18.4+2 +version: 2.18.5 diff --git a/charts/yugabyte/yugaware/templates/_helpers.tpl b/charts/yugabyte/yugaware/templates/_helpers.tpl index 232797171..a38257a7a 100644 --- a/charts/yugabyte/yugaware/templates/_helpers.tpl +++ b/charts/yugabyte/yugaware/templates/_helpers.tpl 
@@ -231,3 +231,19 @@ Check export of nss_wrapper environment variables required {{- end -}} {{- end -}} {{- end -}} + +{{/* +Make list of custom http headers +*/}} +{{- define "customHeaders" -}} +[ +{{- $headers := .Values.yugaware.custom_headers -}} +{{- range $index, $element := $headers -}} + {{- if ne $index (sub (len $headers) 1) -}} + {{- . | quote }}, + {{- else -}} + {{- . | quote }} + {{- end -}} +{{- end -}} +] +{{- end -}} \ No newline at end of file diff --git a/charts/yugabyte/yugaware/templates/configs.yaml b/charts/yugabyte/yugaware/templates/configs.yaml index 6c9cd550e..ac295599e 100644 --- a/charts/yugabyte/yugaware/templates/configs.yaml +++ b/charts/yugabyte/yugaware/templates/configs.yaml @@ -100,6 +100,10 @@ data: url = "https://{{ .Values.tls.hostname }}" # GKE MCS takes 7 to 10 minutes to setup DNS wait_for_server_timeout = 15 minutes + {{- if .Values.tls.enabled }} + security.headers.hsts_enabled = true + {{- end }} + security.headers.custom_headers = {{ include "customHeaders" . }} } play.filters { diff --git a/charts/yugabyte/yugaware/templates/tests/test.yaml b/charts/yugabyte/yugaware/templates/tests/test.yaml index 1c36fe948..89d02035c 100644 --- a/charts/yugabyte/yugaware/templates/tests/test.yaml +++ b/charts/yugabyte/yugaware/templates/tests/test.yaml @@ -17,6 +17,8 @@ spec: command: - '/bin/bash' - '-ec' + - > + sleep 60s; {{- if .Values.tls.enabled }} - > curl --head -k https://{{ .Release.Name }}-yugaware-ui @@ -24,7 +26,7 @@ spec: - > curl --head http://{{ .Release.Name }}-yugaware-ui {{- end }} - # Hard coded resources to the test pod. + # Hard coded resources to the test pod. resources: limits: cpu: "1" diff --git a/charts/yugabyte/yugaware/values.yaml b/charts/yugabyte/yugaware/values.yaml index 194bda706..7141c8a86 100644 --- a/charts/yugabyte/yugaware/values.yaml +++ b/charts/yugabyte/yugaware/values.yaml 
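Review bot: The `customHeaders` helper passes every entry of `.Values.yugaware.custom_headers` through `quote` into the application config without checking its shape. Each entry becomes an HTTP response header, so a malformed entry (no `Name: value` separator, or an embedded CR/LF that `quote` escapes but the config parser presumably decodes again) only surfaces at runtime. Consider failing at render time inside the `range`, e.g. `{{- if not (regexMatch "^[A-Za-z0-9-]+: [^\r\n]+$" .) }}{{ fail (printf "invalid custom header %q" .) }}{{ end -}}`. The file also now ends without a trailing newline.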
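Review bot: `security.headers.hsts_enabled = true` is switched on implicitly by `tls.enabled`, with nothing telling the operator about the browser-side consequence. Once a browser has seen the header it refuses plain HTTP and certificate click-through for that host until the policy expires, which matters if the deployment uses a self-signed certificate (the chart's own test calls `curl -k`) or TLS is later turned off. I would document this next to the setting, e.g. `# HSTS is sent whenever tls.enabled is set; browsers then require a trusted certificate for this host until max-age expires`. The surrounding config block starts and ends outside the hunk.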
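Review bot: The added `- > sleep 60s;` is a separate item in the `command` list, so bash takes it as the whole `-c` script and the following `curl --head ...` item becomes `$0` and never runs; the Helm test would then pass after 60 seconds without contacting the UI. Indentation is not visible in this view, so this reading rests on the two separate `- >` markers. Put the delay and the request in one script item, e.g. `sleep 60s; curl --head -k https://{{ .Release.Name }}-yugaware-ui`, in both branches of the `if`. A bounded retry such as `curl --retry 12 --retry-delay 5 --retry-connrefused` would also avoid the fixed wait. The container spec begins outside the hunk.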
@@ -15,7 +15,7 @@ image: # including the yugaware image repository: quay.io/yugabyte/yugaware - tag: 2.18.4.2-b2 + tag: 2.18.5.1-b1 pullPolicy: IfNotPresent pullSecret: yugabyte-k8s-pull-secret ## Docker config JSON File name @@ -34,7 +34,7 @@ image: prometheus: registry: "" - tag: v2.46.0 + tag: v2.47.1 name: prom/prometheus nginx: @@ -95,6 +95,12 @@ yugaware: extraEnv: [] + # In case client wants to enable the additional headers to the YBA's http response + # Previously, it was possible via nginx, but given that we no longer have it, we can + # expose the same as application config/runtime config. + # Example: ["X-Content-Type-Options: nosniff", "Keep-Alive: timeout=5, max=1000"] + custom_headers: [] + ## Configure PostgreSQL part of the application postgres: # DO NOT CHANGE if using OCP Certified helm chart diff --git a/index.yaml b/index.yaml index 9dc86ff34..ed537cd33 100644 --- a/index.yaml +++ b/index.yaml 
@@ -80,6 +80,63 @@ entries: - assets/datawiza/access-broker-0.1.1.tgz version: 0.1.1 airflow: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Airflow + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: airflow + category: WorkFlow + images: | + - name: airflow-exporter + image: docker.io/bitnami/airflow-exporter:0.20220314.0-debian-11-r441 + - name: airflow-scheduler + image: docker.io/bitnami/airflow-scheduler:2.8.0-debian-11-r1 + - name: airflow-worker + image: docker.io/bitnami/airflow-worker:2.8.0-debian-11-r1 + - name: airflow + image: docker.io/bitnami/airflow:2.8.0-debian-11-r1 + - name: git + image: docker.io/bitnami/git:2.43.0-debian-11-r5 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r93 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 2.8.0 + created: "2024-01-12T17:06:10.789969854Z" + dependencies: + - condition: redis.enabled + name: redis + repository: file://./charts/redis + version: 18.x.x + - condition: postgresql.enabled + name: postgresql + repository: file://./charts/postgresql + version: 13.x.x + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Airflow is a tool to express and execute workflows as directed + acyclic graphs (DAGs). It includes utilities to schedule tasks, monitor task + progress and handle task dependencies. + digest: 480ebdb9b74ab7863129a1b546827fceed85ba782a36699a2d8030087cebf4c3 + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/airflow-1.svg + keywords: + - apache + - airflow + - workflow + - dag + maintainers: + - name: VMware, Inc. 
+ url: https://github.com/bitnami/charts + name: airflow + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/airflow + urls: + - assets/bitnami/airflow-16.1.11.tgz + version: 16.1.11 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Airflow @@ -2463,7 +2520,7 @@ entries: - annotations: artifacthub.io/changes: | - kind: changed - description: Upgrade Argo CD to v2.9.2 + description: DRY cleanup of ServiceAccounts artifacthub.io/signKey: | fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 url: https://argoproj.github.io/argo-helm/pgp_keys.asc @@ -2473,8 +2530,8 @@ entries: catalog.cattle.io/kube-version: '>=1.23.0-0' catalog.cattle.io/release-name: argo-cd apiVersion: v2 - appVersion: v2.9.2 - created: "2023-11-22T13:39:17.795899024Z" + appVersion: v2.9.3 + created: "2024-01-12T17:06:09.628982496Z" dependencies: - condition: redis-ha.enabled name: redis-ha 
@@ -2482,7 +2539,46 @@ entries: version: 4.23.0 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. - digest: 2caab68a66e9ddda3cbb1d8f155a4b7e1cb30f6a4b6e49503df232319ba9b475 + digest: 4aecfb800b9cf01db9ea10a630306baee00112406cec88b5c996a145749894ea + home: https://github.com/argoproj/argo-helm + icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png + keywords: + - argoproj + - argocd + - gitops + kubeVersion: '>=1.23.0-0' + maintainers: + - name: argoproj + url: https://argoproj.github.io/ + name: argo-cd + sources: + - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd + - https://github.com/argoproj/argo-cd + urls: + - assets/argo/argo-cd-5.52.1.tgz + version: 5.52.1 + - annotations: + artifacthub.io/changes: | + - kind: changed + description: Upgrade Argo CD to v2.9.2 + artifacthub.io/signKey: | + fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 + url: https://argoproj.github.io/argo-helm/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Argo CD + catalog.cattle.io/kube-version: '>=1.23.0-0' + catalog.cattle.io/release-name: argo-cd + apiVersion: v2 + appVersion: v2.9.2 + created: "2024-01-12T17:05:40.939913137Z" + dependencies: + - condition: redis-ha.enabled + name: redis-ha + repository: file://./charts/redis-ha + version: 4.23.0 + description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery + tool for Kubernetes. + digest: cd810a797b51ad12dcfa2c1631de47823a2409df2a4d3d41ca76c10c42bd295b home: https://github.com/argoproj/argo-helm icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png keywords: 
@@ -5947,6 +6043,39 @@ entries: - assets/argo/argo-cd-5.8.0.tgz version: 5.8.0 artifactory-ha: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: JFrog Artifactory HA + catalog.cattle.io/kube-version: '>= 1.14.0-0' + catalog.cattle.io/release-name: artifactory-ha + apiVersion: v2 + appVersion: 7.71.11 + created: "2024-01-12T17:06:37.187104414Z" + dependencies: + - condition: postgresql.enabled + name: postgresql + repository: file://./charts/postgresql + version: 10.3.18 + description: Universal Repository Manager supporting all major packaging formats, + build tools and CI servers. + digest: 12aff30144f1ab94f2712dcfc60a35b038333505d18c631170dcb74665696061 + home: https://www.jfrog.com/artifactory/ + icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-ha/logo/artifactory-logo.png + keywords: + - artifactory + - jfrog + - devops + kubeVersion: '>= 1.14.0-0' + maintainers: + - email: installers@jfrog.com + name: Chart Maintainers at JFrog + name: artifactory-ha + sources: + - https://github.com/jfrog/charts + type: application + urls: + - assets/jfrog/artifactory-ha-107.71.11.tgz + version: 107.71.11 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: JFrog Artifactory HA 
@@ -7393,6 +7522,40 @@ entries: - assets/jfrog/artifactory-ha-3.0.1400.tgz version: 3.0.1400 artifactory-jcr: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: JFrog Container Registry + catalog.cattle.io/kube-version: '>= 1.14.0-0' + catalog.cattle.io/release-name: artifactory-jcr + apiVersion: v2 + appVersion: 7.71.11 + created: "2024-01-12T17:06:37.547256528Z" + dependencies: + - name: artifactory + repository: file://./charts/artifactory + version: 107.71.11 + description: JFrog Container Registry + digest: d369b3e11235fb4b469b93d274d4f367a13ce083bd18aa6abfd7c21cc2436772 + home: https://jfrog.com/container-registry/ + icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-jcr/logo/jcr-logo.png + keywords: + - artifactory + - jfrog + - container + - registry + - devops + - jfrog-container-registry + kubeVersion: '>= 1.14.0-0' + maintainers: + - email: helm@jfrog.com + name: Chart Maintainers at JFrog + name: artifactory-jcr + sources: + - https://github.com/jfrog/charts + type: application + urls: + - assets/jfrog/artifactory-jcr-107.71.11.tgz + version: 107.71.11 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: JFrog Container Registry 
@@ -11428,6 +11591,48 @@ entries: - assets/asserts/asserts-1.6.0.tgz version: 1.6.0 cassandra: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Cassandra + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: cassandra + category: Database + images: | + - name: cassandra-exporter + image: docker.io/bitnami/cassandra-exporter:2.3.8-debian-11-r431 + - name: cassandra + image: docker.io/bitnami/cassandra:4.1.3-debian-11-r78 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r92 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 4.1.3 + created: "2024-01-12T17:06:10.901471524Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Cassandra is an open source distributed database management + system designed to handle large amounts of data across many servers, providing + high availability with no single point of failure. + digest: f4a8c2bf5e0598dd1874c06a748807d92f17c8da931185f57bba698498b7b7ea + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/cassandra-4.svg + keywords: + - cassandra + - database + - nosql + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: cassandra + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/cassandra + urls: + - assets/bitnami/cassandra-10.6.9.tgz + version: 10.6.9 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Cassandra 
@@ -12718,6 +12923,40 @@ entries: - assets/bitnami/cassandra-9.7.3.tgz version: 9.7.3 cert-manager: + - annotations: + artifacthub.io/license: Apache-2.0 + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E + url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: cert-manager + catalog.cattle.io/kube-version: '>= 1.22.0-0' + catalog.cattle.io/namespace: cert-manager + catalog.cattle.io/release-name: cert-manager + apiVersion: v1 + appVersion: v1.13.3 + created: "2024-01-12T17:06:13.331799895Z" + description: A Helm chart for cert-manager + digest: e63c4585f1677a19ee29f1b53be00e158c78738bc2ac4e3770fd2c9ac01c6422 + home: https://github.com/cert-manager/cert-manager + icon: https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png + keywords: + - cert-manager + - kube-lego + - letsencrypt + - tls + kubeVersion: '>= 1.22.0-0' + maintainers: + - email: cert-manager-maintainers@googlegroups.com + name: cert-manager-maintainers + url: https://cert-manager.io + name: cert-manager + sources: + - https://github.com/cert-manager/cert-manager + urls: + - assets/cert-manager/cert-manager-v1.13.3.tgz + version: v1.13.3 - annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/prerelease: "false" 
@@ -14329,6 +14568,27 @@ entries: - assets/cloudcasa/cloudcasa-0.1.000.tgz version: 0.1.000 cockroachdb: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: CockroachDB + catalog.cattle.io/kube-version: '>=1.8-0' + catalog.cattle.io/release-name: cockroachdb + apiVersion: v1 + appVersion: 23.1.13 + created: "2024-01-12T17:06:13.445713774Z" + description: CockroachDB is a scalable, survivable, strongly-consistent SQL database. + digest: c3308d96942c58c586b90710563941d01c6e2a4bc4892c6d183ff029cc8e9b4d + home: https://www.cockroachlabs.com + icon: https://raw.githubusercontent.com/cockroachdb/cockroach/master/docs/media/cockroach_db.png + maintainers: + - email: helm-charts@cockroachlabs.com + name: cockroachlabs + name: cockroachdb + sources: + - https://github.com/cockroachdb/cockroach + urls: + - assets/cockroach-labs/cockroachdb-11.2.3.tgz + version: 11.2.3 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: CockroachDB 
@@ -14937,6 +15197,36 @@ entries: - assets/cockroach-labs/cockroachdb-4.1.200.tgz version: 4.1.200 community-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: MongoDB Community Operator + catalog.cattle.io/kube-version: '>=1.16-0' + catalog.cattle.io/release-name: community-operator + apiVersion: v2 + appVersion: 0.9.0 + created: "2024-01-12T17:07:17.150706198Z" + dependencies: + - condition: community-operator-crds.enabled + name: community-operator-crds + repository: file://./charts/community-operator-crds + version: 0.9.0 + description: MongoDB Kubernetes Community Operator + digest: ad70045b0a7bdf493d9236b3f29f4d07e71349ed90132374f5c26898be9eb33b + home: https://github.com/mongodb/mongodb-kubernetes-operator + icon: https://mongodb-images-new.s3.eu-west-1.amazonaws.com/leaf-green-dark.png + keywords: + - mongodb + - database + - nosql + kubeVersion: '>=1.16-0' + maintainers: + - email: support@mongodb.com + name: MongoDB + name: community-operator + type: application + urls: + - assets/mongodb/community-operator-0.9.0.tgz + version: 0.9.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: MongoDB Community Operator 
@@ -15178,6 +15468,32 @@ entries: - assets/mongodb/community-operator-0.7.6.tgz version: 0.7.6 confluent-for-kubernetes: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Confluent For Kubernetes + catalog.cattle.io/kube-version: '>=1.15-0' + catalog.cattle.io/release-name: confluent-for-kubernetes + apiVersion: v1 + appVersion: 2.7.3 + created: "2024-01-12T17:06:13.587751129Z" + description: A Helm chart to deploy Confluent for Kubernetes + digest: a0764bb0e64badd1364768715453f73f5784894bf66df46b07a7a2a6ab71fda5 + home: https://www.confluent.io/ + icon: https://cdn.confluent.io/wp-content/uploads/seo-logo-meadow.png + keywords: + - Confluent + - Confluent Operator + - Confluent Platform + - CFK + maintainers: + - email: operator@confluent.io + name: Confluent Operator + name: confluent-for-kubernetes + sources: + - https://docs.confluent.io/current/index.html + urls: + - assets/confluent/confluent-for-kubernetes-0.824.40.tgz + version: 0.824.40 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Confluent For Kubernetes 
@@ -15465,6 +15781,47 @@ entries: - assets/confluent/confluent-for-kubernetes-0.174.2101.tgz version: 0.174.2101 consul: + - annotations: + artifacthub.io/images: | + - name: consul + image: hashicorp/consul:1.17.1 + - name: consul-k8s-control-plane + image: hashicorp/consul-k8s-control-plane:1.3.1 + - name: consul-dataplane + image: hashicorp/consul-dataplane:1.3.1 + - name: envoy + image: envoyproxy/envoy:v1.25.11 + artifacthub.io/license: MPL-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://www.consul.io/docs/k8s + - name: hashicorp/consul + url: https://github.com/hashicorp/consul + - name: hashicorp/consul-k8s + url: https://github.com/hashicorp/consul-k8s + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: C874011F0AB405110D02105534365D9472D7468F + url: https://keybase.io/hashicorp/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Hashicorp Consul + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: consul + apiVersion: v2 + appVersion: 1.17.1 + created: "2024-01-12T17:06:36.627562509Z" + description: Official HashiCorp Consul Chart + digest: 84490b34f7b48b7ceb78c35218fc26cc44e27919e61bb154cf9e183fa90b6599 + home: https://www.consul.io + icon: https://raw.githubusercontent.com/hashicorp/consul-k8s/main/assets/icon.png + kubeVersion: '>=1.22.0-0' + name: consul + sources: + - https://github.com/hashicorp/consul + - https://github.com/hashicorp/consul-k8s + urls: + - assets/hashicorp/consul-1.3.1.tgz + version: 1.3.1 - annotations: artifacthub.io/images: | - name: consul @@ -16136,8 +16493,8 @@ entries: catalog.cattle.io/featured: "1" catalog.cattle.io/release-name: cost-analyzer apiVersion: v2 - appVersion: 1.107.1 - created: "2023-11-17T13:49:06.728346463Z" + appVersion: 1.108.1 + created: "2024-01-12T17:06:51.840530718Z" dependencies: - condition: global.grafana.enabled name: grafana 
@@ -16153,7 +16510,38 @@ entries: version: ~0.29.0 description: A Helm chart that sets up Kubecost, Prometheus, and Grafana to monitor cloud costs. - digest: 837b5321d9f0ff562997f72644eec1f9c12aa001dc84120dd87917466d479a87 + digest: 2f5ded432818ec345f1ac834df454611ae49b64dc9dec5d856be76b71f508d34 + icon: https://partner-charts.rancher.io/assets/logos/kubecost.png + name: cost-analyzer + urls: + - assets/kubecost/cost-analyzer-1.108.1.tgz + version: 1.108.1 + - annotations: + artifacthub.io/links: | + - name: Homepage + url: https://www.kubecost.com + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Kubecost + catalog.cattle.io/release-name: cost-analyzer + apiVersion: v2 + appVersion: 1.107.1 + created: "2024-01-12T17:06:38.59062925Z" + dependencies: + - condition: global.grafana.enabled + name: grafana + repository: file://./charts/grafana + version: ~1.17.2 + - condition: global.prometheus.enabled + name: prometheus + repository: file://./charts/prometheus + version: ~11.0.2 + - condition: global.thanos.enabled + name: thanos + repository: file://./charts/thanos + version: ~0.29.0 + description: A Helm chart that sets up Kubecost, Prometheus, and Grafana to monitor + cloud costs. + digest: 56752e1717bc400a427b1ee1cf7255b2bb2d0949f9aa919c66e6169fe39501e0 icon: https://partner-charts.rancher.io/assets/logos/kubecost.png name: cost-analyzer urls: 
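Review bot: The re-added cost-analyzer entry with `appVersion: 1.107.1` now has `digest: 56752e1717bc400a427b1ee1cf7255b2bb2d0949f9aa919c66e6169fe39501e0` and a 2024-01-12 `created` stamp, while the removed lines show `digest: 837b5321d9f0ff562997f72644eec1f9c12aa001dc84120dd87917466d479a87` and `created: "2023-11-17T13:49:06.728346463Z"` for what appears to be the same published version. Its `urls:`/`version:` lines fall outside the hunk, so the version match is inferred. The same pattern shows in the gluu hunk `@@ -24650,7 +25459,7 @@` (`0f2ac287…` to `8482c895…`) and the linkerd-control-plane hunk `@@ -39077,15 +40240,46 @@` (`b424b610…` to `f89c8fff…`). A digest that changes under an unchanged version breaks consumers that pin or cache the old value, and they cannot tell it apart from a tampered archive. Either leave the published archive and its `digest:`/`created:` lines as they were, or, if the repackage is intentional (the re-added entry no longer carries `catalog.cattle.io/featured: "1"`, which would explain it), record the rebuilt versions and the reason in the commit description.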
@@ -17533,6 +17921,32 @@ entries: - assets/crate/crate-operator-2.16.0.tgz version: 2.16.0 csi-isilon: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Dell CSI PowerScale + catalog.cattle.io/kube-version: '>= 1.21.0 < 1.29.0' + catalog.cattle.io/release-name: isilon + apiVersion: v2 + appVersion: 2.9.0 + created: "2024-01-12T17:06:14.247094394Z" + description: 'PowerScale CSI (Container Storage Interface) driver Kubernetes integration. + This chart includes everything required to provision via CSI as well as an Isilon + StorageClass. ' + digest: 05c03d108e303f19af2d5d16f7d434c5aeffa7621f9d2a42361d1ccee3cbc0de + icon: https://partner-charts.rancher.io/assets/logos/dell.png + keywords: + - csi + - storage + kubeVersion: '>= 1.21.0 < 1.29.0' + maintainers: + - name: DellEMC + name: csi-isilon + sources: + - https://github.com/dell/csi-isilon + type: application + urls: + - assets/dell/csi-isilon-2.9.0.tgz + version: 2.9.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dell CSI PowerScale 
@@ -17584,6 +17998,38 @@ entries: - assets/dell/csi-isilon-2.6.1.tgz version: 2.6.1 csi-powermax: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Dell CSI PowerMax + catalog.cattle.io/kube-version: '>= 1.23.0 < 1.29.0' + catalog.cattle.io/release-name: csi-powermax + apiVersion: v2 + appVersion: 2.9.0 + created: "2024-01-12T17:06:14.252902973Z" + dependencies: + - condition: required + name: csireverseproxy + repository: file://./charts/csireverseproxy + version: 2.8.0 + description: 'PowerMax CSI (Container Storage Interface) driver Kubernetes integration. + This chart includes everything required to provision via CSI as well as a PowerMax + StorageClass. ' + digest: 20b312cbcbb52ed031ecf939be1484f5c39149ac86c807a67455e518889ff7b3 + home: https://github.com/dell/csi-powermax + icon: https://partner-charts.rancher.io/assets/logos/dell.png + keywords: + - csi + - storage + kubeVersion: '>= 1.23.0 < 1.29.0' + maintainers: + - name: DellEMC + name: csi-powermax + sources: + - https://github.com/dell/csi-powermax + type: application + urls: + - assets/dell/csi-powermax-2.9.0.tgz + version: 2.9.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dell CSI PowerMax 
@@ -17680,6 +18126,33 @@ entries: - assets/dell/csi-powermax-2.6.0.tgz version: 2.6.0 csi-powerstore: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Dell CSI PowerStore + catalog.cattle.io/kube-version: '>= 1.24.0 < 1.29.0' + catalog.cattle.io/release-name: powerstore + apiVersion: v2 + appVersion: 2.9.0 + created: "2024-01-12T17:06:14.258733212Z" + description: 'PowerStore CSI (Container Storage Interface) driver Kubernetes integration. + This chart includes everything required to provision via CSI as well as a PowerStore + StorageClass. ' + digest: e79e03e75c97959cec3904d40b51b7644817bddf8a89248395dab152234f4752 + home: https://github.com/dell/csi-powerstore + icon: https://partner-charts.rancher.io/assets/logos/dell.png + keywords: + - csi + - storage + kubeVersion: '>= 1.24.0 < 1.29.0' + maintainers: + - name: DellEMC + name: csi-powerstore + sources: + - https://github.com/dell/csi-powerstore + type: application + urls: + - assets/dell/csi-powerstore-2.9.0.tgz + version: 2.9.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dell CSI PowerStore 
@@ -17811,6 +18284,32 @@ entries: - assets/dell/csi-powerstore-2.4.0.tgz version: 2.4.0 csi-unity: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Dell CSI Unity + catalog.cattle.io/kube-version: '>= 1.24.0 < 1.29.0' + catalog.cattle.io/release-name: unity + apiVersion: v2 + appVersion: 2.9.0 + created: "2024-01-12T17:06:14.26308755Z" + description: 'Unity XT CSI (Container Storage Interface) driver Kubernetes integration. + This chart includes everything required to provision via CSI as well as a Unity + XT StorageClass. ' + digest: 72399c1e94a5d5175e52eb32632182dd2e4d95a4b411d19c52176623fcfe8b91 + icon: https://partner-charts.rancher.io/assets/logos/dell.png + keywords: + - csi + - storage + kubeVersion: '>= 1.24.0 < 1.29.0' + maintainers: + - name: DellEMC + name: csi-unity + sources: + - https://github.com/dell/csi-unity + type: application + urls: + - assets/dell/csi-unity-2.9.0.tgz + version: 2.9.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dell CSI Unity 
@@ -17914,6 +18413,32 @@ entries: - assets/dell/csi-unity-2.4.0.tgz version: 2.4.0 csi-vxflexos: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Dell CSI PowerFlex + catalog.cattle.io/kube-version: '>= 1.21.0 < 1.29.0' + catalog.cattle.io/namespace: vxflexos + catalog.cattle.io/release-name: vxflexos + apiVersion: v2 + appVersion: 2.9.0 + created: "2024-01-12T17:06:14.267827657Z" + description: 'VxFlex OS CSI (Container Storage Interface) driver Kubernetes integration. + This chart includes everything required to provision via CSI as well as a VxFlex + OS StorageClass. ' + digest: 502f0600cfdac5176246dff65a5055ddaf233389e33986899abd80a7eae84c87 + icon: https://partner-charts.rancher.io/assets/logos/dell.png + keywords: + - csi + - storage + kubeVersion: '>= 1.21.0 < 1.29.0' + maintainers: + - name: DellEMC + name: csi-vxflexos + sources: + - https://github.com/dell/csi-vxflexos + urls: + - assets/dell/csi-vxflexos-2.9.0.tgz + version: 2.9.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dell CSI PowerFlex 
@@ -18092,6 +18617,42 @@ entries: - assets/dell/csi-vxflexos-2.1.0.tgz version: 2.1.0 csi-wekafsplugin: + - annotations: + artifacthub.io/category: storage + artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/license: Apache-2.0 + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: BA9F2D31BE9193E01FA17450BCE0A5CF67AC0C59 + url: https://weka.github.io/csi-wekafs/csi-public.gpg + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: WekaFS CSI Driver + catalog.cattle.io/kube-version: '>=1.18.0' + catalog.cattle.io/release-name: csi-wekafsplugin + apiVersion: v2 + appVersion: v2.3.2 + created: "2024-01-12T17:07:19.156952591Z" + description: Helm chart for Deployment of WekaIO Container Storage Interface (CSI) + plugin for WekaFS - the world fastest filesystem + digest: e29bb92b96b88e05199dadb200b20b6177aec8d92747cd18815cd13319794b2b + home: https://github.com/weka/csi-wekafs + icon: https://weka.github.io/csi-wekafs/logo.png + keywords: + - storage + - filesystem + - HPC + kubeVersion: '>=1.18.0' + maintainers: + - email: csi@weka.io + name: WekaIO, Inc. + url: https://weka.io + name: csi-wekafsplugin + sources: + - https://github.com/weka/csi-wekafs/tree/v2.3.2 + type: application + urls: + - assets/weka/csi-wekafsplugin-2.3.2.tgz + version: 2.3.2 - annotations: artifacthub.io/category: storage artifacthub.io/containsSecurityUpdates: "true" 
@@ -18466,6 +19027,43 @@ entries: - assets/weka/csi-wekafsplugin-0.6.400.tgz version: 0.6.400 datadog: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Datadog + catalog.cattle.io/kube-version: '>=1.10-0' + catalog.cattle.io/release-name: datadog + apiVersion: v1 + appVersion: "7" + created: "2024-01-12T17:06:14.137847372Z" + dependencies: + - condition: clusterAgent.metricsProvider.useDatadogMetrics + name: datadog-crds + repository: https://helm.datadoghq.com + tags: + - install-crds + version: 1.0.1 + - condition: datadog.kubeStateMetricsEnabled + name: kube-state-metrics + repository: https://prometheus-community.github.io/helm-charts + version: 2.13.2 + description: Datadog Agent + digest: acb6a5a17fd38a0362a1413a8d3164b55dff94ac3640a10fe70e20d4818d3f28 + home: https://www.datadoghq.com + icon: https://datadog-live.imgix.net/img/dd_logo_70x75.png + keywords: + - monitoring + - alerting + - metric + maintainers: + - email: support@datadoghq.com + name: Datadog + name: datadog + sources: + - https://app.datadoghq.com/account/settings#agent/kubernetes + - https://github.com/DataDog/datadog-agent + urls: + - assets/datadog/datadog-3.50.5.tgz + version: 3.50.5 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Datadog 
@@ -21410,6 +22008,39 @@ entries: - assets/datadog/datadog-2.4.200.tgz version: 2.4.200 datadog-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Datadog Operator + catalog.cattle.io/release-name: datadog-operator + apiVersion: v2 + appVersion: 1.3.0 + created: "2024-01-12T17:06:14.241478334Z" + dependencies: + - alias: datadogCRDs + condition: installCRDs + name: datadog-crds + repository: file://./charts/datadog-crds + tags: + - install-crds + version: =1.3.0 + description: Datadog Operator + digest: e412647c941f20b952ff34fa0233b705be8ce9a8916f7574ffdc83a528ac349c + home: https://www.datadoghq.com + icon: https://datadog-live.imgix.net/img/dd_logo_70x75.png + keywords: + - monitoring + - alerting + - metric + maintainers: + - email: support@datadoghq.com + name: Datadog + name: datadog-operator + sources: + - https://app.datadoghq.com/account/settings#agent/kubernetes + - https://github.com/DataDog/datadog-agent + urls: + - assets/datadog/datadog-operator-1.4.1.tgz + version: 1.4.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Datadog Operator 
@@ -22127,6 +22758,33 @@ entries: - assets/dh2i/dxemssql-1.0.1.tgz version: 1.0.1 dynatrace-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Dynatrace Operator + catalog.cattle.io/kube-version: '>=1.19.0-0' + catalog.cattle.io/release-name: dynatrace-operator + apiVersion: v2 + appVersion: 0.15.0 + created: "2024-01-12T17:06:14.305760013Z" + description: The Dynatrace Operator Helm chart for Kubernetes and OpenShift + digest: 58091319f25b31a9fce5d2f34af2c8cdc03c5d8d26381d8610e883da15d32d2e + home: https://www.dynatrace.com/ + icon: https://assets.dynatrace.com/global/resources/Signet_Logo_RGB_CP_512x512px.png + kubeVersion: '>=1.19.0-0' + maintainers: + - email: marcell.sevcsik@dynatrace.com + name: 0sewa0 + - email: christoph.muellner@dynatrace.com + name: chrismuellner + - email: lukas.hinterreiter@dynatrace.com + name: luhi-DT + name: dynatrace-operator + sources: + - https://github.com/Dynatrace/dynatrace-operator + type: application + urls: + - assets/dynatrace/dynatrace-operator-0.15.0.tgz + version: 0.15.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dynatrace Operator 
@@ -22711,6 +23369,30 @@ entries: - assets/elastic/elasticsearch-7.17.3.tgz version: 7.17.3 external-secrets: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: External Secrets Operator + catalog.cattle.io/kube-version: '>= 1.19.0-0' + catalog.cattle.io/release-name: external-secrets + apiVersion: v2 + appVersion: v0.9.11 + created: "2024-01-12T17:06:14.365395924Z" + description: External secret management for Kubernetes + digest: 5d922ab90e3034bad503f0c46f81f79faf3c74e9f7ff7a5ab6a6b01dc6771b26 + home: https://github.com/external-secrets/external-secrets + icon: https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png + keywords: + - kubernetes-external-secrets + - secrets + kubeVersion: '>= 1.19.0-0' + maintainers: + - email: kellinmcavoy@gmail.com + name: mcavoyk + name: external-secrets + type: application + urls: + - assets/external-secrets/external-secrets-0.9.11.tgz + version: 0.9.11 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: External Secrets Operator 
@@ -23469,6 +24151,38 @@ entries: - assets/f5/f5-bigip-ctlr-0.0.1901.tgz version: 0.0.1901 falcon-sensor: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: CrowdStrike Falcon Platform + catalog.cattle.io/kube-version: '>1.22.0-0' + catalog.cattle.io/release-name: falcon-sensor + apiVersion: v2 + appVersion: 1.24.1 + created: "2024-01-12T17:06:13.620267451Z" + description: A Helm chart to deploy CrowdStrike Falcon sensors into Kubernetes + clusters. + digest: 58267b2684e4bd892dddddef1317af221a722b2e12d5b33f7f8f90db6376e5f6 + home: https://crowdstrike.com + icon: https://raw.githubusercontent.com/CrowdStrike/falcon-helm/main/images/crowdstrike-logo.svg + keywords: + - CrowdStrike + - Falcon + - EDR + - kubernetes + - security + - monitoring + - alerting + kubeVersion: '>1.22.0-0' + maintainers: + - email: integrations@crowdstrike.com + name: CrowdStrike Solutions Architecture + name: falcon-sensor + sources: + - https://github.com/CrowdStrike/falcon-helm + type: application + urls: + - assets/crowdstrike/falcon-sensor-1.24.1.tgz + version: 1.24.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: CrowdStrike Falcon Platform 
@@ -24557,6 +25271,102 @@ entries: - assets/inaccel/fpga-operator-2.5.201.tgz version: 2.5.201 gluu: + - annotations: + artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/images: | + - name: auth-server + image: ghcr.io/janssenproject/jans/auth-server:1.0.21-1 + - name: auth-server-key-rotation + image: ghcr.io/janssenproject/jans/certmanager:1.0.21-1 + - name: configuration-manager + image: ghcr.io/janssenproject/jans/configurator:1.0.21-1 + - name: config-api + image: ghcr.io/janssenproject/jans/config-api:1.0.21-1 + - name: fido2 + image: ghcr.io/janssenproject/jans/fido2:1.0.21-1 + - name: opendj + image: gluufederation/opendj:5.0.0_dev + - name: persistence + image: ghcr.io/janssenproject/jans/persistence-loader:1.0.21-1 + - name: scim + image: ghcr.io/janssenproject/jans/scim:1.0.21-1 + - name: casa + image: ghcr.io/janssenproject/jans/casa:1.0.21-1 + - name: admin-ui + image: ghcr.io/gluufederation/flex/admin-ui:1.0.21-1 + artifacthub.io/license: Apache-2.0 + artifacthub.io/prerelease: "true" + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Gluu Cloud Identity and Access Management + catalog.cattle.io/featured: "4" + catalog.cattle.io/kube-version: '>=v1.21.0-0' + catalog.cattle.io/release-name: gluu + apiVersion: v2 + appVersion: 5.0.0 + created: "2024-01-12T17:06:36.382416176Z" + dependencies: + - condition: global.config.enabled + name: config + repository: file://./charts/config + version: 5.0.24 + - condition: global.config-api.enabled + name: config-api + repository: file://./charts/config-api + version: 5.0.24 + - condition: global.opendj.enabled + name: opendj + repository: file://./charts/opendj + version: 5.0.24 + - condition: global.auth-server.enabled + name: auth-server + repository: file://./charts/auth-server + version: 5.0.24 + - condition: global.admin-ui.enabled + name: admin-ui + repository: file://./charts/admin-ui + version: 5.0.24 + - condition: global.fido2.enabled + name: fido2 + repository: 
file://./charts/fido2 + version: 5.0.24 + - condition: global.scim.enabled + name: scim + repository: file://./charts/scim + version: 5.0.24 + - condition: global.nginx-ingress.enabled + name: nginx-ingress + repository: file://./charts/nginx-ingress + version: 5.0.24 + - condition: global.casa.enabled + name: casa + repository: file://./charts/casa + version: 5.0.24 + - condition: global.auth-server-key-rotation.enabled + name: auth-server-key-rotation + repository: file://./charts/auth-server-key-rotation + version: 5.0.24 + - condition: global.persistence.enabled + name: persistence + repository: file://./charts/persistence + version: 5.0.24 + - condition: global.istio.ingress + name: cn-istio-ingress + repository: file://./charts/cn-istio-ingress + version: 5.0.24 + description: Gluu Access and Identity Management + digest: 7fee929e1293ca52eaacd857e08de304d4fc55590d11d10c9a9d5418e563b38a + home: https://www.gluu.org + icon: https://gluu.org/docs/gluu-server/favicon.ico + kubeVersion: '>=v1.21.0-0' + maintainers: + - email: support@gluu.org + name: moabu + name: gluu + sources: + - https://docs.gluu.org + urls: + - assets/gluu/gluu-5.0.24.tgz + version: 5.0.24 - annotations: artifacthub.io/changes: | - Chart 5.0.23 release @@ -24586,12 +25396,11 @@ entries: artifacthub.io/prerelease: "true" catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Gluu Cloud Identity and Access Management - catalog.cattle.io/featured: "4" catalog.cattle.io/kube-version: '>=v1.21.0-0' catalog.cattle.io/release-name: gluu apiVersion: v2 appVersion: 5.0.0 - created: "2023-10-16T14:36:27.449179029Z" + created: "2024-01-12T17:06:14.581555146Z" dependencies: - condition: global.config.enabled name: config 
@@ -24650,7 +25459,7 @@ entries: repository: file://./charts/cn-istio-ingress version: 5.0.23 description: Gluu Access and Identity Management - digest: 0f2ac287a6d0a682c654982c2d422c405d113de063b98ed330f18e198934048d + digest: 8482c8954f8bfc4aac36aa273b86501de18873c14dba00b9b99bd5b669c43eb6 home: https://www.gluu.org icon: https://gluu.org/docs/gluu-server/favicon.ico kubeVersion: '>=v1.21.0-0' @@ -26115,6 +26924,34 @@ entries: - assets/gopaddle/gopaddle-4.2.5.tgz version: 4.2.5 haproxy: + - annotations: + artifacthub.io/changes: | + - Remove unneeded initContainers from CRD job (#215) + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy + apiVersion: v2 + appVersion: 1.10.10 + created: "2024-01-12T17:06:36.475132053Z" + description: A Helm chart for HAProxy Kubernetes Ingress Controller + digest: 56ce92af8fe67e840c1c6bfce92aa6ac730c71183a76ab109283285f365add56 + home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png + keywords: + - ingress + - haproxy + kubeVersion: '>=1.22.0-0' + maintainers: + - email: dkorunic@haproxy.com + name: Dinko Korunic + name: haproxy + sources: + - https://github.com/haproxytech/kubernetes-ingress + type: application + urls: + - assets/haproxy/haproxy-1.35.5.tgz + version: 1.35.5 - annotations: artifacthub.io/changes: | - Increase CRD job cleanup TTL to 120s (#213) 
@@ -27080,6 +27917,37 @@ entries: - assets/haproxy/haproxy-1.4.300.tgz version: 1.4.300 harbor: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Harbor + catalog.cattle.io/kube-version: '>=1.20-0' + catalog.cattle.io/release-name: harbor + apiVersion: v1 + appVersion: 2.10.0 + created: "2024-01-12T17:06:36.516898981Z" + description: An open source trusted cloud native registry that stores, signs, + and scans content + digest: a8c133cb426df2b34fa7fcbd0d2421d7585dfa209a32c044cd3bf0151f3f65c6 + home: https://goharbor.io + icon: https://raw.githubusercontent.com/goharbor/website/main/static/img/logos/harbor-icon-color.png + keywords: + - docker + - registry + - harbor + maintainers: + - email: yinw@vmware.com + name: Wenkai Yin + - email: hweiwei@vmware.com + name: Weiwei He + - email: yshengwen@vmware.com + name: Shengwen Yu + name: harbor + sources: + - https://github.com/goharbor/harbor + - https://github.com/goharbor/harbor-helm + urls: + - assets/harbor/harbor-1.14.0.tgz + version: 1.14.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Harbor 
@@ -27819,6 +28687,36 @@ entries: - assets/hpe/hpe-csi-info-metrics-1.0.1.tgz version: 1.0.1 instana-agent: + - annotations: + artifacthub.io/links: | + - name: Instana website + url: https://www.instana.com + - name: Instana Helm charts + url: https://github.com/instana/helm-charts + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Instana Agent + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: instana-agent + apiVersion: v2 + appVersion: 1.262.0 + created: "2024-01-12T17:06:36.704943782Z" + description: Instana Agent for Kubernetes + digest: bc0524a02e657be863fc975f57e8b0c6e5cf972aee7761cf3170687ee16f4eb6 + home: https://www.instana.com/ + icon: https://agents.instana.io/helm/stan-logo-2020.png + maintainers: + - email: felix.marx@ibm.com + name: FelixMarxIBM + - email: henning.treu@ibm.com + name: htreu + - email: torsten.kohn@ibm.com + name: tkohn + name: instana-agent + sources: + - https://github.com/instana/instana-agent-docker + urls: + - assets/instana/instana-agent-1.2.66.tgz + version: 1.2.66 - annotations: artifacthub.io/links: | - name: Instana website 
@@ -28391,6 +29289,22 @@ entries: - assets/instana/instana-agent-1.0.2900.tgz version: 1.0.2900 intel-device-plugins-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Intel Device Plugins Operator + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: intel-device-plugins-operator + apiVersion: v2 + appVersion: 0.29.0 + created: "2024-01-12T17:06:36.708544026Z" + description: A Helm chart for Intel Device Plugins Operator for Kubernetes + digest: 26fd112f74b80bfc3132e58330f48d801c66fd624fa14c52324d8f358d5f5532 + icon: https://avatars.githubusercontent.com/u/17888862?s=200&v=4 + name: intel-device-plugins-operator + type: application + urls: + - assets/intel/intel-device-plugins-operator-0.29.0.tgz + version: 0.29.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Intel Device Plugins Operator @@ -28520,6 +29434,22 @@ entries: - assets/intel/intel-device-plugins-operator-0.24.1.tgz version: 0.24.1 intel-device-plugins-qat: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Intel QAT Device Plugin + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: intel-device-plugins-qat + apiVersion: v2 + appVersion: 0.29.0 + created: "2024-01-12T17:06:36.709941111Z" + description: A Helm chart for Intel QAT Device Plugin + digest: 31465d4a41b56d1b9220b9d4bed9aebc1368a98629a117d49b39ecf87df23d44 + icon: https://avatars.githubusercontent.com/u/17888862?s=200&v=4 + name: intel-device-plugins-qat + type: application + urls: + - assets/intel/intel-device-plugins-qat-0.29.0.tgz + version: 0.29.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Intel QAT Device Plugin 
@@ -28601,6 +29531,22 @@ entries: - assets/intel/intel-device-plugins-qat-0.26.0.tgz version: 0.26.0 intel-device-plugins-sgx: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Intel SGX Device Plugin + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: intel-device-plugins-sgx + apiVersion: v2 + appVersion: 0.29.0 + created: "2024-01-12T17:06:36.71115253Z" + description: A Helm chart for Intel SGX Device Plugin + digest: 06457c596846eb20b54aed2a33439dcdf9a52f01b63ea796eb253bd78d5a340e + icon: https://avatars.githubusercontent.com/u/17888862?s=200&v=4 + name: intel-device-plugins-sgx + type: application + urls: + - assets/intel/intel-device-plugins-sgx-0.29.0.tgz + version: 0.29.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Intel SGX Device Plugin 
@@ -28991,6 +29937,64 @@ entries: - assets/jaeger/jaeger-operator-2.36.0.tgz version: 2.36.0 jenkins: + - annotations: + artifacthub.io/category: integration-delivery + artifacthub.io/changes: | + - Fixed documentation for controller.initScripts. + artifacthub.io/images: | + - name: jenkins + image: jenkins/jenkins:2.426.2-jdk17 + - name: k8s-sidecar + image: kiwigrid/k8s-sidecar:1.24.4 + - name: inbound-agent + image: jenkins/inbound-agent:3192.v713e3b_039fb_e-5 + - name: backup + image: maorfr/kube-tasks:0.2.0 + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Chart Source + url: https://github.com/jenkinsci/helm-charts/tree/main/charts/jenkins + - name: Jenkins + url: https://www.jenkins.io/ + - name: support + url: https://github.com/jenkinsci/helm-charts/issues + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Jenkins + catalog.cattle.io/kube-version: '>=1.14-0' + catalog.cattle.io/release-name: jenkins + apiVersion: v2 + appVersion: 2.426.2 + created: "2024-01-12T17:06:36.747099814Z" + description: Jenkins - Build great things at any scale! The leading open source + automation server, Jenkins provides over 1800 plugins to support building, deploying + and automating any project. 
+ digest: 116b09a87e1a116d6d96284e3b3556e28d6105b059254465123163be80f30601 + home: https://jenkins.io/ + icon: https://get.jenkins.io/art/jenkins-logo/logo.svg + keywords: + - jenkins + - ci + - devops + maintainers: + - email: maor.friedman@redhat.com + name: maorfr + - email: mail@torstenwalter.de + name: torstenwalter + - email: garridomota@gmail.com + name: mogaal + - email: wmcdona89@gmail.com + name: wmcdona89 + - email: timjacomb1@gmail.com + name: timja + name: jenkins + sources: + - https://github.com/jenkinsci/jenkins + - https://github.com/jenkinsci/docker-inbound-agent + - https://github.com/maorfr/kube-tasks + - https://github.com/jenkinsci/configuration-as-code-plugin + urls: + - assets/jenkins/jenkins-4.11.2.tgz + version: 4.11.2 - annotations: artifacthub.io/category: integration-delivery artifacthub.io/changes: | 
@@ -31206,6 +32210,34 @@ entries: - assets/jenkins/jenkins-4.2.9.tgz version: 4.2.9 k8s-triliovault-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: TrilioVault for Kubernetes Operator + catalog.cattle.io/kube-version: '>=1.19.0-0' + catalog.cattle.io/release-name: k8s-triliovault-operator + apiVersion: v2 + appVersion: 4.0.0 + created: "2024-01-12T17:07:19.147461419Z" + dependencies: + - condition: observability.enabled + name: observability + repository: file://./charts/observability + version: ^0.1.0 + description: K8s-TrilioVault-Operator is an operator designed to manage the K8s-TrilioVault + Application Lifecycle. + digest: c7380e50e29b50e2bbf607040b814b065a5f1ce58f3706ee8f8301f6fbb32aa3 + home: https://github.com/trilioData/k8s-triliovault-operator + icon: https://www.trilio.io/wp-content/uploads/2021/01/Trilio-2020-logo-RGB-gray-green.png + kubeVersion: '>=1.19.0-0' + maintainers: + - email: prafull.ladha@trilio.io + name: prafull11 + name: k8s-triliovault-operator + sources: + - https://github.com/trilioData/k8s-triliovault-operator + urls: + - assets/trilio/k8s-triliovault-operator-4.0.0.tgz + version: 4.0.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: TrilioVault for Kubernetes Operator 
@@ -33043,6 +34075,58 @@ entries: - assets/kasten/k10-4.5.900.tgz version: 4.5.900 kafka: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Kafka + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: kafka + category: Infrastructure + images: | + - name: jmx-exporter + image: docker.io/bitnami/jmx-exporter:0.20.0-debian-11-r2 + - name: kafka-exporter + image: docker.io/bitnami/kafka-exporter:1.7.0-debian-11-r134 + - name: kafka + image: docker.io/bitnami/kafka:3.6.1-debian-11-r0 + - name: kubectl + image: docker.io/bitnami/kubectl:1.29.0-debian-11-r0 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r92 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 3.6.1 + created: "2024-01-12T17:06:11.382051246Z" + dependencies: + - condition: zookeeper.enabled + name: zookeeper + repository: file://./charts/zookeeper + version: 12.x.x + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Kafka is a distributed streaming platform designed to build + real-time pipelines and can be used as a message broker or as a replacement + for a log aggregation solution for big data applications. + digest: 7ef3b402e4933742436fa4482405b345ae361a174b144909bc119e6d9d388580 + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/kafka.svg + keywords: + - kafka + - zookeeper + - streaming + - producer + - consumer + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: kafka + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/kafka + urls: + - assets/bitnami/kafka-26.6.3.tgz + version: 26.6.3 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Kafka 
@@ -36024,6 +37108,33 @@ entries: - assets/bitnami/kafka-19.0.1.tgz version: 19.0.1 kamaji: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Kamaji + catalog.cattle.io/kube-version: '>=1.21.0-0' + catalog.cattle.io/release-name: kamaji + apiVersion: v2 + appVersion: v0.4.0 + created: "2024-01-12T17:06:13.394204818Z" + description: Kamaji is a Kubernetes Control Plane Manager. + digest: 6ef236841a5ca6a84a4e84657549d70372dd0e0d1d348a820e461fe3329ca422 + home: https://github.com/clastix/kamaji + icon: https://github.com/clastix/kamaji/raw/master/assets/logo-colored.png + kubeVersion: '>=1.21.0-0' + maintainers: + - email: dario@tranchitella.eu + name: Dario Tranchitella + - email: me@maxgio.it + name: Massimiliano Giovagnoli + - email: me@bsctl.io + name: Adriano Pezzuto + name: kamaji + sources: + - https://github.com/clastix/kamaji + type: application + urls: + - assets/clastix/kamaji-0.14.0.tgz + version: 0.14.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Kamaji 
@@ -36621,6 +37732,31 @@ entries: - assets/elastic/kibana-7.17.3.tgz version: 7.17.3 kong: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Kong Gateway + catalog.cattle.io/release-name: kong + apiVersion: v2 + appVersion: "3.5" + created: "2024-01-12T17:06:38.29210227Z" + dependencies: + - condition: postgresql.enabled + name: postgresql + repository: file://./charts/postgresql + version: 11.9.13 + description: The Cloud-Native Ingress and API-management + digest: f0518d44ba42ac0b8dfa205eee6cbfc43fd1c4a9796af534f0b22440c563d0b9 + home: https://konghq.com/ + icon: https://s3.amazonaws.com/downloads.kong/universe/assets/icon-kong-inc-large.png + maintainers: + - email: team-k8s@konghq.com + name: team-k8s-bot + name: kong + sources: + - https://github.com/Kong/charts/tree/main/charts/kong + urls: + - assets/kong/kong-2.33.3.tgz + version: 2.33.3 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Kong Gateway @@ -38555,6 +39691,33 @@ entries: - assets/avesha/kubeslice-worker-0.4.5.tgz version: 0.4.5 kuma: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Kuma + catalog.cattle.io/namespace: kuma-system + catalog.cattle.io/release-name: kuma + apiVersion: v2 + appVersion: 2.5.1 + created: "2024-01-12T17:06:51.951852115Z" + description: A Helm chart for the Kuma Control Plane + digest: 76b9a1eb848521031616ee20012547df61da0090d97fecce1dffc1c84c9d3e52 + home: https://github.com/kumahq/kuma + icon: https://kuma.io/assets/images/brand/kuma-logo-new.svg + keywords: + - service mesh + - control plane + maintainers: + - email: austin.cawley@gmail.com + name: austince + - email: jakub.dyszkiewicz@konghq.com + name: jakubdyszkiewicz + - email: nikolay.nikolaev@konghq.com + name: nickolaev + name: kuma + type: application + urls: + - assets/kuma/kuma-2.5.1.tgz + version: 2.5.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Kuma 
@@ -39077,15 +40240,46 @@ entries: catalog.cattle.io/kube-version: '>=1.21.0-0' catalog.cattle.io/release-name: linkerd-control-plane apiVersion: v2 - appVersion: stable-2.14.5 - created: "2023-11-24T18:52:25.107762565Z" + appVersion: stable-2.14.8 + created: "2024-01-12T17:07:17.106562491Z" dependencies: - name: partials repository: file://./charts/partials version: 0.1.0 description: 'Linkerd gives you observability, reliability, and security for your microservices — with no code change required. ' - digest: b424b610494ac23114d98094e494a3a86ad91feacdf92f878d838a45cb014761 + digest: 23c8fe3057b9b607ec3b833dbad4a5db45a64ebe73332332217cf690a6799c7c + home: https://linkerd.io + icon: https://linkerd.io/images/logo-only-200h.png + keywords: + - service-mesh + kubeVersion: '>=1.21.0-0' + maintainers: + - email: cncf-linkerd-dev@lists.cncf.io + name: Linkerd authors + url: https://linkerd.io/ + name: linkerd-control-plane + sources: + - https://github.com/linkerd/linkerd2/ + type: application + urls: + - assets/linkerd/linkerd-control-plane-1.16.9.tgz + version: 1.16.9 + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Linkerd Control Plane + catalog.cattle.io/kube-version: '>=1.21.0-0' + catalog.cattle.io/release-name: linkerd-control-plane + apiVersion: v2 + appVersion: stable-2.14.5 + created: "2024-01-12T17:06:51.965366328Z" + dependencies: + - name: partials + repository: file://./charts/partials + version: 0.1.0 + description: 'Linkerd gives you observability, reliability, and security for your + microservices — with no code change required. ' + digest: f89c8fff6861b691de527236336c7612ffba78474bdef226bbe0c6df21735e64 home: https://linkerd.io icon: https://linkerd.io/images/logo-only-200h.png keywords: 
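Review bot: The linkerd-control-plane entry that still carries `appVersion: stable-2.14.5` ends up with a different `digest` (`b424b610494a…` before, `f89c8fff6861…` after) and a new `created` timestamp, so an already published chart archive appears to have been repackaged. Anyone who pinned or mirrored that release by digest will now see a mismatch. The index alone cannot show whether the chart contents changed or only the packaging metadata did. I would diff the old and new archive for that version and record the reason in the commit description; if the contents are identical, keeping the original archive and digest avoids the churn. The entry's `version:` line lies outside this hunk, so the affected release number should be confirmed there.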
@@ -39924,6 +41118,50 @@ entries: - assets/elastic/logstash-7.17.3.tgz version: 7.17.3 mariadb: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: MariaDB + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: mariadb + category: Database + images: | + - name: mariadb + image: docker.io/bitnami/mariadb:11.2.2-debian-11-r1 + - name: mysqld-exporter + image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r0 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r92 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 11.2.2 + created: "2024-01-12T17:06:11.518760648Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: MariaDB is an open source, community-developed SQL database server + that is widely in use around the world due to its enterprise features, flexibility, + and collaboration with leading tech firms. + digest: be4a8bb488dbd01f72134a0b121da51acb2f1fa390c39dfb60a8ea3d21d81173 + home: https://bitnami.com + icon: https://mariadb.com/wp-content/uploads/2019/11/mariadb-logo-vert_black-transparent.png + keywords: + - mariadb + - mysql + - database + - sql + - prometheus + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: mariadb + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/mariadb + urls: + - assets/bitnami/mariadb-15.0.1.tgz + version: 15.0.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: MariaDB 
@@ -42271,6 +43509,50 @@ entries: - assets/minio/minio-operator-4.4.1700.tgz version: 4.4.1700 mysql: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: MySQL + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: mysql + category: Database + images: | + - name: mysql + image: docker.io/bitnami/mysql:8.0.35-debian-11-r2 + - name: mysqld-exporter + image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r0 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r93 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 8.0.35 + created: "2024-01-12T17:06:11.586905304Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: MySQL is a fast, reliable, scalable, and easy to use open source + relational database system. Designed to handle mission-critical, heavy-load + production applications. + digest: b2e140070f553d46ad0e4d136b3dedd1f56948b1caea4649f50bc585c2ed7311 + home: https://bitnami.com + icon: https://www.mysql.com/common/logos/logo-mysql-170x115.png + keywords: + - mysql + - database + - sql + - cluster + - high availability + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: mysql + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/mysql + urls: + - assets/bitnami/mysql-9.16.1.tgz + version: 9.16.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: MySQL 
@@ -43735,6 +45017,31 @@ entries: - assets/bitnami/mysql-9.4.1.tgz version: 9.4.1 nats: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NATS Server + catalog.cattle.io/kube-version: '>=1.16-0' + catalog.cattle.io/release-name: nats + apiVersion: v2 + appVersion: 2.10.7 + created: "2024-01-12T17:07:17.196992652Z" + description: A Helm chart for the NATS.io High Speed Cloud Native Distributed + Communications Technology. + digest: c91508a57af4d4b4188733b8aa8d4c84fbb013900f82d3179f32d09025a9d85b + home: http://github.com/nats-io/k8s + icon: https://nats.io/img/nats-icon-color.png + keywords: + - nats + - messaging + - cncf + maintainers: + - email: info@nats.io + name: The NATS Authors + url: https://github.com/nats-io + name: nats + urls: + - assets/nats/nats-1.1.6.tgz + version: 1.1.6 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: NATS Server 
@@ -44514,6 +45821,32 @@ entries: - assets/nats/nats-0.10.0.tgz version: 0.10.0 nginx-ingress: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NGINX Ingress Controller + catalog.cattle.io/kube-version: '>= 1.22.0-0' + catalog.cattle.io/release-name: nginx-ingress + apiVersion: v2 + appVersion: 3.4.0 + created: "2024-01-12T17:06:14.42883303Z" + description: NGINX Ingress Controller + digest: 125e356d6bfcdc8356d2fe9331cc9588b9a1d397c94a33502930cf8a83ea3c48 + home: https://github.com/nginxinc/kubernetes-ingress + icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.0/charts/nginx-ingress/chart-icon.png + keywords: + - ingress + - nginx + kubeVersion: '>= 1.22.0-0' + maintainers: + - email: kubernetes@nginx.com + name: nginxinc + name: nginx-ingress + sources: + - https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/charts/nginx-ingress + type: application + urls: + - assets/f5/nginx-ingress-1.1.0.tgz + version: 1.1.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: NGINX Ingress Controller 
@@ -45095,6 +46428,88 @@ entries: - assets/f5/nginx-service-mesh-0.2.100.tgz version: 0.2.100 nri-bundle: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: New Relic + catalog.cattle.io/release-name: nri-bundle + apiVersion: v2 + created: "2024-01-12T17:07:17.635907947Z" + dependencies: + - condition: infrastructure.enabled,newrelic-infrastructure.enabled + name: newrelic-infrastructure + repository: file://./charts/newrelic-infrastructure + version: 3.29.0 + - condition: prometheus.enabled,nri-prometheus.enabled + name: nri-prometheus + repository: file://./charts/nri-prometheus + version: 2.1.17 + - condition: newrelic-prometheus-agent.enabled + name: newrelic-prometheus-agent + repository: file://./charts/newrelic-prometheus-agent + version: 1.8.2 + - condition: webhook.enabled,nri-metadata-injection.enabled + name: nri-metadata-injection + repository: file://./charts/nri-metadata-injection + version: 4.15.2 + - condition: metrics-adapter.enabled,newrelic-k8s-metrics-adapter.enabled + name: newrelic-k8s-metrics-adapter + repository: file://./charts/newrelic-k8s-metrics-adapter + version: 1.8.1 + - condition: ksm.enabled,kube-state-metrics.enabled + name: kube-state-metrics + repository: file://./charts/kube-state-metrics + version: 5.12.1 + - condition: kubeEvents.enabled,nri-kube-events.enabled + name: nri-kube-events + repository: file://./charts/nri-kube-events + version: 3.7.2 + - condition: logging.enabled,newrelic-logging.enabled + name: newrelic-logging + repository: file://./charts/newrelic-logging + version: 1.19.0 + - condition: newrelic-pixie.enabled + name: newrelic-pixie + repository: file://./charts/newrelic-pixie + version: 2.1.2 + - alias: pixie-chart + condition: pixie-chart.enabled + name: pixie-operator-chart + repository: file://./charts/pixie-operator-chart + version: 0.1.4 + - condition: newrelic-infra-operator.enabled + name: newrelic-infra-operator + repository: 
file://./charts/newrelic-infra-operator + version: 2.8.1 + description: Groups together the individual charts for the New Relic Kubernetes + solution for a more comfortable deployment. + digest: c8de7501e2875cb08457ceb061b253b7785db48aef045f53b68b06e1bacbc204 + home: https://github.com/newrelic/helm-charts + icon: https://newrelic.com/themes/custom/erno/assets/mediakit/new_relic_logo_vertical.svg + keywords: + - infrastructure + - newrelic + - monitoring + maintainers: + - name: juanjjaramillo + url: https://github.com/juanjjaramillo + - name: csongnr + url: https://github.com/csongnr + name: nri-bundle + sources: + - https://github.com/newrelic/nri-bundle/ + - https://github.com/newrelic/nri-bundle/tree/master/charts/nri-bundle + - https://github.com/newrelic/nri-kubernetes/tree/master/charts/newrelic-infrastructure + - https://github.com/newrelic/nri-prometheus/tree/master/charts/nri-prometheus + - https://github.com/newrelic/newrelic-prometheus-configurator/tree/master/charts/newrelic-prometheus-agent + - https://github.com/newrelic/k8s-metadata-injection/tree/master/charts/nri-metadata-injection + - https://github.com/newrelic/newrelic-k8s-metrics-adapter/tree/master/charts/newrelic-k8s-metrics-adapter + - https://github.com/newrelic/nri-kube-events/tree/master/charts/nri-kube-events + - https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-logging + - https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-pixie + - https://github.com/newrelic/newrelic-infra-operator/tree/master/charts/newrelic-infra-operator + urls: + - assets/new-relic/nri-bundle-5.0.58.tgz + version: 5.0.58 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: New Relic 
@@ -47859,6 +49274,46 @@ entries: - assets/newrelic/nri-bundle-4.3.200.tgz version: 4.3.200 nutanix-csi-snapshot: + - annotations: + artifacthub.io/changes: | + - Update Snapshot Controller to v6.3.2 + artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/displayName: Nutanix CSI Snapshot + artifacthub.io/links: | + - name: Kubernetes CSI Developer Documentation + url: https://kubernetes-csi.github.io/docs/ + artifacthub.io/maintainers: | + - name: Nutanix Cloud Native Team + email: cloudnative@nutanix.com + artifacthub.io/recommendations: | + - url: https://artifacthub.io/packages/helm/nutanix/nutanix-csi-storage + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Nutanix CSI Snapshot + catalog.cattle.io/kube-version: '>= 1.20.0-0' + catalog.cattle.io/release-name: nutanix-csi-snapshot + apiVersion: v2 + appVersion: 6.3.2 + created: "2024-01-12T17:07:17.708511734Z" + description: Snapshot components required for CSI snapshotting and not specific + to any CSI driver + digest: 3206e5984a125d55d2ae3d54428470d82256dcbd127f9f93a9d34644ed4d930b + home: https://github.com/nutanix/helm + icon: https://avatars2.githubusercontent.com/u/6165865?s=200&v=4 + keywords: + - Nutanix + - Storage + - Snapshot + - SnapshotClass + - CSI + kubeVersion: '>= 1.20.0-0' + maintainers: + - email: cloudnative@nutanix.com + name: nutanix-cloud-native-bot + name: nutanix-csi-snapshot + type: application + urls: + - assets/nutanix/nutanix-csi-snapshot-6.3.2.tgz + version: 6.3.2 - annotations: artifacthub.io/changes: | - Update Snapshot Controller version 
@@ -48019,6 +49474,49 @@ entries: - assets/nutanix/nutanix-csi-snapshot-1.0.0.tgz version: 1.0.0 nutanix-csi-storage: + - annotations: + artifacthub.io/changes: | + - Update Nutanix CSI driver to v2.6.6 + - Update CSI Sidecar version + artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/displayName: Nutanix CSI Storage + artifacthub.io/links: | + - name: Nutanix CSI Driver documentation + url: https://portal.nutanix.com/page/documents/details?targetId=CSI-Volume-Driver-v2_6:CSI-Volume-Driver-v2_6 + artifacthub.io/maintainers: | + - name: Nutanix Cloud Native Team + email: cloudnative@nutanix.com + artifacthub.io/recommendations: | + - url: https://artifacthub.io/packages/helm/nutanix/nutanix-csi-snapshot + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Nutanix CSI Storage + catalog.cattle.io/kube-version: '>= 1.20.0-0' + catalog.cattle.io/release-name: nutanix-csi-storage + apiVersion: v1 + appVersion: 2.6.6 + created: "2024-01-12T17:07:17.721143017Z" + description: Nutanix Container Storage Interface (CSI) Driver + digest: 51b203a9f9b411b54abb4d1ee015c4bdc79b666350f802cd550438badc938891 + home: https://github.com/nutanix/helm + icon: https://avatars2.githubusercontent.com/u/6165865?s=200&v=4 + keywords: + - Nutanix + - Storage + - Volumes + - Files + - StorageClass + - RedHat + - CentOS + - Ubuntu + - CSI + kubeVersion: '>= 1.20.0-0' + maintainers: + - email: cloudnative@nutanix.com + name: nutanix-cloud-native-bot + name: nutanix-csi-storage + urls: + - assets/nutanix/nutanix-csi-storage-2.6.6.tgz + version: 2.6.6 - annotations: artifacthub.io/changes: | - Update Nutanix CSI driver to v2.6.4 
@@ -48582,6 +50080,71 @@ entries: - assets/ondat/ondat-operator-0.5.200.tgz version: 0.5.200 openebs: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: OpenEBS + catalog.cattle.io/release-name: openebs + apiVersion: v2 + appVersion: 3.10.0 + created: "2024-01-12T17:07:17.791251127Z" + dependencies: + - condition: openebs-ndm.enabled + name: openebs-ndm + repository: file://./charts/openebs-ndm + version: 2.1.0 + - condition: localpv-provisioner.enabled + name: localpv-provisioner + repository: file://./charts/localpv-provisioner + version: 3.5.0 + - condition: cstor.enabled + name: cstor + repository: file://./charts/cstor + version: 3.6.0 + - condition: jiva.enabled + name: jiva + repository: file://./charts/jiva + version: 3.6.0 + - condition: zfs-localpv.enabled + name: zfs-localpv + repository: file://./charts/zfs-localpv + version: 2.4.0 + - condition: lvm-localpv.enabled + name: lvm-localpv + repository: file://./charts/lvm-localpv + version: 1.4.0 + - condition: nfs-provisioner.enabled + name: nfs-provisioner + repository: file://./charts/nfs-provisioner + version: 0.11.0 + - condition: mayastor.enabled + name: mayastor + repository: file://./charts/mayastor + version: 2.5.0 + description: Containerized Attached Storage for Kubernetes + digest: c2be564fe9fdabdd201e1dc28b21af81b59af7804bdfa45edd028d983e048f9b + home: http://www.openebs.io/ + icon: https://raw.githubusercontent.com/cncf/artwork/HEAD/projects/openebs/icon/color/openebs-icon-color.png + keywords: + - cloud-native-storage + - block-storage + - local-storage + - iSCSI + - NVMe + - storage + - kubernetes + maintainers: + - email: kiran.mova@mayadata.io + name: kmova + - email: prateek.pandey@mayadata.io + name: prateekpandey14 + - email: shovan.maity@mayadata.io + name: shovanmaity + name: openebs + sources: + - https://github.com/openebs/openebs + urls: + - assets/openebs/openebs-3.10.0.tgz + version: 3.10.0 - annotations: catalog.cattle.io/certified: 
partner catalog.cattle.io/display-name: OpenEBS @@ -49412,6 +50975,25 @@ entries: - assets/pixie/pixie-operator-chart-0.0.2501.tgz version: 0.0.2501 polaris: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Fairwinds Polaris + catalog.cattle.io/kube-version: '>= 1.22.0-0' + catalog.cattle.io/release-name: polaris + apiVersion: v1 + appVersion: "8.5" + created: "2024-01-12T17:06:14.451823702Z" + description: Validation of best practices in your Kubernetes clusters + digest: 61438bd7beabef6dafd080e34962a493a10a944c776ed5d6be648e9189e95e56 + icon: https://polaris.docs.fairwinds.com/img/polaris-logo.png + kubeVersion: '>= 1.22.0-0' + maintainers: + - email: robertb@fairwinds.com + name: rbren + name: polaris + urls: + - assets/fairwinds/polaris-5.17.0.tgz + version: 5.17.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Fairwinds Polaris 
@@ -49954,6 +51536,51 @@ entries: - assets/portworx/portworx-essentials-2.9.100.tgz version: 2.9.100 postgresql: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: PostgreSQL + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: postgresql + category: Database + images: | + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r93 + - name: postgres-exporter + image: docker.io/bitnami/postgres-exporter:0.15.0-debian-11-r5 + - name: postgresql + image: docker.io/bitnami/postgresql:16.1.0-debian-11-r19 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 16.1.0 + created: "2024-01-12T17:06:11.880081374Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: PostgreSQL (Postgres) is an open source object-relational database + known for reliability and data integrity. ACID-compliant, it supports foreign + keys, joins, views, triggers and stored procedures. + digest: c51168ddf6f4c856dbaee16a46b1aa92028a10781064b638252a256d304805a2 + home: https://bitnami.com + icon: https://wiki.postgresql.org/images/a/a4/PostgreSQL_logo.3colors.svg + keywords: + - postgresql + - postgres + - database + - sql + - replication + - cluster + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: postgresql + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/postgresql + urls: + - assets/bitnami/postgresql-13.2.29.tgz + version: 13.2.29 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: PostgreSQL 
@@ -52775,6 +54402,28 @@ entries: - assets/bitnami/postgresql-11.9.12.tgz version: 11.9.12 psmdb-db: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Percona Server for MongoDB + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: psmdb-db + apiVersion: v2 + appVersion: 1.15.0 + created: "2024-01-12T17:07:18.000749518Z" + description: A Helm chart for installing Percona Server MongoDB Cluster Databases + using the PSMDB Operator. + digest: ec624b4136fb937e3ab90a2f050f4444f8082d79735c10a41c22bd3407c01664 + home: https://www.percona.com/doc/kubernetes-operator-for-psmongodb/index.html + icon: https://raw.githubusercontent.com/percona/percona-server-mongodb-operator/main/operator.png + maintainers: + - email: tomislav.plavcic@percona.com + name: tplavcic + - email: natalia.marukovich@percona.com + name: nmarukovich + name: psmdb-db + urls: + - assets/percona/psmdb-db-1.15.1.tgz + version: 1.15.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Percona Server for MongoDB 
@@ -53114,6 +54763,30 @@ entries: - assets/percona/psmdb-operator-1.13.1.tgz version: 1.13.1 pxc-db: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Percona XtraDB Cluster + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: pxc-db + apiVersion: v2 + appVersion: 1.13.0 + created: "2024-01-12T17:07:18.030342817Z" + description: A Helm chart for installing Percona XtraDB Cluster Databases using + the PXC Operator. + digest: 15cc2cfe69e8956c17d44562864f281599b03696118746d52a5879ab57184e19 + home: https://www.percona.com/doc/kubernetes-operator-for-pxc/kubernetes.html + icon: https://raw.githubusercontent.com/percona/percona-xtradb-cluster-operator/main/operator.png + maintainers: + - email: tomislav.plavcic@percona.com + name: tplavcic + - email: sergey.pronin@percona.com + name: spron-in + - email: natalia.marukovich@percona.com + name: nmarukovich + name: pxc-db + urls: + - assets/percona/pxc-db-1.13.4.tgz + version: 1.13.4 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Percona XtraDB Cluster 
@@ -53583,6 +55256,50 @@ entries: - assets/quobyte/quobyte-cluster-0.1.5.tgz version: 0.1.5 redis: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redis + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: redis + category: Database + images: | + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r93 + - name: redis-exporter + image: docker.io/bitnami/redis-exporter:1.56.0-debian-11-r0 + - name: redis-sentinel + image: docker.io/bitnami/redis-sentinel:7.2.4-debian-11-r0 + - name: redis + image: docker.io/bitnami/redis:7.2.4-debian-11-r0 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 7.2.4 + created: "2024-01-12T17:06:12.19377139Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Redis(R) is an open source, advanced key-value store. It is often + referred to as a data structure server since keys can contain strings, hashes, + lists, sets and sorted sets. + digest: 9582ba778da9b92f6742d641cbf715d7ebef5619c1b77dc7e576d65cd51c2cc4 + home: https://bitnami.com + icon: https://redis.com/wp-content/uploads/2021/08/redis-logo.png + keywords: + - redis + - keyvalue + - database + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: redis + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/redis + urls: + - assets/bitnami/redis-18.6.3.tgz + version: 18.6.3 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Redis 
@@ -55991,6 +57708,50 @@ entries: - assets/bitnami/redis-17.3.7.tgz version: 17.3.7 redpanda: + - annotations: + artifacthub.io/images: | + - name: redpanda + image: docker.redpanda.com/redpandadata/redpanda:v23.3.1 + - name: busybox + image: busybox:latest + - name: mintel/docker-alpine-bash-curl-jq + image: mintel/docker-alpine-bash-curl-jq:latest + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.8.0)" + url: https://helm.sh/docs/intro/install/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redpanda + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: redpanda + apiVersion: v2 + appVersion: v23.3.1 + created: "2024-01-12T17:07:18.454686982Z" + dependencies: + - condition: console.enabled + name: console + repository: file://./charts/console + version: '>=0.5 <1.0' + - condition: connectors.enabled + name: connectors + repository: file://./charts/connectors + version: '>=0.1.2 <1.0' + description: Redpanda is the real-time engine for modern apps. + digest: 285fbc56f535fc0dc782fc0de7a898fd4309a42bb3e8dcbf471dbe1a58c25d52 + icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg + kubeVersion: '>=1.21-0' + maintainers: + - name: redpanda-data + url: https://github.com/orgs/redpanda-data/people + name: redpanda + sources: + - https://github.com/redpanda-data/helm-charts + type: application + urls: + - assets/redpanda/redpanda-5.7.7.tgz + version: 5.7.7 - annotations: artifacthub.io/images: | - name: redpanda 
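Review bot: In the new redpanda 5.7.7 entry, the `artifacthub.io/images` annotation declares `busybox:latest` and `mintel/docker-alpine-bash-curl-jq:latest`, so two of the three listed images are mutable tags. The `digest` field covers only the chart archive, which means whatever those tags resolve to at install time is not fixed by anything in this index. The index looks generated from the chart metadata, so the change belongs in the chart itself: pin each helper image to a version tag or an image digest, e.g. `image: busybox:<version>@sha256:<digest>` (placeholder values), and regenerate. The older entry at the end of the hunk begins with the same annotation, so this is probably pre-existing rather than new in 5.7.7.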
@@ -60889,6 +62650,43 @@ entries: - assets/shipa/shipa-1.4.0.tgz version: 1.4.0 spark: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Spark + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: spark + category: Infrastructure + images: | + - name: spark + image: docker.io/bitnami/spark:3.5.0-debian-11-r17 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 3.5.0 + created: "2024-01-12T17:06:12.292895912Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Spark is a high-performance engine for large-scale computing + tasks, such as data processing, machine learning and real-time data streaming. + It includes APIs for Java, Python, Scala and R. + digest: 83591cc43cfc0f3dffd416c551c462b9543b821e7e4116d9f88c151f995ef06a + home: https://bitnami.com + icon: https://www.apache.org/logos/res/spark/default.png + keywords: + - apache + - spark + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: spark + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/spark + urls: + - assets/bitnami/spark-8.1.8.tgz + version: 8.1.8 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Spark 
@@ -62265,6 +64063,37 @@ entries: - assets/bitnami/spark-6.3.8.tgz version: 6.3.8 speedscale-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Speedscale Operator + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: speedscale-operator + apiVersion: v1 + appVersion: 2.0.4 + created: "2024-01-12T17:07:18.539697751Z" + description: Stress test your APIs with real world scenarios. Collect and replay + traffic without scripting. + digest: 108629bb4875c45dcd52caa7bc2c797177e7bbcb45f2f7ef40d33e111509e4dc + home: https://speedscale.com + icon: https://raw.githubusercontent.com/speedscale/assets/main/logo/gold_logo_only.png + keywords: + - speedscale + - test + - testing + - regression + - reliability + - load + - replay + - network + - traffic + kubeVersion: '>= 1.17.0-0' + maintainers: + - email: support@speedscale.com + name: Speedscale Support + name: speedscale-operator + urls: + - assets/speedscale/speedscale-operator-2.0.2.tgz + version: 2.0.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Speedscale Operator 
@@ -64464,6 +66293,34 @@ entries: - assets/speedscale/speedscale-operator-0.9.12600.tgz version: 0.9.12600 stackstate-k8s-agent: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: StackState Agent + catalog.cattle.io/kube-version: '>=1.19.0-0' + catalog.cattle.io/release-name: stackstate-k8s-agent + apiVersion: v2 + appVersion: 2.19.1 + created: "2024-01-12T17:07:18.557480555Z" + dependencies: + - alias: httpHeaderInjectorWebhook + name: http-header-injector + repository: file://./charts/http-header-injector + version: 0.0.8 + description: Helm chart for the StackState Agent. + digest: ff8b8c85a91d42f12fb910c066982246b56d0f23c3839c682decd2d75fdf644b + home: https://github.com/StackVista/stackstate-agent + icon: https://raw.githubusercontent.com/StackVista/helm-charts/master/stable/stackstate-k8s-agent/logo.svg + keywords: + - monitoring + - observability + - stackstate + maintainers: + - email: ops@stackstate.com + name: Stackstate + name: stackstate-k8s-agent + urls: + - assets/stackstate/stackstate-k8s-agent-1.0.66.tgz + version: 1.0.66 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: StackState Agent 
@@ -64814,6 +66671,32 @@ entries: - assets/sumologic/sumologic-2.17.0.tgz version: 2.17.0 sysdig: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Sysdig + catalog.cattle.io/release-name: sysdig + apiVersion: v1 + appVersion: 12.17.1 + created: "2024-01-12T17:07:18.797195002Z" + deprecated: true + description: Sysdig Monitor and Secure agent + digest: be04d09670c9cb6eb5cff6c7744910ba6c7e1d2ba6edc17ea0fb26530f7708e1 + home: https://www.sysdig.com/ + icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4 + keywords: + - monitoring + - security + - alerting + - metric + - troubleshooting + - run-time + name: sysdig + sources: + - https://app.sysdigcloud.com/#/settings/user + - https://github.com/draios/sysdig + urls: + - assets/sysdig/sysdig-1.16.24.tgz + version: 1.16.24 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Sysdig 
@@ -66477,6 +68360,51 @@ entries: - assets/intel/tcs-issuer-0.1.0.tgz version: 0.1.0 tomcat: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Tomcat + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: tomcat + category: ApplicationServer + images: | + - name: jmx-exporter + image: docker.io/bitnami/jmx-exporter:0.20.0-debian-11-r3 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r93 + - name: tomcat + image: docker.io/bitnami/tomcat:10.1.18-debian-11-r0 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 10.1.18 + created: "2024-01-12T17:06:12.317445747Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Tomcat is an open-source web server designed to host and run + Java-based web applications. It is a lightweight server with a good performance + for applications running in production environments. + digest: b9067d247732fa0046a1e07bf17704e421c9ad07818baba7f6109f3d82da8761 + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/tomcat.svg + keywords: + - tomcat + - java + - http + - web + - application server + - jsp + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: tomcat + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/tomcat + urls: + - assets/bitnami/tomcat-10.11.11.tgz + version: 10.11.11 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Tomcat 
@@ -68310,6 +70238,50 @@ entries: - assets/bitnami/tomcat-10.4.9.tgz version: 10.4.9 traefik: + - annotations: + artifacthub.io/changes: "- \"fix: \U0001F41B improve confusing suggested value + on openTelemetry.grpc\"\n- \"fix: \U0001F41B declare http3 udp port, with + or without hostport\"\n- \"feat: \U0001F4A5 deployment.podannotations support + interpolation with tpl\"\n- \"feat: allow update of namespace policy for websecure + listener\"\n- \"feat: allow defining startupProbe\"\n- \"feat: add file provider\"\n- + \"feat: :boom: unify plugin import between traefik and this chart\"\n- \"chore(release): + \U0001F680 publish v26\"\n- \"chore(deps): update traefik docker tag to v2.10.6\"\n- + \"Release namespace for Prometheus Operator resources\"\n" + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Traefik Proxy + catalog.cattle.io/kube-version: '>=1.16.0-0' + catalog.cattle.io/release-name: traefik + apiVersion: v2 + appVersion: v2.10.6 + created: "2024-01-12T17:07:18.87572802Z" + description: A Traefik based Kubernetes ingress controller + digest: 1992c8cd1d2a78909207d1aafdbcea3ac6156981df1b81e0ef01efff660487cb + home: https://traefik.io/ + icon: https://raw.githubusercontent.com/traefik/traefik/v2.3/docs/content/assets/img/traefik.logo.png + keywords: + - traefik + - ingress + - networking + kubeVersion: '>=1.16.0-0' + maintainers: + - email: emile@vauge.com + name: emilevauge + - email: daniel.tomcej@gmail.com + name: dtomcej + - email: ldez@traefik.io + name: ldez + - email: michel.loiseleur@traefik.io + name: mloiseleur + - email: charlie.haley@traefik.io + name: charlie-haley + name: traefik + sources: + - https://github.com/traefik/traefik + - https://github.com/traefik/traefik-helm-chart + type: application + urls: + - assets/traefik/traefik-26.0.0.tgz + version: 26.0.0 - annotations: artifacthub.io/changes: "- \"feat: ✨ add healthcheck ingressRoute\"\n- \"feat: :boom: support http redirections and http challenges with 
cert-manager\"\n- @@ -69360,6 +71332,33 @@ entries: - assets/triggermesh/triggermesh-0.3.401.tgz version: 0.3.401 vals-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Vals-Operator + catalog.cattle.io/kube-version: '>= 1.19.0-0' + catalog.cattle.io/release-name: vals-operator + apiVersion: v2 + appVersion: v0.7.8 + created: "2024-01-12T17:06:14.278281175Z" + description: 'This helm chart installs the Digitalis Vals Operator to manage and + sync secrets from supported backends into Kubernetes. ## About Vals-Operator + Here at [Digitalis](https://digitalis.io) we love [vals](https://github.com/helmfile/vals), + it''s a tool we use daily to keep secrets stored securely. Inspired by this + tool, we have created an operator to manage Kubernetes secrets. *vals-operator* + syncs secrets from any secrets store supported by [vals](https://github.com/helmfile/vals) + into Kubernetes. Also, `vals-operator` supports database secrets as provider + by [HashiCorp Vault Secret Engine](https://developer.hashicorp.com/vault/docs/secrets/databases). ' + digest: 39f9b822179ece069077167a5c37f79e97c54a796adfa40f486b419b119a174c + icon: https://digitalis.io/wp-content/uploads/2020/06/cropped-Digitalis-512x512-Blue_Digitalis-512x512-Blue-32x32.png + kubeVersion: '>= 1.19.0-0' + maintainers: + - email: info@digitalis.io + name: Digitalis.IO + name: vals-operator + type: application + urls: + - assets/digitalis/vals-operator-0.7.8.tgz + version: 0.7.8 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Vals-Operator 
@@ -69932,6 +71931,60 @@ entries: - assets/hashicorp/vault-0.22.0.tgz version: 0.22.0 wordpress: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: WordPress + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: wordpress + category: CMS + images: | + - name: apache-exporter + image: docker.io/bitnami/apache-exporter:1.0.5-debian-11-r1 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r93 + - name: wordpress + image: docker.io/bitnami/wordpress:6.4.2-debian-11-r12 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 6.4.2 + created: "2024-01-12T17:06:13.189681038Z" + dependencies: + - condition: memcached.enabled + name: memcached + repository: file://./charts/memcached + version: 6.x.x + - condition: mariadb.enabled + name: mariadb + repository: file://./charts/mariadb + version: 15.x.x + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: WordPress is the world's most popular blogging and content management + platform. Powerful yet simple, everyone from students to global corporations + use it to build beautiful, functional websites. + digest: ad6cf00df4b9749894b503db8148e9c69d5be0cdc176fb9446da85ec7a1b3025 + home: https://bitnami.com + icon: https://s.w.org/style/images/about/WordPress-logotype-simplified.png + keywords: + - application + - blog + - cms + - http + - php + - web + - wordpress + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: wordpress + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/wordpress + urls: + - assets/bitnami/wordpress-19.0.5.tgz + version: 19.0.5 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: WordPress 
@@ -74793,6 +76846,32 @@ entries: - assets/bitnami/wordpress-15.2.6.tgz version: 15.2.6 yugabyte: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: YugabyteDB + catalog.cattle.io/kube-version: '>=1.18-0' + catalog.cattle.io/release-name: yugabyte + charts.openshift.io/name: yugabyte + apiVersion: v2 + appVersion: 2.18.5.1-b1 + created: "2024-01-12T17:07:19.201472059Z" + description: YugabyteDB is the high-performance distributed SQL database for building + global, internet-scale apps. + digest: 51c25b21bd8f0d4273b14c8417347310a52193112176ab7fc37afbf404bcdf06 + home: https://www.yugabyte.com + icon: https://avatars0.githubusercontent.com/u/17074854?s=200&v=4 + kubeVersion: '>=1.18-0' + maintainers: + - email: sanketh@yugabyte.com + name: Sanketh Indarapu + - email: gjalla@yugabyte.com + name: Govardhan Reddy Jalla + name: yugabyte + sources: + - https://github.com/yugabyte/yugabyte-db + urls: + - assets/yugabyte/yugabyte-2.18.5.tgz + version: 2.18.5 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: YugabyteDB 
@@ -75440,6 +77519,32 @@ entries: - assets/yugabyte/yugabyte-2.14.3.tgz version: 2.14.3 yugaware: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: YugabyteDB Anywhere + catalog.cattle.io/kube-version: '>=1.18-0' + catalog.cattle.io/release-name: yugaware + charts.openshift.io/name: yugaware + apiVersion: v2 + appVersion: 2.18.5.1-b1 + created: "2024-01-12T17:07:19.238415641Z" + description: YugabyteDB Anywhere provides deployment, orchestration, and monitoring + for managing YugabyteDB clusters. YugabyteDB Anywhere can create a YugabyteDB + cluster with multiple pods provided by Kubernetes or OpenShift and logically + grouped together to form one logical distributed database. + digest: edd235776ea920f5807c280f73e591cbb79491a4e09fb0132c52b841ef74ad78 + home: https://www.yugabyte.com + icon: https://avatars0.githubusercontent.com/u/17074854?s=200&v=4 + kubeVersion: '>=1.18-0' + maintainers: + - email: sanketh@yugabyte.com + name: Sanketh Indarapu + - email: gjalla@yugabyte.com + name: Govardhan Reddy Jalla + name: yugaware + urls: + - assets/yugabyte/yugaware-2.18.5.tgz + version: 2.18.5 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: YugabyteDB Anywhere 
@@ -76060,6 +78165,43 @@ entries: - assets/netfoundry/ziti-host-1.5.1.tgz version: 1.5.1 zookeeper: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Zookeeper + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: zookeeper + category: Infrastructure + images: | + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r93 + - name: zookeeper + image: docker.io/bitnami/zookeeper:3.9.1-debian-11-r5 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 3.9.1 + created: "2024-01-12T17:06:13.275758991Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache ZooKeeper provides a reliable, centralized register of configuration + data and services for distributed applications. + digest: e1c4cba5b954dc3b87dbc7d2e9b2af23eb31b3bcc5d13bb76b22699d192e4d5d + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/zookeeper.svg + keywords: + - zookeeper + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: zookeeper + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/zookeeper + urls: + - assets/bitnami/zookeeper-12.4.4.tgz + version: 12.4.4 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Zookeeper