diff --git a/assets/argo/argo-cd-5.43.2.tgz b/assets/argo/argo-cd-5.43.2.tgz
index 3fe51576c..f5c4b6e53 100644
Binary files a/assets/argo/argo-cd-5.43.2.tgz and b/assets/argo/argo-cd-5.43.2.tgz differ
diff --git a/assets/argo/argo-cd-5.43.3.tgz b/assets/argo/argo-cd-5.43.3.tgz
new file mode 100644
index 000000000..5bdf12ab4
Binary files /dev/null and b/assets/argo/argo-cd-5.43.3.tgz differ
diff --git a/assets/asserts/asserts-1.52.0.tgz b/assets/asserts/asserts-1.52.0.tgz
new file mode 100644
index 000000000..07589b63a
Binary files /dev/null and b/assets/asserts/asserts-1.52.0.tgz differ
diff --git a/assets/bitnami/kafka-24.0.10.tgz b/assets/bitnami/kafka-24.0.10.tgz
new file mode 100644
index 000000000..189b7d182
Binary files /dev/null and b/assets/bitnami/kafka-24.0.10.tgz differ
diff --git a/assets/bitnami/mariadb-13.0.2.tgz b/assets/bitnami/mariadb-13.0.2.tgz
new file mode 100644
index 000000000..8ba9ec2f7
Binary files /dev/null and b/assets/bitnami/mariadb-13.0.2.tgz differ
diff --git a/assets/bitnami/postgresql-12.8.2.tgz b/assets/bitnami/postgresql-12.8.2.tgz
new file mode 100644
index 000000000..df752f077
Binary files /dev/null and b/assets/bitnami/postgresql-12.8.2.tgz differ
diff --git a/assets/bitnami/redis-17.15.2.tgz b/assets/bitnami/redis-17.15.2.tgz
new file mode 100644
index 000000000..59549e093
Binary files /dev/null and b/assets/bitnami/redis-17.15.2.tgz differ
diff --git a/assets/crate/crate-operator-2.30.2.tgz b/assets/crate/crate-operator-2.30.2.tgz
new file mode 100644
index 000000000..66d5d54d4
Binary files /dev/null and b/assets/crate/crate-operator-2.30.2.tgz differ
diff --git a/assets/datadog/datadog-3.33.8.tgz b/assets/datadog/datadog-3.33.8.tgz
new file mode 100644
index 000000000..b16b7853a
Binary files /dev/null and b/assets/datadog/datadog-3.33.8.tgz differ
diff --git a/assets/fairwinds/polaris-5.12.1.tgz b/assets/fairwinds/polaris-5.12.1.tgz
new file mode 100644
index 000000000..841e98ab7
Binary files /dev/null and b/assets/fairwinds/polaris-5.12.1.tgz differ
diff --git a/assets/haproxy/haproxy-1.32.3.tgz b/assets/haproxy/haproxy-1.32.3.tgz
new file mode 100644
index 000000000..8b0f8bb88
Binary files /dev/null and b/assets/haproxy/haproxy-1.32.3.tgz differ
diff --git a/assets/hashicorp/consul-1.2.1.tgz b/assets/hashicorp/consul-1.2.1.tgz
new file mode 100644
index 000000000..5f239d9a7
Binary files /dev/null and b/assets/hashicorp/consul-1.2.1.tgz differ
diff --git a/assets/jfrog/artifactory-ha-107.63.11.tgz b/assets/jfrog/artifactory-ha-107.63.11.tgz
new file mode 100644
index 000000000..4f10767f0
Binary files /dev/null and b/assets/jfrog/artifactory-ha-107.63.11.tgz differ
diff --git a/assets/jfrog/artifactory-jcr-107.63.11.tgz b/assets/jfrog/artifactory-jcr-107.63.11.tgz
new file mode 100644
index 000000000..1e22adf99
Binary files /dev/null and b/assets/jfrog/artifactory-jcr-107.63.11.tgz differ
diff --git a/assets/kong/kong-2.26.0.tgz b/assets/kong/kong-2.26.0.tgz
new file mode 100644
index 000000000..4a785cf8c
Binary files /dev/null and b/assets/kong/kong-2.26.0.tgz differ
diff --git a/assets/linkerd/linkerd-control-plane-1.12.5.tgz b/assets/linkerd/linkerd-control-plane-1.12.5.tgz
index 943a7f2ba..f44f47a8b 100644
Binary files a/assets/linkerd/linkerd-control-plane-1.12.5.tgz and b/assets/linkerd/linkerd-control-plane-1.12.5.tgz differ
diff --git a/assets/linkerd/linkerd-control-plane-1.12.6.tgz b/assets/linkerd/linkerd-control-plane-1.12.6.tgz
new file mode 100644
index 000000000..38170f789
Binary files /dev/null and b/assets/linkerd/linkerd-control-plane-1.12.6.tgz differ
diff --git a/assets/loft/loft-3.2.2.tgz b/assets/loft/loft-3.2.2.tgz
new file mode 100644
index 000000000..d6518bde9
Binary files /dev/null and b/assets/loft/loft-3.2.2.tgz differ
diff --git a/assets/redpanda/redpanda-5.1.2.tgz b/assets/redpanda/redpanda-5.1.2.tgz new file mode 100644 index 000000000..31e27e6e7 Binary files /dev/null and b/assets/redpanda/redpanda-5.1.2.tgz differ diff --git a/assets/traefik/traefik-24.0.0.tgz b/assets/traefik/traefik-24.0.0.tgz new file mode 100644 index 000000000..d0bf4f8a6 Binary files /dev/null and b/assets/traefik/traefik-24.0.0.tgz differ diff --git a/charts/argo/argo-cd/Chart.yaml b/charts/argo/argo-cd/Chart.yaml index 0533d3c7c..2c50fa183 100644 --- a/charts/argo/argo-cd/Chart.yaml +++ b/charts/argo/argo-cd/Chart.yaml @@ -1,9 +1,7 @@ annotations: artifacthub.io/changes: | - - kind: changed - description: Renamed applicationSet.replicaCount to replicas - - kind: deprecated - description: Option applicationSet.replicaCount + - kind: fixed + description: add missing permissions to run actions artifacthub.io/signKey: | fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 url: https://argoproj.github.io/argo-helm/pgp_keys.asc @@ -35,4 +33,4 @@ name: argo-cd sources: - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd - https://github.com/argoproj/argo-cd -version: 5.43.2 +version: 5.43.3 diff --git a/charts/argo/argo-cd/templates/argocd-server/clusterrole.yaml b/charts/argo/argo-cd/templates/argocd-server/clusterrole.yaml index 0f26d4707..3d2c44b55 100644 --- a/charts/argo/argo-cd/templates/argocd-server/clusterrole.yaml +++ b/charts/argo/argo-cd/templates/argocd-server/clusterrole.yaml @@ -45,4 +45,16 @@ rules: - list - update - watch + - apiGroups: + - batch + resources: + - jobs + verbs: + - create + - apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - create {{- end }} diff --git a/charts/asserts/asserts/Chart.yaml b/charts/asserts/asserts/Chart.yaml index cf3065e46..b13b182fb 100644 --- a/charts/asserts/asserts/Chart.yaml +++ b/charts/asserts/asserts/Chart.yaml 
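Review bot: The two rules added to the argocd-server ClusterRole grant `create` on `batch/jobs` and `argoproj.io/workflows` in every namespace, which is a wider grant than the changelog entry "add missing permissions to run actions" conveys. A Job created in a namespace can run under any service account of that namespace, so the reach of whoever may trigger resource actions through the server grows with this upgrade; access to the `action` resource in Argo CD RBAC should be reviewed alongside it. I would add a comment above the rules, e.g. `# Needed by resource actions that create Jobs/Workflows; cluster-wide, so restrict who may run actions in Argo CD RBAC`. The enclosing `{{- if ... }}` block starts outside the hunk, so whether these rules can be switched off is not visible here.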
@@ -58,4 +58,4 @@ maintainers: url: https://github.com/asserts name: asserts type: application -version: 1.51.0 +version: 1.52.0 diff --git a/charts/asserts/asserts/templates/server/configmap.yaml b/charts/asserts/asserts/templates/server/configmap.yaml index 3661b3aa4..7a291f00f 100644 --- a/charts/asserts/asserts/templates/server/configmap.yaml +++ b/charts/asserts/asserts/templates/server/configmap.yaml @@ -363,6 +363,7 @@ data: prometheus: alertmanager: + remote_validation: false template: url: http://asserts-server.{{ .Release.Namespace }}.svc.cluster.local:8030/api-server/v4/prometheus-alerts?tenant={{ "{{ tenantId }}" }} client: @@ -396,7 +397,7 @@ data: tenant_mode: multi-tenant deployment_mode: multi-tenant-single-instance enabled: {{ .Values.server.awsExporterEnabled | default "false"}} - + hekate: enable: false diff --git a/charts/bitnami/kafka/Chart.yaml b/charts/bitnami/kafka/Chart.yaml index d81afb4fe..94803b998 100644 --- a/charts/bitnami/kafka/Chart.yaml +++ b/charts/bitnami/kafka/Chart.yaml @@ -45,4 +45,4 @@ maintainers: name: kafka sources: - https://github.com/bitnami/charts/tree/main/bitnami/kafka -version: 24.0.8 +version: 24.0.10 diff --git a/charts/bitnami/kafka/README.md b/charts/bitnami/kafka/README.md index 3728a352e..2872345fd 100644 --- a/charts/bitnami/kafka/README.md +++ b/charts/bitnami/kafka/README.md 
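Review bot: `remote_validation: false` is added next to `alertmanager:` in the server ConfigMap with no comment and no values switch, so the template does not say which check is being turned off or why. If it skips validating alert configuration against the remote Alertmanager (inferred from the key name only), bad input would be accepted silently. A one-line comment such as `# remote validation disabled because <reason>` plus a values key to re-enable it would make the trade-off reviewable. The surrounding `data:` block starts and ends outside the hunk.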
@@ -239,6 +239,7 @@ The command removes all the Kubernetes components associated with the chart and | `controller.podManagementPolicy` | StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: OrderedReady and Parallel | `Parallel` | | `controller.priorityClassName` | Name of the existing priority class to be used by kafka pods | `""` | | `controller.runtimeClassName` | Name of the runtime class to be used by pod(s) | `""` | +| `controller.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | | `controller.schedulerName` | Name of the k8s scheduler (other than default) | `""` | | `controller.updateStrategy.type` | Kafka statefulset strategy type | `RollingUpdate` | | `controller.extraVolumes` | Optionally specify extra list of additional volumes for the Kafka pod(s) | `[]` | @@ -334,6 +335,7 @@ The command removes all the Kubernetes components associated with the chart and | `broker.podManagementPolicy` | StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: OrderedReady and Parallel | `Parallel` | | `broker.priorityClassName` | Name of the existing priority class to be used by kafka pods | `""` | | `broker.runtimeClassName` | Name of the runtime class to be used by pod(s) | `""` | +| `broker.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | | `broker.schedulerName` | Name of the k8s scheduler (other than default) | `""` | | `broker.updateStrategy.type` | Kafka statefulset strategy type | `RollingUpdate` | | `broker.extraVolumes` | Optionally specify extra list of additional volumes for the Kafka pod(s) | `[]` | 
@@ -499,6 +501,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.kafka.nodeSelector` | Node labels for pod assignment | `{}` | | `metrics.kafka.tolerations` | Tolerations for pod assignment | `[]` | | `metrics.kafka.schedulerName` | Name of the k8s scheduler (other than default) for Kafka exporter | `""` | +| `metrics.kafka.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | | `metrics.kafka.priorityClassName` | Kafka exporter pods' priorityClassName | `""` | | `metrics.kafka.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | | `metrics.kafka.extraVolumes` | Optionally specify extra list of additional volumes for the Kafka exporter pod(s) | `[]` | @@ -602,6 +605,7 @@ The command removes all the Kubernetes components associated with the chart and | `provisioning.containerSecurityContext.readOnlyRootFilesystem` | Set Kafka provisioning containers' Security Context readOnlyRootFilesystem | `true` | | `provisioning.containerSecurityContext.capabilities.drop` | Set Kafka provisioning containers' Security Context capabilities to be dropped | `["ALL"]` | | `provisioning.schedulerName` | Name of the k8s scheduler (other than default) for kafka provisioning | `""` | +| `provisioning.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | | `provisioning.extraVolumes` | Optionally specify extra list of additional volumes for the Kafka provisioning pod(s) | `[]` | | `provisioning.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Kafka provisioning container(s) | `[]` | | `provisioning.sidecars` | Add additional sidecar containers to the Kafka provisioning pod(s) | `[]` | diff --git a/charts/bitnami/kafka/templates/broker/statefulset.yaml b/charts/bitnami/kafka/templates/broker/statefulset.yaml index 0ae0c7663..17beca3a8 100644 
--- a/charts/bitnami/kafka/templates/broker/statefulset.yaml +++ b/charts/bitnami/kafka/templates/broker/statefulset.yaml @@ -92,6 +92,7 @@ spec: securityContext: {{- omit .Values.broker.podSecurityContext "enabled" | toYaml | nindent 8 }} {{- end }} serviceAccountName: {{ include "kafka.serviceAccountName" . }} + enableServiceLinks: {{ .Values.broker.enableServiceLinks }} initContainers: {{- if and .Values.volumePermissions.enabled .Values.broker.persistence.enabled }} - name: volume-permissions diff --git a/charts/bitnami/kafka/templates/controller-eligible/statefulset.yaml b/charts/bitnami/kafka/templates/controller-eligible/statefulset.yaml index 425cc0074..f4a29b46f 100644 --- a/charts/bitnami/kafka/templates/controller-eligible/statefulset.yaml +++ b/charts/bitnami/kafka/templates/controller-eligible/statefulset.yaml @@ -92,6 +92,7 @@ spec: securityContext: {{- omit .Values.controller.podSecurityContext "enabled" | toYaml | nindent 8 }} {{- end }} serviceAccountName: {{ include "kafka.serviceAccountName" . }} + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} initContainers: {{- if and .Values.volumePermissions.enabled .Values.controller.persistence.enabled }} - name: volume-permissions diff --git a/charts/bitnami/kafka/templates/metrics/deployment.yaml b/charts/bitnami/kafka/templates/metrics/deployment.yaml index 33c298e10..51497c5ab 100644 --- a/charts/bitnami/kafka/templates/metrics/deployment.yaml +++ b/charts/bitnami/kafka/templates/metrics/deployment.yaml @@ -69,6 +69,7 @@ spec: securityContext: {{- omit .Values.metrics.kafka.podSecurityContext "enabled" | toYaml | nindent 8 }} {{- end }} serviceAccountName: {{ template "kafka.metrics.kafka.serviceAccountName" . }} + enableServiceLinks: {{ .Values.metrics.kafka.enableServiceLinks }} {{- if .Values.metrics.kafka.initContainers }} initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.kafka.initContainers "context" $) | nindent 8 }} {{- end }} 
diff --git a/charts/bitnami/kafka/templates/provisioning/job.yaml b/charts/bitnami/kafka/templates/provisioning/job.yaml index 70f5f1baf..29a268d7a 100644 --- a/charts/bitnami/kafka/templates/provisioning/job.yaml +++ b/charts/bitnami/kafka/templates/provisioning/job.yaml @@ -34,6 +34,7 @@ spec: {{- end }} spec: serviceAccountName: {{ template "kafka.provisioning.serviceAccountName" . }} + enableServiceLinks: {{ .Values.provisioning.enableServiceLinks }} {{- include "kafka.imagePullSecrets" . | nindent 6 }} {{- if .Values.provisioning.schedulerName }} schedulerName: {{ .Values.provisioning.schedulerName | quote }} @@ -102,7 +103,7 @@ spec: - | echo "Configuring environment" . /opt/bitnami/scripts/libkafka.sh - export CLIENT_CONF="${CLIENT_CONF:-/opt/bitnami/kafka/config/client.properties}" + export CLIENT_CONF="${CLIENT_CONF:-/tmp/client.properties}" if [ ! -f "$CLIENT_CONF" ]; then touch $CLIENT_CONF @@ -242,6 +243,8 @@ spec: readOnly: true {{- end }} {{- end }} + - name: tmp + mountPath: /tmp {{- if .Values.provisioning.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.provisioning.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} @@ -262,6 +265,8 @@ spec: defaultMode: 256 {{- end }} {{- end }} + - name: tmp + emptyDir: {} {{- if .Values.provisioning.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.provisioning.extraVolumes "context" $) | nindent 8 }} {{- end }} diff --git a/charts/bitnami/kafka/values.yaml b/charts/bitnami/kafka/values.yaml index 2f731cf4c..8453aa00c 100644 --- a/charts/bitnami/kafka/values.yaml +++ b/charts/bitnami/kafka/values.yaml 
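Review bot: The fixed volume name `tmp` and mount path `/tmp` added to the provisioning Job are rendered immediately before `provisioning.extraVolumes` and `provisioning.extraVolumeMounts`, so a release that already supplies its own `tmp` volume or `/tmp` mount there will now render a duplicate and the Job will be rejected on upgrade. A chart-specific name such as `- name: provisioning-tmp` in both hunks avoids the collision. Separately, `CLIENT_CONF` now lands in this volume; if the script outside the hunk writes credentials into it, `emptyDir: {medium: Memory}` would keep the file off the node's disk, and `touch $CLIENT_CONF` in the context line should be quoted as `touch "$CLIENT_CONF"`.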
@@ -637,6 +637,11 @@ controller: ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ ## runtimeClassName: "" + ## @param controller.enableServiceLinks Whether information about services should be injected into pod's environment variable + ## The environment variables injected by service links are not used, but can lead to slow kafka boot times or slow running of the scripts when there are many services in the current namespace. + ## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`. + ## + enableServiceLinks: true ## @param controller.schedulerName Name of the k8s scheduler (other than default) ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ## @@ -1002,6 +1007,11 @@ broker: ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ ## runtimeClassName: "" + ## @param broker.enableServiceLinks Whether information about services should be injected into pod's environment variable + ## The environment variables injected by service links are not used, but can lead to slow kafka boot times or slow running of the scripts when there are many services in the current namespace. + ## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`. + ## + enableServiceLinks: true ## @param broker.schedulerName Name of the k8s scheduler (other than default) ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ## 
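Review bot: The new `enableServiceLinks: true` default keeps Kubernetes injecting host and port variables for every Service in the namespace into the Kafka pods, even though the added comment states the chart does not use them. The comment only mentions startup time; I would add a line such as `## Setting this to false also keeps details of unrelated Services in the namespace out of the pod environment.` so operators see the exposure side as well. The same applies to the `broker` hunk on this line and to the `metrics.kafka` and `provisioning` hunks that follow.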
@@ -1722,6 +1732,11 @@ metrics: ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ## schedulerName: "" + ## @param metrics.kafka.enableServiceLinks Whether information about services should be injected into pod's environment variable + ## The environment variables injected by service links are not used, but can lead to slow kafka boot times or slow running of the scripts when there are many services in the current namespace. + ## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`. + ## + enableServiceLinks: true ## @param metrics.kafka.priorityClassName Kafka exporter pods' priorityClassName ## priorityClassName: "" @@ -2187,6 +2202,11 @@ provisioning: ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ## schedulerName: "" + ## @param provisioning.enableServiceLinks Whether information about services should be injected into pod's environment variable + ## The environment variables injected by service links are not used, but can lead to slow kafka boot times or slow running of the scripts when there are many services in the current namespace. + ## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`. + ## + enableServiceLinks: true ## @param provisioning.extraVolumes Optionally specify extra list of additional volumes for the Kafka provisioning pod(s) ## e.g: ## extraVolumes: diff --git a/charts/bitnami/mariadb/Chart.lock b/charts/bitnami/mariadb/Chart.lock index 6afd81ec1..5d6bd06d4 100644 --- a/charts/bitnami/mariadb/Chart.lock +++ b/charts/bitnami/mariadb/Chart.lock 
@@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.6.0 -digest: sha256:6ce7c85dcb43ad1fc5ff600850f28820ddc2f1a7c8cb25c5ff542fe1f852165a -generated: "2023-07-06T21:34:41.934329163Z" + version: 2.8.0 +digest: sha256:0119fce6b509ebf3eaf5218f87f6ec0af64ec7da15f272115673b0716c4b6919 +generated: "2023-08-11T09:32:02.90916554Z" diff --git a/charts/bitnami/mariadb/Chart.yaml b/charts/bitnami/mariadb/Chart.yaml index 0d77d42e5..ca15ac6ec 100644 --- a/charts/bitnami/mariadb/Chart.yaml +++ b/charts/bitnami/mariadb/Chart.yaml @@ -4,6 +4,13 @@ annotations: catalog.cattle.io/kube-version: '>=1.19-0' catalog.cattle.io/release-name: mariadb category: Database + images: | + - name: mariadb + image: docker.io/bitnami/mariadb:11.0.2-debian-11-r15 + - name: mysqld-exporter + image: docker.io/bitnami/mysqld-exporter:0.15.0-debian-11-r14 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r34 licenses: Apache-2.0 apiVersion: v2 appVersion: 11.0.2 @@ -30,4 +37,4 @@ maintainers: name: mariadb sources: - https://github.com/bitnami/charts/tree/main/bitnami/mariadb -version: 13.0.1 +version: 13.0.2 diff --git a/charts/bitnami/mariadb/README.md b/charts/bitnami/mariadb/README.md index 6e8c4c1aa..bd8a0732f 100644 --- a/charts/bitnami/mariadb/README.md +++ b/charts/bitnami/mariadb/README.md 
@@ -82,28 +82,28 @@ The command removes all the Kubernetes components associated with the chart and ### MariaDB common parameters -| Name | Description | Value | -| -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- | -| `image.registry` | MariaDB image registry | `docker.io` | -| `image.repository` | MariaDB image repository | `bitnami/mariadb` | -| `image.tag` | MariaDB image tag (immutable tags are recommended) | `11.0.2-debian-11-r2` | -| `image.digest` | MariaDB image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `image.pullPolicy` | MariaDB image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `image.debug` | Specify if debug logs should be enabled | `false` | -| `architecture` | MariaDB architecture (`standalone` or `replication`) | `standalone` | -| `auth.rootPassword` | Password for the `root` user. Ignored if existing secret is provided. | `""` | -| `auth.database` | Name for a custom database to create | `my_database` | -| `auth.username` | Name for a custom user to create | `""` | -| `auth.password` | Password for the new user. Ignored if existing secret is provided | `""` | -| `auth.replicationUser` | MariaDB replication user | `replicator` | -| `auth.replicationPassword` | MariaDB replication user password. Ignored if existing secret is provided | `""` | -| `auth.existingSecret` | Use existing secret for password details (`auth.rootPassword`, `auth.password`, `auth.replicationPassword` will be ignored and picked up from this secret). 
The secret has to contain the keys `mariadb-root-password`, `mariadb-replication-password` and `mariadb-password` | `""` | -| `auth.forcePassword` | Force users to specify required passwords | `false` | -| `auth.usePasswordFiles` | Mount credentials as files instead of using environment variables | `false` | -| `auth.customPasswordFiles` | Use custom password files when `auth.usePasswordFiles` is set to `true`. Define path for keys `root` and `user`, also define `replicator` if `architecture` is set to `replication` | `{}` | -| `initdbScripts` | Dictionary of initdb scripts | `{}` | -| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) | `""` | +| Name | Description | Value | +| -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | +| `image.registry` | MariaDB image registry | `docker.io` | +| `image.repository` | MariaDB image repository | `bitnami/mariadb` | +| `image.tag` | MariaDB image tag (immutable tags are recommended) | `11.0.2-debian-11-r15` | +| `image.digest` | MariaDB image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | MariaDB image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `image.debug` | Specify if debug logs should be enabled | `false` | +| `architecture` | MariaDB architecture (`standalone` or `replication`) | `standalone` | +| `auth.rootPassword` | Password for the `root` user. Ignored if existing secret is provided. 
| `""` | +| `auth.database` | Name for a custom database to create | `my_database` | +| `auth.username` | Name for a custom user to create | `""` | +| `auth.password` | Password for the new user. Ignored if existing secret is provided | `""` | +| `auth.replicationUser` | MariaDB replication user | `replicator` | +| `auth.replicationPassword` | MariaDB replication user password. Ignored if existing secret is provided | `""` | +| `auth.existingSecret` | Use existing secret for password details (`auth.rootPassword`, `auth.password`, `auth.replicationPassword` will be ignored and picked up from this secret). The secret has to contain the keys `mariadb-root-password`, `mariadb-replication-password` and `mariadb-password` | `""` | +| `auth.forcePassword` | Force users to specify required passwords | `false` | +| `auth.usePasswordFiles` | Mount credentials as files instead of using environment variables | `false` | +| `auth.customPasswordFiles` | Use custom password files when `auth.usePasswordFiles` is set to `true`. Define path for keys `root` and `user`, also define `replicator` if `architecture` is set to `replication` | `{}` | +| `initdbScripts` | Dictionary of initdb scripts | `{}` | +| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) | `""` | ### MariaDB Primary parameters 
@@ -308,7 +308,7 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` | | `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | | `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/os-shell` | -| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r22` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r34` | | `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | | `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | @@ -322,7 +322,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.enabled` | Start a side-car prometheus exporter | `false` | | `metrics.image.registry` | Exporter image registry | `docker.io` | | `metrics.image.repository` | Exporter image repository | `bitnami/mysqld-exporter` | -| `metrics.image.tag` | Exporter image tag (immutable tags are recommended) | `0.15.0-debian-11-r5` | +| `metrics.image.tag` | Exporter image tag (immutable tags are recommended) | `0.15.0-debian-11-r14` | | `metrics.image.digest` | Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `metrics.image.pullPolicy` | Exporter image pull policy | `IfNotPresent` | | `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | 
@@ -561,4 +561,4 @@ Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and -limitations under the License. +limitations under the License. \ No newline at end of file diff --git a/charts/bitnami/mariadb/charts/common/Chart.yaml b/charts/bitnami/mariadb/charts/common/Chart.yaml index 191699db1..ae71747b6 100644 --- a/charts/bitnami/mariadb/charts/common/Chart.yaml +++ b/charts/bitnami/mariadb/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.6.0 +appVersion: 2.8.0 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.6.0 +version: 2.8.0 diff --git a/charts/bitnami/mariadb/values.yaml b/charts/bitnami/mariadb/values.yaml index 398f67280..edc58c99c 100644 --- a/charts/bitnami/mariadb/values.yaml +++ b/charts/bitnami/mariadb/values.yaml @@ -90,7 +90,7 @@ serviceBindings: image: registry: docker.io repository: bitnami/mariadb - tag: 11.0.2-debian-11-r2 + tag: 11.0.2-debian-11-r15 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1004,7 +1004,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r22 + tag: 11-debian-11-r34 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) 
@@ -1040,7 +1040,7 @@ metrics: image: registry: docker.io repository: bitnami/mysqld-exporter - tag: 0.15.0-debian-11-r5 + tag: 0.15.0-debian-11-r14 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) diff --git a/charts/bitnami/postgresql/Chart.yaml b/charts/bitnami/postgresql/Chart.yaml index 95bc6dcda..7ba563776 100644 --- a/charts/bitnami/postgresql/Chart.yaml +++ b/charts/bitnami/postgresql/Chart.yaml @@ -6,14 +6,14 @@ annotations: category: Database images: | - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r31 + image: docker.io/bitnami/os-shell:11-debian-11-r34 - name: postgres-exporter - image: docker.io/bitnami/postgres-exporter:0.13.2-debian-11-r12 + image: docker.io/bitnami/postgres-exporter:0.13.2-debian-11-r15 - name: postgresql - image: docker.io/bitnami/postgresql:15.3.0-debian-11-r85 + image: docker.io/bitnami/postgresql:15.4.0-debian-11-r0 licenses: Apache-2.0 apiVersion: v2 -appVersion: 15.3.0 +appVersion: 15.4.0 dependencies: - name: common repository: file://./charts/common @@ -38,4 +38,4 @@ maintainers: name: postgresql sources: - https://github.com/bitnami/charts/tree/main/bitnami/postgresql -version: 12.8.1 +version: 12.8.2 diff --git a/charts/bitnami/postgresql/README.md b/charts/bitnami/postgresql/README.md index 6c3b276f8..31c0232ae 100644 --- a/charts/bitnami/postgresql/README.md +++ b/charts/bitnami/postgresql/README.md 
@@ -100,7 +100,7 @@ kubectl delete pvc -l release=my-release | ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | | `image.registry` | PostgreSQL image registry | `docker.io` | | `image.repository` | PostgreSQL image repository | `bitnami/postgresql` | -| `image.tag` | PostgreSQL image tag (immutable tags are recommended) | `15.3.0-debian-11-r85` | +| `image.tag` | PostgreSQL image tag (immutable tags are recommended) | `15.4.0-debian-11-r0` | | `image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `image.pullPolicy` | PostgreSQL image pull policy | `IfNotPresent` | | `image.pullSecrets` | Specify image pull secrets | `[]` | 
@@ -419,7 +419,7 @@ kubectl delete pvc -l release=my-release | `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | | `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | | `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/os-shell` | -| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r31` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r34` | | `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | | `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | @@ -450,7 +450,7 @@ kubectl delete pvc -l release=my-release | `metrics.enabled` | Start a prometheus exporter | `false` | | `metrics.image.registry` | PostgreSQL Prometheus Exporter image registry | `docker.io` | | `metrics.image.repository` | PostgreSQL Prometheus Exporter image repository | `bitnami/postgres-exporter` | -| `metrics.image.tag` | PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) | `0.13.2-debian-11-r12` | +| `metrics.image.tag` | PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) | `0.13.2-debian-11-r15` | | `metrics.image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `metrics.image.pullPolicy` | PostgreSQL Prometheus Exporter image pull policy | `IfNotPresent` | | `metrics.image.pullSecrets` | Specify image pull secrets | `[]` | 
diff --git a/charts/bitnami/postgresql/values.yaml b/charts/bitnami/postgresql/values.yaml index 7e6717f5e..beb77e576 100644 --- a/charts/bitnami/postgresql/values.yaml +++ b/charts/bitnami/postgresql/values.yaml @@ -98,7 +98,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/postgresql - tag: 15.3.0-debian-11-r85 + tag: 15.4.0-debian-11-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1260,7 +1260,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r31 + tag: 11-debian-11-r34 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1361,7 +1361,7 @@ metrics: image: registry: docker.io repository: bitnami/postgres-exporter - tag: 0.13.2-debian-11-r12 + tag: 0.13.2-debian-11-r15 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/bitnami/redis/Chart.yaml b/charts/bitnami/redis/Chart.yaml index 4e3e001e7..b7e5e50ef 100644 --- a/charts/bitnami/redis/Chart.yaml +++ b/charts/bitnami/redis/Chart.yaml @@ -28,4 +28,4 @@ maintainers: name: redis sources: - https://github.com/bitnami/charts/tree/main/bitnami/redis -version: 17.15.0 +version: 17.15.2 diff --git a/charts/bitnami/redis/README.md b/charts/bitnami/redis/README.md index 0e43d41fb..beedae248 100644 --- a/charts/bitnami/redis/README.md +++ b/charts/bitnami/redis/README.md 
@@ -353,7 +353,7 @@ The command removes all the Kubernetes components associated with the chart and | `sentinel.annotations` | Additional custom annotations for Redis® Sentinel resource | `{}` | | `sentinel.masterSet` | Master set name | `mymaster` | | `sentinel.quorum` | Sentinel Quorum | `2` | -| `sentinel.getMasterTimeout` | Amount of time to allow before get_sentinel_master_info() times out. | `200` | +| `sentinel.getMasterTimeout` | Amount of time to allow before get_sentinel_master_info() times out. | `99` | | `sentinel.automateClusterRecovery` | Automate cluster recovery in cases where the last replica is not considered a good replica and Sentinel won't automatically failover to it. | `false` | | `sentinel.redisShutdownWaitFailover` | Whether the Redis® master container waits for the failover at shutdown (in addition to the Redis® Sentinel container). | `true` | | `sentinel.downAfterMilliseconds` | Timeout for detecting a Redis® node is down | `60000` | diff --git a/charts/bitnami/redis/templates/scripts-configmap.yaml b/charts/bitnami/redis/templates/scripts-configmap.yaml index f401b0afc..a7d2f4f4c 100644 --- a/charts/bitnami/redis/templates/scripts-configmap.yaml +++ b/charts/bitnami/redis/templates/scripts-configmap.yaml @@ -701,6 +701,7 @@ data: } REDISPORT=$(get_port "$HOSTNAME" "REDIS") + HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" diff --git a/charts/bitnami/redis/values.yaml b/charts/bitnami/redis/values.yaml index ed62b66fc..273908b8e 100644 --- a/charts/bitnami/redis/values.yaml +++ b/charts/bitnami/redis/values.yaml 
@@ -1059,7 +1059,7 @@ sentinel: quorum: 2 ## @param sentinel.getMasterTimeout Amount of time to allow before get_sentinel_master_info() times out. ## - getMasterTimeout: 200 + getMasterTimeout: 99 ## @param sentinel.automateClusterRecovery Automate cluster recovery in cases where the last replica is not considered a good replica and Sentinel won't automatically failover to it. ## This also prevents any new replica from starting until the last remaining replica is elected as master to guarantee that it is the one to be elected by Sentinel, and not a newly started replica with no data. ## NOTE: This feature requires a "downAfterMilliseconds" value less or equal to 2000. diff --git a/charts/crate/crate-operator/Chart.lock b/charts/crate/crate-operator/Chart.lock index 89eff1701..682f9366c 100644 --- a/charts/crate/crate-operator/Chart.lock +++ b/charts/crate/crate-operator/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: crate-operator-crds repository: file://../crate-operator-crds - version: 2.30.1 -digest: sha256:4b03b4e1aeac6bfe810e859306af8b07f6093af0cce29ac1b92415917318ecff -generated: "2023-07-06T10:31:25.043287027Z" + version: 2.30.2 +digest: sha256:5b8b40b7c1c3c068df6806a2325b21d4f0b93b69df3387be6bc20092936d153a +generated: "2023-08-10T11:24:24.32953244Z" diff --git a/charts/crate/crate-operator/Chart.yaml b/charts/crate/crate-operator/Chart.yaml index 5bef0b76f..85586deed 100644 --- a/charts/crate/crate-operator/Chart.yaml +++ b/charts/crate/crate-operator/Chart.yaml 
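Review bot: The `## @param sentinel.getMasterTimeout` comment in the redis values.yaml hunk gives no unit, and the default drops from `200` to `99` with nothing in the hunk explaining why. An operator tuning Sentinel failover cannot tell from this text what the number bounds or whether the lower value is safe on a slow cluster. I would add the unit to the description, confirmed against the script that consumes the value (not visible in this hunk), and state the reason for the new default in the chart's release notes. The README table row in the redis README hunk carries the same description and needs the same wording.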
@@ -3,16 +3,16 @@ annotations: catalog.cattle.io/display-name: CrateDB Operator catalog.cattle.io/release-name: crate-operator apiVersion: v2 -appVersion: 2.30.1 +appVersion: 2.30.2 dependencies: - condition: crate-operator-crds.enabled name: crate-operator-crds repository: file://./charts/crate-operator-crds - version: 2.30.1 + version: 2.30.2 description: Crate Operator - Helm chart for installing and upgrading Crate Operator. icon: https://raw.githubusercontent.com/crate/crate/master/docs/_static/crate-logo.svg maintainers: - name: Crate.io name: crate-operator type: application -version: 2.30.1 +version: 2.30.2 diff --git a/charts/crate/crate-operator/charts/crate-operator-crds/Chart.yaml b/charts/crate/crate-operator/charts/crate-operator-crds/Chart.yaml index 0dea51f12..fe4414b27 100644 --- a/charts/crate/crate-operator/charts/crate-operator-crds/Chart.yaml +++ b/charts/crate/crate-operator/charts/crate-operator-crds/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v2 -appVersion: 2.30.1 +appVersion: 2.30.2 description: Crate Operator CRDs - Helm chart for installing and upgrading Custom Resource Definitions (CRDs) for the Crate Operator. maintainers: - name: Crate.io name: crate-operator-crds type: application -version: 2.30.1 +version: 2.30.2 diff --git a/charts/datadog/datadog/CHANGELOG.md b/charts/datadog/datadog/CHANGELOG.md index 80231a666..578ffd5d0 100644 --- a/charts/datadog/datadog/CHANGELOG.md +++ b/charts/datadog/datadog/CHANGELOG.md @@ -1,5 +1,9 @@ # Datadog changelog +## 3.33.8 + +* Remove `mountPropagation` for `/etc/os-release` files. + ## 3.33.7 * Add additional intakes into `CiliumNetworkPolicy` for node Agent and Cluster Check Runner for profiling, network monitoring, dbm, and remote config diff --git a/charts/datadog/datadog/Chart.yaml b/charts/datadog/datadog/Chart.yaml index 7eef633ef..653398fcb 100644 --- a/charts/datadog/datadog/Chart.yaml +++ b/charts/datadog/datadog/Chart.yaml 
@@ -19,4 +19,4 @@ name: datadog sources: - https://app.datadoghq.com/account/settings#agent/kubernetes - https://github.com/DataDog/datadog-agent -version: 3.33.7 +version: 3.33.8 diff --git a/charts/datadog/datadog/README.md b/charts/datadog/datadog/README.md index c2e1218e2..e4f27a176 100644 --- a/charts/datadog/datadog/README.md +++ b/charts/datadog/datadog/README.md @@ -1,6 +1,6 @@ # Datadog -![Version: 3.33.7](https://img.shields.io/badge/Version-3.33.7-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) +![Version: 3.33.8](https://img.shields.io/badge/Version-3.33.8-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/). diff --git a/charts/datadog/datadog/templates/_container-host-release-volumemounts.yaml b/charts/datadog/datadog/templates/_container-host-release-volumemounts.yaml index 4746557bc..7e3ad1ac4 100644 --- a/charts/datadog/datadog/templates/_container-host-release-volumemounts.yaml +++ b/charts/datadog/datadog/templates/_container-host-release-volumemounts.yaml 
@@ -2,12 +2,10 @@ {{- if eq (include "should-enable-system-probe" .) "true" }} - name: os-release-file mountPath: /host{{ .Values.datadog.systemProbe.osReleasePath | default .Values.datadog.osReleasePath }} - mountPropagation: {{ .Values.datadog.hostVolumeMountPropagation }} readOnly: true {{- else if not .Values.providers.gke.autopilot}} - name: os-release-file mountPath: /host{{ .Values.datadog.osReleasePath }} - mountPropagation: {{ .Values.datadog.hostVolumeMountPropagation }} readOnly: true {{- end }} {{- end }} diff --git a/charts/fairwinds/polaris/Chart.yaml b/charts/fairwinds/polaris/Chart.yaml index 9b4654089..bac4f18a1 100644 --- a/charts/fairwinds/polaris/Chart.yaml +++ b/charts/fairwinds/polaris/Chart.yaml @@ -12,4 +12,4 @@ maintainers: - email: robertb@fairwinds.com name: rbren name: polaris -version: 5.12.0 +version: 5.12.1 diff --git a/charts/fairwinds/polaris/README.md b/charts/fairwinds/polaris/README.md index a2fbbf533..5e9ed0452 100644 --- a/charts/fairwinds/polaris/README.md +++ b/charts/fairwinds/polaris/README.md 
@@ -37,7 +37,7 @@ the 0.10.0 version of this chart will only work on kubernetes 1.14.0+ |-----|------|---------|-------------| | config | string | `nil` | The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. | | configUrl | string | `nil` | Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used. configUrl: https://example.com/config.yaml | -| additionExemptions | string | `nil` | List of additional exemptions to append to the exemptions given in `config` | +| additionalExemptions | string | `nil` | List of additional exemptions to append to the exemptions given in `config` | | image.repository | string | `"quay.io/fairwinds/polaris"` | Image repo | | image.tag | string | `""` | The Polaris Image tag to use. Defaults to the Chart's AppVersion | | image.pullPolicy | string | `"Always"` | Image pull policy | diff --git a/charts/fairwinds/polaris/values.yaml b/charts/fairwinds/polaris/values.yaml index f86788d2f..024462a6f 100644 --- a/charts/fairwinds/polaris/values.yaml +++ b/charts/fairwinds/polaris/values.yaml @@ -5,8 +5,8 @@ config: null # configUrl: https://example.com/config.yaml configUrl: null -# additionExemptions -- List of additional exemptions to append to the exemptions given in `config` -additionExemptions: null +# additionalExemptions -- List of additional exemptions to append to the exemptions given in `config` +additionalExemptions: null image: diff --git a/charts/haproxy/haproxy/Chart.yaml b/charts/haproxy/haproxy/Chart.yaml index 085468a92..8f723e2f3 100644 --- a/charts/haproxy/haproxy/Chart.yaml +++ b/charts/haproxy/haproxy/Chart.yaml 
@@ -1,12 +1,12 @@ annotations: artifacthub.io/changes: | - - Use Ingress Controller 1.10.5 version for base image + - Use Ingress Controller 1.10.6 version for base image catalog.cattle.io/certified: partner catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller catalog.cattle.io/kube-version: '>=1.22.0-0' catalog.cattle.io/release-name: haproxy apiVersion: v2 -appVersion: 1.10.5 +appVersion: 1.10.6 description: A Helm chart for HAProxy Kubernetes Ingress Controller home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png @@ -21,4 +21,4 @@ name: haproxy sources: - https://github.com/haproxytech/kubernetes-ingress type: application -version: 1.32.2 +version: 1.32.3 diff --git a/charts/hashicorp/consul/Chart.yaml b/charts/hashicorp/consul/Chart.yaml index 7946adaf8..ea481efea 100644 --- a/charts/hashicorp/consul/Chart.yaml +++ b/charts/hashicorp/consul/Chart.yaml @@ -1,13 +1,13 @@ annotations: artifacthub.io/images: | - name: consul - image: hashicorp/consul:1.16.0 + image: hashicorp/consul:1.16.1 - name: consul-k8s-control-plane - image: hashicorp/consul-k8s-control-plane:1.2.0 + image: hashicorp/consul-k8s-control-plane:1.2.1 - name: consul-dataplane - image: hashicorp/consul-dataplane:1.2.0 + image: hashicorp/consul-dataplane:1.2.1 - name: envoy - image: envoyproxy/envoy:v1.25.1 + image: envoyproxy/envoy:v1.25.9 artifacthub.io/license: MPL-2.0 artifacthub.io/links: | - name: Documentation @@ -25,7 +25,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.22.0-0' catalog.cattle.io/release-name: consul apiVersion: v2 -appVersion: 1.16.0 +appVersion: 1.16.1 description: Official HashiCorp Consul Chart home: https://www.consul.io icon: https://raw.githubusercontent.com/hashicorp/consul-k8s/main/assets/icon.png 
@@ -34,4 +34,4 @@ name: consul sources: - https://github.com/hashicorp/consul - https://github.com/hashicorp/consul-k8s -version: 1.2.0 +version: 1.2.1 diff --git a/charts/hashicorp/consul/templates/_helpers.tpl b/charts/hashicorp/consul/templates/_helpers.tpl index 1b866888c..18f57b188 100644 --- a/charts/hashicorp/consul/templates/_helpers.tpl +++ b/charts/hashicorp/consul/templates/_helpers.tpl @@ -15,6 +15,29 @@ as well as the global.name setting. {{- end -}} {{- end -}} +{{- define "consul.restrictedSecurityContext" -}} +{{- if not .Values.global.enablePodSecurityPolicies -}} +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault +{{- if not .Values.global.openshift.enabled -}} +{{/* +We must set runAsUser or else the root user will be used in some cases and +containers will fail to start due to runAsNonRoot above (e.g. +tls-init-cleanup). On OpenShift, runAsUser is automatically. We pick user 100 +because it is a non-root user id that exists in the consul, consul-dataplane, +and consul-k8s-control-plane images. +*/}} + runAsUser: 100 +{{- end -}} +{{- end -}} +{{- end -}} + {{- define "consul.vaultSecretTemplate" -}} | {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} @@ -422,4 +445,4 @@ Usage: {{ template "consul.validateTelemetryCollectorCloud" . }} {{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.global.cloud.resourceId.secretKey)) }} {{fail "When telemetryCollector has clientId and clientSecret .global.cloud.resourceId.secretKey must be set"}} {{- end }} -{{- end -}} \ No newline at end of file +{{- end -}} 
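Review bot: `consul.restrictedSecurityContext` (first hunk of `_helpers.tpl`) renders nothing at all when `global.enablePodSecurityPolicies` is true. Containers that include it then get none of `allowPrivilegeEscalation: false`, `drop: ALL`, `runAsNonRoot` or the `RuntimeDefault` seccomp profile from this helper, and presumably depend on the PodSecurityPolicy being at least as strict. The define has no header comment saying so; I would add one above it, for example `{{/* Restricted container securityContext. Omitted when global.enablePodSecurityPolicies is set; the PSP must then enforce the equivalent restrictions. */}}`. In the existing comment, "On OpenShift, runAsUser is automatically." is missing a word (`is set automatically`). Because `runAsUser: 100` is fixed, the values documentation should also say that an overridden image must provide that uid.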
diff --git a/charts/hashicorp/consul/templates/client-config-configmap.yaml b/charts/hashicorp/consul/templates/client-config-configmap.yaml index f9650a100..d91a4d21b 100644 --- a/charts/hashicorp/consul/templates/client-config-configmap.yaml +++ b/charts/hashicorp/consul/templates/client-config-configmap.yaml @@ -19,6 +19,12 @@ data: "auto_reload_config": true {{- end }} } + log-level.json: |- + { + {{- if .Values.client.logLevel }} + "log_level": "{{ .Values.client.logLevel | upper }}" + {{- end }} + } extra-from-values.json: |- {{ tpl .Values.client.extraConfig . | trimAll "\"" | indent 4 }} central-config.json: |- diff --git a/charts/hashicorp/consul/templates/client-daemonset.yaml b/charts/hashicorp/consul/templates/client-daemonset.yaml index 09a70b394..345c5c731 100644 --- a/charts/hashicorp/consul/templates/client-daemonset.yaml +++ b/charts/hashicorp/consul/templates/client-daemonset.yaml @@ -510,11 +510,7 @@ spec: value: "component=client,pod=$(NAMESPACE)/$(POD_NAME)" {{- end }} - name: CONSUL_LOGIN_DATACENTER - {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} - value: {{ .Values.global.federation.primaryDatacenter }} - {{- else }} value: {{ .Values.global.datacenter }} - {{- end}} command: - "/bin/sh" - "-ec" diff --git a/charts/hashicorp/consul/templates/connect-inject-clusterrole.yaml b/charts/hashicorp/consul/templates/connect-inject-clusterrole.yaml index 8c0bbe9bf..f1f6b3878 100644 --- a/charts/hashicorp/consul/templates/connect-inject-clusterrole.yaml +++ b/charts/hashicorp/consul/templates/connect-inject-clusterrole.yaml @@ -186,4 +186,14 @@ rules: - "get" - "list" - "watch" +{{- if .Values.global.openshift.enabled }} +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - {{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + verbs: + - use + {{- end }} {{- end }} 
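Review bot: In the new `log-level.json` entry of client-config-configmap.yaml, `.Values.client.logLevel` is pasted between literal double quotes, so a value containing `"` or `\` produces a document that is no longer the JSON the template intends. Letting the template do the encoding avoids that: `"log_level": {{ .Values.client.logLevel | upper | toJson }}`. The neighbouring `extra-from-values.json` context line shows that this ConfigMap already carries operator-supplied text, so keeping each generated file well-formed on its own makes a bad value easier to trace.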
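Review bot: The OpenShift rule added to connect-inject-clusterrole.yaml takes its only `resourceNames` entry straight from `connectInject.apiGateway.managedGatewayClass.openshiftSCCName`, unquoted and with no check that it is set; the default is not visible in this hunk. If the value can be empty, the list item renders as a bare `-` and the rule no longer names the SCC the chart intends. I would fail the render instead: `- {{ required "connectInject.apiGateway.managedGatewayClass.openshiftSCCName must be set when global.openshift.enabled is true" .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName | quote }}`. Since this ClusterRole grants `use` on a SecurityContextConstraints object, the values documentation should also state that the name is expected to be a restricted SCC.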
diff --git a/charts/hashicorp/consul/templates/connect-inject-deployment.yaml b/charts/hashicorp/consul/templates/connect-inject-deployment.yaml index 479e05b25..e726c9ecc 100644 --- a/charts/hashicorp/consul/templates/connect-inject-deployment.yaml +++ b/charts/hashicorp/consul/templates/connect-inject-deployment.yaml @@ -94,6 +94,7 @@ spec: - containerPort: 8080 name: webhook-server protocol: TCP + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} env: - name: NAMESPACE valueFrom: @@ -234,6 +235,19 @@ spec: -default-sidecar-proxy-cpu-request={{ $resources.requests.cpu }} \ {{- end }} -default-envoy-proxy-concurrency={{ .Values.connectInject.sidecarProxy.concurrency }} \ + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnabled }} + -default-enable-sidecar-proxy-lifecycle=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle=false \ + {{- end }} + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnableShutdownDrainListeners }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=false \ + {{- end }} + -default-sidecar-proxy-lifecycle-shutdown-grace-period-seconds={{ .Values.connectInject.sidecarProxy.lifecycle.defaultShutdownGracePeriodSeconds }} \ + -default-sidecar-proxy-lifecycle-graceful-port={{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulPort }} \ + -default-sidecar-proxy-lifecycle-graceful-shutdown-path="{{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulShutdownPath }}" \ {{- if .Values.connectInject.initContainer }} {{- $initResources := .Values.connectInject.initContainer.resources }} diff --git a/charts/hashicorp/consul/templates/crd-controlplanerequestlimits.yaml b/charts/hashicorp/consul/templates/crd-controlplanerequestlimits.yaml index bd1d6118b..2b0c45a62 100644 --- a/charts/hashicorp/consul/templates/crd-controlplanerequestlimits.yaml 
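Review bot: The new `-default-sidecar-proxy-lifecycle-*` arguments in the second hunk of connect-inject-deployment.yaml are built by pasting values into what appears to be a shell command line; the surrounding lines end in `\`, and the command itself starts outside the hunk. `defaultGracefulShutdownPath` is wrapped only in double quotes, so `$`, backticks or `"` in the value would be interpreted by the shell rather than passed through to the flag. Single-quoting is tighter: `-default-sidecar-proxy-lifecycle-graceful-shutdown-path={{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulShutdownPath | squote }} \`, with an embedded `'` rejected by the chart's validation. `defaultShutdownGracePeriodSeconds` and `defaultGracefulPort` are rendered with no check either, so an unset value would yield an empty `-flag=`; whether the values file always supplies them is not visible here.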
+++ b/charts/hashicorp/consul/templates/crd-controlplanerequestlimits.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: controlplanerequestlimits.consul.hashicorp.com labels: @@ -194,4 +194,10 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] {{- end }} diff --git a/charts/hashicorp/consul/templates/crd-exportedservices.yaml b/charts/hashicorp/consul/templates/crd-exportedservices.yaml index 7ffddf753..591500cb1 100644 --- a/charts/hashicorp/consul/templates/crd-exportedservices.yaml +++ b/charts/hashicorp/consul/templates/crd-exportedservices.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: exportedservices.consul.hashicorp.com labels: @@ -138,4 +138,10 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] {{- end }} diff --git a/charts/hashicorp/consul/templates/crd-gatewayclassconfigs.yaml b/charts/hashicorp/consul/templates/crd-gatewayclassconfigs.yaml index 65d425edc..8140902f7 100644 --- a/charts/hashicorp/consul/templates/crd-gatewayclassconfigs.yaml +++ b/charts/hashicorp/consul/templates/crd-gatewayclassconfigs.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: gatewayclassconfigs.consul.hashicorp.com labels: 
@@ -138,8 +138,27 @@ spec: type: string type: object type: array + openshiftSCCName: + description: The name of an existing SecurityContextConstraints + resource to bind to the managed role when running on OpenShift. + type: string + mapPrivilegedContainerPorts: + type: integer + format: int32 + minimum: 0 + maximum: 64512 + description: mapPrivilegedContainerPorts is the value which Consul will add to privileged container port + values (ports < 1024) defined on a Gateway when the number is greater than 0. This cannot be more than + 64512 as the highest privileged port is 1023, which would then map to 65535, which is the highest + valid port number. type: object type: object served: true storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] {{- end }} diff --git a/charts/hashicorp/consul/templates/crd-gatewayclasses.yaml b/charts/hashicorp/consul/templates/crd-gatewayclasses.yaml index 93435b7fc..f7b039531 100644 --- a/charts/hashicorp/consul/templates/crd-gatewayclasses.yaml +++ b/charts/hashicorp/consul/templates/crd-gatewayclasses.yaml @@ -1,4 +1,6 @@ {{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -6,7 +8,6 @@ metadata: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 gateway.networking.k8s.io/bundle-version: v0.6.2 gateway.networking.k8s.io/channel: experimental - creationTimestamp: null labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} diff --git a/charts/hashicorp/consul/templates/crd-gateways.yaml b/charts/hashicorp/consul/templates/crd-gateways.yaml index 41df34942..ae5de48de 100644 --- a/charts/hashicorp/consul/templates/crd-gateways.yaml +++ b/charts/hashicorp/consul/templates/crd-gateways.yaml 
@@ -1,4 +1,6 @@ {{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -6,7 +8,6 @@ metadata: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 gateway.networking.k8s.io/bundle-version: v0.6.2 gateway.networking.k8s.io/channel: experimental - creationTimestamp: null labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} diff --git a/charts/hashicorp/consul/templates/crd-grpcroutes.yaml b/charts/hashicorp/consul/templates/crd-grpcroutes.yaml index 739ed2c65..8f22dbc19 100644 --- a/charts/hashicorp/consul/templates/crd-grpcroutes.yaml +++ b/charts/hashicorp/consul/templates/crd-grpcroutes.yaml @@ -1,4 +1,6 @@ {{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -6,7 +8,6 @@ metadata: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 gateway.networking.k8s.io/bundle-version: v0.6.2 gateway.networking.k8s.io/channel: experimental - creationTimestamp: null labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} diff --git a/charts/hashicorp/consul/templates/crd-httproutes.yaml b/charts/hashicorp/consul/templates/crd-httproutes.yaml index bba3672d1..2aa4478c6 100644 --- a/charts/hashicorp/consul/templates/crd-httproutes.yaml +++ b/charts/hashicorp/consul/templates/crd-httproutes.yaml @@ -1,4 +1,6 @@ {{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -6,7 +8,6 @@ metadata: api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 gateway.networking.k8s.io/bundle-version: v0.6.2 gateway.networking.k8s.io/channel: experimental - creationTimestamp: null labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} diff --git a/charts/hashicorp/consul/templates/crd-ingressgateways.yaml b/charts/hashicorp/consul/templates/crd-ingressgateways.yaml index ef3389046..a01fafd8d 100644 --- a/charts/hashicorp/consul/templates/crd-ingressgateways.yaml +++ b/charts/hashicorp/consul/templates/crd-ingressgateways.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: ingressgateways.consul.hashicorp.com labels: @@ -368,4 +368,10 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] {{- end }} diff --git a/charts/hashicorp/consul/templates/crd-jwtproviders.yaml b/charts/hashicorp/consul/templates/crd-jwtproviders.yaml index c7d20883e..8a51d16b6 100644 --- a/charts/hashicorp/consul/templates/crd-jwtproviders.yaml +++ b/charts/hashicorp/consul/templates/crd-jwtproviders.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: jwtproviders.consul.hashicorp.com labels: @@ -256,4 +256,10 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] {{- end }} diff --git a/charts/hashicorp/consul/templates/crd-meshes.yaml b/charts/hashicorp/consul/templates/crd-meshes.yaml index cdc11b6ed..0710d4128 100644 --- a/charts/hashicorp/consul/templates/crd-meshes.yaml 
+++ b/charts/hashicorp/consul/templates/crd-meshes.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: meshes.consul.hashicorp.com labels: @@ -206,4 +206,10 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] {{- end }} diff --git a/charts/hashicorp/consul/templates/crd-meshservices.yaml b/charts/hashicorp/consul/templates/crd-meshservices.yaml index 859c8683e..df8f673bd 100644 --- a/charts/hashicorp/consul/templates/crd-meshservices.yaml +++ b/charts/hashicorp/consul/templates/crd-meshservices.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: meshservices.consul.hashicorp.com labels: @@ -55,4 +55,10 @@ spec: type: object served: true storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] {{- end }} diff --git a/charts/hashicorp/consul/templates/crd-peeringacceptors.yaml b/charts/hashicorp/consul/templates/crd-peeringacceptors.yaml index 3822f3bdf..e06e830f0 100644 --- a/charts/hashicorp/consul/templates/crd-peeringacceptors.yaml +++ b/charts/hashicorp/consul/templates/crd-peeringacceptors.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: peeringacceptors.consul.hashicorp.com labels: @@ -145,4 +145,10 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] {{- end }} 
diff --git a/charts/hashicorp/consul/templates/crd-peeringdialers.yaml b/charts/hashicorp/consul/templates/crd-peeringdialers.yaml index 405361c48..e24401e76 100644 --- a/charts/hashicorp/consul/templates/crd-peeringdialers.yaml +++ b/charts/hashicorp/consul/templates/crd-peeringdialers.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: peeringdialers.consul.hashicorp.com labels: @@ -145,4 +145,10 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] {{- end }} diff --git a/charts/hashicorp/consul/templates/crd-proxydefaults.yaml b/charts/hashicorp/consul/templates/crd-proxydefaults.yaml index 30dd25f67..362672c1c 100644 --- a/charts/hashicorp/consul/templates/crd-proxydefaults.yaml +++ b/charts/hashicorp/consul/templates/crd-proxydefaults.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: proxydefaults.consul.hashicorp.com labels: @@ -254,4 +254,10 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] {{- end }} diff --git a/charts/hashicorp/consul/templates/crd-referencegrants.yaml b/charts/hashicorp/consul/templates/crd-referencegrants.yaml index db9cf1202..d50211291 100644 --- a/charts/hashicorp/consul/templates/crd-referencegrants.yaml +++ b/charts/hashicorp/consul/templates/crd-referencegrants.yaml 
@@ -1,4 +1,7 @@ {{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: diff --git a/charts/hashicorp/consul/templates/crd-samenessgroups.yaml b/charts/hashicorp/consul/templates/crd-samenessgroups.yaml index c1d1c85a8..60beb5662 100644 --- a/charts/hashicorp/consul/templates/crd-samenessgroups.yaml +++ b/charts/hashicorp/consul/templates/crd-samenessgroups.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: samenessgroups.consul.hashicorp.com labels: @@ -128,4 +128,10 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] {{- end }} diff --git a/charts/hashicorp/consul/templates/crd-servicedefaults.yaml b/charts/hashicorp/consul/templates/crd-servicedefaults.yaml index c926ece62..870f5ad86 100644 --- a/charts/hashicorp/consul/templates/crd-servicedefaults.yaml +++ b/charts/hashicorp/consul/templates/crd-servicedefaults.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: servicedefaults.consul.hashicorp.com labels: @@ -494,4 +494,10 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] {{- end }} diff --git a/charts/hashicorp/consul/templates/crd-serviceintentions.yaml b/charts/hashicorp/consul/templates/crd-serviceintentions.yaml index 335d2eff7..c4d2b5f20 100644 --- a/charts/hashicorp/consul/templates/crd-serviceintentions.yaml 
+++ b/charts/hashicorp/consul/templates/crd-serviceintentions.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: serviceintentions.consul.hashicorp.com labels: @@ -310,4 +310,10 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] {{- end }} diff --git a/charts/hashicorp/consul/templates/crd-serviceresolvers.yaml b/charts/hashicorp/consul/templates/crd-serviceresolvers.yaml index ed95c1584..0d46f8353 100644 --- a/charts/hashicorp/consul/templates/crd-serviceresolvers.yaml +++ b/charts/hashicorp/consul/templates/crd-serviceresolvers.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: serviceresolvers.consul.hashicorp.com labels: @@ -266,6 +266,10 @@ spec: If empty the default subset is used. type: string type: object + requestTimeout: + description: RequestTimeout is the timeout for receiving an HTTP response + from this service before the connection is terminated. + type: string subsets: additionalProperties: properties: @@ -333,4 +337,10 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] {{- end }} diff --git a/charts/hashicorp/consul/templates/crd-servicerouters.yaml b/charts/hashicorp/consul/templates/crd-servicerouters.yaml index 0157f646b..f28da9e7c 100644 --- a/charts/hashicorp/consul/templates/crd-servicerouters.yaml +++ b/charts/hashicorp/consul/templates/crd-servicerouters.yaml 
@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: servicerouters.consul.hashicorp.com labels: @@ -311,4 +311,10 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] {{- end }} diff --git a/charts/hashicorp/consul/templates/crd-servicesplitters.yaml b/charts/hashicorp/consul/templates/crd-servicesplitters.yaml index 18fb10341..a2af050c3 100644 --- a/charts/hashicorp/consul/templates/crd-servicesplitters.yaml +++ b/charts/hashicorp/consul/templates/crd-servicesplitters.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: servicesplitters.consul.hashicorp.com labels: @@ -185,4 +185,10 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] {{- end }} diff --git a/charts/hashicorp/consul/templates/crd-tcproutes.yaml b/charts/hashicorp/consul/templates/crd-tcproutes.yaml index b5bc7be13..a17f457a7 100644 --- a/charts/hashicorp/consul/templates/crd-tcproutes.yaml +++ b/charts/hashicorp/consul/templates/crd-tcproutes.yaml @@ -1,4 +1,7 @@ {{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: diff --git a/charts/hashicorp/consul/templates/crd-terminatinggateways.yaml b/charts/hashicorp/consul/templates/crd-terminatinggateways.yaml index 955496aee..583c218be 100644 --- a/charts/hashicorp/consul/templates/crd-terminatinggateways.yaml 
+++ b/charts/hashicorp/consul/templates/crd-terminatinggateways.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.10.0 + controller-gen.kubebuilder.io/version: v0.8.0 creationTimestamp: null name: terminatinggateways.consul.hashicorp.com labels: @@ -136,4 +136,10 @@ spec: storage: true subresources: status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] {{- end }} diff --git a/charts/hashicorp/consul/templates/crd-tlsroutes.yaml b/charts/hashicorp/consul/templates/crd-tlsroutes.yaml index 1acd1b973..be72f47d6 100644 --- a/charts/hashicorp/consul/templates/crd-tlsroutes.yaml +++ b/charts/hashicorp/consul/templates/crd-tlsroutes.yaml @@ -1,4 +1,7 @@ {{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: diff --git a/charts/hashicorp/consul/templates/crd-udproutes.yaml b/charts/hashicorp/consul/templates/crd-udproutes.yaml index 0661b24c1..fe331cca3 100644 --- a/charts/hashicorp/consul/templates/crd-udproutes.yaml +++ b/charts/hashicorp/consul/templates/crd-udproutes.yaml @@ -1,4 +1,7 @@ {{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: diff --git a/charts/hashicorp/consul/templates/create-federation-secret-job.yaml b/charts/hashicorp/consul/templates/create-federation-secret-job.yaml index 4f83a1f82..678a2af3b 100644 --- a/charts/hashicorp/consul/templates/create-federation-secret-job.yaml +++ b/charts/hashicorp/consul/templates/create-federation-secret-job.yaml 
@@ -93,6 +93,7 @@ spec: containers: - name: create-federation-secret image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} env: - name: NAMESPACE valueFrom: @@ -119,7 +120,7 @@ spec: - "-ec" - | consul-k8s-control-plane create-federation-secret \ - -log-level={{ .Values.global.logLevel }} \ + -log-level={{ default .Values.global.logLevel .Values.global.federation.logLevel }} \ -log-json={{ .Values.global.logJSON }} \ {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} -gossip-key-file=/consul/gossip/gossip.key \ diff --git a/charts/hashicorp/consul/templates/gateway-cleanup-job.yaml b/charts/hashicorp/consul/templates/gateway-cleanup-job.yaml index 44f032b5f..a987c3b59 100644 --- a/charts/hashicorp/consul/templates/gateway-cleanup-job.yaml +++ b/charts/hashicorp/consul/templates/gateway-cleanup-job.yaml @@ -31,12 +31,16 @@ spec: {{- end }} annotations: "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} spec: restartPolicy: Never serviceAccountName: {{ template "consul.fullname" . }}-gateway-cleanup containers: - name: gateway-cleanup image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} command: - consul-k8s-control-plane args: diff --git a/charts/hashicorp/consul/templates/gateway-resources-job.yaml b/charts/hashicorp/consul/templates/gateway-resources-job.yaml index 441e64eb1..de64e2d70 100644 --- a/charts/hashicorp/consul/templates/gateway-resources-job.yaml +++ b/charts/hashicorp/consul/templates/gateway-resources-job.yaml 
@@ -31,12 +31,16 @@ spec: {{- end }} annotations: "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} spec: restartPolicy: Never serviceAccountName: {{ template "consul.fullname" . }}-gateway-resources containers: - name: gateway-resources image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} command: - consul-k8s-control-plane args: @@ -84,15 +88,21 @@ spec: {{- end}} {{- end}} {{- if .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector }} - - -node-selector={{ .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector | nindent 14 -}} {{- end }} {{- if .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} - -tolerations={{ .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} {{- end }} {{- if .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service }} - - -service-annotations={{ .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service.annotations }} + - -service-annotations + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service.annotations | nindent 14 -}} {{- end }} - -service-type={{ .Values.connectInject.apiGateway.managedGatewayClass.serviceType }} + {{- if .Values.global.openshift.enabled }} + - -openshift-scc-name={{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + {{- end }} + - -map-privileged-container-ports={{ .Values.connectInject.apiGateway.managedGatewayClass.mapPrivilegedContainerPorts }} {{- end}} resources: requests: diff --git a/charts/hashicorp/consul/templates/gossip-encryption-autogenerate-job.yaml b/charts/hashicorp/consul/templates/gossip-encryption-autogenerate-job.yaml index 9d296478a..02fb3ea16 100644 
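Review bot: In the second gateway-resources-job.yaml hunk the `-tolerations=` argument keeps the old single-token interpolation while `-node-selector` and `-service-annotations` next to it move to a separate `toYaml` argument, so a multi-line tolerations value would presumably still be spliced inline into one list item. If the three values share a format, the tolerations entry should take the same shape: `- -tolerations` followed by `- {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.tolerations | nindent 14 -}}`. The args list starts above the hunk, so how the consumer parses these flags cannot be confirmed from here.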
--- a/charts/hashicorp/consul/templates/gossip-encryption-autogenerate-job.yaml +++ b/charts/hashicorp/consul/templates/gossip-encryption-autogenerate-job.yaml @@ -48,6 +48,7 @@ spec: containers: - name: gossip-encryption-autogen image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} command: - "/bin/sh" - "-ec" @@ -56,7 +57,7 @@ spec: -namespace={{ .Release.Namespace }} \ -secret-name={{ template "consul.fullname" . }}-gossip-encryption-key \ -secret-key="key" \ - -log-level={{ .Values.global.logLevel }} \ + -log-level={{ default .Values.global.logLevel .Values.global.gossipEncryption.logLevel }} \ -log-json={{ .Values.global.logJSON }} resources: requests: diff --git a/charts/hashicorp/consul/templates/ingress-gateways-deployment.yaml b/charts/hashicorp/consul/templates/ingress-gateways-deployment.yaml index 4f7203185..c10f1549f 100644 --- a/charts/hashicorp/consul/templates/ingress-gateways-deployment.yaml +++ b/charts/hashicorp/consul/templates/ingress-gateways-deployment.yaml @@ -175,6 +175,7 @@ spec: # ingress-gateway-init registers the ingress gateway service with Consul. - name: ingress-gateway-init image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} env: - name: NAMESPACE valueFrom: @@ -211,7 +212,7 @@ spec: -gateway-kind="ingress-gateway" \ -proxy-id-file=/consul/service/proxy-id \ -service-name={{ template "consul.fullname" $root }}-{{ .name }} \ - -log-level={{ default $root.Values.global.logLevel }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} \ -log-json={{ $root.Values.global.logJSON }} volumeMounts: - name: consul-service 
@@ -233,6 +234,7 @@ spec: containers: - name: ingress-gateway image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} {{- if (default $defaults.resources .resources) }} resources: {{ toYaml (default $defaults.resources .resources) | nindent 10 }} {{- end }} @@ -319,7 +321,7 @@ spec: {{- if $root.Values.global.adminPartitions.enabled }} - -service-partition={{ $root.Values.global.adminPartitions.name }} {{- end }} - - -log-level={{ default $root.Values.global.logLevel }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} - -log-json={{ $root.Values.global.logJSON }} {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} - -telemetry-prom-scrape-path=/metrics diff --git a/charts/hashicorp/consul/templates/mesh-gateway-deployment.yaml b/charts/hashicorp/consul/templates/mesh-gateway-deployment.yaml index 449d6ae49..1936138db 100644 --- a/charts/hashicorp/consul/templates/mesh-gateway-deployment.yaml +++ b/charts/hashicorp/consul/templates/mesh-gateway-deployment.yaml @@ -161,7 +161,7 @@ spec: -gateway-kind="mesh-gateway" \ -proxy-id-file=/consul/service/proxy-id \ -service-name={{ .Values.meshGateway.consulServiceName }} \ - -log-level={{ default .Values.global.logLevel }} \ + -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} \ -log-json={{ .Values.global.logJSON }} volumeMounts: - name: consul-service @@ -267,7 +267,7 @@ spec: {{- if .Values.global.adminPartitions.enabled }} - -service-partition={{ .Values.global.adminPartitions.name }} {{- end }} - - -log-level={{ default .Values.global.logLevel }} + - -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} - -log-json={{ .Values.global.logJSON }} {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} - -telemetry-prom-scrape-path=/metrics 
diff --git a/charts/hashicorp/consul/templates/partition-init-job.yaml b/charts/hashicorp/consul/templates/partition-init-job.yaml index db73ef783..9209f850c 100644 --- a/charts/hashicorp/consul/templates/partition-init-job.yaml +++ b/charts/hashicorp/consul/templates/partition-init-job.yaml @@ -81,6 +81,7 @@ spec: containers: - name: partition-init-job image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} env: {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} {{- if (and .Values.global.acls.bootstrapToken.secretName .Values.global.acls.bootstrapToken.secretKey) }} diff --git a/charts/hashicorp/consul/templates/server-acl-init-cleanup-job.yaml b/charts/hashicorp/consul/templates/server-acl-init-cleanup-job.yaml index 35b0877ab..39754d6c6 100644 --- a/charts/hashicorp/consul/templates/server-acl-init-cleanup-job.yaml +++ b/charts/hashicorp/consul/templates/server-acl-init-cleanup-job.yaml 
@@ -47,27 +47,34 @@ spec: {{- end }} annotations: "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} spec: restartPolicy: Never serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init-cleanup + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} containers: - name: server-acl-init-cleanup image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} command: - consul-k8s-control-plane args: - delete-completed-job - - -log-level={{ .Values.global.logLevel }} + - -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel }} - -log-json={{ .Values.global.logJSON }} - -k8s-namespace={{ .Release.Namespace }} - {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.global.acls.resources }} resources: - requests: - memory: "50Mi" - cpu: "50m" - limits: - memory: "50Mi" - cpu: "50m" + {{- toYaml .Values.global.acls.resources | nindent 12 }} + {{- end }} {{- if .Values.global.acls.tolerations }} tolerations: {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} diff --git a/charts/hashicorp/consul/templates/server-acl-init-job.yaml b/charts/hashicorp/consul/templates/server-acl-init-job.yaml index e62db41ec..e8a06cf7a 100644 --- a/charts/hashicorp/consul/templates/server-acl-init-job.yaml +++ b/charts/hashicorp/consul/templates/server-acl-init-job.yaml @@ -46,6 +46,9 @@ spec: {{- end }} annotations: "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} {{- if .Values.global.secretsBackend.vault.enabled }} {{- /* Run the Vault agent as both an init container and sidecar. 
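Review bot: In server-acl-init-cleanup-job.yaml the value named `server.containerSecurityContext.aclInit` appears to be rendered as `securityContext:` under the pod `spec:` (it sits before `containers:`), not on the container, and when it is set the container receives no `consul.restrictedSecurityContext` at all. Container-only fields such as `allowPrivilegeEscalation` or `capabilities` are not part of the pod-level security context, so an operator who puts them under this key would not get what the name suggests. Either render the block on the container, or document the behaviour next to the `if`, for example `{{- /* aclInit is applied at pod level and replaces the restricted container defaults */}}`. The same pattern appears in the server-acl-init-job.yaml, tls-init-cleanup-job.yaml and tls-init-job.yaml hunks (with `tlsInit` in the latter two).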
@@ -94,6 +97,10 @@ spec: spec: restartPolicy: Never serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} volumes: {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} @@ -122,6 +129,9 @@ spec: containers: - name: server-acl-init-job image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + {{- end }} env: - name: NAMESPACE valueFrom: @@ -161,7 +171,7 @@ spec: CONSUL_FULLNAME="{{template "consul.fullname" . }}" consul-k8s-control-plane server-acl-init \ - -log-level={{ .Values.global.logLevel }} \ + -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel}} \ -log-json={{ .Values.global.logJSON }} \ -resource-prefix=${CONSUL_FULLNAME} \ -k8s-namespace={{ .Release.Namespace }} \ @@ -307,13 +317,10 @@ spec: {{- end }} {{- end }} {{- end }} + {{- if .Values.global.acls.resources }} resources: - requests: - memory: "50Mi" - cpu: "50m" - limits: - memory: "50Mi" - cpu: "50m" + {{- toYaml .Values.global.acls.resources | nindent 10 }} + {{- end }} {{- if .Values.global.acls.tolerations }} tolerations: {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} diff --git a/charts/hashicorp/consul/templates/server-config-configmap.yaml b/charts/hashicorp/consul/templates/server-config-configmap.yaml index 1ad04a42b..6c102f0ae 100644 --- a/charts/hashicorp/consul/templates/server-config-configmap.yaml +++ b/charts/hashicorp/consul/templates/server-config-configmap.yaml 
@@ -1,6 +1,6 @@ {{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} {{- if (not (or (eq .Values.server.limits.requestLimits.mode "disabled") (eq .Values.server.limits.requestLimits.mode "permissive") (eq .Values.server.limits.requestLimits.mode "enforce"))) }}{{fail "server.limits.requestLimits.mode must be one of the following values: disabled, permissive, and enforce." }}{{ end -}} - +{{- if and .Values.server.auditLogs.enabled (not .Values.global.acls.manageSystemACLs) }}{{fail "ACLs must be enabled inorder to configure audit logs"}}{{ end -}} # StatefulSet to run the actual Consul server cluster. apiVersion: v1 kind: ConfigMap @@ -27,6 +27,9 @@ data: }, "datacenter": "{{ .Values.global.datacenter }}", "data_dir": "/consul/data", + {{- if .Values.server.logLevel }} + "log_level": "{{ .Values.server.logLevel | upper }}", + {{- end }} "domain": "{{ .Values.global.domain }}", "limits": { "request_limits": { @@ -187,4 +190,27 @@ data: } } {{- end }} + {{- if and .Values.server.auditLogs.enabled .Values.global.acls.manageSystemACLs }} + audit-logging.json: |- + { + "audit": { + "enabled": true, + "sink": { + {{- range $index, $element := .Values.server.auditLogs.sinks }} + {{- if ne $index 0 }},{{end}} + "{{ $element.name }}": { + {{- $firstKeyValuePair := false }} + {{- range $k, $v := $element }} + {{- if ne $k "name" }} + {{- if ne $firstKeyValuePair false }},{{end}} + {{- $firstKeyValuePair = true }} + "{{ $k }}": "{{ $v }}" + {{- end }} + {{- end }} + } + {{- end }} + } + } + } + {{- end }} {{- end }} diff --git a/charts/hashicorp/consul/templates/server-statefulset.yaml b/charts/hashicorp/consul/templates/server-statefulset.yaml index 0bde9b881..04c84df71 100644 --- a/charts/hashicorp/consul/templates/server-statefulset.yaml +++ b/charts/hashicorp/consul/templates/server-statefulset.yaml 
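Review bot: The `audit-logging.json` block in the last server-config-configmap.yaml hunk assembles JSON by plain interpolation (`"{{ $k }}": "{{ $v }}"`), so a sink name, key or value containing `"` or `\` yields invalid JSON in the rendered ConfigMap. Escaping through `toJson` keeps the current all-strings output while making it well-formed: `{{ $k | toJson }}: {{ $v | toString | toJson }}` and `{{ $element.name | toJson }}: {`. Whether Consul needs numeric or boolean sink options typed rather than quoted is not visible here and is worth confirming. The `fail` message in the first hunk reads "inorder" where "in order" is meant.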
@@ -238,6 +238,7 @@ spec: volumeMounts: - name: extra-config mountPath: /consul/extra-config + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} containers: - name: consul image: "{{ default .Values.global.image .Values.server.image }}" @@ -526,9 +527,11 @@ spec: {{- toYaml .Values.server.resources | nindent 12 }} {{- end }} {{- end }} - {{- if not .Values.global.openshift.enabled }} + {{- if .Values.server.containerSecurityContext.server }} securityContext: {{- toYaml .Values.server.containerSecurityContext.server | nindent 12 }} + {{- else }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} {{- end }} {{- if .Values.server.extraContainers }} {{ toYaml .Values.server.extraContainers | nindent 8 }} diff --git a/charts/hashicorp/consul/templates/sync-catalog-deployment.yaml b/charts/hashicorp/consul/templates/sync-catalog-deployment.yaml index e88adea53..a8793ef6f 100644 --- a/charts/hashicorp/consul/templates/sync-catalog-deployment.yaml +++ b/charts/hashicorp/consul/templates/sync-catalog-deployment.yaml @@ -77,6 +77,7 @@ spec: containers: - name: sync-catalog image: "{{ default .Values.global.imageK8S .Values.syncCatalog.image }}" + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} env: {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} {{- if .Values.global.acls.manageSystemACLs }} diff --git a/charts/hashicorp/consul/templates/telemetry-collector-deployment.yaml b/charts/hashicorp/consul/templates/telemetry-collector-deployment.yaml index 62b8868f1..bf00fd9a0 100644 --- a/charts/hashicorp/consul/templates/telemetry-collector-deployment.yaml +++ b/charts/hashicorp/consul/templates/telemetry-collector-deployment.yaml 
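Review bot: In the second server-statefulset.yaml hunk the `not .Values.global.openshift.enabled` guard is dropped, so a `securityContext` is now rendered for the consul container on OpenShift as well. A non-empty `server.containerSecurityContext.server` replaces the output of `consul.restrictedSecurityContext` wholesale rather than being merged with it, so a partial override (only `runAsUser`, say) presumably loses whatever hardening the helper sets; the helper is defined outside this page, so its OpenShift handling cannot be checked here. A template comment above the `if` would make the contract explicit, e.g. `{{- /* a user-supplied context replaces the restricted defaults; it is not merged */}}`. The container definition starts and ends outside the hunk.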
@@ -115,7 +115,7 @@ spec: - -ec - |- consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD_NAMESPACE} \ - -log-level={{ default .Values.global.logLevel }} \ + -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} \ -log-json={{ .Values.global.logJSON }} \ -service-account-name="consul-telemetry-collector" \ -service-name="" \ @@ -303,7 +303,7 @@ spec: {{- if .Values.global.metrics.enabled }} - -telemetry-prom-scrape-path=/metrics {{- end }} - - -log-level={{ default .Values.global.logLevel }} + - -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} - -log-json={{ .Values.global.logJSON }} - -envoy-concurrency=2 {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} diff --git a/charts/hashicorp/consul/templates/terminating-gateways-deployment.yaml b/charts/hashicorp/consul/templates/terminating-gateways-deployment.yaml index 2f2cb9a92..9433e44bc 100644 --- a/charts/hashicorp/consul/templates/terminating-gateways-deployment.yaml +++ b/charts/hashicorp/consul/templates/terminating-gateways-deployment.yaml @@ -160,6 +160,7 @@ spec: # terminating-gateway-init registers the terminating gateway service with Consul. - name: terminating-gateway-init image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} env: - name: NAMESPACE valueFrom: @@ -196,7 +197,7 @@ spec: -gateway-kind="terminating-gateway" \ -proxy-id-file=/consul/service/proxy-id \ -service-name={{ .name }} \ - -log-level={{ default $root.Values.global.logLevel }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} \ -log-json={{ $root.Values.global.logJSON }} volumeMounts: - name: consul-service 
@@ -218,6 +219,7 @@ spec: containers: - name: terminating-gateway image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} volumeMounts: - name: consul-service mountPath: /consul/service @@ -300,7 +302,7 @@ spec: {{- if $root.Values.global.adminPartitions.enabled }} - -service-partition={{ $root.Values.global.adminPartitions.name }} {{- end }} - - -log-level={{ default $root.Values.global.logLevel }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} - -log-json={{ $root.Values.global.logJSON }} {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} - -telemetry-prom-scrape-path=/metrics diff --git a/charts/hashicorp/consul/templates/tls-init-cleanup-job.yaml b/charts/hashicorp/consul/templates/tls-init-cleanup-job.yaml index ba29bb84a..2254a38ed 100644 --- a/charts/hashicorp/consul/templates/tls-init-cleanup-job.yaml +++ b/charts/hashicorp/consul/templates/tls-init-cleanup-job.yaml @@ -35,12 +35,22 @@ spec: {{- end }} annotations: "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} spec: restartPolicy: Never serviceAccountName: {{ template "consul.fullname" . }}-tls-init-cleanup + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} containers: - name: tls-init-cleanup image: "{{ .Values.global.image }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} env: - name: NAMESPACE valueFrom: diff --git a/charts/hashicorp/consul/templates/tls-init-job.yaml b/charts/hashicorp/consul/templates/tls-init-job.yaml index d002ae7a7..47651fe14 100644 
--- a/charts/hashicorp/consul/templates/tls-init-job.yaml +++ b/charts/hashicorp/consul/templates/tls-init-job.yaml @@ -35,9 +35,16 @@ spec: {{- end }} annotations: "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} spec: restartPolicy: Never serviceAccountName: {{ template "consul.fullname" . }}-tls-init + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} volumes: - name: consul-ca-cert @@ -56,6 +63,9 @@ spec: containers: - name: tls-init image: "{{ .Values.global.imageK8S }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} env: - name: NAMESPACE valueFrom: @@ -70,7 +80,7 @@ spec: # and use * at the start of the dns name when setting -additional-dnsname. set -o noglob consul-k8s-control-plane tls-init \ - -log-level={{ .Values.global.logLevel }} \ + -log-level={{ default .Values.global.logLevel .Values.global.tls.logLevel }} \ -log-json={{ .Values.global.logJSON }} \ -domain={{ .Values.global.domain }} \ -days=730 \ diff --git a/charts/hashicorp/consul/templates/ui-ingress.yaml b/charts/hashicorp/consul/templates/ui-ingress.yaml index 0414a7cc2..f8c7f92a7 100644 --- a/charts/hashicorp/consul/templates/ui-ingress.yaml +++ b/charts/hashicorp/consul/templates/ui-ingress.yaml 
@@ -25,9 +25,11 @@ metadata: {{ tpl .Values.ui.ingress.annotations . | nindent 4 | trim }} {{- end }} spec: + {{- if ne .Values.ui.ingress.ingressClassName "" }} ingressClassName: {{ .Values.ui.ingress.ingressClassName }} + {{- end }} rules: - {{ $global := .Values.global }} + {{- $global := .Values.global }} {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} {{- range .Values.ui.ingress.hosts }} - host: {{ .host | quote }} diff --git a/charts/hashicorp/consul/templates/webhook-cert-manager-deployment.yaml b/charts/hashicorp/consul/templates/webhook-cert-manager-deployment.yaml index dd93c039d..7ba25b330 100644 --- a/charts/hashicorp/consul/templates/webhook-cert-manager-deployment.yaml +++ b/charts/hashicorp/consul/templates/webhook-cert-manager-deployment.yaml @@ -51,6 +51,7 @@ spec: -deployment-namespace={{ .Release.Namespace }} image: {{ .Values.global.imageK8S }} name: webhook-cert-manager + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} resources: limits: cpu: 100m diff --git a/charts/hashicorp/consul/values.yaml b/charts/hashicorp/consul/values.yaml index 0ea313e4b..c0bdc40f9 100644 --- a/charts/hashicorp/consul/values.yaml +++ b/charts/hashicorp/consul/values.yaml @@ -63,10 +63,10 @@ global: # # Consul 1.10.0 # image: "consul:1.10.0" # # Consul Enterprise 1.10.0 - # image: hashicorp/consul:1.16.0" + # image: "hashicorp/consul-enterprise:1.10.0-ent" # ``` # @default: hashicorp/consul: - image: hashicorp/consul:1.16.0 + image: hashicorp/consul:1.16.1 # Array of objects containing image pull secret names that will be applied to each service account. # This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image. 
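Review bot: The new guard in ui-ingress.yaml, `{{- if ne .Values.ui.ingress.ingressClassName "" }}`, tests only for the empty string, so a values file that sets the key to `null` or drops it is not covered by the condition. A truthiness test treats empty, null and missing alike: `{{- if .Values.ui.ingress.ingressClassName }}`. Quoting the rendered value, `ingressClassName: {{ .Values.ui.ingress.ingressClassName | quote }}`, would also keep a class name that looks like a number or boolean from being re-typed by the YAML parser.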
@@ -86,7 +86,7 @@ global: # image that is used for functionality such as catalog sync. # This can be overridden per component. # @default: hashicorp/consul-k8s-control-plane: - imageK8S: hashicorp/consul-k8s-control-plane:1.2.0 + imageK8S: hashicorp/consul-k8s-control-plane:1.2.1 # The name of the datacenter that the agents should # register as. This can't be changed once the Consul cluster is up and running @@ -289,6 +289,9 @@ global: # The key within the Kubernetes secret or Vault secret key that holds the gossip # encryption key. secretKey: "" + # Override global log verbosity level for gossip-encryption-autogenerate-job pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" # A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. # These values are given as `-recursor` flags to Consul servers and clients. @@ -307,6 +310,10 @@ global: # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). enabled: false + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + # If true, turns on the auto-encrypt feature on clients and servers. # It also switches consul-k8s-control-plane components to retrieve the CA from the servers # via the API. Requires Consul 1.7.1+. @@ -379,6 +386,18 @@ global: # @type: string secretKey: null + # This value defines additional annotations for + # tls init jobs. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + # [Enterprise Only] `enableConsulNamespaces` indicates that you are running # Consul Enterprise v1.7+ with a valid Consul Enterprise license and would # like to make use of configuration beyond registering everything into 
@@ -394,6 +413,10 @@ global: # This requires Consul >= 1.4. manageSystemACLs: false + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + # A Kubernetes or Vault secret containing the bootstrap token to use for creating policies and # tokens for all Consul and consul-k8s-control-plane components. If `secretName` and `secretKey` # are unset, a default secret name and secret key are used. If the secret is populated, then @@ -430,6 +453,33 @@ global: # @type: string secretKey: null + # The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods. + # This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#resourcerequirements-v1-core) + # object. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + # partitionToken references a Vault secret containing the ACL token to be used in non-default partitions. # This value should only be provided in the default partition and only when setting # the `global.secretsBackend.vault.enabled` value to true. @@ -462,6 +512,18 @@ global: # @type: string nodeSelector: null + # This value defines additional annotations for + # acl init jobs. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + # [Enterprise Only] This value refers to a Kubernetes or Vault secret that you have created # that contains your enterprise license. It is required if you are using an # enterprise binary. Defining it here applies it to your cluster once a leader 
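Review bot: In the `resources` comment added for the server-acl-init pods (hunk `@@ -430,6 +453,33 @@`), the link text for ResourceRequirements closes with two backticks, which leaves an unbalanced code span in any documentation generated from these comments. It should close with a single backtick. The example block also shows 200Mi/100m while the defaults set directly below are 50Mi/50m, so a sentence marking the example as illustrative would keep readers from taking it for the default.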
@@ -484,8 +546,9 @@ global: # If enabled, this datacenter will be federation-capable. Only federation # via mesh gateways is supported. # Mesh gateways and servers will be configured to allow federation. - # Requires `global.tls.enabled`, `meshGateway.enabled` and `connectInject.enabled` - # to be true. Requires Consul 1.8+. + # Requires `global.tls.enabled`, `connectInject.enabled`, and one of + # `meshGateway.enabled` or `externalServers.enabled` to be true. + # Requires Consul 1.8+. enabled: false # If true, the chart will create a Kubernetes secret that can be imported @@ -501,8 +564,8 @@ global: # @type: string primaryDatacenter: null - # A list of addresses of the primary mesh gateways in the form `:`. - # (e.g. ["1.1.1.1:443", "2.3.4.5:443"] + # A list of addresses of the primary mesh gateways in the form `:` + # (e.g. `["1.1.1.1:443", "2.3.4.5:443"]`). # @type: array primaryGateways: [] @@ -513,6 +576,9 @@ global: # from the one used by the Consul Service Mesh. # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). # + # If `externalServers.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # # You can retrieve this value from your `kubeconfig` by running: # # ```shell-session @@ -523,6 +589,10 @@ global: # @type: string k8sAuthMethodHost: null + # Override global log verbosity level for the create-federation-secret-job pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + # Configures metrics for Consul service mesh metrics: # Configures the Helm chart’s components 
@@ -557,7 +627,7 @@ global: # The name (and tag) of the consul-dataplane Docker image used for the # connect-injected sidecar proxies and mesh, terminating, and ingress gateways. # @default: hashicorp/consul-dataplane: - imageConsulDataplane: "hashicorp/consul-dataplane:1.2.0" + imageConsulDataplane: hashicorp/consul-dataplane:1.2.1 # Configuration for running this Helm chart on the Red Hat OpenShift platform. # This Helm chart currently supports OpenShift v4.x+. @@ -663,7 +733,7 @@ global: # ] # ``` # @type: array - trustedCAs: [ ] + trustedCAs: [] # Server, when enabled, configures a server cluster to run. This should # be disabled if you plan on connecting to a Consul cluster external to @@ -676,6 +746,10 @@ server: # @type: boolean enabled: "-" + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + # The name of the Docker image (including any tag) for the containers running # Consul server agents. # @type: string @@ -778,11 +852,11 @@ server: # @type: string storageClass: null - # This will enable/disable [Connect](https://developer.hashicorp.com/consul/docs/connect). Setting this to true + # This will enable/disable [service mesh](https://developer.hashicorp.com/consul/docs/connect). Setting this to true # _will not_ automatically secure pod communication, this # setting will only enable usage of the feature. Consul will automatically initialize - # a new CA and set of certificates. Additional Connect settings can be configured - # by setting the `server.extraConfig` value. + # a new CA and set of certificates. Additional service mesh settings can be configured + # by setting the `server.extraConfig` value or by applying [configuration entries](https://developer.hashicorp.com/consul/docs/connect/config-entries). connect: true serviceAccount: 
@@ -850,6 +924,14 @@ server: # @type: map # @recurse: false server: null + # The acl-init job + # @type: map + # @recurse: false + aclInit: null + # The tls-init job + # @type: map + # @recurse: false + tlsInit: null # This value is used to carefully # control a rolling update of Consul server agents. This value specifies the 
@@ -1181,6 +1263,60 @@ server: # @type: integer writeRate: -1 + # [Enterprise Only] Added in Consul 1.8, the audit object allow users to enable auditing + # and configure a sink and filters for their audit logs. Please refer to + # [audit logs](https://developer.hashicorp.com/consul/docs/enterprise/audit-logging) documentation + # for further information. + auditLogs: + # Controls whether Consul logs out each time a user performs an operation. + # global.acls.manageSystemACLs must be enabled to use this feature. + enabled: false + + # A single entry of the sink object provides configuration for the destination to which Consul + # will log auditing events. + # + # Example: + # + # ```yaml + # sinks: + # - name: My Sink + # type: file + # format: json + # path: /tmp/audit.json + # delivery_guarantee: best-effort + # rotate_duration: 24h + # rotate_max_files: 15 + # rotate_bytes: 25165824 + # + # ``` + # + # The sink object supports the following keys: + # + # - `name` - Name of the sink. + # + # - `type` - Type specifies what kind of sink this is. Currently only file sinks are available + # + # - `format` - Format specifies what format the events will be emitted with. Currently only `json` + # events are emitted. + # + # - `path` - The directory and filename to write audit events to. + # + # - `delivery_guarantee` - Specifies the rules governing how audit events are written. Consul + # only supports `best-effort` event delivery. + # + # - `mode` - The permissions to set on the audit log files. + # + # - `rotate_duration` - Specifies the interval by which the system rotates to a new log file. + # At least one of `rotate_duration` or `rotate_bytes` must be configured to enable audit logging. + # + # - `rotate_bytes` - Specifies how large an individual log file can grow before Consul rotates to a new file. + # At least one of rotate_bytes or rotate_duration must be configured to enable audit logging. 
+ # + # - `rotate_max_files` - Defines the limit that Consul should follow before it deletes old log files. + # + # @type: array + sinks: [] + # Configuration for Consul servers when the servers are running outside of Kubernetes. # When running external servers, configuring these values is recommended # if setting `global.tls.enableAutoEncrypt` to true @@ -1226,6 +1362,9 @@ externalServers: # This address must be reachable from the Consul servers. # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). # + # If `global.federation.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # # You could retrieve this value from your `kubeconfig` by running: # # ```shell-session @@ -1248,6 +1387,10 @@ client: # @type: boolean enabled: false + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + # The name of the Docker image (including any tag) for the containers # running Consul client agents. # @type: string @@ -1530,7 +1673,7 @@ dns: # @type: boolean enabled: "-" - # If true, services using Consul Connect will use Consul DNS + # If true, services using Consul service mesh will use Consul DNS # for default DNS resolution. The DNS lookups fall back to the nameserver IPs # listed in /etc/resolv.conf if not found in Consul. # @type: boolean @@ -2027,7 +2170,7 @@ connectInject: # @type: string nodeSelector: null - # Toleration settings for gateway pods created with the managed gateway class. + # Toleration settings for gateway pods created with the managed gateway class. # This should be a multi-line string matching the # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. # 
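Review bot: The sample sink in the new `auditLogs` comment (hunk `@@ -1181,6 +1263,60 @@`) writes to `path: /tmp/audit.json` and omits `mode`, although `mode` is listed among the supported keys a few lines later. An audit trail under a temporary directory is presumably lost when the server pod is replaced, and without an explicit mode the file permissions are whatever Consul defaults to. Whether the chart mounts a dedicated volume for sinks is not visible in this hunk. I would make the example show a persistent location and the permission key, e.g. `#     path: <PERSISTENT_MOUNT>/audit.json` (placeholder) and `#     mode: "0600"`. The second `rotate_bytes` sentence also drops the backticks that the `rotate_duration` sentence uses around the key names.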
@@ -2053,11 +2196,22 @@ connectInject: service: null # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways - deployment: + deployment: defaultInstances: 1 maxInstances: 1 minInstances: 1 + # The name of the OpenShift SecurityContextConstraints resource to use for Gateways. + # Only applicable if `global.openshift.enabled` is true. + # @type: string + openshiftSCCName: "restricted-v2" + + # This value defines the amount we will add to privileged container ports on gateways that use this class. + # This is useful if you don't want to give your containers extra permissions to run privileged ports. + # Example: The gateway listener is defined on port 80, but the underlying value of the port on the container + # will be the 80 + the number defined below. + mapPrivilegedContainerPorts: 0 + # Configuration for the ServiceAccount created for the api-gateway component serviceAccount: # This value defines additional annotations for the client service account. This should be formatted as a multi-line @@ -2183,7 +2337,7 @@ connectInject: # @type: map meta: null - # Configures metrics for Consul Connect services. All values are overridable + # Configures metrics for Consul service mesh services. All values are overridable # via annotations on a per-pod basis. metrics: # If true, the connect-injector will automatically @@ -2333,7 +2487,7 @@ connectInject: # annotated. Use `["*"]` to automatically allow all k8s namespaces. # # For example, `["namespace1", "namespace2"]` will only allow pods in the k8s - # namespaces `namespace1` and `namespace2` to have Connect sidecars injected + # namespaces `namespace1` and `namespace2` to have Consul service mesh sidecars injected # and registered with Consul. All other k8s namespaces will be ignored. # # To deny all namespaces, set this to `[]`. 
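Review bot: `mapPrivilegedContainerPorts` is added without the `# @type: integer` line that its sibling `openshiftSCCName` and the other new keys in this file carry. Its comment also does not state that the default `0` leaves the mapping off, so a listener on port 80 still binds port 80 inside the container and needs the extra permission the comment mentions. I would add `# @type: integer` and a sentence such as `# The default of 0 applies no offset; set a value above 1023 so gateway containers never bind a privileged port.` The comment should also say what happens when listener port plus offset exceeds 65535, if the controller checks that; the check itself is not in this hunk.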
@@ -2473,6 +2627,26 @@ connectInject: # Recommended production default: 100m # @type: string cpu: null + # Set default lifecycle management configuration for sidecar proxy. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/enable-sidecar-proxy-lifecycle` + # - `consul.hashicorp.com/enable-sidecar-proxy-shutdown-drain-listeners` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-port` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-shutdown-path` + # @type: map + lifecycle: + # @type: boolean + defaultEnabled: true + # @type: boolean + defaultEnableShutdownDrainListeners: true + # @type: integer + defaultShutdownGracePeriodSeconds: 30 + # @type: integer + defaultGracefulPort: 20600 + # @type: string + defaultGracefulShutdownPath: "/graceful_shutdown" # The resource settings for the Connect injected init container. If null, the resources # won't be set for the initContainer. The defaults are optimized for developer instances of 
@@ -2498,11 +2672,15 @@ connectInject: # [Mesh Gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) enable Consul Connect to work across Consul datacenters. meshGateway: # If [mesh gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) are enabled, a Deployment will be created that runs - # gateways and Consul Connect will be configured to use gateways. + # gateways and Consul service mesh will be configured to use gateways. # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). # Requirements: consul 1.6.0+ if using `global.acls.manageSystemACLs``. enabled: false + # Override global log verbosity level for mesh-gateway-deployment pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + # Number of replicas for the Deployment. replicas: 1 @@ -2715,6 +2893,10 @@ ingressGateways: # Enable ingress gateway deployment. Requires `connectInject.enabled=true`. enabled: false + # Override global log verbosity level for ingress-gateways-deployment pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + # Defaults sets default values for all gateway fields. With the exception # of annotations, defining any of these values in the `gateways` list # will override the default values provided here. Annotations will @@ -2881,6 +3063,10 @@ terminatingGateways: # Enable terminating gateway deployment. Requires `connectInject.enabled=true`. enabled: false + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + # Defaults sets default values for all gateway fields. With the exception # of annotations, defining any of these values in the `gateways` list # will override the default values provided here. Annotations will 
@@ -3026,7 +3212,7 @@ apiGateway: # The name (and tag) of the Envoy Docker image used for the # apiGateway. For other Consul compoenents, imageEnvoy has been replaced with Consul Dataplane. # @default: envoyproxy/envoy: - imageEnvoy: "envoyproxy/envoy:v1.25.1" + imageEnvoy: "envoyproxy/envoy:v1.25.9" # Override global log verbosity level for api-gateway-controller pods. One of "debug", "info", "warn", or "error". # @type: string @@ -3219,6 +3405,10 @@ telemetryCollector: # @type: boolean enabled: false + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + # The name of the Docker image (including any tag) for the containers running # the consul-telemetry-collector # @type: string @@ -3302,4 +3492,4 @@ telemetryCollector: # feature, in case kubernetes cluster is behind egress http proxies. Additionally, # it could be used to configure custom consul parameters. # @type: map - extraEnvironmentVars: { } + extraEnvironmentVars: {} diff --git a/charts/jfrog/artifactory-ha/CHANGELOG.md b/charts/jfrog/artifactory-ha/CHANGELOG.md index 1e7289e7d..834d12d2b 100644 --- a/charts/jfrog/artifactory-ha/CHANGELOG.md +++ b/charts/jfrog/artifactory-ha/CHANGELOG.md 
@@ -1,13 +1,16 @@ # JFrog Artifactory-ha Chart Changelog All changes to this chart will be documented in this file -## [107.63.10] - Jul 20, 2023 +## [107.63.11] - Aug 7, 2023 * Added support for Openshift by adding the securityContext in container level. * **IMPORTANT** -* Nginx deployment is disabled on openshift. * Disable securityContext in container and pod level to deploy postgres on openshift. -* Fixed support for fsGroup in non openshift environemnt and runAsGroup in openshift environment. +* Fixed support for fsGroup in non openshift environment and runAsGroup in openshift environment. * Fixed - Helm Template Error when using artifactory.loggers [GH-1791](https://github.com/jfrog/charts/issues/1791) +* Removed the nginx disable condition for openshift +* Added support to configure event.webhooks within generated system.yaml +* Fixed an issue to generate ssl certificate should support artifactory-ha fullname +* Added 'multiPartLimit' and 'multipartElementSize' parameters to awsS3V3 binary providers. ## [107.62.0] - Jun 5, 2023 * Added support for 'port' and 'useHttp' parameters for s3-storage-v3 binary provider [GH-1767](https://github.com/jfrog/charts/issues/1767) diff --git a/charts/jfrog/artifactory-ha/Chart.yaml b/charts/jfrog/artifactory-ha/Chart.yaml index d39327a29..7810a3afa 100644 --- a/charts/jfrog/artifactory-ha/Chart.yaml +++ b/charts/jfrog/artifactory-ha/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.14.0-0' catalog.cattle.io/release-name: artifactory-ha apiVersion: v2 -appVersion: 7.63.10 +appVersion: 7.63.11 dependencies: - condition: postgresql.enabled name: postgresql @@ -26,4 +26,4 @@ name: artifactory-ha sources: - https://github.com/jfrog/charts type: application -version: 107.63.10 +version: 107.63.11 diff --git a/charts/jfrog/artifactory-ha/files/binarystore.xml b/charts/jfrog/artifactory-ha/files/binarystore.xml index abb30be3e..358466279 100644 --- a/charts/jfrog/artifactory-ha/files/binarystore.xml 
+++ b/charts/jfrog/artifactory-ha/files/binarystore.xml @@ -293,6 +293,12 @@ {{- with .enablePathStyleAccess }} {{ . }} {{- end }} + {{- with .multiPartLimit }} + {{ . }} + {{- end }} + {{- with .multipartElementSize }} + {{ . }} + {{- end }} {{- end }} diff --git a/charts/jfrog/artifactory-ha/templates/_helpers.tpl b/charts/jfrog/artifactory-ha/templates/_helpers.tpl index f974a6a1d..c6ef87daf 100644 --- a/charts/jfrog/artifactory-ha/templates/_helpers.tpl +++ b/charts/jfrog/artifactory-ha/templates/_helpers.tpl @@ -121,9 +121,9 @@ Create chart name and version as used by the chart label. Generate SSL certificates */}} {{- define "artifactory-ha.gen-certs" -}} -{{- $altNames := list ( printf "%s.%s" (include "artifactory-ha.name" .) .Release.Namespace ) ( printf "%s.%s.svc" (include "artifactory-ha.name" .) .Release.Namespace ) -}} +{{- $altNames := list ( printf "%s.%s" (include "artifactory-ha.fullname" .) .Release.Namespace ) ( printf "%s.%s.svc" (include "artifactory-ha.fullname" .) .Release.Namespace ) -}} {{- $ca := genCA "artifactory-ca" 365 -}} -{{- $cert := genSignedCert ( include "artifactory-ha.name" . ) nil $altNames 365 $ca -}} +{{- $cert := genSignedCert ( include "artifactory-ha.fullname" . ) nil $altNames 365 $ca -}} tls.crt: {{ $cert.Cert | b64enc }} tls.key: {{ $cert.Key | b64enc }} {{- end -}} diff --git a/charts/jfrog/artifactory-ha/templates/nginx-artifactory-conf.yaml b/charts/jfrog/artifactory-ha/templates/nginx-artifactory-conf.yaml index fa7689b06..eb1f0e698 100644 --- a/charts/jfrog/artifactory-ha/templates/nginx-artifactory-conf.yaml +++ b/charts/jfrog/artifactory-ha/templates/nginx-artifactory-conf.yaml @@ -1,4 +1,3 @@ -{{- if not (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") -}} {{- if and (not .Values.nginx.customArtifactoryConfigMap) .Values.nginx.enabled }} apiVersion: v1 kind: ConfigMap 
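Review bot: `artifactory-ha.gen-certs` still calls `genCA "artifactory-ca" 365` on every render and emits only `tls.crt` and `tls.key`. Unless the secret template guards it outside the lines shown, each `helm upgrade` mints a new CA and leaf key, and the CA certificate is never published for clients to verify against. Switching the CN and SANs to `artifactory-ha.fullname` fixes the names but not this. I would emit the CA next to the pair, `ca.crt: {{ $ca.Cert | b64enc }}`, and have the secret template reuse an existing secret through Helm's `lookup` before generating a new one. The SAN list could also carry the `.svc.cluster.local` form. The same applies to the `artifactory.gen-certs` hunk in charts/jfrog/artifactory-jcr/charts/artifactory/templates/_helpers.tpl.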
@@ -12,5 +11,4 @@ metadata: data: artifactory.conf: | {{ tpl .Values.nginx.artifactoryConf . | indent 4 }} -{{- end }} {{- end }} \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/templates/nginx-certificate-secret.yaml b/charts/jfrog/artifactory-ha/templates/nginx-certificate-secret.yaml index 4bf31bceb..29c77ad5a 100644 --- a/charts/jfrog/artifactory-ha/templates/nginx-certificate-secret.yaml +++ b/charts/jfrog/artifactory-ha/templates/nginx-certificate-secret.yaml @@ -1,4 +1,3 @@ -{{- if not (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") -}} {{- if and (not .Values.nginx.tlsSecretName) .Values.nginx.enabled .Values.nginx.https.enabled }} apiVersion: v1 kind: Secret @@ -13,4 +12,3 @@ metadata: data: {{ ( include "artifactory-ha.gen-certs" . ) | indent 2 }} {{- end }} -{{- end }} diff --git a/charts/jfrog/artifactory-ha/templates/nginx-conf.yaml b/charts/jfrog/artifactory-ha/templates/nginx-conf.yaml index 8df96815a..5f424d52a 100644 --- a/charts/jfrog/artifactory-ha/templates/nginx-conf.yaml +++ b/charts/jfrog/artifactory-ha/templates/nginx-conf.yaml @@ -1,4 +1,3 @@ -{{- if not (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") -}} {{- if and (not .Values.nginx.customConfigMap) .Values.nginx.enabled }} apiVersion: v1 kind: ConfigMap @@ -13,4 +12,3 @@ data: nginx.conf: | {{ tpl .Values.nginx.mainConf . | indent 4 }} {{- end }} -{{- end }} diff --git a/charts/jfrog/artifactory-ha/templates/nginx-deployment.yaml b/charts/jfrog/artifactory-ha/templates/nginx-deployment.yaml index e8d45acd3..80e2def21 100644 --- a/charts/jfrog/artifactory-ha/templates/nginx-deployment.yaml +++ b/charts/jfrog/artifactory-ha/templates/nginx-deployment.yaml 
@@ -1,4 +1,3 @@ -{{- if not (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") -}} {{- if .Values.nginx.enabled -}} {{- $serviceName := include "artifactory-ha.fullname" . -}} {{- $servicePort := .Values.artifactory.externalPort -}} @@ -213,4 +212,3 @@ spec: {{- end }} {{- end }} {{- end }} -{{- end }} diff --git a/charts/jfrog/artifactory-ha/templates/nginx-pdb.yaml b/charts/jfrog/artifactory-ha/templates/nginx-pdb.yaml index 9c88d319c..0aed99368 100644 --- a/charts/jfrog/artifactory-ha/templates/nginx-pdb.yaml +++ b/charts/jfrog/artifactory-ha/templates/nginx-pdb.yaml @@ -1,4 +1,3 @@ -{{- if not (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") -}} {{- if .Values.nginx.enabled -}} {{- if semverCompare "= 1.14.0-0' catalog.cattle.io/release-name: artifactory-jcr apiVersion: v2 -appVersion: 7.63.10 +appVersion: 7.63.11 dependencies: - name: artifactory repository: file://./charts/artifactory - version: 107.63.10 + version: 107.63.11 description: JFrog Container Registry home: https://jfrog.com/container-registry/ icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-jcr/logo/jcr-logo.png @@ -27,4 +27,4 @@ name: artifactory-jcr sources: - https://github.com/jfrog/charts type: application -version: 107.63.10 +version: 107.63.11 diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md b/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md index 562afed6d..e712bc7e8 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md 
@@ -1,13 +1,17 @@ # JFrog Artifactory Chart Changelog All changes to this chart will be documented in this file. -## [107.63.10] - Jul 20, 2023 +## [107.63.11] - Aug 7, 2023 * Added support for Openshift by adding the securityContext in container level. * **IMPORTANT** -* Nginx deployment is disabled on openshift. * Disable securityContext in container and pod level to deploy postgres on openshift. -* Fixed support for fsGroup in non openshift environemnt and runAsGroup in openshift environment. +* Fixed support for fsGroup in non openshift environment and runAsGroup in openshift environment. * Fixed - Helm Template Error when using artifactory.loggers [GH-1791](https://github.com/jfrog/charts/issues/1791) +* Removed the nginx disable condition for openshift +* Added support to configure event.webhooks within generated system.yaml +* Fixed an issue to generate ssl certificate should support artifactory fullname +* Added binarystore.xml template to persistence storage type `nfs`. The default Filestore location configured according to artifactory.persistence.nfs.dataDir. +* Added 'multiPartLimit' and 'multipartElementSize' parameters to awsS3V3 binary providers. ## [107.62.0] - Jun 5, 2023 * Upgraded to autoscaling/v2 diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml index 0109011e3..a380d91d6 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 7.63.10 +appVersion: 7.63.11 dependencies: - condition: postgresql.enabled name: postgresql @@ -21,4 +21,4 @@ name: artifactory sources: - https://github.com/jfrog/charts type: application -version: 107.63.10 +version: 107.63.11 diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/files/binarystore.xml b/charts/jfrog/artifactory-jcr/charts/artifactory/files/binarystore.xml index 93eadaa16..8b2ba01f1 100644 
--- a/charts/jfrog/artifactory-jcr/charts/artifactory/files/binarystore.xml +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/files/binarystore.xml @@ -1,3 +1,29 @@ +{{- if eq .Values.artifactory.persistence.type "nfs" -}} + + {{- if (.Values.artifactory.persistence.maxCacheSize) }} + + + + + + {{- else }} + + + + {{- end }} + + {{- if .Values.artifactory.persistence.maxCacheSize }} + + {{ .Values.artifactory.persistence.maxCacheSize | int64 }} + {{ .Values.artifactory.persistence.cacheProviderDir }} + + {{- end }} + + + {{ .Values.artifactory.persistence.nfs.dataDir }}/filestore + + +{{- end }} {{- if eq .Values.artifactory.persistence.type "file-system" -}} @@ -253,6 +279,12 @@ {{- with .enablePathStyleAccess }} {{ . }} {{- end }} + {{- with .multiPartLimit }} + {{ . }} + {{- end }} + {{- with .multipartElementSize }} + {{ . }} + {{- end }} {{- end }} diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/_helpers.tpl b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/_helpers.tpl index 9f4ec768a..a28776f87 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/_helpers.tpl +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/_helpers.tpl 
@@ -88,9 +88,9 @@ Create chart name and version as used by the chart label. Generate SSL certificates */}} {{- define "artifactory.gen-certs" -}} -{{- $altNames := list ( printf "%s.%s" (include "artifactory.name" .) .Release.Namespace ) ( printf "%s.%s.svc" (include "artifactory.name" .) .Release.Namespace ) -}} +{{- $altNames := list ( printf "%s.%s" (include "artifactory.fullname" .) .Release.Namespace ) ( printf "%s.%s.svc" (include "artifactory.fullname" .) .Release.Namespace ) -}} {{- $ca := genCA "artifactory-ca" 365 -}} -{{- $cert := genSignedCert ( include "artifactory.name" . ) nil $altNames 365 $ca -}} +{{- $cert := genSignedCert ( include "artifactory.fullname" . ) nil $altNames 365 $ca -}} tls.crt: {{ $cert.Cert | b64enc }} tls.key: {{ $cert.Key | b64enc }} {{- end -}} diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-artifactory-conf.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-artifactory-conf.yaml index a08d2cdad..bd2ebea96 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-artifactory-conf.yaml +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-artifactory-conf.yaml @@ -1,4 +1,3 @@ -{{- if not (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") -}} {{- if and (not .Values.nginx.customArtifactoryConfigMap) .Values.nginx.enabled }} apiVersion: v1 kind: ConfigMap @@ -12,5 +11,4 @@ metadata: data: artifactory.conf: | {{ tpl .Values.nginx.artifactoryConf . | indent 4 }} -{{- end }} {{- end }} \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-certificate-secret.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-certificate-secret.yaml index 1f402f70f..f13d40174 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-certificate-secret.yaml 
+++ b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-certificate-secret.yaml @@ -1,4 +1,3 @@ -{{- if not (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") -}} {{- if and (not .Values.nginx.tlsSecretName) .Values.nginx.enabled .Values.nginx.https.enabled }} apiVersion: v1 kind: Secret @@ -13,4 +12,3 @@ metadata: data: {{ ( include "artifactory.gen-certs" . ) | indent 2 }} {{- end }} -{{- end }} diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-conf.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-conf.yaml index a06b72cc1..851eae247 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-conf.yaml +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-conf.yaml @@ -1,4 +1,3 @@ -{{- if not (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") -}} {{- if and (not .Values.nginx.customConfigMap) .Values.nginx.enabled }} apiVersion: v1 kind: ConfigMap @@ -13,4 +12,3 @@ data: nginx.conf: | {{ tpl .Values.nginx.mainConf . | indent 4 }} {{- end }} -{{- end }} diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-deployment.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-deployment.yaml index 42b4cce60..ff7c78c5d 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-deployment.yaml +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-deployment.yaml @@ -1,4 +1,3 @@ -{{- if not (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") -}} {{- if .Values.nginx.enabled -}} {{- $serviceName := include "artifactory.fullname" . -}} {{- $servicePort := .Values.artifactory.externalPort -}} @@ -214,5 +213,4 @@ spec: secretName: {{ template "artifactory.fullname" . }}-nginx-certificate {{- end }} {{- end }} -{{- end }} {{- end }} \ No newline at end of file 
diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-pdb.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-pdb.yaml index b0bcf8e58..dff0c23a3 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-pdb.yaml +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-pdb.yaml @@ -1,4 +1,3 @@ -{{- if not (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") -}} {{- if .Values.nginx.enabled -}} {{- if semverCompare "= 2.11.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups/status + verbs: + - get + - patch + - update +{{- end }} {{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} - apiGroups: - "" @@ -1600,3 +1618,13 @@ networking.k8s.io/v1beta1 extensions/v1beta1 {{- end -}} {{- end -}} + +{{- define "kong.proxy.compatibleReadiness" -}} +{{- $proxyReadiness := .Values.readinessProbe -}} +{{- if (or (semverCompare "< 3.3.0" (include "kong.effectiveVersion" .Values.image)) (and .Values.ingressController.enabled (semverCompare "< 2.11.0" (include "kong.effectiveVersion" .Values.ingressController.image)))) -}} + {{- if (eq $proxyReadiness.httpGet.path "/status/ready") -}} + {{- $_ := set $proxyReadiness.httpGet "path" "/status" -}} + {{- end -}} +{{- end -}} +{{- (toYaml $proxyReadiness) -}} +{{- end -}} diff --git a/charts/kong/kong/templates/deployment.yaml b/charts/kong/kong/templates/deployment.yaml index 24823b9e5..0d9e28a66 100644 --- a/charts/kong/kong/templates/deployment.yaml +++ b/charts/kong/kong/templates/deployment.yaml 
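Review bot: `kong.proxy.compatibleReadiness` dereferences `$proxyReadiness.httpGet.path` without checking that `httpGet` exists, so a values override that replaces the probe with `tcpSocket` or `exec` would likely fail the render with a nil-pointer error whenever the version condition is true. `$proxyReadiness` is also the same map as `.Values.readinessProbe`, so the `set` call rewrites the chart values in place for every template rendered afterwards. I would copy first, `{{- $proxyReadiness := deepCopy .Values.readinessProbe -}}`, and wrap the path comparison in `{{- if $proxyReadiness.httpGet -}}` … `{{- end -}}`.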
@@ -270,7 +270,7 @@ spec: {{- include "kong.volumeMounts" . | nindent 10 }} {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 10 }} readinessProbe: -{{ toYaml .Values.readinessProbe | indent 10 }} +{{ include "kong.proxy.compatibleReadiness" . | indent 10 }} livenessProbe: {{ toYaml .Values.livenessProbe | indent 10 }} {{- if .Values.startupProbe }} diff --git a/charts/kong/kong/templates/migrations-pre-upgrade.yaml b/charts/kong/kong/templates/migrations-pre-upgrade.yaml index f8fe4a1ff..a98213d2a 100644 --- a/charts/kong/kong/templates/migrations-pre-upgrade.yaml +++ b/charts/kong/kong/templates/migrations-pre-upgrade.yaml @@ -13,6 +13,8 @@ metadata: annotations: helm.sh/hook: "pre-upgrade" helm.sh/hook-delete-policy: "before-hook-creation" + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation {{- range $key, $value := .Values.migrations.jobAnnotations }} {{ $key }}: {{ $value | quote }} {{- end }} diff --git a/charts/kong/kong/templates/migrations.yaml b/charts/kong/kong/templates/migrations.yaml index 5b918abc8..c410a4a71 100644 --- a/charts/kong/kong/templates/migrations.yaml +++ b/charts/kong/kong/templates/migrations.yaml @@ -21,6 +21,8 @@ metadata: {{- include "kong.metaLabels" . | nindent 4 }} app.kubernetes.io/component: init-migrations annotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation {{- range $key, $value := .Values.migrations.jobAnnotations }} {{ $key }}: {{ $value | quote }} {{- end }} diff --git a/charts/kong/kong/values.yaml b/charts/kong/kong/values.yaml index b419a4395..ebec4f55d 100644 --- a/charts/kong/kong/values.yaml +++ b/charts/kong/kong/values.yaml 
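Review bot: The two `argocd.argoproj.io/*` annotations added in migrations-pre-upgrade.yaml are emitted unconditionally, directly above the `range` over `.Values.migrations.jobAnnotations`. A release that already sets either key there, which is plausible for existing Argo CD users, will render the same key twice in one mapping. Depending on the YAML parser that is a render error or a silent last-wins, and the migrations.yaml hunk repeats the pattern. Wrapping each default in a guard such as `{{- if not (hasKey .Values.migrations.jobAnnotations "argocd.argoproj.io/hook") }}` lets the user value take precedence, assuming `jobAnnotations` defaults to a map, which these hunks do not show. The new values are also unquoted while the `helm.sh/hook` lines beside them are quoted, so `"Sync"` and `"BeforeHookCreation"` would match the existing style.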
@@ -86,7 +86,7 @@ env: database: "off" # the chart uses the traditional router (for Kong 3.x+) because the ingress # controller generates traditional routes. if you do not use the controller, - # you may set this to "traditional_compatible" or "expression" to use the new + # you may set this to "traditional_compatible" or "expressions" to use the new # DSL-based router router_flavor: "traditional" nginx_worker_processes: "2" @@ -514,7 +514,7 @@ ingressController: enabled: true image: repository: kong/kubernetes-ingress-controller - tag: "2.10" + tag: "2.11" # Optionally set a semantic version for version-gated features. This can normally # be left unset. You only need to set this if your tag is not a semver string, # such as when you are using a "next" tag. Set this to the effective semantic @@ -800,7 +800,7 @@ resources: {} # readinessProbe for Kong pods readinessProbe: httpGet: - path: "/status" + path: "/status/ready" port: status scheme: HTTP initialDelaySeconds: 5 diff --git a/charts/linkerd/linkerd-control-plane/Chart.yaml b/charts/linkerd/linkerd-control-plane/Chart.yaml index 0a9cd7683..492a01394 100644 --- a/charts/linkerd/linkerd-control-plane/Chart.yaml +++ b/charts/linkerd/linkerd-control-plane/Chart.yaml @@ -5,7 +5,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.21.0-0' catalog.cattle.io/release-name: linkerd-control-plane apiVersion: v2 -appVersion: stable-2.13.5 +appVersion: stable-2.13.6 dependencies: - name: partials repository: file://./charts/partials @@ -25,4 +25,4 @@ name: linkerd-control-plane sources: - https://github.com/linkerd/linkerd2/ type: application -version: 1.12.5 +version: 1.12.6 diff --git a/charts/linkerd/linkerd-control-plane/README.md b/charts/linkerd/linkerd-control-plane/README.md index 60a73dca7..9dc5651fc 100644 --- a/charts/linkerd/linkerd-control-plane/README.md +++ b/charts/linkerd/linkerd-control-plane/README.md 
@@ -3,7 +3,7 @@ Linkerd gives you observability, reliability, and security for your microservices — with no code change required. -![Version: 1.12.5](https://img.shields.io/badge/Version-1.12.5-informational?style=flat-square) +![Version: 1.12.6](https://img.shields.io/badge/Version-1.12.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square) diff --git a/charts/linkerd/linkerd-control-plane/values.yaml b/charts/linkerd/linkerd-control-plane/values.yaml index 121c989ed..be120f992 100644 --- a/charts/linkerd/linkerd-control-plane/values.yaml +++ b/charts/linkerd/linkerd-control-plane/values.yaml @@ -22,7 +22,7 @@ controlPlaneTracing: false # -- namespace to send control plane traces to controlPlaneTracingNamespace: linkerd-jaeger # -- control plane version. See Proxy section for proxy version -linkerdVersion: stable-2.13.5 +linkerdVersion: stable-2.13.6 # -- default kubernetes deployment strategy deploymentStrategy: rollingUpdate: diff --git a/charts/loft/loft/Chart.yaml b/charts/loft/loft/Chart.yaml index cba5f5b98..6c0a1c0c8 100644 --- a/charts/loft/loft/Chart.yaml +++ b/charts/loft/loft/Chart.yaml @@ -28,4 +28,4 @@ name: loft sources: - https://github.com/loft-sh/loft type: application -version: 3.2.1 +version: 3.2.2 diff --git a/charts/redpanda/redpanda/Chart.lock b/charts/redpanda/redpanda/Chart.lock index a2f0bcd68..87c6f86c5 100644 --- a/charts/redpanda/redpanda/Chart.lock +++ b/charts/redpanda/redpanda/Chart.lock 
@@ -2,5 +2,8 @@ dependencies: - name: console repository: https://charts.redpanda.com version: 0.6.9 -digest: sha256:fe29342975df64efd6eb1eb5697bd132f3617b694ea6f6c7998565a74934aa4f -generated: "2023-08-09T02:14:17.821759561Z" +- name: connectors + repository: https://charts.redpanda.com + version: 0.1.5 +digest: sha256:a6551592297729ade6278eb5df5ffe545bcc0aadb94606886cc15555eec0204f +generated: "2023-08-10T19:27:23.75568026Z" diff --git a/charts/redpanda/redpanda/Chart.yaml b/charts/redpanda/redpanda/Chart.yaml index 1eebc3a39..733ffaca1 100644 --- a/charts/redpanda/redpanda/Chart.yaml +++ b/charts/redpanda/redpanda/Chart.yaml @@ -23,6 +23,10 @@ dependencies: name: console repository: file://./charts/console version: '>=0.5 <1.0' +- condition: connectors.enabled + name: connectors + repository: file://./charts/connectors + version: '>=0.1.2 <1.0' description: Redpanda is the real-time engine for modern apps. icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg kubeVersion: '>=1.21-0' @@ -33,4 +37,4 @@ name: redpanda sources: - https://github.com/redpanda-data/helm-charts type: application -version: 5.0.10 +version: 5.1.2 diff --git a/charts/redpanda/redpanda/charts/connectors/.helmignore b/charts/redpanda/redpanda/charts/connectors/.helmignore new file mode 100644 index 000000000..04ecd888b --- /dev/null +++ b/charts/redpanda/redpanda/charts/connectors/.helmignore @@ -0,0 +1,24 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +README.md.gotmpl +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ 
diff --git a/charts/redpanda/redpanda/charts/connectors/Chart.yaml b/charts/redpanda/redpanda/charts/connectors/Chart.yaml new file mode 100644 index 000000000..c0becc328 --- /dev/null +++ b/charts/redpanda/redpanda/charts/connectors/Chart.yaml @@ -0,0 +1,25 @@ +annotations: + artifacthub.io/images: | + - name: connectors + image: docker.redpanda.com/redpandadata/connectors:v1.0.2 + - name: rpk + image: docker.redpanda.com/redpandadata/redpanda:latest + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.6.0)" + url: https://helm.sh/docs/intro/install/ +apiVersion: v2 +appVersion: v1.0.2 +description: Redpanda managed Connectors helm chart +icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg +kubeVersion: ^1.21.0-0 +maintainers: +- name: redpanda-data + url: https://github.com/orgs/redpanda-data/people +name: connectors +sources: +- https://github.com/redpanda-data/helm-charts +type: application +version: 0.1.5 diff --git a/charts/redpanda/redpanda/charts/connectors/LICENSE b/charts/redpanda/redpanda/charts/connectors/LICENSE new file mode 100644 index 000000000..261eeb9e9 --- /dev/null +++ b/charts/redpanda/redpanda/charts/connectors/LICENSE 
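Review bot: The `artifacthub.io/images` annotation in the new connectors Chart.yaml lists the rpk image as `docker.redpanda.com/redpandadata/redpanda:latest`, a mutable tag, while the connectors entry above it is pinned to `v1.0.2`. Artifact Hub reads this list for its image security report, so a `latest` entry is scanned as whatever the tag points to at scan time rather than what this chart version deploys. The image the templates actually pull is not visible in this hunk, so check that the annotation matches it. Pinning the entry as `image: docker.redpanda.com/redpandadata/redpanda:<released-tag>` (placeholder for the tag the chart really uses) keeps the published metadata reproducible and auditable.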
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/redpanda/redpanda/charts/connectors/README.md b/charts/redpanda/redpanda/charts/connectors/README.md new file mode 100644 index 000000000..8d32cbdf0 --- /dev/null +++ b/charts/redpanda/redpanda/charts/connectors/README.md 
@@ -0,0 +1,963 @@ +--- +title: Redpanda Helm Chart Specification +tags: + - Kubernetes + - Helm configuration +description: Find the default values and descriptions of settings in the Redpanda Helm chart. +--- + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.2](https://img.shields.io/badge/AppVersion-v1.0.2-informational?style=flat-square) + +This page describes the official Redpanda Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/redpanda/values.yaml). Each of the settings is listed and described on this page, along with any default values. + +For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to the [deployment documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-deploy/). + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) + +## Source Code + +* + +## Requirements + +Kubernetes: `^1.21.0-0` + +## Settings + +### [auth](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth) + +Authentication settings. For details, see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/). + +**Default:** + +``` +{"sasl":{"enabled":false,"mechanism":"SCRAM-SHA-512","secretRef":"redpanda-users","users":[{"mechanism":"SCRAM-SHA-512","name":"admin","password":"change-me"}]}} +``` + +### [auth.sasl.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.enabled) + +Enable SASL authentication. 
If you enable SASL authentication, you must provide a Secret in `auth.sasl.secretRef`. + +**Default:** `false` + +### [auth.sasl.mechanism](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.mechanism) + +The authentication mechanism to use for the superuser. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + +**Default:** `"SCRAM-SHA-512"` + +### [auth.sasl.secretRef](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.secretRef) + +A Secret that contains your superuser credentials. The file must include an empty line at the end. For details, see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/#use-secrets). + +**Default:** `"redpanda-users"` + +### [auth.sasl.users](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.users) + +Optional list of superusers. These superusers will be created in the Secret whose name is defined in `auth.sasl.secretRef`. If this list is empty, the Secret in `auth.sasl.secretRef` must already exist in the cluster before you deploy the chart. + +**Default:** + +``` +[{"mechanism":"SCRAM-SHA-512","name":"admin","password":"change-me"}] +``` + +### [clusterDomain](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=clusterDomain) + +Default Kubernetes cluster domain. + +**Default:** `"cluster.local"` + +### [commonLabels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=commonLabels) + +Additional labels to add to all Kubernetes objects. For example, `my.k8s.service: redpanda`. + +**Default:** `{}` + +### [config](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config) + +This section contains various settings supported by Redpanda that may not work correctly in a Kubernetes cluster. Changing these settings comes with some risk. 
Use these settings to customize various Redpanda configurations that are not covered in other sections. These values have no impact on the configuration or behavior of the Kubernetes objects deployed by Helm, and therefore should not be modified for the purpose of configuring those objects. Instead, these settings get passed directly to the Redpanda binary at startup. For descriptions of these properties, see the [configuration documentation](https://docs.redpanda.com/docs/cluster-administration/configuration/). + +**Default:** + +``` +{"cluster":{},"node":{},"rpk":{},"tunable":{"compacted_log_segment_size":67108864,"group_topic_partitions":16,"kafka_batch_max_bytes":1048576,"kafka_connection_rate_limit":1000,"log_segment_size":134217728,"log_segment_size_max":268435456,"log_segment_size_min":16777216,"max_compacted_log_segment_size":536870912,"topic_partitions_per_shard":1000}} +``` + +### [config.node](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.node) + +Node (broker) properties. See the [property reference documentation](https://docs.redpanda.com/docs/reference/node-properties/). + +**Default:** `{}` + +### [config.tunable](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable) + +Tunable cluster properties. + +**Default:** + +``` +{"compacted_log_segment_size":67108864,"group_topic_partitions":16,"kafka_batch_max_bytes":1048576,"kafka_connection_rate_limit":1000,"log_segment_size":134217728,"log_segment_size_max":268435456,"log_segment_size_min":16777216,"max_compacted_log_segment_size":536870912,"topic_partitions_per_shard":1000} +``` + +### [config.tunable.compacted_log_segment_size](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.compacted_log_segment_size) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#compacted_log_segment_size). 
+ +**Default:** `67108864` + +### [config.tunable.group_topic_partitions](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.group_topic_partitions) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#group_topic_partitions). + +**Default:** `16` + +### [config.tunable.kafka_batch_max_bytes](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.kafka_batch_max_bytes) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#kafka_batch_max_bytes). + +**Default:** `1048576` + +### [config.tunable.kafka_connection_rate_limit](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.kafka_connection_rate_limit) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#kafka_connection_rate_limit). + +**Default:** `1000` + +### [config.tunable.log_segment_size](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.log_segment_size) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#log_segment_size). + +**Default:** `134217728` + +### [config.tunable.log_segment_size_max](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.log_segment_size_max) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#log_segment_size_max). + +**Default:** `268435456` + +### [config.tunable.log_segment_size_min](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.log_segment_size_min) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#log_segment_size_min). 
+ +**Default:** `16777216` + +### [config.tunable.max_compacted_log_segment_size](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.max_compacted_log_segment_size) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#max_compacted_log_segment_size). + +**Default:** `536870912` + +### [config.tunable.topic_partitions_per_shard](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.topic_partitions_per_shard) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#topic_partitions_per_shard). + +**Default:** `1000` + +### [console](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=console) + +Redpanda Console settings. For a reference of configuration settings, see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/). + +**Default:** + +``` +{"config":{},"configmap":{"create":false},"deployment":{"create":false},"enabled":true,"secret":{"create":false}} +``` + +### [external](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external) + +External access settings. For details, see the [Networking and Connectivity documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/networking-and-connectivity/). + +**Default:** + +``` +{"enabled":true,"type":"NodePort"} +``` + +### [external.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.enabled) + +Enable external access for each Service. You can toggle external access for each listener in `listeners..external..enabled`. + +**Default:** `true` + +### [external.type](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.type) + +External access type. Only `NodePort` and `LoadBalancer` are supported. 
If undefined, then advertised listeners will be configured in Redpanda, but the helm chart will not create a Service. You must create a Service manually. Warning: If you use LoadBalancers, you will likely experience higher latency and increased packet loss. NodePort is recommended in cases where latency is a priority. + +**Default:** `"NodePort"` + +### [fullnameOverride](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=fullnameOverride) + +Override `redpanda.fullname` template. + +**Default:** `""` + +### [image](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image) + +Redpanda Docker image settings. + +**Default:** + +``` +{"pullPolicy":"IfNotPresent","repository":"docker.redpanda.com/redpandadata/redpanda","tag":""} +``` + +### [image.pullPolicy](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.pullPolicy) + +The imagePullPolicy. If `image.tag` is 'latest', the default is `Always`. + +**Default:** `"IfNotPresent"` + +### [image.repository](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.repository) + +Docker repository from which to pull the Redpanda Docker image. + +**Default:** + +``` +"docker.redpanda.com/redpandadata/redpanda" +``` + +### [image.tag](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.tag) + +The Redpanda version. See DockerHub for: [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags) and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags). + +**Default:** `Chart.appVersion`. 
+ +### [imagePullSecrets](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=imagePullSecrets) + +Pull secrets may be used to provide credentials to image repositories See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + +**Default:** `[]` + +### [license_key](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=license_key) + +Enterprise license key (optional). For details, see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition). + +**Default:** `""` + +### [license_secret_ref](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=license_secret_ref) + +Secret name and secret key where the license key is stored. + +**Default:** `{}` + +### [listeners](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners) + +Listener settings. Override global settings configured above for individual listeners. For details, see the [listeners documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/configure-listeners/). 
+ +**Default:** + +``` +{"admin":{"external":{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}},"port":9644,"tls":{"cert":"default","requireClientAuth":false}},"http":{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30082],"authenticationMethod":null,"port":8083,"tls":{"cert":"external"}}},"kafkaEndpoint":"default","port":8082,"tls":{"cert":"default","requireClientAuth":false}},"kafka":{"authenticationMethod":null,"external":{"default":{"advertisedPorts":[31092],"authenticationMethod":null,"port":9094,"tls":{"cert":"external"}}},"port":9093,"tls":{"cert":"default","requireClientAuth":false}},"rpc":{"port":33145,"tls":{"cert":"default","requireClientAuth":false}},"schemaRegistry":{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30081],"authenticationMethod":null,"port":8084,"tls":{"cert":"external"}}},"kafkaEndpoint":"default","port":8081,"tls":{"cert":"default","requireClientAuth":false}}} +``` + +### [listeners.admin](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin) + +Admin API listener (only one). + +**Default:** + +``` +{"external":{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}},"port":9644,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [listeners.admin.external](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.external) + +Optional external access settings. + +**Default:** + +``` +{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}} +``` + +### [listeners.admin.external.default](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.external.default) + +Name of the external listener. 
+ +**Default:** + +``` +{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}} +``` + +### [listeners.admin.external.default.tls](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.external.default.tls) + +The port advertised to this listener's external clients. List one port if you want to use the same port for each broker (would be the case when using NodePort service). Otherwise, list the port you want to use for each broker in order of StatefulSet replicas. If undefined, `listeners.admin.port` is used. + +**Default:** `{"cert":"external"}` + +### [listeners.admin.port](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.port) + +The port for both internal and external connections to the Admin API. + +**Default:** `9644` + +### [listeners.admin.tls](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.tls) + +Optional TLS section (required if global TLS is enabled) + +**Default:** + +``` +{"cert":"default","requireClientAuth":false} +``` + +### [listeners.admin.tls.cert](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.tls.cert) + +Name of the Certificate used for TLS (must match a Certificate name that is registered in tls.certs). + +**Default:** `"default"` + +### [listeners.admin.tls.requireClientAuth](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.tls.requireClientAuth) + +If true, the truststore file for this listener is included in the ConfigMap. + +**Default:** `false` + +### [listeners.http](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.http) + +HTTP API listeners (aka PandaProxy). 
+ +**Default:** + +``` +{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30082],"authenticationMethod":null,"port":8083,"tls":{"cert":"external"}}},"kafkaEndpoint":"default","port":8082,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [listeners.kafka](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka) + +Kafka API listeners. + +**Default:** + +``` +{"authenticationMethod":null,"external":{"default":{"advertisedPorts":[31092],"authenticationMethod":null,"port":9094,"tls":{"cert":"external"}}},"port":9093,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [listeners.kafka.external.default.advertisedPorts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka.external.default.advertisedPorts) + +If undefined, `listeners.kafka.external.default.port` is used. + +**Default:** `[31092]` + +### [listeners.kafka.external.default.port](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka.external.default.port) + +The port used for external client connections. + +**Default:** `9094` + +### [listeners.kafka.port](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka.port) + +The port for internal client connections. + +**Default:** `9093` + +### [listeners.rpc](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.rpc) + +RPC listener (this is never externally accessible). + +**Default:** + +``` +{"port":33145,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [listeners.schemaRegistry](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.schemaRegistry) + +Schema registry listeners. 
+ +**Default:** + +``` +{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30081],"authenticationMethod":null,"port":8084,"tls":{"cert":"external"}}},"kafkaEndpoint":"default","port":8081,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [logging](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=logging) + +Log-level settings. + +**Default:** + +``` +{"logLevel":"info","usageStats":{"enabled":true}} +``` + +### [logging.logLevel](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=logging.logLevel) + +Log level Valid values (from least to most verbose) are: `warn`, `info`, `debug`, and `trace`. + +**Default:** `"info"` + +### [logging.usageStats](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=logging.usageStats) + +Send usage statistics back to Redpanda Data. For details, see the [stats reporting documentation](https://docs.redpanda.com/docs/cluster-administration/monitoring/#stats-reporting). + +**Default:** `{"enabled":true}` + +### [monitoring](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=monitoring) + +Monitoring. This will create a ServiceMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics. + +**Default:** + +``` +{"enabled":false,"labels":{},"scrapeInterval":"30s"} +``` + +### [nameOverride](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=nameOverride) + +Override `redpanda.name` template. + +**Default:** `""` + +### [nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=nodeSelector) + +Node selection constraints for scheduling Pods, can override this for StatefulSets. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). 
+ +**Default:** `{}` + +### [post_install_job.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.enabled) + +**Default:** `true` + +### [post_upgrade_job.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_upgrade_job.enabled) + +**Default:** `true` + +### [rackAwareness](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rackAwareness) + +Rack Awareness settings. For details, see the [Rack Awareness documentation](https://docs.redpanda.com/docs/manage/kubernetes/kubernetes-rack-awareness/). + +**Default:** + +``` +{"enabled":false,"nodeAnnotation":"topology.kubernetes.io/zone"} +``` + +### [rackAwareness.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rackAwareness.enabled) + +When running in multiple racks or availability zones, use a Kubernetes Node annotation value as the Redpanda rack value. Enabling this requires running with a service account with "get" Node permissions. To have the Helm chart configure these permissions, set `serviceAccount.create=true` and `rbac.enabled=true`. + +**Default:** `false` + +### [rackAwareness.nodeAnnotation](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rackAwareness.nodeAnnotation) + +The common well-known annotation to use as the rack ID. Override this only if you use a custom Node annotation. + +**Default:** + +``` +"topology.kubernetes.io/zone" +``` + +### [rbac](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac) + +Role Based Access Control. + +**Default:** + +``` +{"annotations":{},"enabled":false} +``` + +### [rbac.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac.annotations) + +Annotations to add to the `rbac` resources. 
+ +**Default:** `{}` + +### [rbac.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac.enabled) + +Enable for features that need extra privileges. + +**Default:** `false` + +### [resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources) + +Pod resource management. This section simplifies resource allocation by providing a single location where resources are defined. Helm sets these resource values within the `statefulset.yaml` and `configmap.yaml` templates. The default values are for a development environment. Production-level values and other considerations are documented, where those values are different from the default. For details, see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/). + +**Default:** + +``` +{"cpu":{"cores":1},"memory":{"container":{"max":"2.5Gi"}}} +``` + +### [resources.cpu](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.cpu) + +CPU resources. For details, see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-cpu-resources). + +**Default:** `{"cores":1}` + +### [resources.cpu.cores](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.cpu.cores) + +Redpanda makes use of a thread per core model. For details, see this [blog](https://redpanda.com/blog/tpc-buffers). For this reason, Redpanda should only be given full cores. Note: You can increase cores, but decreasing cores is not currently supported. See the [GitHub issue](https://github.com/redpanda-data/redpanda/issues/350). This setting is equivalent to `--smp`, `resources.requests.cpu`, and `resources.limits.cpu`. For production, use `4` or greater. 
+ +**Default:** `1` + +### [resources.memory](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.memory) + +Memory resources For details, see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-memory-resources). + +**Default:** + +``` +{"container":{"max":"2.5Gi"}} +``` + +### [resources.memory.container.max](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.memory.container.max) + +Maximum memory count for each Redpanda broker. Equivalent to `resources.limits.memory`. For production, use `10Gi` or greater. + +**Default:** `"2.5Gi"` + +### [serviceAccount](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount) + +Service account management. + +**Default:** + +``` +{"annotations":{},"create":false,"name":""} +``` + +### [serviceAccount.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.annotations) + +Annotations to add to the service account. + +**Default:** `{}` + +### [serviceAccount.create](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.create) + +Specifies whether a service account should be created. + +**Default:** `false` + +### [serviceAccount.name](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.name) + +The name of the service account to use. If not set and `serviceAccount.create` is `true`, a name is generated using the `redpanda.fullname` template. 
+ +**Default:** `""` + +### [statefulset.additionalRedpandaCmdFlags](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.additionalRedpandaCmdFlags) + +Additional flags to pass to redpanda, + +**Default:** `[]` + +### [statefulset.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.annotations) + +Additional annotations to apply to the Pods of this StatefulSet. + +**Default:** `{}` + +### [statefulset.budget.maxUnavailable](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.budget.maxUnavailable) + +**Default:** `1` + +### [statefulset.initContainerImage.repository](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainerImage.repository) + +**Default:** `"busybox"` + +### [statefulset.initContainerImage.tag](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainerImage.tag) + +**Default:** `"latest"` + +### [statefulset.initContainers.configurator.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.configurator.resources) + +**Default:** `{}` + +### [statefulset.initContainers.setDataDirOwnership.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setDataDirOwnership.enabled) + +In environments where root is not allowed, you cannot change the ownership of files and directories. Enable `setDataDirOwnership` when using default minikube cluster configuration. 
+ +**Default:** `false` + +### [statefulset.initContainers.setDataDirOwnership.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setDataDirOwnership.resources) + +**Default:** `{}` + +### [statefulset.initContainers.setTieredStorageCacheDirOwnership.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setTieredStorageCacheDirOwnership.resources) + +**Default:** `{}` + +### [statefulset.initContainers.tuning.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.tuning.resources) + +**Default:** `{}` + +### [statefulset.livenessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.livenessProbe.failureThreshold) + +**Default:** `3` + +### [statefulset.livenessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.livenessProbe.initialDelaySeconds) + +**Default:** `10` + +### [statefulset.livenessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.livenessProbe.periodSeconds) + +**Default:** `10` + +### [statefulset.nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.nodeSelector) + +Node selection constraints for scheduling Pods of this StatefulSet. These constraints override the global nodeSelector value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). + +**Default:** `{}` + +### [statefulset.podAffinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAffinity) + +Inter-Pod Affinity rules for scheduling Pods of this StatefulSet. 
For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + +**Default:** `{}` + +### [statefulset.podAntiAffinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity) + +Anti-affinity rules for scheduling Pods of this StatefulSet. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). You may either edit the default settings for anti-affinity rules, or specify new anti-affinity rules to use instead of the defaults. + +**Default:** + +``` +{"custom":{},"topologyKey":"kubernetes.io/hostname","type":"hard","weight":100} +``` + +### [statefulset.podAntiAffinity.custom](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.custom) + +Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here. + +**Default:** `{}` + +### [statefulset.podAntiAffinity.topologyKey](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.topologyKey) + +The topologyKey to be used. Can be used to spread across different nodes, AZs, regions etc. + +**Default:** `"kubernetes.io/hostname"` + +### [statefulset.podAntiAffinity.type](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.type) + +Valid anti-affinity types are `soft`, `hard`, or `custom`. Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object. + +**Default:** `"hard"` + +### [statefulset.podAntiAffinity.weight](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.weight) + +Weight for `soft` anti-affinity rules. Does not apply for other anti-affinity types. 
+ +**Default:** `100` + +### [statefulset.priorityClassName](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.priorityClassName) + +PriorityClassName given to Pods of this StatefulSet. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). + +**Default:** `""` + +### [statefulset.readinessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.failureThreshold) + +**Default:** `3` + +### [statefulset.readinessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.initialDelaySeconds) + +**Default:** `1` + +### [statefulset.readinessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.periodSeconds) + +**Default:** `10` + +### [statefulset.readinessProbe.successThreshold](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.successThreshold) + +**Default:** `1` + +### [statefulset.replicas](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.replicas) + +Number of Redpanda brokers (Redpanda Data recommends setting this to the number of worker nodes in the cluster) + +**Default:** `3` + +### [statefulset.securityContext.fsGroup](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.securityContext.fsGroup) + +**Default:** `101` + +### [statefulset.securityContext.fsGroupChangePolicy](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.securityContext.fsGroupChangePolicy) + +**Default:** `"OnRootMismatch"` + +### 
[statefulset.securityContext.runAsUser](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.securityContext.runAsUser) + +**Default:** `101` + +### [statefulset.sideCars.configWatcher.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.enabled) + +**Default:** `true` + +### [statefulset.sideCars.configWatcher.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.resources) + +**Default:** `{}` + +### [statefulset.sideCars.configWatcher.securityContext](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.securityContext) + +**Default:** `{}` + +### [statefulset.startupProbe](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.startupProbe) + +Adjust the period for your probes to meet your needs. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes). + +**Default:** + +``` +{"failureThreshold":120,"initialDelaySeconds":1,"periodSeconds":10} +``` + +### [statefulset.terminationGracePeriodSeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.terminationGracePeriodSeconds) + +**Default:** `90` + +### [statefulset.tolerations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.tolerations) + +Taints to be tolerated by Pods of this StatefulSet. These tolerations override the global tolerations value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). 
+ +**Default:** `[]` + +### [statefulset.topologySpreadConstraints[0].maxSkew](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.topologySpreadConstraints[0].maxSkew) + +**Default:** `1` + +### [statefulset.topologySpreadConstraints[0].topologyKey](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.topologySpreadConstraints[0].topologyKey) + +**Default:** + +``` +"topology.kubernetes.io/zone" +``` + +### [statefulset.topologySpreadConstraints[0].whenUnsatisfiable](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.topologySpreadConstraints[0].whenUnsatisfiable) + +**Default:** `"ScheduleAnyway"` + +### [statefulset.updateStrategy.type](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.updateStrategy.type) + +**Default:** `"RollingUpdate"` + +### [storage](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage) + +Persistence settings. For details, see the [storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/configure-storage/). 
+ +**Default:** + +``` +{"hostPath":"","persistentVolume":{"annotations":{},"enabled":true,"labels":{},"size":"20Gi","storageClass":""},"tieredConfig":{"cloud_storage_access_key":"","cloud_storage_api_endpoint":"","cloud_storage_azure_container":null,"cloud_storage_azure_shared_key":null,"cloud_storage_azure_storage_account":null,"cloud_storage_bucket":"","cloud_storage_cache_size":5368709120,"cloud_storage_credentials_source":"config_file","cloud_storage_enable_remote_read":true,"cloud_storage_enable_remote_write":true,"cloud_storage_enabled":false,"cloud_storage_region":"","cloud_storage_secret_key":""},"tieredStorageHostPath":"","tieredStoragePersistentVolume":{"annotations":{},"enabled":false,"labels":{},"storageClass":""}} +``` + +### [storage.hostPath](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.hostPath) + +Absolute path on the host to store Redpanda's data. If unspecified, then an `emptyDir` volume is used. If specified but `persistentVolume.enabled` is true, `storage.hostPath` has no effect. + +**Default:** `""` + +### [storage.persistentVolume](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume) + +If `persistentVolume.enabled` is true, a PersistentVolumeClaim is created and used to store Redpanda's data. Otherwise, `storage.hostPath` is used. + +**Default:** + +``` +{"annotations":{},"enabled":true,"labels":{},"size":"20Gi","storageClass":""} +``` + +### [storage.persistentVolume.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.annotations) + +Additional annotations to apply to the created PersistentVolumeClaims. + +**Default:** `{}` + +### [storage.persistentVolume.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.labels) + +Additional labels to apply to the created PersistentVolumeClaims. 
+ +**Default:** `{}` + +### [storage.persistentVolume.storageClass](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.storageClass) + +To disable dynamic provisioning, set to "-". If undefined or empty (default), then no storageClassName spec is set, and the default dynamic provisioner is chosen (gp2 on AWS, standard on GKE, AWS & OpenStack). + +**Default:** `""` + +### [storage.tieredConfig](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tieredConfig) + +Tiered Storage settings Requires `license_key` or `license_secret_ref` For details, see the [Tiered Storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/tiered-storage/). + +**Default:** + +``` +{"cloud_storage_access_key":"","cloud_storage_api_endpoint":"","cloud_storage_azure_container":null,"cloud_storage_azure_shared_key":null,"cloud_storage_azure_storage_account":null,"cloud_storage_bucket":"","cloud_storage_cache_size":5368709120,"cloud_storage_credentials_source":"config_file","cloud_storage_enable_remote_read":true,"cloud_storage_enable_remote_write":true,"cloud_storage_enabled":false,"cloud_storage_region":"","cloud_storage_secret_key":""} +``` + +### [storage.tieredConfig.cloud_storage_access_key](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tieredConfig.cloud_storage_access_key) + +Required for AWS and GCS authentication with access keys. See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_access_key). + +**Default:** `""` + +### [storage.tieredConfig.cloud_storage_api_endpoint](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tieredConfig.cloud_storage_api_endpoint) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_api_endpoint). 
+ +**Default:** `""` + +### [storage.tieredConfig.cloud_storage_azure_container](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tieredConfig.cloud_storage_azure_container) + +Required for ABS. See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_azure_container). + +**Default:** `nil` + +### [storage.tieredConfig.cloud_storage_azure_shared_key](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tieredConfig.cloud_storage_azure_shared_key) + +Required for ABS. See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_azure_shared_key). + +**Default:** `nil` + +### [storage.tieredConfig.cloud_storage_azure_storage_account](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tieredConfig.cloud_storage_azure_storage_account) + +Required for ABS. See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_azure_storage_account). + +**Default:** `nil` + +### [storage.tieredConfig.cloud_storage_bucket](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tieredConfig.cloud_storage_bucket) + +Required for AWS and GCS. See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_bucket). + +**Default:** `""` + +### [storage.tieredConfig.cloud_storage_cache_size](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tieredConfig.cloud_storage_cache_size) + +Maximum size of the disk cache used by Tiered Storage. Default is 20 GiB. See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_cache_size). 
+ +**Default:** `5368709120` + +### [storage.tieredConfig.cloud_storage_credentials_source](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tieredConfig.cloud_storage_credentials_source) + +Required for AWS and GCS authentication with IAM roles. See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_credentials_source). + +**Default:** `"config_file"` + +### [storage.tieredConfig.cloud_storage_enable_remote_read](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tieredConfig.cloud_storage_enable_remote_read) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#cloud_storage_enable_remote_read). + +**Default:** `true` + +### [storage.tieredConfig.cloud_storage_enable_remote_write](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tieredConfig.cloud_storage_enable_remote_write) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#cloud_storage_enable_remote_write). + +**Default:** `true` + +### [storage.tieredConfig.cloud_storage_enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tieredConfig.cloud_storage_enabled) + +Global flag that enables Tiered Storage if a license key is provided. See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_enabled). + +**Default:** `false` + +### [storage.tieredConfig.cloud_storage_region](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tieredConfig.cloud_storage_region) + +Required for AWS and GCS. See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_region). 
+ +**Default:** `""` + +### [storage.tieredConfig.cloud_storage_secret_key](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tieredConfig.cloud_storage_secret_key) + +Required for AWS and GCS authentication with access keys. See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_secret_key). + +**Default:** `""` + +### [storage.tieredStorageHostPath](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tieredStorageHostPath) + +Absolute path on the host to store Redpanda's Tiered Storage cache. If unspecified, then an `emptyDir` volume is used. If specified but `tieredStoragePersistentVolume.enabled` is `true`, `storage.tieredStorageHostPath` has no effect. + +**Default:** `""` + +### [storage.tieredStoragePersistentVolume.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tieredStoragePersistentVolume.annotations) + +Additional annotations to apply to the created PersistentVolumeClaims. + +**Default:** `{}` + +### [storage.tieredStoragePersistentVolume.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tieredStoragePersistentVolume.labels) + +Additional labels to apply to the created PersistentVolumeClaims. + +**Default:** `{}` + +### [storage.tieredStoragePersistentVolume.storageClass](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tieredStoragePersistentVolume.storageClass) + +To disable dynamic provisioning, set to "-". If undefined or empty (default), then no storageClassName spec is set, and the default dynamic provisioner is chosen (gp2 on AWS, standard on GKE, AWS & OpenStack). + +**Default:** `""` + +### [tls](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls) + +TLS settings. 
For details, see the [TLS documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/kubernetes-tls/). + +**Default:** + +``` +{"certs":{"default":{"caEnabled":true},"external":{"caEnabled":true}},"enabled":true} +``` + +### [tls.certs](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs) + +List all Certificates here, then you can reference a specific Certificate's name in each listener's `listeners..tls.cert` setting. + +**Default:** + +``` +{"default":{"caEnabled":true},"external":{"caEnabled":true}} +``` + +### [tls.certs.default](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.default) + +This key is the Certificate name. To apply the Certificate to a specific listener, reference the Certificate's name in `listeners..tls.cert`. + +**Default:** `{"caEnabled":true}` + +### [tls.certs.default.caEnabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.default.caEnabled) + +Set the `caEnabled` flag to `true` only for Certificates that are not authenticated using public authorities. + +**Default:** `true` + +### [tls.certs.external](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.external) + +Example external tls configuration uncomment and set the right key to the listeners that require them also enable the tls setting for those listeners. + +**Default:** `{"caEnabled":true}` + +### [tls.certs.external.caEnabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.external.caEnabled) + +Set the `caEnabled` flag to `true` only for Certificates that are not authenticated using public authorities. + +**Default:** `true` + +### [tls.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.enabled) + +Enable TLS globally for all listeners. Each listener must include a Certificate name in its `.tls` object. 
To allow you to enable TLS for individual listeners, Certificates in `auth.tls.certs` are always loaded, even if `tls.enabled` is `false`. See `listeners..tls.enabled`. + +**Default:** `true` + +### [tolerations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tolerations) + +Taints to be tolerated by Pods, can override this for StatefulSets. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + +**Default:** `[]` + +### [tuning](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tuning) + +Redpanda tuning settings. Each is set to their default values in Redpanda. + +**Default:** `{"tune_aio_events":true}` + +### [tuning.tune_aio_events](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tuning.tune_aio_events) + +Increase the maximum number of outstanding asynchronous IO operations if the current value is below a certain threshold. This allows Redpanda to make as many simultaneous IO requests as possible, increasing throughput. When this option is enabled, Helm creates a privileged container. If your security profile does not allow this, see the [tuning documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-tune-workers/). + +**Default:** `true` + diff --git a/charts/redpanda/redpanda/charts/connectors/ci/01-default-values.yaml b/charts/redpanda/redpanda/charts/connectors/ci/01-default-values.yaml new file mode 100644 index 000000000..f1caf00fa --- /dev/null +++ b/charts/redpanda/redpanda/charts/connectors/ci/01-default-values.yaml 
@@ -0,0 +1,24 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+connectors:
+ bootstrapServers: "redpanda-0.redpanda.redpanda.svc.cluster.local.:9093,redpanda-1.redpanda.redpanda.svc.cluster.local.:9093,redpanda-2.redpanda.redpanda.svc.cluster.local.:9093"
+ brokerTLS:
+ enabled: true
+ ca:
+ secretRef: redpanda-default-cert
+
+logging:
+ level: trace
diff --git a/charts/redpanda/redpanda/charts/connectors/templates/_helpers.tpl b/charts/redpanda/redpanda/charts/connectors/templates/_helpers.tpl
new file mode 100644
index 000000000..6563f8195
--- /dev/null
+++ b/charts/redpanda/redpanda/charts/connectors/templates/_helpers.tpl
@@ -0,0 +1,109 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{/* +Expand the name of the chart. +*/}} +{{- define "connectors.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "connectors.fullname" }} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +full helm labels + common labels +*/}} +{{- define "full.labels" -}} +{{ $required := dict +"helm.sh/chart" ( include "connectors.chart" . 
) +"app.kubernetes.io/managed-by" ( .Release.Service ) }} +{{- toYaml ( merge $required (fromYaml (include "connectors-pod-labels" .))) }} +{{- end -}} + +{{/* +pod labels merged with common labels +*/}} +{{- define "connectors-pod-labels" -}} +{{ $required := dict +"app.kubernetes.io/name" ( include "connectors.name" . ) +"app.kubernetes.io/instance" ( .Release.Name ) +"app.kubernetes.io/component" ( include "connectors.name" . ) }} +{{- toYaml ( merge $required .Values.commonLabels ) }} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "connectors.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Get the version of redpanda being used as an image +*/}} +{{- define "connectors.semver" -}} +{{ include "connectors.tag" . | trimPrefix "v" }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "connectors.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "connectors.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Create the name of the service to use +*/}} +{{- define "connectors.serviceName" -}} +{{- default (include "connectors.fullname" .) .Values.service.name }} +{{- end }} + +{{/* +Use AppVersion if image.tag is not set +*/}} +{{- define "connectors.tag" -}} +{{- $tag := default .Chart.AppVersion .Values.image.tag -}} +{{- $matchString := "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" -}} +{{- $match := mustRegexMatch $matchString $tag -}} +{{- if not $match -}} + {{/* + This error message is for end users. This can also occur if + AppVersion doesn't start with a 'v' in Chart.yaml. 
+ */}} + {{ fail "image.tag must start with a 'v' and be valid semver" }} +{{- end -}} +{{- $tag -}} +{{- end -}} diff --git a/charts/redpanda/redpanda/charts/connectors/templates/deployment.yaml b/charts/redpanda/redpanda/charts/connectors/templates/deployment.yaml new file mode 100644 index 000000000..bbbb11902 --- /dev/null +++ b/charts/redpanda/redpanda/charts/connectors/templates/deployment.yaml 
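Review bot: The helpers `full.labels` and `connectors-pod-labels` are not prefixed with the chart name the way `connectors.name` and `connectors.fullname` are, and Helm keeps every `define` in one global namespace shared by a parent chart and its subcharts. Because this chart is vendored under `charts/redpanda/redpanda/charts/`, a template with the same name in the parent or a sibling subchart would silently replace this one or be replaced by it. The labels built here feed the Deployment and Service selectors, so a collision would change which pods are selected. Renaming them to `connectors.full.labels` and `connectors.pod-labels`, with the `include` calls in the other templates updated to match, removes that ambiguity.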
@@ -0,0 +1,260 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.deployment.create -}} +{{- $root := deepCopy . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "connectors.fullname" . }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} +{{- with $.Values.deployment.annotations }} + {{- toYaml . | nindent 4 }} +{{- end }} +spec: + progressDeadlineSeconds: {{ .Values.deployment.progressDeadlineSeconds }} + revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }} + selector: + matchLabels: {{ (include "connectors-pod-labels" .) | nindent 6 }} + strategy: {{- toYaml .Values.deployment.strategy | nindent 4 }} + template: + metadata: + {{- with $.Values.deployment.annotations }} + annotations: {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- with include "connectors-pod-labels" . }} + {{- . | nindent 8 }} + {{- end }} + spec: + terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }} + affinity: + {{- with .Values.deployment.nodeAffinity }} + nodeAffinity: {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.deployment.podAffinity }} + podAffinity: {{- toYaml . 
| nindent 10 }} + {{- end }} + {{- if .Values.deployment.podAntiAffinity }} + podAntiAffinity: + {{- if eq .Values.deployment.podAntiAffinity.type "hard" }} + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ .Values.deployment.podAntiAffinity.topologyKey }} + namespaces: + - {{ .Release.Namespace | quote }} + labelSelector: + matchLabels: {{ include "connectors-pod-labels" . | nindent 18 }} + {{- else if eq .Values.deployment.podAntiAffinity.type "soft" }} + preferredDuringSchedulingIgnoredDuringExecution: + - weight: {{ .Values.deployment.podAntiAffinity.weight | int64 }} + podAffinityTerm: + topologyKey: {{ .Values.deployment.podAntiAffinity.topologyKey }} + labelSelector: + matchLabels: {{ include "connectors-pod-labels" . | nindent 20 }} + {{- else if eq .Values.deployment.podAntiAffinity.type "custom" }} + {{- toYaml .Values.deployment.podAntiAffinity.custom | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{ include "connectors.serviceAccountName" . }} + containers: + - name: connectors-cluster + image: {{ .Values.image.repository }}:{{ include "connectors.tag" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + {{- with .Values.container.securityContext }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.deployment.command }} + command: {{ toJson . 
}} + {{- end }} + env: + - name: CONNECT_CONFIGURATION + value: | + rest.advertised.port={{ .Values.connectors.restPort }} + rest.port={{ .Values.connectors.restPort }} + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id={{ .Values.connectors.groupID }} + offset.storage.topic={{ .Values.connectors.storage.topic.offset }} + config.storage.topic={{ .Values.connectors.storage.topic.config }} + status.storage.topic={{ .Values.connectors.storage.topic.status }} + offset.storage.redpanda.remote.read={{ .Values.connectors.storage.remote.read.offset }} + offset.storage.redpanda.remote.write={{ .Values.connectors.storage.remote.write.offset }} + config.storage.redpanda.remote.read={{ .Values.connectors.storage.remote.read.config }} + config.storage.redpanda.remote.write={{ .Values.connectors.storage.remote.write.config }} + status.storage.redpanda.remote.read={{ .Values.connectors.storage.remote.read.status }} + status.storage.redpanda.remote.write={{ .Values.connectors.storage.remote.write.status }} + offset.storage.replication.factor={{ .Values.connectors.storage.replicationFactor.offset }} + config.storage.replication.factor={{ .Values.connectors.storage.replicationFactor.config }} + status.storage.replication.factor={{ .Values.connectors.storage.replicationFactor.status }} + producer.linger.ms={{ .Values.connectors.producerLingerMS }} + producer.batch.size={{ .Values.connectors.producerBatchSize }} + config.providers=file,secretsManager + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + {{- if .Values.connectors.secretManager.enabled }} + config.providers.secretsManager.class=com.github.jcustenborder.kafka.config.aws.SecretsManagerConfigProvider + config.providers.secretsManager.param.secret.prefix={{ .Values.connectors.secretManager.consolePrefix }}{{ .Values.connectors.secretManager.connectorsPrefix }} + 
config.providers.secretsManager.param.aws.region={{ .Values.connectors.secretManager.region }} + {{- end }} + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: {{ .Values.connectors.additionalConfiguration | quote }} + - name: CONNECT_BOOTSTRAP_SERVERS + value: {{ .Values.connectors.bootstrapServers | quote }} + {{- if .Values.connectors.schemaRegistryURL }} + - name: SCHEMA_REGISTRY_URL + value: {{ .Values.connectors.schemaRegistryURL | quote }} + {{- end }} + - name: CONNECT_GC_LOG_ENABLED + value: {{ .Values.container.javaGCLogEnabled | quote }} + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx{{ .Values.container.resources.javaMaxHeapSize }} + - name: CONNECT_LOG_LEVEL + value: {{ .Values.logging.level }} + {{- if and .Values.auth.sasl.userName .Values.auth.sasl.mechanism .Values.auth.sasl.secretRef }} + - name: CONNECT_SASL_USERNAME + value: {{ .Values.auth.sasl.userName }} + - name: CONNECT_SASL_MECHANISM + value: {{ .Values.auth.sasl.mechanism }} + - name: CONNECT_SASL_PASSWORD_FILE + value: rc-credentials/password + {{- end }} + - name: CONNECT_TLS_ENABLED + value: {{ .Values.connectors.brokerTLS.enabled | quote }} + {{- if .Values.connectors.brokerTLS.ca.secretRef }} + - name: CONNECT_TRUSTED_CERTS + value: {{ printf "ca/%s" (default "ca.crt" .Values.connectors.brokerTLS.ca.secretNameOverwrite) }} + {{- end }} + {{- if .Values.connectors.brokerTLS.cert.secretRef }} + - name: CONNECT_TLS_AUTH_CERT + value: {{ printf "cert/%s" (default "tls.crt" .Values.connectors.brokerTLS.cert.secretNameOverwrite) }} + {{- end }} + {{- if .Values.connectors.brokerTLS.key.secretRef }} + - name: CONNECT_TLS_AUTH_KEY + value: {{ printf "key/%s" (default "tls.key" .Values.connectors.brokerTLS.key.secretNameOverwrite) }} + {{- end }} + {{- with .Values.deployment.extraEnv }} + {{- toYaml . 
| nindent 12 }} + {{- end }} + livenessProbe: + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: {{ .Values.deployment.livenessProbe.initialDelaySeconds }} + failureThreshold: {{ .Values.deployment.livenessProbe.failureThreshold }} + periodSeconds: {{ .Values.deployment.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.deployment.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.deployment.livenessProbe.timeoutSeconds }} + readinessProbe: + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: {{ .Values.deployment.readinessProbe.initialDelaySeconds }} + failureThreshold: {{ .Values.deployment.readinessProbe.failureThreshold }} + periodSeconds: {{ .Values.deployment.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.deployment.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.deployment.readinessProbe.timeoutSeconds }} + ports: + - containerPort: {{ .Values.connectors.restPort }} + name: rest-api + protocol: TCP + {{- range $port := .Values.service.ports }} + - containerPort: {{ $port.port }} + name: {{ $port.name }} + protocol: TCP + {{- end }} + resources: + requests: {{ toYaml .Values.container.resources.request | nindent 14 }} + limits: {{ toYaml .Values.container.resources.limits | nindent 14 }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + {{- if and .Values.auth.sasl.userName .Values.auth.sasl.mechanism .Values.auth.sasl.secretRef }} + - mountPath: /opt/kafka/connect-password/rc-credentials + name: rc-credentials + {{- end }} + {{- if .Values.connectors.brokerTLS.ca.secretRef }} + - name: truststore + # The /opt/kafka/connect-certs is fixed path within Connectors + mountPath: /opt/kafka/connect-certs/ca + {{- end }} + {{- if .Values.connectors.brokerTLS.cert.secretRef }} + - name: cert + # The /opt/kafka/connect-certs is fixed path within Connectors + mountPath: /opt/kafka/connect-certs/cert + {{- end 
}} + {{- if .Values.connectors.brokerTLS.key.secretRef }} + - name: key + # The /opt/kafka/connect-certs is fixed path within Connectors + mountPath: /opt/kafka/connect-certs/key + {{- end }} + {{- toYaml .Values.storage.volumeMounts | nindent 12 }} + dnsPolicy: ClusterFirst + restartPolicy: {{ .Values.deployment.restartPolicy }} + {{- with .Values.deployment.schedulerName }} + schedulerName: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.deployment.nodeSelector }} + nodeSelector: {{- . | nindent 8 }} + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.deployment.securityContext }} + securityContext: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.deployment.tolerations }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + topologySpreadConstraints: + {{- range $spread := .Values.deployment.topologySpreadConstraints }} + - labelSelector: + matchLabels: {{ include "connectors-pod-labels" $root | nindent 14 }} + maxSkew: {{ $spread.maxSkew }} + topologyKey: {{ $spread.topologyKey }} + whenUnsatisfiable: {{ $spread.whenUnsatisfiable }} + {{- end }} + volumes: + {{- if .Values.connectors.brokerTLS.ca.secretRef }} + - name: truststore + secret: + defaultMode: 0o444 + secretName: {{ .Values.connectors.brokerTLS.ca.secretRef }} + {{- end }} + {{- if .Values.connectors.brokerTLS.cert.secretRef }} + - name: truststore + secret: + defaultMode: 0o444 + secretName: {{ .Values.connectors.brokerTLS.cert.secretRef }} + {{- end }} + {{- if .Values.connectors.brokerTLS.key.secretRef }} + - name: truststore + secret: + defaultMode: 0o444 + secretName: {{ .Values.connectors.brokerTLS.key.secretRef }} + {{- end }} + {{- if and .Values.auth.sasl.userName .Values.auth.sasl.mechanism .Values.auth.sasl.secretRef }} + - name: rc-credentials + secret: + defaultMode: 0o444 + secretName: {{ .Values.auth.sasl.secretRef }} + {{- end }} + {{- toYaml .Values.storage.volume | nindent 8 
}} +{{- end }} diff --git a/charts/redpanda/redpanda/charts/connectors/templates/pod-monitor.yaml b/charts/redpanda/redpanda/charts/connectors/templates/pod-monitor.yaml new file mode 100644 index 000000000..e542fc16e --- /dev/null +++ b/charts/redpanda/redpanda/charts/connectors/templates/pod-monitor.yaml @@ -0,0 +1,40 @@ +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.monitoring.enabled }} +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: {{ template "connectors.fullname" . }} + labels: +{{- with .Values.monitoring.labels }} + {{- . | nindent 4 }} +{{- end }} + annotations: +{{- with .Values.monitoring.annotations }} + {{- . | nindent 4 }} +{{- end }} +spec: +{{- with .Values.monitoring.namespaceSelector }} + namespaceSelector: {{- toYaml . | nindent 4}} +{{- end }} + podMetricsEndpoints: + - path: / + port: prometheus + selector: + matchLabels: {{ (include "connectors-pod-labels" .) | nindent 6 }} +{{- end }} diff --git a/charts/redpanda/redpanda/charts/connectors/templates/service.yaml b/charts/redpanda/redpanda/charts/connectors/templates/service.yaml new file mode 100644 index 000000000..7030afcdf --- /dev/null 
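Review bot: In the `volumes:` list at the end of deployment.yaml, the client-certificate and private-key secrets are both declared as `- name: truststore`, the same name as the CA volume, while the container's `volumeMounts` refer to volumes named `cert` and `key`. With `brokerTLS.cert.secretRef` or `brokerTLS.key.secretRef` set, the pod spec would carry duplicate volume names and mounts with no matching volume, so the API server should reject the Deployment and client-certificate TLS to the brokers cannot be turned on. The two entries should read `- name: cert` and `- name: key`. Separately, the key secret and `rc-credentials` are projected with `defaultMode: 0o444`, which leaves the private key and the SASL password readable by every user in the container; a narrower mode is worth considering if the image's runtime user permits it.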
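Review bot: In pod-monitor.yaml, `labels` and `annotations` pipe the value straight into `nindent` (`{{- . | nindent 4 }}`), whereas `namespaceSelector` in the same file goes through `toYaml` first. `nindent` works on a string, so if `monitoring.labels` or `monitoring.annotations` is set to a map, the PodMonitor would either fail to render or render as Go's map formatting rather than YAML. The `monitoring` defaults are not visible in this part of the diff, so this is worth checking against them. Using `{{- toYaml . | nindent 4 }}` in both places would match how the other templates in this chart emit maps.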
+++ b/charts/redpanda/redpanda/charts/connectors/templates/service.yaml @@ -0,0 +1,48 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "connectors.serviceName" . }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} +{{- with $.Values.service.annotations }} + {{- toYaml . | nindent 4 }} +{{- end }} +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: {{ .Values.connectors.restPort }} + targetPort: {{ .Values.connectors.restPort }} + protocol: TCP + {{- range $port := .Values.service.ports }} + - name: {{ $port.name }} + port: {{ $port.port }} + targetPort: {{ $port.port }} + protocol: TCP + {{- end }} + selector: + {{- with include "connectors-pod-labels" . }} + {{- . | nindent 6 }} + {{- end }} + sessionAffinity: None + type: ClusterIP diff --git a/charts/redpanda/redpanda/charts/connectors/templates/serviceaccount.yaml b/charts/redpanda/redpanda/charts/connectors/templates/serviceaccount.yaml new file mode 100644 index 000000000..3de13fc10 --- /dev/null +++ b/charts/redpanda/redpanda/charts/connectors/templates/serviceaccount.yaml 
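Review bot: In service.yaml the `service.annotations` block is rendered directly after the `labels:` entries with `nindent 4` and no `annotations:` key, so any annotation a user supplies is emitted as a label (as far as the collapsed indentation shows). Label values are validated much more strictly than annotation values, so typical annotations such as load-balancer or scrape hints would make the Service invalid, or end up as labels nobody intended. Emitting `annotations:` inside the `with` block, the way serviceaccount.yaml does, fixes it. The `metadata` section of deployment.yaml uses the same pattern for `deployment.annotations` and needs the same change.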
@@ -0,0 +1,32 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+---
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "connectors.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+{{- with include "full.labels" . }}
+ {{- . | nindent 4 }}
+{{- end }}
+{{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- end }}
diff --git a/charts/redpanda/redpanda/charts/connectors/templates/tests/01-mm2-values.yaml b/charts/redpanda/redpanda/charts/connectors/templates/tests/01-mm2-values.yaml
new file mode 100644
index 000000000..bc37e8b01
--- /dev/null
+++ b/charts/redpanda/redpanda/charts/connectors/templates/tests/01-mm2-values.yaml
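Review bot: The ServiceAccount in serviceaccount.yaml leaves `automountServiceAccountToken` unset, so every connectors pod gets a Kubernetes API token mounted by default. Nothing in the templates visible in this commit calls the Kubernetes API, so unless the image needs it, adding `automountServiceAccountToken: false` at the top level of the ServiceAccount avoids handing a cluster credential to the connector plugins running in that pod. It is worth confirming first that the AWS Secrets Manager config provider does not depend on the default token mount in the target environment.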
@@ -0,0 +1,191 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.test.create -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "connectors.fullname" . }}-mm2-test-{{ randNumeric 3 }} + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: create-mm2 + image: docker.redpanda.com/redpandadata/redpanda:latest + command: + - /bin/bash + - -c + - | + set -x + + curl http://{{ include "connectors.serviceName" . 
}}:{{ .Values.connectors.restPort }}/connectors && echo + + rpk profile create test + rpk profile set tls.enabled={{.Values.connectors.brokerTLS.enabled}} brokers={{ .Values.connectors.bootstrapServers }} + {{- if .Values.connectors.brokerTLS.ca.secretRef }} + rpk profile set tls.ca={{ printf "/redpanda-certs/%s" (default "ca.crt" .Values.connectors.brokerTLS.ca.secretNameOverwrite) }} + {{- end }} + + SASL_MECHANISM="PLAIN" + {{- if .Values.auth.sasl.enabled }} + set -e + set +x + + IFS=: read -r CONNECT_SASL_USERNAME KAFKA_SASL_PASSWORD CONNECT_SASL_MECHANISM < $(find /mnt/users/* -print) + CONNECT_SASL_MECHANISM=${CONNECT_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + if [[ -n "$CONNECT_SASL_USERNAME" && -n "$KAFKA_SASL_PASSWORD" && -n "$CONNECT_SASL_MECHANISM" ]]; then + rpk profile set user=$CONNECT_SASL_USERNAME pass=$KAFKA_SASL_PASSWORD sasl.mechanism=$CONNECT_SASL_MECHANISM + SASL_MECHANISM=$CONNECT_SASL_MECHANISM + JAAS_CONFIG_SOURCE="\"source.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${CONNECT_SASL_USERNAME}\\\\"\" password=\\\\"\"${KAFKA_SASL_PASSWORD}\\\\"\";\"," + JAAS_CONFIG_TARGET="\"target.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${CONNECT_SASL_USERNAME}\\\\"\" password=\\\\"\"${KAFKA_SASL_PASSWORD}\\\\"\";\"," + fi + + set -x + set +e + {{- end }} + + {{- if .Values.connectors.brokerTLS.enabled }} + CONNECT_TLS_ENABLED=true + {{- else }} + CONNECT_TLS_ENABLED=false + {{- end }} + SECURITY_PROTOCOL=PLAINTEXT + if [[ -n "$CONNECT_SASL_MECHANISM" && $CONNECT_TLS_ENABLED == "true" ]]; then + SECURITY_PROTOCOL="SASL_SSL" + elif [[ -n "$CONNECT_SASL_MECHANISM" ]]; then + SECURITY_PROTOCOL="SASL_PLAINTEXT" + elif [[ $CONNECT_TLS_ENABLED == "true" ]]; then + SECURITY_PROTOCOL="SSL" + fi + + rpk topic list + rpk topic create test-topic + rpk topic list + echo "Test message!" 
| rpk topic produce test-topic + + CONNECTOR_NAME=mm2-$RANDOM + cat << 'EOF' > /tmp/mm2-conf.json + { + "name": "CONNECTOR_NAME", + "config": { + "connector.class": "org.apache.kafka.connect.mirror.MirrorSourceConnector", + "topics": "test-topic", + "replication.factor": "1", + "tasks.max": "1", + "source.cluster.bootstrap.servers": {{ .Values.connectors.bootstrapServers | quote }}, + "target.cluster.bootstrap.servers": {{ .Values.connectors.bootstrapServers | quote }}, + "target.cluster.alias": "test-only", + "source.cluster.alias": "source", + "key.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", + "value.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", + "source->target.enabled": "true", + "target->source.enabled": "false", + "sync.topic.configs.interval.seconds": "5", + "sync.topics.configs.enabled": "true", + "source.cluster.ssl.truststore.type": "PEM", + "target.cluster.ssl.truststore.type": "PEM", + "source.cluster.ssl.truststore.location": {{ printf "/opt/kafka/connect-certs/ca/%s" (default "ca.crt" .Values.connectors.brokerTLS.ca.secretNameOverwrite) | quote }}, + "target.cluster.ssl.truststore.location": {{ printf "/opt/kafka/connect-certs/ca/%s" (default "ca.crt" .Values.connectors.brokerTLS.ca.secretNameOverwrite) | quote }}, + JAAS_CONFIG_SOURCE + JAAS_CONFIG_TARGET + "source.cluster.security.protocol": "SECURITY_PROTOCOL", + "target.cluster.security.protocol": "SECURITY_PROTOCOL", + "source.cluster.sasl.mechanism": "SASL_MECHANISM", + "target.cluster.sasl.mechanism": "SASL_MECHANISM", + "offset-syncs.topic.replication.factor": 1 + } + } + EOF + + sed -i "s/CONNECTOR_NAME/$CONNECTOR_NAME/g" /tmp/mm2-conf.json + sed -i "s/SASL_MECHANISM/$SASL_MECHANISM/g" /tmp/mm2-conf.json + sed -i "s/SECURITY_PROTOCOL/$SECURITY_PROTOCOL/g" /tmp/mm2-conf.json + set +x + sed -i "s/JAAS_CONFIG_SOURCE/$JAAS_CONFIG_SOURCE/g" /tmp/mm2-conf.json + sed -i "s/JAAS_CONFIG_TARGET/$JAAS_CONFIG_TARGET/g" /tmp/mm2-conf.json + set -x + + 
max_iteration=10 + for i in $(seq 1 $max_iteration) + do + curl -v -H 'Content-Type: application/json' http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors -d @/tmp/mm2-conf.json && echo + result=$? + if [[ $result -eq 0 ]] + then + echo "Result successful" + break + else + echo "Result unsuccessful" + sleep 1 + fi + done + + if [[ $result -ne 0 ]] + then + echo "mm2 connector can not be created!!!" + exit 1 + fi + + rpk topic consume source.test-topic -n 1 | grep "Test message!" + + for i in $(seq 1 $max_iteration) + do + curl -X DELETE http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors/$CONNECTOR_NAME && echo + result=$? + if [[ $result -eq 0 ]] + then + echo "Result successful" + break + else + echo "Result unsuccessful" + sleep 1 + fi + done + + if [[ $result -ne 0 ]] + then + echo "mm2 connector can not be destroyed!!!" + exit 1 + fi + + curl http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors && echo + + rpk topic delete test-topic source.test-topic mm2-offset-syncs.test-only.internal + volumeMounts: + {{- if .Values.connectors.brokerTLS.ca.secretRef }} + - mountPath: /redpanda-certs + name: redpanda-ca + {{- end }} + {{- toYaml .Values.storage.volumeMounts | nindent 8 }} + volumes: + {{- if .Values.connectors.brokerTLS.ca.secretRef }} + - name: redpanda-ca + secret: + defaultMode: 0444 + secretName: {{ .Values.connectors.brokerTLS.ca.secretRef }} + {{- end }} + {{- toYaml .Values.storage.volume | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/charts/connectors/values.yaml b/charts/redpanda/redpanda/charts/connectors/values.yaml new file mode 100644 index 000000000..ad72d946b --- /dev/null +++ b/charts/redpanda/redpanda/charts/connectors/values.yaml 
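Review bot: The test pod in tests/01-mm2-values.yaml pulls `docker.redpanda.com/redpandadata/redpanda:latest`, a mutable tag that bypasses both the chart's `image` values and the semver check in `connectors.tag`, and that container then mounts the CA secret and reads SASL credentials. Pinning it, for example `image: docker.redpanda.com/redpandadata/redpanda:<pinned-version>` or a digest driven from values, keeps `helm test` reproducible and means only a reviewed image runs with those secrets. Separately, the `sed -i "s/JAAS_CONFIG_SOURCE/$JAAS_CONFIG_SOURCE/g"` substitutions will break or mangle the JSON when the password contains `/` or `&`. The SASL branch also reads `/mnt/users/*`, which this template mounts only if `storage.volumeMounts` happens to supply it, and it is gated on `auth.sasl.enabled` whereas deployment.yaml keys off `userName`, `mechanism` and `secretRef`.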
@@ -0,0 +1,289 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This file contains values for variables referenced from yaml files in the templates directory. +# +# For further information on Helm templating see the documentation at: +# https://helm.sh/docs/chart_template_guide/values_files/ + +# +# >>> This chart requires Helm version 3.6.0 or greater <<< +# + +# Common settings +# +# -- Override `connectors.name` template. +nameOverride: "" +# -- Override `connectors.fullname` template. +fullnameOverride: "" +# -- Additional labels to add to all Kubernetes objects. +# For example, `my.k8s.service: redpanda`. +commonLabels: {} +# -- Taints to be tolerated by Pods, can override this for StatefulSets. +# For details, +# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). +tolerations: [] + +# -- Redpanda Docker image settings. +image: + # -- Docker repository from which to pull the Redpanda Docker image. + repository: docker.redpanda.com/redpandadata/connectors + # -- The Redpanda version. 
+ # See DockerHub for: + # [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags) + # and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags). + # @default -- `Chart.appVersion`. + tag: "" + # -- The imagePullPolicy. + # If `image.tag` is 'latest', the default is `Always`. + pullPolicy: IfNotPresent + +# -- Pull secrets may be used to provide credentials to image repositories +# See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] + +test: + create: true + +connectors: + restPort: 8083 + # -- Bootstrap servers list is coma separated list of individual Redpanda brokers as single line string + bootstrapServers: "" + # -- List of Redpanda IP:Port or DNS:Port separated by coma. + schemaRegistryURL: "" + # -- TODO the schema + additionalConfiguration: "" + secretManager: + enabled: false + region: "" + consolePrefix: "" + connectorsPrefix: "" + producerBatchSize: 131072 + producerLingerMS: 1 + storage: + replicationFactor: + offset: -1 + config: -1 + status: -1 + remote: + read: + offset: false + config: false + status: false + write: + offset: false + config: false + status: false + topic: + offset: _internal_connectors_offsets + config: _internal_connectors_configs + status: _internal_connectors_status + groupID: connectors-cluster + brokerTLS: + enabled: false + ca: + # -- The name of the secret where ca.crt is located + secretRef: "" + # -- If secretRef points to secret where Certificate Authority is not under + # ca.crt key then please use secretNameOverwrite to overwrite it e.g. corp-ca.crt + secretNameOverwrite: "" + cert: + # -- The name of the secret where client signed certificate is located + secretRef: "" + # -- If secretRef points to secret where client signed certificate is not under + # tls.crt key then please use secretNameOverwrite to overwrite it e.g. 
corp-tls.crt + secretNameOverwrite: "" + key: + # -- The name of the secret where client private key is located + secretRef: "" + # -- If secretRef points to secret where client private key is not under + # tls.key key then please use secretNameOverwrite to overwrite it e.g. corp-tls.key + secretNameOverwrite: "" + +# -- Authentication settings. +# For details, +# see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/). +auth: + sasl: + enabled: false + # -- The authentication mechanism to use for the superuser. Options are `scram-sha-256` and `scram-sha-512`. + mechanism: scram-sha-512 + # -- A Secret that contains your SASL user password. + secretRef: "" + userName: "" + +# -- Log-level settings. +logging: + # -- Log level + # Valid values (from least to most verbose) are: `error`, `warn`, `info` and `debug`. + level: warn + +# -- Monitoring. +# This will create a ServiceMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics. +monitoring: + enabled: false + scrapeInterval: 30s + labels: {} + annotations: {} + namespaceSelector: + any: true + +container: + # + # -- Security context for managed Connectors container. + # See also deployment.securityContext for pod level. + securityContext: + allowPrivilegeEscalation: false + # -- Pod resource management. + resources: + request: + cpu: 1 + memory: 2350Mi + limits: + cpu: 1 + memory: 2350Mi + # -- Java maximum heap size can not be greater than $container.resources.limits.memory + javaMaxHeapSize: 2G + javaGCLogEnabled: "false" + +deployment: + create: true + # Command could be used to change the entrypoint for connectors deployment. + # command: [] + strategy: + type: RollingUpdate + schedulerName: "" + updateStrategy: + type: RollingUpdate + budget: + maxUnavailable: 1 + # -- Additional annotations to apply to the Pods of this StatefulSet. + annotations: {} + # -- Adjust the period for your probes to meet your needs. 
+ # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes). + livenessProbe: + initialDelaySeconds: 10 + failureThreshold: 3 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + initialDelaySeconds: 60 + failureThreshold: 2 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + + # -- Additional environment variables for the Connectors Deployment. + extraEnv: [] + # - name: RACK_ID + # value: "1" + + # -- The maximum time in seconds for a deployment to make progress before it is + # considered to be failed. The deployment controller will continue to process + # failed deployments and a condition with a ProgressDeadlineExceeded reason + # will be surfaced in the deployment status. Note that progress will not be + # estimated during the time a deployment is paused. Defaults to 600s. + progressDeadlineSeconds: 600 + + # -- The number of old ReplicaSets to retain to allow rollback. This is a pointer + # to distinguish between explicit zero and not specified. Defaults to 10. + revisionHistoryLimit: 10 + + # -- Inter-Pod Affinity rules for scheduling Pods of this Deployment. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + podAffinity: {} + # -- Node Affinity rules for scheduling Pods of this Deployment. + # The suggestion would be to spread Pods according to topology zone. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity). + nodeAffinity: {} + # -- Anti-affinity rules for scheduling Pods of this Deployment. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). 
+ # You may either edit the default settings for anti-affinity rules, + # or specify new anti-affinity rules to use instead of the defaults. + podAntiAffinity: + # -- The topologyKey to be used. + # Can be used to spread across different nodes, AZs, regions etc. + topologyKey: kubernetes.io/hostname + # -- Valid anti-affinity types are `soft`, `hard`, or `custom`. + # Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object. + type: hard + # -- Weight for `soft` anti-affinity rules. + # Does not apply for other anti-affinity types. + weight: 100 + # -- Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here. + custom: {} + # -- Node selection constraints for scheduling Pods of this StatefulSet. + # These constraints override the global nodeSelector value. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). + nodeSelector: {} + # -- PriorityClassName given to Pods of this StatefulSet. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). + priorityClassName: "" + # -- Taints to be tolerated by Pods of this StatefulSet. + # These tolerations override the global tolerations value. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + tolerations: [] + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/). 
+ topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + securityContext: + fsGroup: 101 + runAsUser: 101 + fsGroupChangePolicy: OnRootMismatch + terminationGracePeriodSeconds: 30 + restartPolicy: Always + +storage: + volume: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp + volumeMounts: + - mountPath: /tmp + name: rp-connect-tmp + +# -- Service account management. +serviceAccount: + # -- Specifies whether a service account should be created. + create: false + # -- Annotations to add to the service account. + annotations: {} + # -- The name of the service account to use. + # If not set and `serviceAccount.create` is `true`, + # a name is generated using the `connectors.fullname` template. + name: "" + +# -- Service management. +service: + # -- Annotations to add to the service. + annotations: {} + # -- The name of the service to use. + # If not set, a name is generated using the `connectors.fullname` template. + name: "" + ports: + - name: prometheus + port: 9404 diff --git a/charts/redpanda/redpanda/templates/configmap.yaml b/charts/redpanda/redpanda/templates/configmap.yaml index 2393cf947..6e92b99f2 100644 --- a/charts/redpanda/redpanda/templates/configmap.yaml +++ b/charts/redpanda/redpanda/templates/configmap.yaml 
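Review bot: The default security contexts in this values file stop short of a restricted profile: `container.securityContext` sets only `allowPrivilegeEscalation: false`, and `deployment.securityContext` sets `runAsUser: 101` and `fsGroup: 101` without `runAsNonRoot`. I would add `runAsNonRoot: true` at pod level, and `capabilities: {drop: [ALL]}` plus `seccompProfile: {type: RuntimeDefault}` at container level, so a default install meets the Pod Security "restricted" checks. Whether the deployment template forwards these keys verbatim is not visible in this hunk, so confirm the rendered manifest. `readOnlyRootFilesystem: true` may also be feasible because `/tmp` is already an in-memory `emptyDir`, but that depends on where the image writes.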
@@ -39,7 +39,7 @@ limitations under the License. {{- fail (join "\n" (list (printf "\n\nError: Cannot do a rolling restart to enable or disable tls at the RPC layer: changing listeners.rpc.tls.enabled (redpanda.yaml:repdanda.rpc_server_tls.enabled) from %v to %v" $currentRPCTLS $wantedRPCTLS) "***WARNING The following instructions will result in a short period of downtime." - "To accept this risk, run the upgrade again adding `--set force=true` and do the following:\n" + "To accept this risk, run the upgrade again adding `--force=true` and do the following:\n" "While helm is upgrading the release, manually delete ALL the pods:" (printf " kubectl -n %s delete pod -l app.kubernetes.io/component=redpanda-statefulset" .Release.Namespace) "\nIf you got here thinking rpc tls was already enabled, see technical service bulletin 2023-01." diff --git a/charts/redpanda/redpanda/templates/connectors/connectors.yaml b/charts/redpanda/redpanda/templates/connectors/connectors.yaml new file mode 100644 index 000000000..784d0d176 --- /dev/null +++ b/charts/redpanda/redpanda/templates/connectors/connectors.yaml 
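Review bot: The new wording `--force=true` in this error message points operators at Helm's `--force` flag rather than at a chart value. The statefulset.yaml hunk `@@ -30,7 +30,7 @@` makes the same wording change next to a guard that reads `get .Values "force"`, and only `--set force=true` or a values file can satisfy that guard. `helm upgrade --force` instead switches the upgrade to a replace strategy and leaves `.Values.force` unset, so the operator would hit the same failure again after a more disruptive upgrade. The guard for this configmap message is outside the hunk, but if it reads the same value, both messages should keep `--set force=true`.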
@@ -0,0 +1,103 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{ if and .Values.connectors.enabled (not .Values.connectors.deployment.create) }} + +{{ $values := .Values }} + +{{/* brokers */}} +{{ $kafkaBrokers := list }} +{{ range (include "seed-server-list" . | mustFromJson) }} + {{ $kafkaBrokers = append $kafkaBrokers (printf "%s:%d" . (int $values.listeners.kafka.port)) }} +{{ end }} + +{{ $connectorsValues := dict + "Values" (dict + "connectors" (dict + "bootstrapServers" (join "," $kafkaBrokers) + "brokerTLS" (dict + "enabled" (include "kafka-internal-tls-enabled" . | fromJson).bool + "ca" (dict + "secretRef" (ternary (printf "%s-default-cert" (include "redpanda.fullname" .)) "" (include "kafka-internal-tls-enabled" . | fromJson).bool) + ) + ) + ) + ) +}} + +{{ $extraVolumes := list }} +{{ $extraVolumeMounts := list }} +{{ $command := list }} +{{ if (include "sasl-enabled" . 
| fromJson).bool }} + {{ $command = concat $command (list "sh" "-c") }} + {{ $consoleSASLConfig := (printf "set -e; IFS=: read -r CONNECT_SASL_USERNAME KAFKA_SASL_PASSWORD CONNECT_SASL_MECHANISM < $(find /mnt/users/* -print); CONNECT_SASL_MECHANISM=${CONNECT_SASL_MECHANISM:-%s}; export CONNECT_SASL_USERNAME CONNECT_SASL_PASSWORD_FILE CONNECT_SASL_MECHANISM;" (( include "sasl-mechanism" . ) | lower)) }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " [[ $CONNECT_SASL_MECHANISM == \"SCRAM-SHA-256\" ]] && CONNECT_SASL_MECHANISM=scram-sha-256;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " [[ $CONNECT_SASL_MECHANISM == \"SCRAM-SHA-512\" ]] && CONNECT_SASL_MECHANISM=scram-sha-512;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " export CONNECT_SASL_MECHANISM;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " echo $KAFKA_SASL_PASSWORD > /opt/kafka/connect-password/rc-credentials/password;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " exec /opt/kafka/bin/kafka_connect_run.sh" }} + {{ $command = append $command $consoleSASLConfig }} + {{ $extraVolumes = append $extraVolumes (dict + "name" (printf "%s-users" (include "redpanda.fullname" .)) + "secret" (dict + "secretName" .Values.auth.sasl.secretRef + ) + )}} + {{ $extraVolumeMounts = append $extraVolumeMounts (dict + "name" (printf "%s-users" (include "redpanda.fullname" .)) + "mountPath" "/mnt/users" + "readOnly" true + )}} + {{ $extraVolumes = append $extraVolumes (dict + "name" (printf "%s-user-password" ((include "redpanda.fullname" .)) | trunc 49) + "emptyDir" (dict) + )}} + {{ $extraVolumeMounts = append $extraVolumeMounts (dict + "name" (printf "%s-user-password" ((include "redpanda.fullname" .)) | trunc 49) + "mountPath" "/opt/kafka/connect-password/rc-credentials" + )}} + {{ $connectorsValues := merge $connectorsValues (dict + "Values" (dict + "storage" (dict + "volumeMounts" $extraVolumeMounts + "volume" $extraVolumes + ) + "auth" (dict + "sasl" (dict + "enabled" 
.Values.auth.sasl.enabled + ) + ) + "deployment" (dict + "command" $command + "extraEnv" (list + (dict + "name" "CONNECT_SASL_PASSWORD_FILE" + "value" "rc-credentials/password" + ) + ) + ) + ) + )}} +{{ end }} + +{{ $connectorsValues := merge $connectorsValues (dict "Values" (dict "deployment" (dict "create" (not .Values.connectors.deployment.create)))) }} +{{ $connectorsValues := merge $connectorsValues (dict "Values" (dict "test" (dict "create" (not .Values.connectors.test.create)))) }} +{{ $helmVars := deepCopy .Subcharts.connectors }} +{{ $helmVars := merge $connectorsValues $helmVars }} +{{ include (print .Subcharts.connectors.Template.BasePath "/deployment.yaml") $helmVars }} +--- +{{ include (print .Subcharts.connectors.Template.BasePath "/tests/01-mm2-values.yaml") $helmVars }} +{{ end }} diff --git a/charts/redpanda/redpanda/templates/console/deployment.yaml b/charts/redpanda/redpanda/templates/console/configmap-and-deployment.yaml similarity index 64% rename from charts/redpanda/redpanda/templates/console/deployment.yaml rename to charts/redpanda/redpanda/templates/console/configmap-and-deployment.yaml index 91eb135ff..265b22be6 100644 --- a/charts/redpanda/redpanda/templates/console/deployment.yaml +++ b/charts/redpanda/redpanda/templates/console/configmap-and-deployment.yaml 
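Review bot: The generated start command writes the SASL password with `echo $KAFKA_SASL_PASSWORD > /opt/kafka/connect-password/rc-credentials/password`, unquoted and under the default umask. Unquoted expansion lets the shell split or glob the value, so a password containing spaces or `*` is written incorrectly, and the file is probably created readable by group and others. I would change that fragment to `umask 077; printf '%s\n' "$KAFKA_SASL_PASSWORD" > /opt/kafka/connect-password/rc-credentials/password;`, with the quotes and backslash escaped for the template string. The backing volume is `"emptyDir" (dict)`, which is node-disk backed. `"emptyDir" (dict "medium" "Memory")` would keep the credential off disk, as the subchart's own `rp-connect-tmp` volume already does.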
@@ -14,6 +14,99 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} +{{ $values := .Values }} +{{ $configmap := dict }} +{{/* if the console chart has the creation of the configmap disabled, create it here instead */}} +{{ if and .Values.console.enabled (not .Values.console.configmap.create) }} +{{ $consoleConfigmap := dict "create" true }} + +{{/* kafka section */}} + +{{/* brokers */}} +{{ $kafkaBrokers := list }} +{{ range (include "seed-server-list" . | mustFromJson) }} + {{ $kafkaBrokers = append $kafkaBrokers (printf "%s:%d" . (int $values.listeners.kafka.port)) }} +{{ end }} + +{{/* sasl */}} +{{/* the rest of sasl is configured through the secret */}} +{{ $kafkaSASL := dict "enabled" (include "sasl-enabled" . | fromJson).bool }} + +{{/* tls */}} +{{/* the rest of tls is configured through the secret */}} +{{ $kafkaTLS := dict "enabled" (include "kafka-internal-tls-enabled" . | fromJson).bool }} + +{{/* schemaRegistry */}} +{{- $urls := list -}} +{{ $proto := "http" }} +{{ if (include "schemaRegistry-internal-tls-enabled" . | fromJson).bool }} + {{ $proto = "https" }} +{{ end }} +{{ $port := int $values.listeners.schemaRegistry.port }} +{{ range (include "seed-server-list" . | mustFromJson) }} + {{ $urls = append $urls (printf "%s://%s:%d" $proto . $port) }} +{{ end }} +{{/* tls */}} +{{/* the rest of tls is configured through the secret */}} +{{ $schemaRegistryTLS := dict "enabled" (include "schemaRegistry-internal-tls-enabled" . | fromJson).bool }} + +{{ $connectConfig := dict }} +{{ if .Values.connectors.enabled }} +{{ $connectorsValues := deepCopy .Subcharts.connectors }} +{{ $connectorsValues = merge $connectorsValues .Values.connectors }} +{{/* Connector */}} +{{/* Currently Kafka connect helm chart does not support TLS configuraiton. 
That's why tls enabled is set explicitly to false*/}} +{{/* Currently Kafka connect helm chart does not support basic auth. That's why username and password is set explicitly to empty string*/}} +{{ $connectConfig = dict + "enabled" $values.connectors.enabled + "clusters" (list + (dict + "url" (printf "http://%s.%s.svc.cluster.local:%s" (include "connectors.serviceName" $connectorsValues) .Release.Namespace ($values.connectors.connectors.restPort | toString )) + "name" "connectors" + "tls" (dict + "enabled" "false" + "caFilepath" "" + "certFilepath" "" + "keyFilepath" "" + "insecureSkipTlsVerify" "false" + ) + "username" "" + "password" "" + "token" "" + ) + ) +}} +{{ end }} + +{{ $kafkaSchemaRegistry := dict + "enabled" (and .Values.listeners.schemaRegistry.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool) + "urls" $urls + "tls" $schemaRegistryTLS +}} +{{ $consoleConfigKafka := dict + "brokers" $kafkaBrokers + "sasl" $kafkaSASL + "tls" $kafkaTLS + "schemaRegistry" $kafkaSchemaRegistry +}} +{{ $consoleConfig := dict + "kafka" $consoleConfigKafka + "connect" $connectConfig +}} +{{ $config := dict + "Values" (dict + "console" (dict "config" $consoleConfig) + "configmap" $consoleConfigmap + ) +}} + +{{ $console := deepCopy .Subcharts.console }} +{{ $console = merge $config $console }} + +{{ include (print .Subcharts.console.Template.BasePath "/configmap.yaml") $console }} +{{ $configmap = include (print .Subcharts.console.Template.BasePath "/configmap.yaml") $console }} +{{ end }} +{{/* Deployment */}} {{ if and .Values.console.enabled (not .Values.console.deployment.create) }} {{ $extraVolumes := list }} 
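Review bot: The `connect` cluster entry hard-codes `http://` with empty `username` and `password`, so Console reaches the Connect REST API in cleartext and without authentication; the two comments above it record this only as a chart limitation. Connector configs sent over that API can carry broker credentials (the mm2 test added in this commit embeds a JAAS password in the connector config). I would extend the comment to state the required mitigation, e.g. `{{/* Connect REST is plaintext and unauthenticated: restrict restPort to Console with a NetworkPolicy */}}`. Separately, `"enabled" "false"` and `"insecureSkipTlsVerify" "false"` are strings; if Console's config loader does not coerce them, boolean `false` is the safer literal.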
@@ -146,7 +239,13 @@ limitations under the License. {{ $consoleValues := merge $consoleValues (dict "Values" (dict "deployment" (dict "command" $command))) }} {{ end }} {{ $consoleValues := merge $consoleValues (dict "Values" (dict "deployment" (dict "create" (not .Values.console.deployment.create)))) }} + +{{ if and .Values.console.enabled (not .Values.console.configmap.create) }} +{{ $consoleValues := merge $consoleValues (dict "Values" (dict "podAnnotations" (dict "checksum-redpanda-chart/config" ( $configmap | toYaml | sha256sum )))) }} +{{ end }} + {{ $helmVars := deepCopy .Subcharts.console }} {{ $helmVars := merge $consoleValues $helmVars }} +--- {{ include (print .Subcharts.console.Template.BasePath "/deployment.yaml") $helmVars }} {{ end }} \ No newline at end of file diff --git a/charts/redpanda/redpanda/templates/console/configmap.yaml b/charts/redpanda/redpanda/templates/console/configmap.yaml deleted file mode 100644 index 7302c5c8b..000000000 --- a/charts/redpanda/redpanda/templates/console/configmap.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -{{/* -Licensed to the Apache Software Foundation (ASF) under one or more -contributor license agreements. See the NOTICE file distributed with -this work for additional information regarding copyright ownership. -The ASF licenses this file to You under the Apache License, Version 2.0 -(the "License"); you may not use this file except in compliance with -the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} -{{ $values := .Values }} - -{{/* if the console chart has the creation of the configmap disabled, create it here instead */}} -{{ if and .Values.console.enabled (not .Values.console.configmap.create) }} -{{ $consoleConfigmap := dict "create" true }} - -{{/* kafka section */}} - -{{/* brokers */}} -{{ $kafkaBrokers := list }} -{{ range (include "seed-server-list" . | mustFromJson) }} - {{ $kafkaBrokers = append $kafkaBrokers (printf "%s:%d" . (int $values.listeners.kafka.port)) }} -{{ end }} - -{{/* sasl */}} -{{/* the rest of sasl is configured through the secret */}} -{{ $kafkaSASL := dict "enabled" (include "sasl-enabled" . | fromJson).bool }} - -{{/* tls */}} -{{/* the rest of tls is configured through the secret */}} -{{ $kafkaTLS := dict "enabled" (include "kafka-internal-tls-enabled" . | fromJson).bool }} - -{{/* schemaRegistry */}} -{{- $urls := list -}} -{{ $proto := "http" }} -{{ if (include "schemaRegistry-internal-tls-enabled" . | fromJson).bool }} - {{ $proto = "https" }} -{{ end }} -{{ $port := int $values.listeners.schemaRegistry.port }} -{{ range (include "seed-server-list" . | mustFromJson) }} - {{ $urls = append $urls (printf "%s://%s:%d" $proto . 
$port) }} -{{ end }} -{{/* tls */}} -{{/* the rest of tls is configured through the secret */}} -{{ $schemaRegistryTLS := dict "enabled" (include "schemaRegistry-internal-tls-enabled" . | fromJson).bool }} - -{{ $kafkaSchemaRegistry := dict - "enabled" (and .Values.listeners.schemaRegistry.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool) - "urls" $urls - "tls" $schemaRegistryTLS -}} -{{ $consoleConfigKafka := dict - "brokers" $kafkaBrokers - "sasl" $kafkaSASL - "tls" $kafkaTLS - "schemaRegistry" $kafkaSchemaRegistry -}} -{{ $consoleConfig := dict "kafka" $consoleConfigKafka }} -{{ $config := dict - "Values" (dict - "console" (dict "config" $consoleConfig) - "configmap" $consoleConfigmap - ) -}} - -{{ $console := deepCopy .Subcharts.console }} -{{ $console := merge $config $console }} - -{{ include (print .Subcharts.console.Template.BasePath "/configmap.yaml") $console }} -{{ end }} \ No newline at end of file diff --git a/charts/redpanda/redpanda/templates/secrets.yaml b/charts/redpanda/redpanda/templates/secrets.yaml index 246d403b2..9289f9f50 100644 --- a/charts/redpanda/redpanda/templates/secrets.yaml +++ b/charts/redpanda/redpanda/templates/secrets.yaml @@ -47,10 +47,11 @@ stringData: # path below should match the path defined on the statefulset source /var/lifecycle/common.sh -{{- if gt ( .Values.statefulset.replicas | int64 ) 2 }} postStartHook () { set -x + touch /tmp/postStartHookStarted + until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do sleep 0.5 done 
@@ -62,33 +63,33 @@ stringData: status=$(${CURL_MAINTENANCE_DELETE_CMD}) sleep 0.5 done - } - - export -f postStartHook - timeout {{ div .Values.statefulset.terminationGracePeriodSeconds 2 }} bash -c "postStartHook" - true -{{- end }} {{- if and .Values.auth.sasl.enabled (not (empty .Values.auth.sasl.secretRef )) }} - set +x - - # Setup and export SASL bootstrap-user - IFS=":" read -r USER_NAME PASSWORD MECHANISM < $(find /etc/secrets/users/* -print) - MECHANISM=${MECHANISM:-{{- include "sasl-mechanism" . }}} - rpk acl user create ${USER_NAME} --password=${PASSWORD} --mechanism ${MECHANISM} {{ template "rpk-flags-no-brokers-no-sasl" $ }} || true + # Setup and export SASL bootstrap-user + IFS=":" read -r USER_NAME PASSWORD MECHANISM < $(find /etc/secrets/users/* -print) + MECHANISM=${MECHANISM:-{{- include "sasl-mechanism" . }}} + rpk acl user create ${USER_NAME} --password=${PASSWORD} --mechanism ${MECHANISM} {{ template "rpk-flags-no-brokers-no-sasl" $ }} || true {{- end }} + touch /tmp/postStartHookFinished + } + + postStartHook + true + + preStop.sh: |- #!/usr/bin/env bash # This code should be similar if not exactly the same as that found in the panda-operator, see # https://github.com/redpanda-data/redpanda/blob/e51d5b7f2ef76d5160ca01b8c7a8cf07593d29b6/src/go/k8s/pkg/resources/secret.go + touch /tmp/preStopHookStarted + # path below should match the path defined on the statefulset source /var/lifecycle/common.sh set -x -{{- if gt ( .Values.statefulset.replicas | int64 ) 2 }} preStopHook () { until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do sleep 0.5 
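Review bot: Moving the SASL bootstrap-user block inside `postStartHook` drops the `set +x` that used to precede it, while the function still opens with `set -x` (previous hunk). The statefulset.yaml hunk `@@ -237,13 +237,24 @@` also now launches the script with `bash -x`. The shell therefore traces `rpk acl user create ${USER_NAME} --password=${PASSWORD} …` with the expanded password to the hook's stderr, which may surface in kubelet events or node logs. Restore the guard inside the function: `set +x` before the `IFS=":" read -r USER_NAME PASSWORD MECHANISM …` line and `set -x` after the `rpk acl user create` line. The function body starts outside this hunk.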
@@ -107,12 +108,17 @@ stringData: draining=$(echo $res | grep -o '\"draining\":[^,}]*' | grep -o '[^: ]*$') sleep 0.5 done + + touch /tmp/preStopHookFinished } - export -f preStopHook - timeout {{ div .Values.statefulset.terminationGracePeriodSeconds 2 }} bash -c "preStopHook" - true +{{- if gt ( .Values.statefulset.replicas | int64 ) 2 }} + preStopHook +{{- else }} + touch /tmp/preStopHookFinished + echo "Not enough replicas to put a broker into maintenance mode." {{- end }} + true {{- if and (not (empty .Values.auth.sasl.secretRef)) (and .Values.auth.sasl.enabled .Values.auth.sasl.users) }} --- apiVersion: v1 @@ -155,18 +161,18 @@ stringData: sasl-user.sh: |- #!/usr/bin/env bash set -e - + ready_result_exit_code=1 while [[ ${ready_result_exit_code} -ne 0 ]]; do ready_result=$(rpk cluster health {{ include "rpk-acl-user-flags" . }} | grep 'Healthy:.*true' 2>&1) && ready_result_exit_code=$? sleep 2 done - + while true; do {{- if and $sasl.enabled (not (empty $sasl.secretRef )) }} echo "RUNNING: Monitoring and Updating SASL users" USERS_DIR="/etc/secrets/users" - + new_users_list(){ LIST=$1 NEW_USER=$2 @@ -175,10 +181,10 @@ stringData: else LIST="${NEW_USER}" fi - + echo "${LIST}" } - + process_users() { USERS_DIR=${1-"/etc/secrets/users"} USERS_FILE=$(find ${USERS_DIR}/* -print) 
@@ -227,21 +233,21 @@ stringData: USERS_LIST=$(new_users_list "${USERS_LIST}" "${USER_NAME}") fi done < $USERS_FILE - + if [[ -n "${USERS_LIST}" && ${READ_LIST_SUCCESS} ]]; then echo "Setting superusers configurations with users [${USERS_LIST}]" superuser_result=$(rpk cluster config set superusers [${USERS_LIST}] {{ template "rpk-acl-user-flags" $ }} 2>&1) && superuser_result_exit_code=$? || superuser_result_exit_code=$? if [[ $superuser_result_exit_code -ne 0 ]]; then echo "Setting superusers configurations failed: ${superuser_result}" else - echo "Completed setting superusers configurations" + echo "Completed setting superusers configurations" fi fi } - + # first time processing process_users $USERS_DIR - + # subsequent changes detected here # watching delete_self as documented in https://ahmet.im/blog/kubernetes-inotify/ USERS_FILE=$(find ${USERS_DIR}/* -print) diff --git a/charts/redpanda/redpanda/templates/statefulset.yaml b/charts/redpanda/redpanda/templates/statefulset.yaml index 96fc4457d..a101a48de 100644 --- a/charts/redpanda/redpanda/templates/statefulset.yaml +++ b/charts/redpanda/redpanda/templates/statefulset.yaml @@ -30,7 +30,7 @@ limitations under the License. {{- if not (include "redpanda-atleast-22-2-0" . | fromJson).bool -}} {{- if eq (get .Values "force" | default false) false -}} {{- fail ( - printf "\n\nError: The Redpanda version (%s) is no longer supported \nTo accept this risk, run the upgrade again adding `--set force=true`\n" (( include "redpanda.semver" . )) + printf "\n\nError: The Redpanda version (%s) is no longer supported \nTo accept this risk, run the upgrade again adding `--force=true`\n" (( include "redpanda.semver" . )) ) -}} {{- end -}} 
@@ -237,13 +237,24 @@ spec: valueFrom: fieldRef: fieldPath: status.hostIP + # finish the lifecycle scripts with "true" to prevent them from terminating the pod prematurely lifecycle: postStart: exec: - command: ["/bin/bash", "-c", "./var/lifecycle/postStart.sh"] + command: + - /bin/bash + - -c + - | + timeout -v {{ div .Values.statefulset.terminationGracePeriodSeconds 2 }} bash -x /var/lifecycle/postStart.sh + true preStop: exec: - command: ["/bin/bash", "-c", "./var/lifecycle/preStop.sh"] + command: + - /bin/bash + - -c + - | + timeout -v {{ div .Values.statefulset.terminationGracePeriodSeconds 2 }} bash -x /var/lifecycle/preStop.sh + true # do not fail and cause the pod to terminate # the startupProbe checks to see that the admin api is listening and that the broker has a node_id assigned. This # check is only used to delay the start of the liveness and readiness probes until it passes. startupProbe: @@ -384,7 +395,7 @@ spec: - name: lifecycle-scripts secret: secretName: {{ (include "redpanda.fullname" . | trunc 50 ) }}-sts-lifecycle - defaultMode: 0774 + defaultMode: 0o775 - name: datadir {{- if .Values.storage.persistentVolume.enabled }} persistentVolumeClaim: @@ -441,7 +452,7 @@ spec: secret: secretName: {{ template "redpanda.fullname" . }}-config-watcher optional: false - defaultMode: 0774 + defaultMode: 0o775 {{- if or .Values.statefulset.nodeAffinity .Values.statefulset.podAffinity .Values.statefulset.podAntiAffinity }} affinity: {{- with .Values.statefulset.nodeAffinity }} diff --git a/charts/redpanda/redpanda/templates/tests/test-connector-via-console.yaml b/charts/redpanda/redpanda/templates/tests/test-connector-via-console.yaml new file mode 100644 index 000000000..edf6112cb --- /dev/null +++ b/charts/redpanda/redpanda/templates/tests/test-connector-via-console.yaml 
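Review bot: `defaultMode: 0o775` on the `lifecycle-scripts` volume, and on the config-watcher secret volume in the `@@ -441,7 +452,7 @@` hunk, widens the old `0774` by adding world-execute and keeps owner and group write on files projected from a Secret. Nothing in these hunks needs write access to the scripts, and the lifecycle hooks now run them as `bash -x /var/lifecycle/postStart.sh`, which needs only read. `defaultMode: 0o555`, or `0o550` if the pod's fsGroup covers the container user, would be the least-privilege setting. The pod securityContext is outside these hunks, so confirm which of the two applies.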
@@ -0,0 +1,210 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.connectors.enabled .Values.console.enabled }} +{{- $sasl := .Values.auth.sasl }} +{{- $root := deepCopy . }} +{{- $values := .Values }} +{{ $consoleValues := dict "Values" (deepCopy .Values.console) "Release" .Release "Chart" .Subcharts.console.Chart }} +{{/* brokers */}} +{{- $kafkaBrokers := list }} +{{- range (include "seed-server-list" . | mustFromJson) }} + {{- $kafkaBrokers = append $kafkaBrokers (printf "%s:%s" . ($values.listeners.kafka.port | toString)) }} +{{- end }} +{{- $brokersString := join "," $kafkaBrokers}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . | trunc 54 }}-test-connectors-via-console + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + test-name: test-connectors-via-console + annotations: + test-name: test-connectors-via-console + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . 
| nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + env: + - name: TLS_ENABLED + value: {{ (include "kafka-internal-tls-enabled" . | fromJson).bool | quote }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + {{- $testTopic := printf "test-topic-%s" (randNumeric 3) }} + rpk topic create {{ $testTopic }} {{ include "rpk-topic-flags" . }} + rpk topic list {{ include "rpk-topic-flags" . }} + echo "Test message!" | rpk topic produce {{ $testTopic }} {{ include "rpk-topic-flags" . }} + + SASL_MECHANISM="PLAIN" + {{- if .Values.auth.sasl.enabled }} + set -e + set +x + + IFS=: read -r CONNECT_SASL_USERNAME KAFKA_SASL_PASSWORD CONNECT_SASL_MECHANISM < $(find /etc/secrets/users/* -print) + CONNECT_SASL_MECHANISM=${CONNECT_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + if [[ -n "$CONNECT_SASL_USERNAME" && -n "$KAFKA_SASL_PASSWORD" && -n "$CONNECT_SASL_MECHANISM" ]]; then + SASL_MECHANISM=$CONNECT_SASL_MECHANISM + JAAS_CONFIG_SOURCE="\"source.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${CONNECT_SASL_USERNAME}\\\\"\" password=\\\\"\"${KAFKA_SASL_PASSWORD}\\\\"\";\"," + JAAS_CONFIG_TARGET="\"target.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${CONNECT_SASL_USERNAME}\\\\"\" password=\\\\"\"${KAFKA_SASL_PASSWORD}\\\\"\";\"," + fi + + set -x + set +e + {{- end }} + + SECURITY_PROTOCOL=PLAINTEXT + if [[ -n "$CONNECT_SASL_MECHANISM" && $TLS_ENABLED == "true" ]]; then + SECURITY_PROTOCOL="SASL_SSL" + elif [[ -n "$CONNECT_SASL_MECHANISM" ]]; then + SECURITY_PROTOCOL="SASL_PLAINTEXT" + elif [[ $TLS_ENABLED == "true" ]]; then + SECURITY_PROTOCOL="SSL" + fi + + CONNECTOR_NAME=mm2-$RANDOM + cat << 'EOF' > /tmp/mm2-conf.json + { + "connectorName": "CONNECTOR_NAME", + "config": { + "connector.class": 
"org.apache.kafka.connect.mirror.MirrorSourceConnector", + "topics": "{{ $testTopic }}", + "replication.factor": "1", + "tasks.max": "1", + "source.cluster.bootstrap.servers": {{ $brokersString | quote }}, + "target.cluster.bootstrap.servers": {{ $brokersString | quote }}, + "target.cluster.alias": "test-only-redpanda", + "source.cluster.alias": "source", + "key.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", + "value.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", + "source->target.enabled": "true", + "target->source.enabled": "false", + "sync.topic.configs.interval.seconds": "5", + "sync.topics.configs.enabled": "true", + "source.cluster.ssl.truststore.type": "PEM", + "target.cluster.ssl.truststore.type": "PEM", + "source.cluster.ssl.truststore.location": "/opt/kafka/connect-certs/ca/ca.crt", + "target.cluster.ssl.truststore.location": "/opt/kafka/connect-certs/ca/ca.crt", + JAAS_CONFIG_SOURCE + JAAS_CONFIG_TARGET + "source.cluster.security.protocol": "SECURITY_PROTOCOL", + "target.cluster.security.protocol": "SECURITY_PROTOCOL", + "source.cluster.sasl.mechanism": "SASL_MECHANISM", + "target.cluster.sasl.mechanism": "SASL_MECHANISM" + } + } + EOF + + sed -i "s/CONNECTOR_NAME/$CONNECTOR_NAME/g" /tmp/mm2-conf.json + sed -i "s/SASL_MECHANISM/$SASL_MECHANISM/g" /tmp/mm2-conf.json + sed -i "s/SECURITY_PROTOCOL/$SECURITY_PROTOCOL/g" /tmp/mm2-conf.json + set +x + sed -i "s/JAAS_CONFIG_SOURCE/$JAAS_CONFIG_SOURCE/g" /tmp/mm2-conf.json + sed -i "s/JAAS_CONFIG_TARGET/$JAAS_CONFIG_TARGET/g" /tmp/mm2-conf.json + set -x + + max_iteration=10 + for i in $(seq 1 $max_iteration) + do + curl -v -H 'Content-Type: application/json' http://{{ include "console.fullname" $consoleValues }}:{{ include "console.containerPort" $consoleValues }}/api/kafka-connect/clusters/connectors/connectors \ + -d @/tmp/mm2-conf.json && echo + + result=$? 
+ if [[ $result -eq 0 ]] + then + echo "Result successful" + break + else + echo "Result unsuccessful" + sleep 1 + fi + done + + if [[ $result -ne 0 ]] + then + echo "mm2 connector can not be created!!!" + exit 1 + fi + + rpk topic consume source.{{ $testTopic }} -n 1 {{ include "rpk-topic-flags" . }} + + for i in $(seq 1 $max_iteration) + do + curl -v -X DELETE http://{{ include "console.fullname" $consoleValues }}:{{ include "console.containerPort" $consoleValues }}/api/kafka-connect/clusters/connectors/connectors/$CONNECTOR_NAME && echo + + result=$? + if [[ $result -eq 0 ]] + then + echo "Result successful" + break + else + echo "Result unsuccessful" + sleep 1 + fi + done + + if [[ $result -ne 0 ]] + then + echo "mm2 connector can not be destroyed!!!" + exit 1 + fi + + rpk topic list {{ include "rpk-topic-flags" . }} + rpk topic delete {{ $testTopic }} source.{{ $testTopic }} mm2-offset-syncs.test-only-redpanda.internal {{ include "rpk-topic-flags" . }} + volumeMounts: +{{- if (include "tls-enabled" . | fromJson).bool -}} + {{- range $name, $cert := .Values.tls.certs }} + - name: redpanda-{{ $name }}-cert + mountPath: {{ printf "/etc/tls/certs/%s" $name }} + {{- end }} +{{- end }} +{{- if $sasl.enabled }} + - name: {{ $sasl.secretRef }} + mountPath: "/etc/secrets/users" + readOnly: true +{{- end}} + volumes: +{{- if $sasl.enabled }} + - name: {{ $sasl.secretRef }} + secret: + secretName: {{ $sasl.secretRef }} + optional: false +{{- end }} +{{- if (include "tls-enabled" . | fromJson).bool }} + {{- range $name, $cert := .Values.tls.certs }} + {{- $r := set $root "tempCert" ( dict "name" $name "cert" $cert ) }} + - name: redpanda-{{ $name }}-cert + secret: + defaultMode: 0644 + secretName: {{ template "cert-secret-name" $r }} + {{- end }} +{{- end -}} +{{- end }} diff --git a/charts/redpanda/redpanda/templates/tests/test-lifecycle-scripts.yaml b/charts/redpanda/redpanda/templates/tests/test-lifecycle-scripts.yaml new file mode 100644 index 000000000..d87204ee8 
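Review bot: The SASL password read from /etc/secrets/users is spliced into /tmp/mm2-conf.json with `sed -i "s/JAAS_CONFIG_SOURCE/$JAAS_CONFIG_SOURCE/g"` (and the TARGET twin), so a password containing `/`, `&`, `\` or `"` either breaks the sed expression or produces JSON other than what was intended, and the file holding the credential is never removed. Adding `rm -f /tmp/mm2-conf.json` after the POST loop limits how long it stays on disk. The two retry loops take curl's exit status as the result, but without `--fail` curl exits 0 on an HTTP 4xx/5xx reply, so a rejected connector still prints "Result successful"; adding `--fail` to both the POST and the DELETE call fixes that. The POST also carries the JAAS config to the console over `http://`; if this chart can serve the console over TLS, the test should follow that setting.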
--- /dev/null +++ b/charts/redpanda/redpanda/templates/tests/test-lifecycle-scripts.yaml 
@@ -0,0 +1,90 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-lifecycle" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +spec: + restartPolicy: Never + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + env: + - name: SERVICE_NAME + value: {{ include "redpanda.fullname" . 
}}-0 + command: + - /bin/timeout + - "{{ mul .Values.statefulset.terminationGracePeriodSecond 2 }}" + - bash + - -xec + - | + /bin/timeout -v {{ div .Values.statefulset.terminationGracePeriodSeconds 2 }} bash -x /var/lifecycle/preStop.sh + ls -l /tmp/preStop* + test -f /tmp/preStopHookStarted + test -f /tmp/preStopHookFinished + + /bin/timeout -v {{ div .Values.statefulset.terminationGracePeriodSeconds 2 }} bash -x /var/lifecycle/postStart.sh + ls -l /tmp/postStart* + test -f /tmp/postStartHookStarted + test -f /tmp/postStartHookFinished + volumeMounts: + - name: lifecycle-scripts + mountPath: /var/lifecycle +{{- if (include "tls-enabled" . | fromJson).bool }} + {{- range $name, $cert := .Values.tls.certs }} + - name: redpanda-{{ $name }}-cert + mountPath: {{ printf "/etc/tls/certs/%s" $name }} + readOnly: true + {{- end }} +{{- end }} + volumes: + - name: lifecycle-scripts + secret: + secretName: {{ (include "redpanda.fullname" . | trunc 50 ) }}-sts-lifecycle + defaultMode: 0o775 +{{- if (include "tls-enabled" . | fromJson).bool }} + {{- range $name, $cert := .Values.tls.certs }} + {{- $r := set $ "tempCert" ( dict "name" $name "cert" $cert ) }} + - name: redpanda-{{ $name }}-cert + secret: + defaultMode: 420 + items: + - key: tls.key + path: tls.key + - key: tls.crt + path: tls.crt + {{- if $cert.caEnabled }} + - key: ca.crt + path: ca.crt + {{- end }} + secretName: {{ template "cert-secret-name" $r }} + {{- end }} +{{- end }} diff --git a/charts/redpanda/redpanda/values.yaml b/charts/redpanda/redpanda/values.yaml index 5594ddf68..ed38c395b 100644 --- a/charts/redpanda/redpanda/values.yaml +++ b/charts/redpanda/redpanda/values.yaml 
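Review bot: The outer timeout argument reads `.Values.statefulset.terminationGracePeriodSecond` (no trailing `s`), while the two inner `timeout` calls in the same script use `terminationGracePeriodSeconds`. The misspelled key is not defined anywhere this diff shows, so `mul` most likely evaluates to 0, and GNU `timeout` treats a duration of 0 as "no timeout", which leaves the test pod unbounded if anything outside the two inner calls hangs. The line should read `- "{{ mul .Values.statefulset.terminationGracePeriodSeconds 2 }}"`. The pod name is also not truncated here, unlike the `trunc 54` used for the connectors test pod, so a long release name can exceed the name length limit.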
@@ -97,6 +97,17 @@ console: create: false config: {} +# +# -- Redpanda Managed Connectors settings +# For a reference of configuration settings, +# see the [Redpanda Connectors documentation](https://docs.redpanda.com/docs/deploy/deployment-option/cloud/managed-connectors/). +connectors: + enabled: false + deployment: + create: false + test: + create: false + # -- Authentication settings. # For details, # see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/). diff --git a/charts/traefik/traefik/Changelog.md b/charts/traefik/traefik/Changelog.md index 59ba81ccd..77ba13a50 100644 --- a/charts/traefik/traefik/Changelog.md +++ b/charts/traefik/traefik/Changelog.md 
@@ -1,8 +1,77 @@ # Change Log +## 24.0.0 ![AppVersion: v2.10.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.4&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) + +**Release date:** 2023-08-10 + +* chore(release): 🚀 publish v24.0.0 +* fix: http3 support broken when advertisedPort set +* fix: tracing.opentelemetry.tls is optional for all values +* chore(deps): update docker.io/helmunittest/helm-unittest docker tag to v3.12.2 +* chore(tests): 🔧 fix typo on tracing test +* fix: 💥 BREAKING CHANGE on healthchecks and traefik port +* feat: multi namespace RBAC manifests + +### Default value changes + +```diff +diff --git a/traefik/values.yaml b/traefik/values.yaml +index 947ba56..aeec85c 100644 +--- a/traefik/values.yaml ++++ b/traefik/values.yaml +@@ -28,6 +28,13 @@ deployment: + terminationGracePeriodSeconds: 60 + # -- The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available + minReadySeconds: 0 ++ ## Override the liveness/readiness port. This is useful to integrate traefik ++ ## with an external Load Balancer that performs healthchecks. ++ ## Default: ports.traefik.port ++ # healthchecksPort: 9000 ++ ## Override the liveness/readiness scheme. Useful for getting ping to ++ ## respond on websecure entryPoint. ++ # healthchecksScheme: HTTPS + # -- Additional deployment annotations (e.g. for jaeger-operator sidecar injection) + annotations: {} + # -- Additional deployment labels (e.g. for filtering deployment by custom labels) +@@ -112,7 +119,7 @@ experimental: + #This value is no longer used, set the image.tag to a semver higher than 3.0, e.g. 
"v3.0.0-beta3" + #v3: + # -- Enable traefik version 3 +- # enabled: false ++ # enabled: false + plugins: + # -- Enable traefik experimental plugins + enabled: false +@@ -564,15 +571,6 @@ ports: + # only. + # hostIP: 192.168.100.10 + +- # Override the liveness/readiness port. This is useful to integrate traefik +- # with an external Load Balancer that performs healthchecks. +- # Default: ports.traefik.port +- # healthchecksPort: 9000 +- +- # Override the liveness/readiness scheme. Useful for getting ping to +- # respond on websecure entryPoint. +- # healthchecksScheme: HTTPS +- + # Defines whether the port is exposed if service.type is LoadBalancer or + # NodePort. + # +@@ -877,7 +875,7 @@ affinity: {} + nodeSelector: {} + # -- Tolerations allow the scheduler to schedule pods with matching taints. + tolerations: [] +-# -- You can use topology spread constraints to control ++# -- You can use topology spread constraints to control + # how Pods are spread across your cluster among failure-domains. + topologySpreadConstraints: [] + # This example topologySpreadConstraints forces the scheduler to put traefik pods +``` + ## 23.2.0 ![AppVersion: v2.10.4](https://img.shields.io/static/v1?label=AppVersion&message=v2.10.4&color=success&logo=) ![Kubernetes: >=1.16.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.16.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm) -**Release date:** 2023-07-13 +**Release date:** 2023-07-27 * release: :rocket: publish v23.2.0 * feat: ✨ add support for traefik v3.0.0-beta3 and openTelemetry diff --git a/charts/traefik/traefik/Chart.yaml b/charts/traefik/traefik/Chart.yaml index de8d8693b..1f239f206 100644 --- a/charts/traefik/traefik/Chart.yaml +++ b/charts/traefik/traefik/Chart.yaml 
@@ -1,13 +1,10 @@ annotations: - artifacthub.io/changes: "- \"release: :rocket: publish v23.2.0\"\n- \"feat: ✨ add - support for traefik v3.0.0-beta3 and openTelemetry\"\n- \"feat: add pod_name as - default in values.yaml\"\n- \"fix: ingressclass name should be customizable (#864)\"\n- - \"chore(deps): update traefik docker tag to v2.10.4\"\n- \"fix: \U0001F41B traefik - or metrics port can be disabled\"\n- \"feat: disable allowPrivilegeEscalation\"\n- - \"fix: \U0001F41B update traefik.containo.us CRDs to v2.10\"\n- \"chore(tests): - \U0001F527 use more accurate asserts on refactor'd isNull test\"\n- \"chore(deps): - update docker.io/helmunittest/helm-unittest docker tag to v3.11.3\"\n- \"⬆️ Upgrade - traefik Docker tag to v2.10.3\"\n" + artifacthub.io/changes: "- \"chore(release): \U0001F680 publish v24.0.0\"\n- \"fix: + http3 support broken when advertisedPort set\"\n- \"fix: tracing.opentelemetry.tls + is optional for all values\"\n- \"chore(deps): update docker.io/helmunittest/helm-unittest + docker tag to v3.12.2\"\n- \"chore(tests): \U0001F527 fix typo on tracing test\"\n- + \"fix: \U0001F4A5 BREAKING CHANGE on healthchecks and traefik port\"\n- \"feat: + multi namespace RBAC manifests\"\n" catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Traefik Proxy catalog.cattle.io/kube-version: '>=1.16.0-0' @@ -38,4 +35,4 @@ sources: - https://github.com/traefik/traefik - https://github.com/traefik/traefik-helm-chart type: application -version: 23.2.0 +version: 24.0.0 diff --git a/charts/traefik/traefik/templates/_helpers.tpl b/charts/traefik/traefik/templates/_helpers.tpl index 3b0d12ee0..a6c8b9fa4 100644 --- a/charts/traefik/traefik/templates/_helpers.tpl +++ b/charts/traefik/traefik/templates/_helpers.tpl 
@@ -108,10 +108,10 @@ Users can provide an override for an explicit service they want bound via `.Valu Construct a comma-separated list of whitelisted namespaces */}} {{- define "providers.kubernetesIngress.namespaces" -}} -{{- default .Release.Namespace (join "," .Values.providers.kubernetesIngress.namespaces) }} +{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesIngress.namespaces) }} {{- end -}} {{- define "providers.kubernetesCRD.namespaces" -}} -{{- default .Release.Namespace (join "," .Values.providers.kubernetesCRD.namespaces) }} +{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesCRD.namespaces) }} {{- end -}} {{/* diff --git a/charts/traefik/traefik/templates/_podtemplate.tpl b/charts/traefik/traefik/templates/_podtemplate.tpl index 62b5e7b4d..8e2de9a3d 100644 --- a/charts/traefik/traefik/templates/_podtemplate.tpl +++ b/charts/traefik/traefik/templates/_podtemplate.tpl @@ -57,12 +57,11 @@ {{- with .Values.resources }} {{- toYaml . | nindent 10 }} {{- end }} - {{- $healthchecksPort := .Values.ports.web.port }} - {{- $healthchecksScheme := "HTTP" }} - {{- if .Values.ports.traefik }} - {{- $healthchecksPort = (default .Values.ports.traefik.port .Values.ports.traefik.healthchecksPort) }} - {{- $healthchecksScheme = (default "HTTP" .Values.ports.traefik.healthchecksScheme) }} + {{- if (and (empty .Values.ports.traefik) (empty .Values.deployment.healthchecksPort)) }} + {{- fail "ERROR: When disabling traefik port, you need to specify `deployment.healthchecksPort`" }} {{- end }} + {{- $healthchecksPort := (default (.Values.ports.traefik).port .Values.deployment.healthchecksPort) }} + {{- $healthchecksScheme := (default "HTTP" .Values.deployment.healthchecksScheme) }} readinessProbe: httpGet: path: /ping 
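Review bot: In the _podtemplate.tpl hunk, `$healthchecksPort` and `$healthchecksScheme` are now read only from `.Values.deployment.*`, so a release that still sets `ports.traefik.healthchecksPort` or `ports.traefik.healthchecksScheme` renders without error and silently probes the default traefik port over HTTP. The new block already uses `fail` for the disabled-port case, and a matching guard for the old keys would turn that silent change into an explicit upgrade error: `{{- if or (.Values.ports.traefik).healthchecksPort (.Values.ports.traefik).healthchecksScheme }}{{- fail "ERROR: healthchecksPort and healthchecksScheme moved under deployment" }}{{- end }}`. Whether another template still reads the old keys is not visible here, and the readinessProbe block continues past the end of the hunk.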
@@ -359,12 +358,10 @@ {{- if .Values.tracing.openTelemetry }} {{- if semverCompare "<3.0.0-0" (default $.Chart.AppVersion $.Values.image.tag) }} - {{- fail "ERROR: OpenTelemetry features are only available on Traefik v3. Please update `image.tag` to `v3.0`." }} + {{- fail "ERROR: OpenTelemetry features are only available on Traefik v3. Please set `image.tag` to `v3.x`." }} {{- end }} - "--tracing.openTelemetry=true" - {{- if .Values.tracing.openTelemetry.address }} - - "--tracing.openTelemetry.address={{ .Values.tracing.openTelemetry.address }}" - {{- end }} + - "--tracing.openTelemetry.address={{ required "ERROR: When enabling openTelemetry on tracing, `tracing.openTelemetry.address` is required." .Values.tracing.openTelemetry.address }}" {{- range $key, $value := .Values.tracing.openTelemetry.headers }} - "--tracing.openTelemetry.headers.{{ $key }}={{ $value }}" {{- end }} @@ -374,6 +371,7 @@ {{- if .Values.tracing.openTelemetry.path }} - "--tracing.openTelemetry.path={{ .Values.tracing.openTelemetry.path }}" {{- end }} + {{- if .Values.tracing.openTelemetry.tls }} {{- if .Values.tracing.openTelemetry.tls.ca }} - "--tracing.openTelemetry.tls.ca={{ .Values.tracing.openTelemetry.tls.ca }}" {{- end }} @@ -386,6 +384,7 @@ {{- if .Values.tracing.openTelemetry.tls.insecureSkipVerify }} - "--tracing.openTelemetry.tls.insecureSkipVerify={{ .Values.tracing.openTelemetry.tls.insecureSkipVerify }}" {{- end }} + {{- end }} {{- if .Values.tracing.openTelemetry.grpc }} - "--tracing.openTelemetry.grpc=true" {{- end }} 
@@ -596,14 +595,13 @@ - "--experimental.http3=true" {{- end }} {{- if semverCompare ">=2.6.0-0" (default $.Chart.AppVersion $.Values.image.tag)}} - {{- if $config.http3.advertisedPort }} - - "--entrypoints.{{ $entrypoint }}.http3.advertisedPort={{ $config.http3.advertisedPort }}" - {{- else }} - "--entrypoints.{{ $entrypoint }}.http3" - {{- end }} {{- else }} - "--entrypoints.{{ $entrypoint }}.enableHTTP3=true" {{- end }} + {{- if $config.http3.advertisedPort }} + - "--entrypoints.{{ $entrypoint }}.http3.advertisedPort={{ $config.http3.advertisedPort }}" + {{- end }} {{- end }} {{- end }} {{- end }} diff --git a/charts/traefik/traefik/templates/rbac/role.yaml b/charts/traefik/traefik/templates/rbac/role.yaml index 5be815953..be0f90f71 100644 --- a/charts/traefik/traefik/templates/rbac/role.yaml +++ b/charts/traefik/traefik/templates/rbac/role.yaml @@ -1,11 +1,17 @@ -{{- if and .Values.rbac.enabled .Values.rbac.namespaced }} +{{- $ingressNamespaces := default (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces -}} +{{- $CRDNamespaces := default (include "traefik.namespace" . | list) .Values.providers.kubernetesCRD.namespaces -}} +{{- $allNamespaces := uniq (concat $ingressNamespaces $CRDNamespaces) -}} + +{{- if and .Values.rbac.enabled .Values.rbac.namespaced -}} +{{- range $allNamespaces }} +--- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ template "traefik.fullname" . }} - namespace: {{ template "traefik.namespace" . }} + name: {{ template "traefik.fullname" $ }} + namespace: {{ . }} labels: - {{- include "traefik.labels" . | nindent 4 }} + {{- include "traefik.labels" $ | nindent 4 }} rules: - apiGroups: - "" @@ -17,7 +23,7 @@ rules: - get - list - watch -{{- if .Values.providers.kubernetesIngress.enabled }} +{{- if (and (has . $ingressNamespaces) $.Values.providers.kubernetesIngress.enabled) }} - apiGroups: - extensions - networking.k8s.io 
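Review bot: The `http3.advertisedPort` argument is now emitted outside the `semverCompare ">=2.6.0-0"` branch, so an image tag below 2.6.0 that takes the `enableHTTP3=true` path also receives `--entrypoints.<name>.http3.advertisedPort=...`. The old layout produced that flag only on the >=2.6.0 side, which suggests older binaries do not accept it; that is an inference from the version gate and should be confirmed against the options of the older release. If so, move the new `{{- if $config.http3.advertisedPort }}` block directly under `- "--entrypoints.{{ $entrypoint }}.http3"` inside the >=2.6.0 branch, so both flags are emitted together there and the legacy branch stays unchanged.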
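Review bot: In role.yaml, `$allNamespaces` is built from `providers.kubernetesIngress.namespaces` and `providers.kubernetesCRD.namespaces` without looking at either provider's `enabled` flag. A namespace listed only under a disabled provider therefore still gets a Role containing the first core-group `get`/`list`/`watch` rule (its resource list is outside the hunk), and rolebinding.yaml binds the service account to it using the same range. Filtering each list by its provider's `enabled` value before the `concat` keeps the grant to namespaces Traefik actually watches. Separately, `namespace: {{ . }}` renders a values-supplied string unquoted in both templates; `namespace: {{ . | quote }}` stops a numeric-looking name from being retyped by the YAML parser.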
@@ -35,7 +41,7 @@ rules: verbs: - update {{- end -}} -{{- if .Values.providers.kubernetesCRD.enabled }} +{{- if (and (has . $CRDNamespaces) $.Values.providers.kubernetesCRD.enabled) }} - apiGroups: - traefik.io {{- if semverCompare "<3.0.0-0" (default $.Chart.AppVersion $.Values.image.tag) }} @@ -59,14 +65,15 @@ rules: - list - watch {{- end -}} -{{- if .Values.podSecurityPolicy.enabled }} +{{- if $.Values.podSecurityPolicy.enabled }} - apiGroups: - extensions resourceNames: - - {{ template "traefik.fullname" . }} + - {{ template "traefik.fullname" $ }} resources: - podsecuritypolicies verbs: - use {{- end -}} {{- end -}} +{{- end -}} diff --git a/charts/traefik/traefik/templates/rbac/rolebinding.yaml b/charts/traefik/traefik/templates/rbac/rolebinding.yaml index 91334b4b2..263a2e05a 100644 --- a/charts/traefik/traefik/templates/rbac/rolebinding.yaml +++ b/charts/traefik/traefik/templates/rbac/rolebinding.yaml 
@@ -1,17 +1,24 @@ +{{- $ingressNamespaces := default (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces -}} +{{- $CRDNamespaces := default (include "traefik.namespace" . | list) .Values.providers.kubernetesCRD.namespaces -}} +{{- $allNamespaces := uniq (concat $ingressNamespaces $CRDNamespaces) -}} + {{- if and .Values.rbac.enabled .Values.rbac.namespaced }} +{{- range $allNamespaces }} +--- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ template "traefik.fullname" . }} - namespace: {{ template "traefik.namespace" . }} + name: {{ template "traefik.fullname" $ }} + namespace: {{ . }} labels: - {{- include "traefik.labels" . | nindent 4 }} + {{- include "traefik.labels" $ | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "traefik.fullname" . }} + name: {{ template "traefik.fullname" $ }} subjects: - kind: ServiceAccount - name: {{ include "traefik.serviceAccountName" . }} - namespace: {{ template "traefik.namespace" . }} + name: {{ include "traefik.serviceAccountName" $ }} + namespace: {{ template "traefik.namespace" $ }} +{{- end -}} {{- end -}} diff --git a/charts/traefik/traefik/values.yaml b/charts/traefik/traefik/values.yaml index 947ba5679..aeec85cec 100644 --- a/charts/traefik/traefik/values.yaml +++ b/charts/traefik/traefik/values.yaml 
@@ -28,6 +28,13 @@ deployment: terminationGracePeriodSeconds: 60 # -- The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available minReadySeconds: 0 + ## Override the liveness/readiness port. This is useful to integrate traefik + ## with an external Load Balancer that performs healthchecks. + ## Default: ports.traefik.port + # healthchecksPort: 9000 + ## Override the liveness/readiness scheme. Useful for getting ping to + ## respond on websecure entryPoint. + # healthchecksScheme: HTTPS # -- Additional deployment annotations (e.g. for jaeger-operator sidecar injection) annotations: {} # -- Additional deployment labels (e.g. for filtering deployment by custom labels) @@ -112,7 +119,7 @@ experimental: #This value is no longer used, set the image.tag to a semver higher than 3.0, e.g. "v3.0.0-beta3" #v3: # -- Enable traefik version 3 - # enabled: false + # enabled: false plugins: # -- Enable traefik experimental plugins enabled: false @@ -564,15 +571,6 @@ ports: # only. # hostIP: 192.168.100.10 - # Override the liveness/readiness port. This is useful to integrate traefik - # with an external Load Balancer that performs healthchecks. - # Default: ports.traefik.port - # healthchecksPort: 9000 - - # Override the liveness/readiness scheme. Useful for getting ping to - # respond on websecure entryPoint. - # healthchecksScheme: HTTPS - # Defines whether the port is exposed if service.type is LoadBalancer or # NodePort. # @@ -877,7 +875,7 @@ affinity: {} nodeSelector: {} # -- Tolerations allow the scheduler to schedule pods with matching taints. tolerations: [] -# -- You can use topology spread constraints to control +# -- You can use topology spread constraints to control # how Pods are spread across your cluster among failure-domains. topologySpreadConstraints: [] # This example topologySpreadConstraints forces the scheduler to put traefik pods 
diff --git a/index.yaml b/index.yaml index b4686d5b8..340ae54b2 100644 --- a/index.yaml +++ b/index.yaml @@ -1404,10 +1404,8 @@ entries: argo-cd: - annotations: artifacthub.io/changes: | - - kind: changed - description: Renamed applicationSet.replicaCount to replicas - - kind: deprecated - description: Option applicationSet.replicaCount + - kind: fixed + description: add missing permissions to run actions artifacthub.io/signKey: | fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 url: https://argoproj.github.io/argo-helm/pgp_keys.asc @@ -1418,7 +1416,7 @@ entries: catalog.cattle.io/release-name: argo-cd apiVersion: v2 appVersion: v2.8.0 - created: "2023-08-09T19:59:08.080135235Z" + created: "2023-08-11T18:30:14.726381291Z" dependencies: - condition: redis-ha.enabled name: redis-ha 
@@ -1426,7 +1424,48 @@ entries: version: 4.23.0 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. - digest: 92dd3bf9f268ac7a75ea0d26a80d41055ce94b0dac9c8a717a28e2d0a8e51d95 + digest: e5b8fd0cbe834c33661b4d52ff2f19fdde4e36da5db8c7c6821c1d03ad9435f2 + home: https://github.com/argoproj/argo-helm + icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png + keywords: + - argoproj + - argocd + - gitops + kubeVersion: '>=1.23.0-0' + maintainers: + - name: argoproj + url: https://argoproj.github.io/ + name: argo-cd + sources: + - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd + - https://github.com/argoproj/argo-cd + urls: + - assets/argo/argo-cd-5.43.3.tgz + version: 5.43.3 + - annotations: + artifacthub.io/changes: | + - kind: changed + description: Renamed applicationSet.replicaCount to replicas + - kind: deprecated + description: Option applicationSet.replicaCount + artifacthub.io/signKey: | + fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 + url: https://argoproj.github.io/argo-helm/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Argo CD + catalog.cattle.io/kube-version: '>=1.23.0-0' + catalog.cattle.io/release-name: argo-cd + apiVersion: v2 + appVersion: v2.8.0 + created: "2023-08-11T18:29:57.481429618Z" + dependencies: + - condition: redis-ha.enabled + name: redis-ha + repository: file://./charts/redis-ha + version: 4.23.0 + description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery + tool for Kubernetes. + digest: 28af28eea7eef2d5889c4c70cd53727de72c824fc46f428aedeb3c6afdc50ce5 home: https://github.com/argoproj/argo-helm icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png keywords: 
@@ -4107,6 +4146,39 @@ entries: - assets/argo/argo-cd-5.8.0.tgz version: 5.8.0 artifactory-ha: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: JFrog Artifactory HA + catalog.cattle.io/kube-version: '>= 1.14.0-0' + catalog.cattle.io/release-name: artifactory-ha + apiVersion: v2 + appVersion: 7.63.11 + created: "2023-08-11T18:30:20.090639159Z" + dependencies: + - condition: postgresql.enabled + name: postgresql + repository: file://./charts/postgresql + version: 10.3.18 + description: Universal Repository Manager supporting all major packaging formats, + build tools and CI servers. + digest: 2b0d56e399810fdc94c2b5fb6ee58962cef28c21e560a3a5fdcb659a0baeb0b7 + home: https://www.jfrog.com/artifactory/ + icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-ha/logo/artifactory-logo.png + keywords: + - artifactory + - jfrog + - devops + kubeVersion: '>= 1.14.0-0' + maintainers: + - email: installers@jfrog.com + name: Chart Maintainers at JFrog + name: artifactory-ha + sources: + - https://github.com/jfrog/charts + type: application + urls: + - assets/jfrog/artifactory-ha-107.63.11.tgz + version: 107.63.11 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: JFrog Artifactory HA 
@@ -5190,6 +5262,40 @@ entries: - assets/jfrog/artifactory-ha-3.0.1400.tgz version: 3.0.1400 artifactory-jcr: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: JFrog Container Registry + catalog.cattle.io/kube-version: '>= 1.14.0-0' + catalog.cattle.io/release-name: artifactory-jcr + apiVersion: v2 + appVersion: 7.63.11 + created: "2023-08-11T18:30:20.465186221Z" + dependencies: + - name: artifactory + repository: file://./charts/artifactory + version: 107.63.11 + description: JFrog Container Registry + digest: b1e84129eb12998b485fe4a80e35f3430c31f760468fac98c228fca931dc86a3 + home: https://jfrog.com/container-registry/ + icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-jcr/logo/jcr-logo.png + keywords: + - artifactory + - jfrog + - container + - registry + - devops + - jfrog-container-registry + kubeVersion: '>= 1.14.0-0' + maintainers: + - email: helm@jfrog.com + name: Chart Maintainers at JFrog + name: artifactory-jcr + sources: + - https://github.com/jfrog/charts + type: application + urls: + - assets/jfrog/artifactory-jcr-107.63.11.tgz + version: 107.63.11 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: JFrog Container Registry 
@@ -6276,6 +6382,71 @@ entries: - assets/jfrog/artifactory-jcr-2.5.100.tgz version: 2.5.100 asserts: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Asserts + catalog.cattle.io/kube-version: '>=1.17-0' + catalog.cattle.io/release-name: asserts + apiVersion: v2 + created: "2023-08-11T18:30:15.364590843Z" + dependencies: + - condition: knowledge-sensor.enabled + name: knowledge-sensor + repository: file://./charts/knowledge-sensor + version: 1.1.0 + - alias: tsdb + condition: tsdb.enabled + name: victoria-metrics-single + repository: file://./charts/victoria-metrics-single + version: 1.1.0 + - condition: alertmanager.enabled + name: alertmanager + repository: file://./charts/alertmanager + version: 1.0.0 + - alias: promxyruler + condition: promxyruler.enabled + name: promxy + repository: file://./charts/promxy + version: 0.8.0 + - alias: promxyuser + condition: promxyuser.enabled + name: promxy + repository: file://./charts/promxy + version: 0.8.0 + - alias: ebpfProbe + condition: ebpfProbe.enabled + name: ebpf-probe + repository: file://./charts/ebpf-probe + version: 0.8.0 + - name: common + repository: file://./charts/common + version: 1.x.x + - alias: redisgraph + condition: redisgraph.enabled + name: redis + repository: file://./charts/redis + version: 16.13.2 + - alias: redisearch + condition: redisearch.enabled + name: redis + repository: file://./charts/redis + version: 16.13.2 + - alias: postgres + condition: postgres.enabled + name: postgresql + repository: file://./charts/postgresql + version: 11.9.13 + description: Asserts Helm Chart to configure entire asserts stack + digest: d8fd37efb610d10fabda9c74635cf3b69e382f04bd2e0a4b11b94b15f586d971 + icon: https://www.asserts.ai/favicon.png + maintainers: + - name: Asserts + url: https://github.com/asserts + name: asserts + type: application + urls: + - assets/asserts/asserts-1.52.0.tgz + version: 1.52.0 - annotations: catalog.cattle.io/certified: partner 
catalog.cattle.io/display-name: Asserts @@ -11465,6 +11636,47 @@ entries: - assets/confluent/confluent-for-kubernetes-0.174.2101.tgz version: 0.174.2101 consul: + - annotations: + artifacthub.io/images: | + - name: consul + image: hashicorp/consul:1.16.1 + - name: consul-k8s-control-plane + image: hashicorp/consul-k8s-control-plane:1.2.1 + - name: consul-dataplane + image: hashicorp/consul-dataplane:1.2.1 + - name: envoy + image: envoyproxy/envoy:v1.25.9 + artifacthub.io/license: MPL-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://www.consul.io/docs/k8s + - name: hashicorp/consul + url: https://github.com/hashicorp/consul + - name: hashicorp/consul-k8s + url: https://github.com/hashicorp/consul-k8s + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: C874011F0AB405110D02105534365D9472D7468F + url: https://keybase.io/hashicorp/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Hashicorp Consul + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: consul + apiVersion: v2 + appVersion: 1.16.1 + created: "2023-08-11T18:30:19.545366488Z" + description: Official HashiCorp Consul Chart + digest: 4ad832469c7aab380a75cfabb4f11465953014b484056be14dbbd49d6b736b94 + home: https://www.consul.io + icon: https://raw.githubusercontent.com/hashicorp/consul-k8s/main/assets/icon.png + kubeVersion: '>=1.22.0-0' + name: consul + sources: + - https://github.com/hashicorp/consul + - https://github.com/hashicorp/consul-k8s + urls: + - assets/hashicorp/consul-1.2.1.tgz + version: 1.2.1 - annotations: artifacthub.io/images: | - name: consul 
@@ -12680,6 +12892,28 @@ entries: - assets/kubecost/cost-analyzer-1.70.000.tgz version: 1.70.000 crate-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: CrateDB Operator + catalog.cattle.io/release-name: crate-operator + apiVersion: v2 + appVersion: 2.30.2 + created: "2023-08-11T18:30:18.415092443Z" + dependencies: + - condition: crate-operator-crds.enabled + name: crate-operator-crds + repository: file://./charts/crate-operator-crds + version: 2.30.2 + description: Crate Operator - Helm chart for installing and upgrading Crate Operator. + digest: 381deb7b361b1f286197bfe6d994484f8872f79d4b5cf0a6e0a4d402f350ceb0 + icon: https://raw.githubusercontent.com/crate/crate/master/docs/_static/crate-logo.svg + maintainers: + - name: Crate.io + name: crate-operator + type: application + urls: + - assets/crate/crate-operator-2.30.2.tgz + version: 2.30.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: CrateDB Operator 
@@ -13840,6 +14074,43 @@ entries: - assets/weka/csi-wekafsplugin-0.6.400.tgz version: 0.6.400 datadog: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Datadog + catalog.cattle.io/kube-version: '>=1.10-0' + catalog.cattle.io/release-name: datadog + apiVersion: v1 + appVersion: "7" + created: "2023-08-11T18:30:18.848531814Z" + dependencies: + - condition: clusterAgent.metricsProvider.useDatadogMetrics + name: datadog-crds + repository: https://helm.datadoghq.com + tags: + - install-crds + version: 1.0.1 + - condition: datadog.kubeStateMetricsEnabled + name: kube-state-metrics + repository: https://prometheus-community.github.io/helm-charts + version: 2.13.2 + description: Datadog Agent + digest: 82c08a2d87467d77891b04916cca90beec2e419b665e5d79743933f00bb5d39a + home: https://www.datadoghq.com + icon: https://datadog-live.imgix.net/img/dd_logo_70x75.png + keywords: + - monitoring + - alerting + - metric + maintainers: + - email: support@datadoghq.com + name: Datadog + name: datadog + sources: + - https://app.datadoghq.com/account/settings#agent/kubernetes + - https://github.com/DataDog/datadog-agent + urls: + - assets/datadog/datadog-3.33.8.tgz + version: 3.33.8 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Datadog 
@@ -19471,6 +19742,34 @@ entries: - assets/gopaddle/gopaddle-4.2.5.tgz version: 4.2.5 haproxy: + - annotations: + artifacthub.io/changes: | + - Use Ingress Controller 1.10.6 version for base image + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy + apiVersion: v2 + appVersion: 1.10.6 + created: "2023-08-11T18:30:19.403768833Z" + description: A Helm chart for HAProxy Kubernetes Ingress Controller + digest: d8bc0eda2dd5f85084e602d138cbb5231b74e89ca6b2290570a338291132d2b3 + home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png + keywords: + - ingress + - haproxy + kubeVersion: '>=1.22.0-0' + maintainers: + - email: dkorunic@haproxy.com + name: Dinko Korunic + name: haproxy + sources: + - https://github.com/haproxytech/kubernetes-ingress + type: application + urls: + - assets/haproxy/haproxy-1.32.3.tgz + version: 1.32.3 - annotations: artifacthub.io/changes: | - Use Ingress Controller 1.10.5 version for base image 
@@ -24859,6 +25158,58 @@ entries: - assets/kasten/k10-4.5.900.tgz version: 4.5.900 kafka: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Kafka + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: kafka + category: Infrastructure + images: | + - name: jmx-exporter + image: docker.io/bitnami/jmx-exporter:0.19.0-debian-11-r36 + - name: kafka-exporter + image: docker.io/bitnami/kafka-exporter:1.7.0-debian-11-r72 + - name: kafka + image: docker.io/bitnami/kafka:3.5.1-debian-11-r16 + - name: kubectl + image: docker.io/bitnami/kubectl:1.25.12-debian-11-r17 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r31 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 3.5.1 + created: "2023-08-11T18:30:16.354879132Z" + dependencies: + - condition: zookeeper.enabled + name: zookeeper + repository: file://./charts/zookeeper + version: 11.x.x + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Kafka is a distributed streaming platform designed to build + real-time pipelines and can be used as a message broker or as a replacement + for a log aggregation solution for big data applications. + digest: 8ed21e12f8324dd9c6fee93e67e813a6295b4ebefb8db7f1031d5cad81f508c1 + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/kafka.svg + keywords: + - kafka + - zookeeper + - streaming + - producer + - consumer + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: kafka + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/kafka + urls: + - assets/bitnami/kafka-24.0.10.tgz + version: 24.0.10 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Kafka 
@@ -27081,6 +27432,33 @@ entries: - assets/elastic/kibana-7.17.3.tgz version: 7.17.3 kong: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Kong Gateway + catalog.cattle.io/release-name: kong + apiVersion: v2 + appVersion: "3.3" + created: "2023-08-11T18:30:21.242742365Z" + dependencies: + - condition: postgresql.enabled + name: postgresql + repository: file://./charts/postgresql + version: 11.9.13 + description: The Cloud-Native Ingress and API-management + digest: 19d4fc17859cf3671d75ee61fb70b4c383434d5d8e8b6ad241c5c9799c0780e6 + home: https://konghq.com/ + icon: https://s3.amazonaws.com/downloads.kong/universe/assets/icon-kong-inc-large.png + maintainers: + - email: harry@konghq.com + name: hbagdi + - email: traines@konghq.com + name: rainest + name: kong + sources: + - https://github.com/Kong/charts/tree/main/charts/kong + urls: + - assets/kong/kong-2.26.0.tgz + version: 2.26.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Kong Gateway 
@@ -28744,15 +29122,46 @@ entries: catalog.cattle.io/kube-version: '>=1.21.0-0' catalog.cattle.io/release-name: linkerd-control-plane apiVersion: v2 - appVersion: stable-2.13.5 - created: "2023-07-10T10:16:03.989725225-06:00" + appVersion: stable-2.13.6 + created: "2023-08-11T18:30:33.356842302Z" dependencies: - name: partials repository: file://./charts/partials version: 0.1.0 description: 'Linkerd gives you observability, reliability, and security for your microservices — with no code change required. ' - digest: 6bd3195c05f564b890004407818f36bf37fc3ce6cec23bea4ffc25446eb32b53 + digest: 670aafa16b43070e80658ce0e99cb21966bdce34e4a1e5b5210dc1c7c95840ba + home: https://linkerd.io + icon: https://linkerd.io/images/logo-only-200h.png + keywords: + - service-mesh + kubeVersion: '>=1.21.0-0' + maintainers: + - email: cncf-linkerd-dev@lists.cncf.io + name: Linkerd authors + url: https://linkerd.io/ + name: linkerd-control-plane + sources: + - https://github.com/linkerd/linkerd2/ + type: application + urls: + - assets/linkerd/linkerd-control-plane-1.12.6.tgz + version: 1.12.6 + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Linkerd Control Plane + catalog.cattle.io/kube-version: '>=1.21.0-0' + catalog.cattle.io/release-name: linkerd-control-plane + apiVersion: v2 + appVersion: stable-2.13.5 + created: "2023-08-11T18:30:21.654296653Z" + dependencies: + - name: partials + repository: file://./charts/partials + version: 0.1.0 + description: 'Linkerd gives you observability, reliability, and security for your + microservices — with no code change required. ' + digest: 79f733c79ea282b07574a70e33674cfa79a93489912d5b9cfa836282e5ab5fed home: https://linkerd.io icon: https://linkerd.io/images/logo-only-200h.png keywords: 
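Review bot: The existing `linkerd-control-plane` 1.12.5 entry gets a new `digest` (`6bd3195c…` becomes `79f733c7…`) and a new `created` timestamp in the same hunk that adds 1.12.6, which suggests the already published 1.12.5 archive was repackaged in place. Anyone who pinned or cached the old digest will now see a mismatch and cannot tell a rebuild from tampering. I would leave the 1.12.5 entry as it was, keeping `digest: 6bd3195c05f564b890004407818f36bf37fc3ce6cec23bea4ffc25446eb32b53` and its original `created`, and add only the 1.12.6 entry. If the repackaging is intentional, it should ship under a new chart version rather than replace a released one.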
@@ -28770,6 +29179,41 @@ entries: - assets/linkerd/linkerd-control-plane-1.12.5.tgz version: 1.12.5 loft: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Loft + catalog.cattle.io/kube-version: '>=1.22-0' + catalog.cattle.io/release-name: loft + apiVersion: v2 + created: "2023-08-11T18:30:33.365251011Z" + description: Secure Cluster Sharing, Self-Service Namespace Provisioning and Virtual + Clusters + digest: a12cf0a317cf708eb1124667e49c3d750196bbd270caf827da03e8dd4c50902b + home: https://loft.sh + icon: https://static.loft.sh/loft/logo/loft-logo.svg + keywords: + - developer + - development + - sharing + - share + - multi-tenancy + - tenancy + - cluster + - space + - namespace + - vcluster + - vclusters + maintainers: + - email: info@loft.sh + name: Loft Labs, Inc. + url: https://twitter.com/loft_sh + name: loft + sources: + - https://github.com/loft-sh/loft + type: application + urls: + - assets/loft/loft-3.2.2.tgz + version: 3.2.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Loft 
@@ -29129,6 +29573,50 @@ entries: - assets/elastic/logstash-7.17.3.tgz version: 7.17.3 mariadb: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: MariaDB + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: mariadb + category: Database + images: | + - name: mariadb + image: docker.io/bitnami/mariadb:11.0.2-debian-11-r15 + - name: mysqld-exporter + image: docker.io/bitnami/mysqld-exporter:0.15.0-debian-11-r14 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r34 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 11.0.2 + created: "2023-08-11T18:30:16.512502594Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: MariaDB is an open source, community-developed SQL database server + that is widely in use around the world due to its enterprise features, flexibility, + and collaboration with leading tech firms. + digest: 03c108f1163ca6179d66b81324ba9d047a1a1af90fbf738c726cc472e8680ccc + home: https://bitnami.com + icon: https://mariadb.com/wp-content/uploads/2019/11/mariadb-logo-vert_black-transparent.png + keywords: + - mariadb + - mysql + - database + - sql + - prometheus + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: mariadb + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/mariadb + urls: + - assets/bitnami/mariadb-13.0.2.tgz + version: 13.0.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: MariaDB 
@@ -35890,6 +36378,25 @@ entries: - assets/pixie/pixie-operator-chart-0.0.2501.tgz version: 0.0.2501 polaris: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Fairwinds Polaris + catalog.cattle.io/kube-version: '>= 1.22.0-0' + catalog.cattle.io/release-name: polaris + apiVersion: v1 + appVersion: "8.4" + created: "2023-08-11T18:30:19.178980644Z" + description: Validation of best practices in your Kubernetes clusters + digest: aceef7a4aec52f7f4dbad18f220710fcc6c906042a4101bd7e2b6af42c5ced90 + icon: https://polaris.docs.fairwinds.com/img/polaris-logo.png + kubeVersion: '>= 1.22.0-0' + maintainers: + - email: robertb@fairwinds.com + name: rbren + name: polaris + urls: + - assets/fairwinds/polaris-5.12.1.tgz + version: 5.12.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Fairwinds Polaris 
@@ -36337,6 +36844,51 @@ entries: - assets/portworx/portworx-essentials-2.9.100.tgz version: 2.9.100 postgresql: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: PostgreSQL + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: postgresql + category: Database + images: | + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r34 + - name: postgres-exporter + image: docker.io/bitnami/postgres-exporter:0.13.2-debian-11-r15 + - name: postgresql + image: docker.io/bitnami/postgresql:15.4.0-debian-11-r0 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 15.4.0 + created: "2023-08-11T18:30:16.834872921Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: PostgreSQL (Postgres) is an open source object-relational database + known for reliability and data integrity. ACID-compliant, it supports foreign + keys, joins, views, triggers and stored procedures. + digest: a55fcc4cf712f0e199c9045c1623cf9d908994fee8020002223e99fac40f4cff + home: https://bitnami.com + icon: https://wiki.postgresql.org/images/a/a4/PostgreSQL_logo.3colors.svg + keywords: + - postgresql + - postgres + - database + - sql + - replication + - cluster + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: postgresql + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/postgresql + urls: + - assets/bitnami/postgresql-12.8.2.tgz + version: 12.8.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: PostgreSQL 
@@ -38632,6 +39184,41 @@ entries: - assets/quobyte/quobyte-cluster-0.1.5.tgz version: 0.1.5 redis: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redis + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: redis + category: Database + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 7.0.12 + created: "2023-08-11T18:30:16.943610064Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Redis(R) is an open source, advanced key-value store. It is often + referred to as a data structure server since keys can contain strings, hashes, + lists, sets and sorted sets. + digest: 6adb1e50780f1de3a1b198116a99fc357951ee26b4d8dc49fb0bff28e7e55a6e + home: https://bitnami.com + icon: https://redis.com/wp-content/uploads/2021/08/redis-logo.png + keywords: + - redis + - keyvalue + - database + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: redis + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/redis + urls: + - assets/bitnami/redis-17.15.2.tgz + version: 17.15.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Redis 
@@ -40125,6 +40712,50 @@ entries: - assets/bitnami/redis-17.3.7.tgz version: 17.3.7 redpanda: + - annotations: + artifacthub.io/images: | + - name: redpanda + image: docker.redpanda.com/redpandadata/redpanda:v23.2.2 + - name: busybox + image: busybox:latest + - name: mintel/docker-alpine-bash-curl-jq + image: mintel/docker-alpine-bash-curl-jq:latest + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.6.0)" + url: https://helm.sh/docs/intro/install/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redpanda + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: redpanda + apiVersion: v2 + appVersion: v23.2.4 + created: "2023-08-11T18:30:34.562645703Z" + dependencies: + - condition: console.enabled + name: console + repository: file://./charts/console + version: '>=0.5 <1.0' + - condition: connectors.enabled + name: connectors + repository: file://./charts/connectors + version: '>=0.1.2 <1.0' + description: Redpanda is the real-time engine for modern apps. + digest: 8d459071341b952eae3dcfc573bcea292f72d6b5e7dbf9e52ce8e51e8a11b1ff + icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg + kubeVersion: '>=1.21-0' + maintainers: + - name: redpanda-data + url: https://github.com/orgs/redpanda-data/people + name: redpanda + sources: + - https://github.com/redpanda-data/helm-charts + type: application + urls: + - assets/redpanda/redpanda-5.1.2.tgz + version: 5.1.2 - annotations: artifacthub.io/images: | - name: redpanda 
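Review bot: The `artifacthub.io/images` annotation in the new redpanda 5.1.2 entry lists `busybox:latest` and `mintel/docker-alpine-bash-curl-jq:latest`, so the `digest` recorded here pins the chart archive but not the image content those tags resolve to at deploy time. The annotation is only metadata and the chart's templates are not visible here, so this needs confirming against the chart's values. If the tags are really used, the upstream chart should pin them to a version tag or an image digest, for example `image: busybox:<version>@sha256:<digest>`. The same annotation names `redpanda:v23.2.2` while `appVersion` is `v23.2.4`, so it is also worth confirming which image is actually deployed.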
@@ -48558,6 +49189,48 @@ entries: - assets/bitnami/tomcat-10.4.9.tgz version: 10.4.9 traefik: + - annotations: + artifacthub.io/changes: "- \"chore(release): \U0001F680 publish v24.0.0\"\n- + \"fix: http3 support broken when advertisedPort set\"\n- \"fix: tracing.opentelemetry.tls + is optional for all values\"\n- \"chore(deps): update docker.io/helmunittest/helm-unittest + docker tag to v3.12.2\"\n- \"chore(tests): \U0001F527 fix typo on tracing + test\"\n- \"fix: \U0001F4A5 BREAKING CHANGE on healthchecks and traefik port\"\n- + \"feat: multi namespace RBAC manifests\"\n" + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Traefik Proxy + catalog.cattle.io/kube-version: '>=1.16.0-0' + catalog.cattle.io/release-name: traefik + apiVersion: v2 + appVersion: v2.10.4 + created: "2023-08-11T18:30:35.052325832Z" + description: A Traefik based Kubernetes ingress controller + digest: d42bd45ee0a77e6bce2551f5434b7744c198f1fd5c3c1fcc763ebbe63b1d5b4a + home: https://traefik.io/ + icon: https://raw.githubusercontent.com/traefik/traefik/v2.3/docs/content/assets/img/traefik.logo.png + keywords: + - traefik + - ingress + - networking + kubeVersion: '>=1.16.0-0' + maintainers: + - email: emile@vauge.com + name: emilevauge + - email: daniel.tomcej@gmail.com + name: dtomcej + - email: ldez@traefik.io + name: ldez + - email: michel.loiseleur@traefik.io + name: mloiseleur + - email: charlie.haley@traefik.io + name: charlie-haley + name: traefik + sources: + - https://github.com/traefik/traefik + - https://github.com/traefik/traefik-helm-chart + type: application + urls: + - assets/traefik/traefik-24.0.0.tgz + version: 24.0.0 - annotations: artifacthub.io/changes: "- \"release: :rocket: publish v23.2.0\"\n- \"feat: ✨ add support for traefik v3.0.0-beta3 and openTelemetry\"\n- \"feat: add