diff --git a/assets/argo/argo-cd-6.7.2.tgz b/assets/argo/argo-cd-6.7.2.tgz
index 26c5959f08..9a5378ee4e 100644
Binary files a/assets/argo/argo-cd-6.7.2.tgz and b/assets/argo/argo-cd-6.7.2.tgz differ
diff --git a/assets/argo/argo-cd-6.7.3.tgz b/assets/argo/argo-cd-6.7.3.tgz
new file mode 100644
index 0000000000..80414f826b
Binary files /dev/null and b/assets/argo/argo-cd-6.7.3.tgz differ
diff --git a/assets/bitnami/airflow-18.0.0.tgz b/assets/bitnami/airflow-18.0.0.tgz
new file mode 100644
index 0000000000..c8120d9016
Binary files /dev/null and b/assets/bitnami/airflow-18.0.0.tgz differ
diff --git a/assets/bitnami/cassandra-11.0.0.tgz b/assets/bitnami/cassandra-11.0.0.tgz
new file mode 100644
index 0000000000..9dc95a2b91
Binary files /dev/null and b/assets/bitnami/cassandra-11.0.0.tgz differ
diff --git a/assets/bitnami/mariadb-17.0.1.tgz b/assets/bitnami/mariadb-17.0.1.tgz
new file mode 100644
index 0000000000..7de211f8e9
Binary files /dev/null and b/assets/bitnami/mariadb-17.0.1.tgz differ
diff --git a/assets/bitnami/mysql-10.1.0.tgz b/assets/bitnami/mysql-10.1.0.tgz
new file mode 100644
index 0000000000..1ae5b70d5f
Binary files /dev/null and b/assets/bitnami/mysql-10.1.0.tgz differ
diff --git a/assets/bitnami/postgresql-15.1.4.tgz b/assets/bitnami/postgresql-15.1.4.tgz
new file mode 100644
index 0000000000..5aa1c29a75
Binary files /dev/null and b/assets/bitnami/postgresql-15.1.4.tgz differ
diff --git a/assets/bitnami/redis-19.0.1.tgz b/assets/bitnami/redis-19.0.1.tgz
new file mode 100644
index 0000000000..5b48027ba0
Binary files /dev/null and b/assets/bitnami/redis-19.0.1.tgz differ
diff --git a/assets/bitnami/spark-9.0.0.tgz b/assets/bitnami/spark-9.0.0.tgz
new file mode 100644
index 0000000000..c01853a57e
Binary files /dev/null and b/assets/bitnami/spark-9.0.0.tgz differ
diff --git a/assets/bitnami/tomcat-10.17.1.tgz b/assets/bitnami/tomcat-10.17.1.tgz
new file mode 100644
index 0000000000..fb2e9e80ad
Binary files /dev/null and b/assets/bitnami/tomcat-10.17.1.tgz differ
diff --git a/assets/bitnami/wordpress-21.0.6.tgz b/assets/bitnami/wordpress-21.0.6.tgz
new file mode 100644
index 0000000000..2e731e9012
Binary files /dev/null and b/assets/bitnami/wordpress-21.0.6.tgz differ
diff --git a/assets/bitnami/zookeeper-13.0.1.tgz b/assets/bitnami/zookeeper-13.0.1.tgz
new file mode 100644
index 0000000000..f9aa47615f
Binary files /dev/null and b/assets/bitnami/zookeeper-13.0.1.tgz differ
diff --git a/assets/datadog/datadog-3.59.2.tgz b/assets/datadog/datadog-3.59.2.tgz
new file mode 100644
index 0000000000..06161bac5b
Binary files /dev/null and b/assets/datadog/datadog-3.59.2.tgz differ
diff --git a/assets/datadog/datadog-operator-1.5.2.tgz b/assets/datadog/datadog-operator-1.5.2.tgz
new file mode 100644
index 0000000000..8cfc50d893
Binary files /dev/null and b/assets/datadog/datadog-operator-1.5.2.tgz differ
diff --git a/assets/dell/csi-isilon-2.10.0.tgz b/assets/dell/csi-isilon-2.10.0.tgz
new file mode 100644
index 0000000000..43d644cd0e
Binary files /dev/null and b/assets/dell/csi-isilon-2.10.0.tgz differ
diff --git a/assets/dell/csi-powermax-2.10.0.tgz b/assets/dell/csi-powermax-2.10.0.tgz
new file mode 100644
index 0000000000..1501bfdd3f
Binary files /dev/null and b/assets/dell/csi-powermax-2.10.0.tgz differ
diff --git a/assets/dell/csi-powerstore-2.10.0.tgz b/assets/dell/csi-powerstore-2.10.0.tgz
new file mode 100644
index 0000000000..e262ba5553
Binary files /dev/null and b/assets/dell/csi-powerstore-2.10.0.tgz differ
diff --git a/assets/dell/csi-unity-2.10.0.tgz b/assets/dell/csi-unity-2.10.0.tgz
new file mode 100644
index 0000000000..3a1fb09021
Binary files /dev/null and b/assets/dell/csi-unity-2.10.0.tgz differ
diff --git a/assets/dell/csi-vxflexos-2.10.0.tgz b/assets/dell/csi-vxflexos-2.10.0.tgz
new file mode 100644
index 0000000000..95028820a6
Binary files /dev/null and b/assets/dell/csi-vxflexos-2.10.0.tgz differ
diff --git a/assets/f5/f5-bigip-ctlr-0.0.2901.tgz b/assets/f5/f5-bigip-ctlr-0.0.2901.tgz
new file mode 100644
index 0000000000..bf4956d033
Binary files /dev/null and b/assets/f5/f5-bigip-ctlr-0.0.2901.tgz differ
diff --git a/assets/gluu/gluu-5.0.25.tgz b/assets/gluu/gluu-5.0.25.tgz
index 06d9c89925..19ae5fc732 100644
Binary files a/assets/gluu/gluu-5.0.25.tgz and b/assets/gluu/gluu-5.0.25.tgz differ
diff --git a/assets/gluu/gluu-5.1.0.tgz b/assets/gluu/gluu-5.1.0.tgz
new file mode 100644
index 0000000000..33fd93a9b1
Binary files /dev/null and b/assets/gluu/gluu-5.1.0.tgz differ
diff --git a/assets/haproxy/haproxy-1.38.5.tgz b/assets/haproxy/haproxy-1.38.5.tgz
new file mode 100644
index 0000000000..7bf0720a75
Binary files /dev/null and b/assets/haproxy/haproxy-1.38.5.tgz differ
diff --git a/assets/harbor/harbor-1.14.1.tgz b/assets/harbor/harbor-1.14.1.tgz
new file mode 100644
index 0000000000..1309c27159
Binary files /dev/null and b/assets/harbor/harbor-1.14.1.tgz differ
diff --git a/assets/jenkins/jenkins-5.1.4.tgz b/assets/jenkins/jenkins-5.1.4.tgz
new file mode 100644
index 0000000000..02fb253afa
Binary files /dev/null and b/assets/jenkins/jenkins-5.1.4.tgz differ
diff --git a/assets/kasten/k10-6.5.901.tgz b/assets/kasten/k10-6.5.901.tgz
new file mode 100644
index 0000000000..137033bedd
Binary files /dev/null and b/assets/kasten/k10-6.5.901.tgz differ
diff --git a/assets/linkerd/linkerd-control-plane-2024.3.3.tgz b/assets/linkerd/linkerd-control-plane-2024.3.3.tgz
index 44a2dac06f..f192728d64 100644
Binary files a/assets/linkerd/linkerd-control-plane-2024.3.3.tgz and b/assets/linkerd/linkerd-control-plane-2024.3.3.tgz differ
diff --git a/assets/linkerd/linkerd-control-plane-2024.3.4.tgz b/assets/linkerd/linkerd-control-plane-2024.3.4.tgz
new file mode 100644
index 0000000000..b327dfe742
Binary files /dev/null and b/assets/linkerd/linkerd-control-plane-2024.3.4.tgz differ
diff --git a/assets/linkerd/linkerd-crds-2024.3.4.tgz b/assets/linkerd/linkerd-crds-2024.3.4.tgz
new file mode 100644
index 0000000000..4cb838c7de
Binary files /dev/null and b/assets/linkerd/linkerd-crds-2024.3.4.tgz differ
diff --git a/assets/loft/loft-3.4.2.tgz b/assets/loft/loft-3.4.2.tgz
new file mode 100644
index 0000000000..19cb8aa6c1
Binary files /dev/null and b/assets/loft/loft-3.4.2.tgz differ
diff --git a/assets/minio/minio-operator-5.0.14.tgz b/assets/minio/minio-operator-5.0.14.tgz
new file mode 100644
index 0000000000..d0817df5db
Binary files /dev/null and b/assets/minio/minio-operator-5.0.14.tgz differ
diff --git a/assets/ngrok/kubernetes-ingress-controller-0.12.3.tgz b/assets/ngrok/kubernetes-ingress-controller-0.12.3.tgz
new file mode 100644
index 0000000000..82cbe99b6a
Binary files /dev/null and b/assets/ngrok/kubernetes-ingress-controller-0.12.3.tgz differ
diff --git a/assets/percona/psmdb-operator-1.15.4.tgz b/assets/percona/psmdb-operator-1.15.4.tgz
new file mode 100644
index 0000000000..c749cfe571
Binary files /dev/null and b/assets/percona/psmdb-operator-1.15.4.tgz differ
diff --git a/assets/percona/pxc-db-1.14.1.tgz b/assets/percona/pxc-db-1.14.1.tgz
new file mode 100644
index 0000000000..27f440dd52
Binary files /dev/null and b/assets/percona/pxc-db-1.14.1.tgz differ
diff --git a/assets/redpanda/redpanda-5.7.35.tgz b/assets/redpanda/redpanda-5.7.35.tgz
new file mode 100644
index 0000000000..d58bf22485
Binary files /dev/null and b/assets/redpanda/redpanda-5.7.35.tgz differ
diff --git a/assets/speedscale/speedscale-operator-2.1.12.tgz b/assets/speedscale/speedscale-operator-2.1.12.tgz new file mode 100644 index 0000000000..2fdf0451e9 Binary files /dev/null and b/assets/speedscale/speedscale-operator-2.1.12.tgz differ diff --git a/charts/argo/argo-cd/Chart.yaml b/charts/argo/argo-cd/Chart.yaml index 26cc5356cb..ab7b239f22 100644 --- a/charts/argo/argo-cd/Chart.yaml +++ b/charts/argo/argo-cd/Chart.yaml @@ -1,7 +1,7 @@ annotations: artifacthub.io/changes: | - kind: changed - description: Bump argo-cd to v2.10.3 + description: Bump argo-cd to v2.10.4 artifacthub.io/signKey: | fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 url: https://argoproj.github.io/argo-helm/pgp_keys.asc @@ -11,7 +11,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.23.0-0' catalog.cattle.io/release-name: argo-cd apiVersion: v2 -appVersion: v2.10.3 +appVersion: v2.10.4 dependencies: - condition: redis-ha.enabled name: redis-ha @@ -33,4 +33,4 @@ name: argo-cd sources: - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd - https://github.com/argoproj/argo-cd -version: 6.7.2 +version: 6.7.3 diff --git a/charts/bitnami/airflow/Chart.lock b/charts/bitnami/airflow/Chart.lock index 632aa3699b..ee9dc1ff9a 100644 --- a/charts/bitnami/airflow/Chart.lock +++ b/charts/bitnami/airflow/Chart.lock @@ -1,12 +1,12 @@ dependencies: - name: redis repository: oci://registry-1.docker.io/bitnamicharts - version: 18.19.2 + version: 19.0.1 - name: postgresql repository: oci://registry-1.docker.io/bitnamicharts - version: 14.3.3 + version: 15.1.0 - name: common repository: oci://registry-1.docker.io/bitnamicharts version: 2.19.0 -digest: sha256:ef8c5318de55f20f28fd5f98a2201bf883baab63e2faf37ef4b4d05ec14a0635 -generated: "2024-03-13T11:46:34.191714+01:00" +digest: sha256:ceffc811afc3d5ac340c12d70dda145292a6aa7bb7dba0ab199b2ae0d3dc2b76 +generated: "2024-03-20T13:24:56.373795727+01:00" 
diff --git a/charts/bitnami/airflow/Chart.yaml b/charts/bitnami/airflow/Chart.yaml index b74e096f87..9d893cc4df 100644 --- a/charts/bitnami/airflow/Chart.yaml +++ b/charts/bitnami/airflow/Chart.yaml @@ -24,11 +24,11 @@ dependencies: - condition: redis.enabled name: redis repository: file://./charts/redis - version: 18.x.x + version: 19.x.x - condition: postgresql.enabled name: postgresql repository: file://./charts/postgresql - version: 14.x.x + version: 15.x.x - name: common repository: file://./charts/common tags: @@ -50,4 +50,4 @@ maintainers: name: airflow sources: - https://github.com/bitnami/charts/tree/main/bitnami/airflow -version: 17.2.4 +version: 18.0.0 diff --git a/charts/bitnami/airflow/README.md b/charts/bitnami/airflow/README.md index 38b2ac3016..7687b22cfd 100644 --- a/charts/bitnami/airflow/README.md +++ b/charts/bitnami/airflow/README.md 
@@ -27,40 +27,192 @@ Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment - Kubernetes 1.23+ - Helm 3.8.0+ -## Installing the Chart +## Configuration and installation details + +### Resource requests and limits + +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. -To install the chart with the release name `my-release`: +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Generate a Fernet key + +A Fernet key is required in order to encrypt password within connections. The Fernet key must be a base64-encoded 32-byte key. 
+ +Learn how to generate one [here](https://airflow.apache.org/docs/apache-airflow/stable/security/secrets/fernet.html#generating-fernet-key) + +### Generate a Secret key + +Secret key used to run your flask app. It should be as random as possible. However, when running more than 1 instances of webserver, make sure all of them use the same secret_key otherwise one of them will error with "CSRF session token is missing". + +### Load DAG files + +There are two different ways to load your custom DAG files into the Airflow chart. All of them are compatible so you can use more than one at the same time. + +#### Option 1: Specify an existing config map + +You can manually create a config map containing all your DAG files and then pass the name when deploying Airflow chart. For that, you can pass the option `dags.existingConfigmap`. + +#### Option 2: Get your DAG files from a git repository + +You can store all your DAG files on GitHub repositories and then clone to the Airflow pods with an initContainer. The repositories will be periodically updated using a sidecar container. In order to do that, you can deploy airflow with the following options: + +> NOTE: When enabling git synchronization, an init container and sidecar container will be added for all the pods running airflow, this will allow scheduler, worker and web component to reach dags if it was needed. ```console -helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/airflow +git.dags.enabled=true +git.dags.repositories[0].repository=https://github.com/USERNAME/REPOSITORY +git.dags.repositories[0].name=REPO-IDENTIFIER +git.dags.repositories[0].branch=master ``` -> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. 
+If you use a private repository from GitHub, a possible option to clone the files is using a [Personal Access Token](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) and using it as part of the URL: `https://USERNAME:PERSONAL_ACCESS_TOKEN@github.com/USERNAME/REPOSITORY` + +### Loading Plugins -These commands deploy Airflow on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. +You can load plugins into the chart by specifying a git repository containing the plugin files. The repository will be periodically updated using a sidecar container. In order to do that, you can deploy airflow with the following options: -> **Tip**: List all releases using `helm list` +> NOTE: When enabling git synchronization, an init container and sidecar container will be added for all the pods running airflow, this will allow scheduler, worker and web component to reach plugins if it was needed. 
-## Uninstalling the Chart +```console +git.plugins.enabled=true +git.plugins.repositories[0].repository=https://github.com/teamclairvoyant/airflow-rest-api-plugin.git +git.plugins.repositories[0].branch=v1.0.9-branch +git.plugins.repositories[0].path=plugins +``` + +### Existing Secrets -To uninstall/delete the `my-release` deployment: +You can use an existing secret to configure your Airflow auth, external Postgres, and external Redis® passwords: ```console -helm delete my-release +postgresql.enabled=false +externalDatabase.host=my.external.postgres.host +externalDatabase.user=bn_airflow +externalDatabase.database=bitnami_airflow +externalDatabase.existingSecret=all-my-secrets +externalDatabase.existingSecretPasswordKey=postgresql-password + +redis.enabled=false +externalRedis.host=my.external.redis.host +externalRedis.existingSecret=all-my-secrets +externalRedis.existingSecretPasswordKey=redis-password + +auth.existingSecret=all-my-secrets ``` -The command removes all the Kubernetes components associated with the chart and deletes the release. +The expected secret resource looks as follows: + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: all-my-secrets +type: Opaque +data: + airflow-password: "Smo1QTJLdGxXMg==" + airflow-fernet-key: "YVRZeVJVWnlXbU4wY1dOalVrdE1SV3cxWWtKeFIzWkVRVTVrVjNaTFR6WT0=" + airflow-secret-key: "a25mQ1FHTUh3MnFRSk5KMEIyVVU2YmN0VGRyYTVXY08=" + postgresql-password: "cG9zdGdyZXMK" + redis-password: "cmVkaXMK" +``` + +This is useful if you plan on using [Bitnami's sealed secrets](https://github.com/bitnami-labs/sealed-secrets) to manage your passwords. + +### Setting Pod's affinity + +This chart allows you to set your custom affinity using the `affinity` parameter. Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). 
+ +As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters. + +### Install extra python packages + +This chart allows you to mount volumes using `extraVolumes` and `extraVolumeMounts` in all 3 airflow components (web, scheduler, worker). Mounting a requirements.txt using these options to `/bitnami/python/requirements.txt` will execute `pip install -r /bitnami/python/requirements.txt` on container start. + +### Enabling network policies + +This chart allows you to set network policies that will rectrict the access to the deployed pods in the cluster. Basically, no other pods apart from Scheduler's pods may access Worker's pods and no other pods apart from Web's pods may access Worker's ones. To do so, set `networkPolicies.enabled=true`. + +### Executors + +Airflow supports different executors runtimes and this chart provides support for the following ones. + +#### CeleryExecutor + +Celery executor is the default value for this chart with it you can scale out the number of workers. To point the `executor` parameter to `CeleryExecutor` you need to do something, you just install the chart with default parameters. + +#### KubernetesExecutor + +The kubernetes executor is introduced in Apache Airflow 1.10.0. The Kubernetes executor will create a new pod for every task instance using the `pod_template.yaml` that you can find [templates/config/configmap.yaml](https://github.com/bitnami/charts/blob/main/bitnami/airflow/templates/config/configmap.yaml), otherwise you can override this template using `worker.podTemplate`. To enable `KubernetesExecutor` set the following parameters. + +> NOTE: Redis® is not needed to be deployed when using KubernetesExecutor so you must disable it using `redis.enabled=false`. 
+ +```console +executor=KubernetesExecutor +redis.enabled=false +rbac.create=true +serviceaccount.create=true +``` + +### CeleryKubernetesExecutor + +The CeleryKubernetesExecutor is introduced in Airflow 2.0 and is a combination of both the Celery and the Kubernetes executors. Tasks will be executed using Celery by default, but those tasks that require it can be executed in a Kubernetes pod using the 'kubernetes' queue. + +#### LocalExecutor + +Local executor runs tasks by spawning processes in the Scheduler pods. To enable `LocalExecutor` set the following parameters. + +```console +executor=LocalExecutor +redis.enabled=false +``` + +### LocalKubernetesExecutor + +The LocalKubernetesExecutor is introduced in Airflow 2.3 and is a combination of both the Local and the Kubernetes executors. Tasks will be executed in the scheduler by default, but those tasks that require it can be executed in a Kubernetes pod using the 'kubernetes' queue. + +#### SequentialExecutor + +This executor will only run one task instance at a time in the Scheduler pods. For production use case, please use other executors. To enable `SequentialExecutor` set the following parameters. + +```console +executor=SequentialExecutor +redis.enabled=false +``` + +### Scaling worker pods + +Sometime when using large workloads a fixed number of worker pods may make task to take a long time to be executed. This chart provide two ways for scaling worker pods. + +- If you are using `KubernetesExecutor` auto scaling pods would be done by the Scheduler without adding anything more. +- If you are using `SequentialExecutor` you would have to enable `worker.autoscaling` to do so, please, set the following parameters. It will use autoscaling by default configuration that you can change using `worker.autoscaling.replicas.*` and `worker.autoscaling.targets.*`. 
+ +```console +worker.autoscaling.enabled=true +worker.resources.requests.cpu=200m +worker.resources.requests.memory=250Mi +``` + +## Persistence + +The Bitnami Airflow chart relies on the PostgreSQL chart persistence. This means that Airflow does not persist anything. ## Parameters ### Global parameters -| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters 
@@ -146,7 +298,7 @@ The command removes all the Kubernetes components associated with the chart and | `web.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | | `web.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | | `web.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `web.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if web.resources is set (web.resources is recommended for production). | `none` | +| `web.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if web.resources is set (web.resources is recommended for production). | `medium` | | `web.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `web.podSecurityContext.enabled` | Enabled Airflow web pods' Security Context | `true` | | `web.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | 
@@ -154,13 +306,13 @@ The command removes all the Kubernetes components associated with the chart and | `web.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `web.podSecurityContext.fsGroup` | Set Airflow web pod's Security Context fsGroup | `1001` | | `web.containerSecurityContext.enabled` | Enabled Airflow web containers' Security Context | `true` | -| `web.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `web.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `web.containerSecurityContext.runAsUser` | Set Airflow web containers' Security Context runAsUser | `1001` | -| `web.containerSecurityContext.runAsGroup` | Set Airflow web containers' Security Context runAsGroup | `0` | +| `web.containerSecurityContext.runAsGroup` | Set Airflow web containers' Security Context runAsGroup | `1001` | | `web.containerSecurityContext.runAsNonRoot` | Set Airflow web containers' Security Context runAsNonRoot | `true` | | `web.containerSecurityContext.privileged` | Set web container's Security Context privileged | `false` | | `web.containerSecurityContext.allowPrivilegeEscalation` | Set web container's Security Context allowPrivilegeEscalation | `false` | -| `web.containerSecurityContext.readOnlyRootFilesystem` | Set web container's Security Context readOnlyRootFilesystem | `false` | +| `web.containerSecurityContext.readOnlyRootFilesystem` | Set web container's Security Context readOnlyRootFilesystem | `true` | | `web.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `web.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | | `web.lifecycleHooks` | for the Airflow web container(s) to automate configuration before or after startup | `{}` | 
@@ -217,19 +369,19 @@ The command removes all the Kubernetes components associated with the chart and | `scheduler.livenessProbe.enabled` | Enable livenessProbe on Airflow scheduler containers | `true` | | `scheduler.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `180` | | `scheduler.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` | -| `scheduler.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `scheduler.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `15` | | `scheduler.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | | `scheduler.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | | `scheduler.readinessProbe.enabled` | Enable readinessProbe on Airflow scheduler containers | `true` | | `scheduler.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `30` | | `scheduler.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `scheduler.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `scheduler.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `15` | | `scheduler.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | | `scheduler.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | | `scheduler.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | | `scheduler.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | | `scheduler.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `scheduler.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if scheduler.resources is set (scheduler.resources is recommended for production). 
| `none` | +| `scheduler.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if scheduler.resources is set (scheduler.resources is recommended for production). | `small` | | `scheduler.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `scheduler.podSecurityContext.enabled` | Enabled Airflow scheduler pods' Security Context | `true` | | `scheduler.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | 
@@ -237,13 +389,13 @@ The command removes all the Kubernetes components associated with the chart and | `scheduler.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `scheduler.podSecurityContext.fsGroup` | Set Airflow scheduler pod's Security Context fsGroup | `1001` | | `scheduler.containerSecurityContext.enabled` | Enabled Airflow scheduler containers' Security Context | `true` | -| `scheduler.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `scheduler.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `scheduler.containerSecurityContext.runAsUser` | Set Airflow scheduler containers' Security Context runAsUser | `1001` | -| `scheduler.containerSecurityContext.runAsGroup` | Set Airflow scheduler containers' Security Context runAsGroup | `0` | +| `scheduler.containerSecurityContext.runAsGroup` | Set Airflow scheduler containers' Security Context runAsGroup | `1001` | | `scheduler.containerSecurityContext.runAsNonRoot` | Set Airflow scheduler containers' Security Context runAsNonRoot | `true` | | `scheduler.containerSecurityContext.privileged` | Set scheduler container's Security Context privileged | `false` | | `scheduler.containerSecurityContext.allowPrivilegeEscalation` | Set scheduler container's Security Context allowPrivilegeEscalation | `false` | -| `scheduler.containerSecurityContext.readOnlyRootFilesystem` | Set scheduler container's Security Context readOnlyRootFilesystem | `false` | +| `scheduler.containerSecurityContext.readOnlyRootFilesystem` | Set scheduler container's Security Context readOnlyRootFilesystem | `true` | | `scheduler.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `scheduler.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | | `scheduler.lifecycleHooks` | for the Airflow scheduler container(s) to automate configuration 
before or after startup | `{}` | @@ -319,7 +471,7 @@ The command removes all the Kubernetes components associated with the chart and | `worker.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | | `worker.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | | `worker.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `worker.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if worker.resources is set (worker.resources is recommended for production). | `none` | +| `worker.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if worker.resources is set (worker.resources is recommended for production). | `large` | | `worker.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `worker.podSecurityContext.enabled` | Enabled Airflow worker pods' Security Context | `true` | | `worker.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | 
@@ -327,13 +479,13 @@ The command removes all the Kubernetes components associated with the chart and
 | `worker.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `worker.podSecurityContext.fsGroup` | Set Airflow worker pod's Security Context fsGroup | `1001` |
 | `worker.containerSecurityContext.enabled` | Enabled Airflow worker containers' Security Context | `true` |
-| `worker.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `worker.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `worker.containerSecurityContext.runAsUser` | Set Airflow worker containers' Security Context runAsUser | `1001` |
-| `worker.containerSecurityContext.runAsGroup` | Set Airflow worker containers' Security Context runAsGroup | `0` |
+| `worker.containerSecurityContext.runAsGroup` | Set Airflow worker containers' Security Context runAsGroup | `1001` |
 | `worker.containerSecurityContext.runAsNonRoot` | Set Airflow worker containers' Security Context runAsNonRoot | `true` |
 | `worker.containerSecurityContext.privileged` | Set worker container's Security Context privileged | `false` |
 | `worker.containerSecurityContext.allowPrivilegeEscalation` | Set worker container's Security Context allowPrivilegeEscalation | `false` |
-| `worker.containerSecurityContext.readOnlyRootFilesystem` | Set worker container's Security Context readOnlyRootFilesystem | `false` |
+| `worker.containerSecurityContext.readOnlyRootFilesystem` | Set worker container's Security Context readOnlyRootFilesystem | `true` |
 | `worker.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `worker.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
 | `worker.lifecycleHooks` | for the Airflow worker container(s) to automate configuration before or after startup | `{}` |
@@ -397,7 +549,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `git.clone.extraEnvVarsCM` | ConfigMap with extra environment variables | `""` |
 | `git.clone.extraEnvVarsSecret` | Secret with extra environment variables | `""` |
 | `git.clone.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
-| `git.clone.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if git.clone.resources is set (git.clone.resources is recommended for production). | `none` |
+| `git.clone.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if git.clone.resources is set (git.clone.resources is recommended for production). | `nano` |
 | `git.sync.interval` | Interval in seconds to pull the git repository containing the plugins and/or DAG files | `60` |
 | `git.sync.command` | Override cmd | `[]` |
 | `git.sync.args` | Override args | `[]` |
@@ -405,7 +557,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `git.sync.extraEnvVars` | Add extra environment variables | `[]` |
 | `git.sync.extraEnvVarsCM` | ConfigMap with extra environment variables | `""` |
 | `git.sync.extraEnvVarsSecret` | Secret with extra environment variables | `""` |
-| `git.sync.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if git.sync.resources is set (git.sync.resources is recommended for production). | `none` |
+| `git.sync.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if git.sync.resources is set (git.sync.resources is recommended for production). | `nano` |
 | `git.sync.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 ### Airflow ldap parameters
@@ -483,7 +635,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `metrics.extraEnvVarsCM` | ConfigMap containing extra environment variables for Airflow exporter pods | `""` |
 | `metrics.extraEnvVarsSecret` | Secret containing extra environment variables (in case of sensitive data) for Airflow exporter pods | `""` |
 | `metrics.containerPorts.http` | Airflow exporter metrics container port | `9112` |
-| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` |
+| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` |
 | `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `metrics.podSecurityContext.enabled` | Enable security context for the pods | `true` |
 | `metrics.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -491,13 +643,13 @@ The command removes all the Kubernetes components associated with the chart and
 | `metrics.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `metrics.podSecurityContext.fsGroup` | Set Airflow exporter pod's Security Context fsGroup | `1001` |
 | `metrics.containerSecurityContext.enabled` | Enable Airflow exporter containers' Security Context | `true` |
-| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `metrics.containerSecurityContext.runAsUser` | Set Airflow exporter containers' Security Context runAsUser | `1001` |
-| `metrics.containerSecurityContext.runAsGroup` | Set Airflow exporter containers' Security Context runAsGroup | `0` |
+| `metrics.containerSecurityContext.runAsGroup` | Set Airflow exporter containers' Security Context runAsGroup | `1001` |
 | `metrics.containerSecurityContext.runAsNonRoot` | Set Airflow exporter containers' Security Context runAsNonRoot | `true` |
 | `metrics.containerSecurityContext.privileged` | Set metrics container's Security Context privileged | `false` |
 | `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set metrics container's Security Context allowPrivilegeEscalation | `false` |
-| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set metrics container's Security Context readOnlyRootFilesystem | `false` |
+| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set metrics container's Security Context readOnlyRootFilesystem | `true` |
 | `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
 | `metrics.lifecycleHooks` | for the Airflow exporter container(s) to automate configuration before or after startup | `{}` |
@@ -538,33 +690,37 @@ The command removes all the Kubernetes components associated with the chart and
 ### Airflow database parameters
-| Name | Description | Value |
-| -------------------------------------------- | ------------------------------------------------------------------------------------------------------ | ----------------- |
-| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` |
-| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `true` |
-| `postgresql.auth.username` | Name for a custom user to create | `bn_airflow` |
-| `postgresql.auth.password` | Password for the custom user to create | `""` |
-| `postgresql.auth.database` | Name for a custom database to create | `bitnami_airflow` |
-| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` |
-| `postgresql.architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` |
-| `externalDatabase.host` | Database host | `localhost` |
-| `externalDatabase.port` | Database port number | `5432` |
-| `externalDatabase.user` | Non-root username for Airflow | `bn_airflow` |
-| `externalDatabase.password` | Password for the non-root username for Airflow | `""` |
-| `externalDatabase.database` | Airflow database name | `bitnami_airflow` |
-| `externalDatabase.existingSecret` | Name of an existing secret resource containing the database credentials | `""` |
-| `externalDatabase.existingSecretPasswordKey` | Name of an existing secret key containing the database credentials | `""` |
-| `redis.enabled` | Switch to enable or disable the Redis® helm | `true` |
-| `redis.auth.enabled` | Enable password authentication | `true` |
-| `redis.auth.password` | Redis® password | `""` |
-| `redis.auth.existingSecret` | The name of an existing secret with Redis® credentials | `""` |
-| `redis.architecture` | Redis® architecture. 
Allowed values: `standalone` or `replication` | `standalone` |
-| `externalRedis.host` | Redis® host | `localhost` |
-| `externalRedis.port` | Redis® port number | `6379` |
-| `externalRedis.username` | Redis® username | `""` |
-| `externalRedis.password` | Redis® password | `""` |
-| `externalRedis.existingSecret` | Name of an existing secret resource containing the Redis&trade credentials | `""` |
-| `externalRedis.existingSecretPasswordKey` | Name of an existing secret key containing the Redis&trade credentials | `""` |
+| Name | Description | Value |
+| -------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- |
+| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` |
+| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `true` |
+| `postgresql.auth.username` | Name for a custom user to create | `bn_airflow` |
+| `postgresql.auth.password` | Password for the custom user to create | `""` |
+| `postgresql.auth.database` | Name for a custom database to create | `bitnami_airflow` |
+| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` |
+| `postgresql.architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` |
+| `postgresql.primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). 
| `nano` |
+| `postgresql.primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `externalDatabase.host` | Database host | `localhost` |
+| `externalDatabase.port` | Database port number | `5432` |
+| `externalDatabase.user` | Non-root username for Airflow | `bn_airflow` |
+| `externalDatabase.password` | Password for the non-root username for Airflow | `""` |
+| `externalDatabase.database` | Airflow database name | `bitnami_airflow` |
+| `externalDatabase.existingSecret` | Name of an existing secret resource containing the database credentials | `""` |
+| `externalDatabase.existingSecretPasswordKey` | Name of an existing secret key containing the database credentials | `""` |
+| `redis.enabled` | Switch to enable or disable the Redis® helm | `true` |
+| `redis.auth.enabled` | Enable password authentication | `true` |
+| `redis.auth.password` | Redis® password | `""` |
+| `redis.auth.existingSecret` | The name of an existing secret with Redis® credentials | `""` |
+| `redis.architecture` | Redis® architecture. Allowed values: `standalone` or `replication` | `standalone` |
+| `redis.master.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production). 
| `nano` |
+| `redis.master.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `externalRedis.host` | Redis® host | `localhost` |
+| `externalRedis.port` | Redis® port number | `6379` |
+| `externalRedis.username` | Redis® username | `""` |
+| `externalRedis.password` | Redis® password | `""` |
+| `externalRedis.existingSecret` | Name of an existing secret resource containing the Redis&trade credentials | `""` |
+| `externalRedis.existingSecretPasswordKey` | Name of an existing secret key containing the Redis&trade credentials | `""` |
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, 
@@ -592,187 +748,22 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/airfl > Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. > **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/airflow/values.yaml) -## Configuration and installation details - -### Resource requests and limits - -Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. - -To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). - -### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) - -It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. - -Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. 
- -### Generate a Fernet key - -A Fernet key is required in order to encrypt password within connections. The Fernet key must be a base64-encoded 32-byte key. - -Learn how to generate one [here](https://airflow.apache.org/docs/apache-airflow/stable/security/secrets/fernet.html#generating-fernet-key) - -### Generate a Secret key - -Secret key used to run your flask app. It should be as random as possible. However, when running more than 1 instances of webserver, make sure all of them use the same secret_key otherwise one of them will error with "CSRF session token is missing". - -### Load DAG files - -There are two different ways to load your custom DAG files into the Airflow chart. All of them are compatible so you can use more than one at the same time. - -#### Option 1: Specify an existing config map - -You can manually create a config map containing all your DAG files and then pass the name when deploying Airflow chart. For that, you can pass the option `dags.existingConfigmap`. - -#### Option 2: Get your DAG files from a git repository - -You can store all your DAG files on GitHub repositories and then clone to the Airflow pods with an initContainer. The repositories will be periodically updated using a sidecar container. In order to do that, you can deploy airflow with the following options: - -> NOTE: When enabling git synchronization, an init container and sidecar container will be added for all the pods running airflow, this will allow scheduler, worker and web component to reach dags if it was needed. 
- -```console -git.dags.enabled=true -git.dags.repositories[0].repository=https://github.com/USERNAME/REPOSITORY -git.dags.repositories[0].name=REPO-IDENTIFIER -git.dags.repositories[0].branch=master -``` - -If you use a private repository from GitHub, a possible option to clone the files is using a [Personal Access Token](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) and using it as part of the URL: `https://USERNAME:PERSONAL_ACCESS_TOKEN@github.com/USERNAME/REPOSITORY` - -### Loading Plugins - -You can load plugins into the chart by specifying a git repository containing the plugin files. The repository will be periodically updated using a sidecar container. In order to do that, you can deploy airflow with the following options: - -> NOTE: When enabling git synchronization, an init container and sidecar container will be added for all the pods running airflow, this will allow scheduler, worker and web component to reach plugins if it was needed. 
- -```console -git.plugins.enabled=true -git.plugins.repositories[0].repository=https://github.com/teamclairvoyant/airflow-rest-api-plugin.git -git.plugins.repositories[0].branch=v1.0.9-branch -git.plugins.repositories[0].path=plugins -``` - -### Existing Secrets - -You can use an existing secret to configure your Airflow auth, external Postgres, and external Redis® passwords: - -```console -postgresql.enabled=false -externalDatabase.host=my.external.postgres.host -externalDatabase.user=bn_airflow -externalDatabase.database=bitnami_airflow -externalDatabase.existingSecret=all-my-secrets -externalDatabase.existingSecretPasswordKey=postgresql-password - -redis.enabled=false -externalRedis.host=my.external.redis.host -externalRedis.existingSecret=all-my-secrets -externalRedis.existingSecretPasswordKey=redis-password - -auth.existingSecret=all-my-secrets -``` - -The expected secret resource looks as follows: - -```yaml -apiVersion: v1 -kind: Secret -metadata: - name: all-my-secrets -type: Opaque -data: - airflow-password: "Smo1QTJLdGxXMg==" - airflow-fernet-key: "YVRZeVJVWnlXbU4wY1dOalVrdE1SV3cxWWtKeFIzWkVRVTVrVjNaTFR6WT0=" - airflow-secret-key: "a25mQ1FHTUh3MnFRSk5KMEIyVVU2YmN0VGRyYTVXY08=" - postgresql-password: "cG9zdGdyZXMK" - redis-password: "cmVkaXMK" -``` - -This is useful if you plan on using [Bitnami's sealed secrets](https://github.com/bitnami-labs/sealed-secrets) to manage your passwords. - -### Setting Pod's affinity - -This chart allows you to set your custom affinity using the `affinity` parameter. Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). - -As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. 
To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters. - -### Install extra python packages - -This chart allows you to mount volumes using `extraVolumes` and `extraVolumeMounts` in all 3 airflow components (web, scheduler, worker). Mounting a requirements.txt using these options to `/bitnami/python/requirements.txt` will execute `pip install -r /bitnami/python/requirements.txt` on container start. - -### Enabling network policies - -This chart allows you to set network policies that will rectrict the access to the deployed pods in the cluster. Basically, no other pods apart from Scheduler's pods may access Worker's pods and no other pods apart from Web's pods may access Worker's ones. To do so, set `networkPolicies.enabled=true`. - -### Executors - -Airflow supports different executors runtimes and this chart provides support for the following ones. - -#### CeleryExecutor - -Celery executor is the default value for this chart with it you can scale out the number of workers. To point the `executor` parameter to `CeleryExecutor` you need to do something, you just install the chart with default parameters. - -#### KubernetesExecutor - -The kubernetes executor is introduced in Apache Airflow 1.10.0. The Kubernetes executor will create a new pod for every task instance using the `pod_template.yaml` that you can find [templates/config/configmap.yaml](https://github.com/bitnami/charts/blob/main/bitnami/airflow/templates/config/configmap.yaml), otherwise you can override this template using `worker.podTemplate`. To enable `KubernetesExecutor` set the following parameters. - -> NOTE: Redis® is not needed to be deployed when using KubernetesExecutor so you must disable it using `redis.enabled=false`. 
- -```console -executor=KubernetesExecutor -redis.enabled=false -rbac.create=true -serviceaccount.create=true -``` - -### CeleryKubernetesExecutor - -The CeleryKubernetesExecutor is introduced in Airflow 2.0 and is a combination of both the Celery and the Kubernetes executors. Tasks will be executed using Celery by default, but those tasks that require it can be executed in a Kubernetes pod using the 'kubernetes' queue. - -#### LocalExecutor - -Local executor runs tasks by spawning processes in the Scheduler pods. To enable `LocalExecutor` set the following parameters. - -```console -executor=LocalExecutor -redis.enabled=false -``` - -### LocalKubernetesExecutor - -The LocalKubernetesExecutor is introduced in Airflow 2.3 and is a combination of both the Local and the Kubernetes executors. Tasks will be executed in the scheduler by default, but those tasks that require it can be executed in a Kubernetes pod using the 'kubernetes' queue. - -#### SequentialExecutor - -This executor will only run one task instance at a time in the Scheduler pods. For production use case, please use other executors. To enable `SequentialExecutor` set the following parameters. - -```console -executor=SequentialExecutor -redis.enabled=false -``` - -### Scaling worker pods - -Sometime when using large workloads a fixed number of worker pods may make task to take a long time to be executed. This chart provide two ways for scaling worker pods. - -- If you are using `KubernetesExecutor` auto scaling pods would be done by the Scheduler without adding anything more. -- If you are using `SequentialExecutor` you would have to enable `worker.autoscaling` to do so, please, set the following parameters. It will use autoscaling by default configuration that you can change using `worker.autoscaling.replicas.*` and `worker.autoscaling.targets.*`. 
+## Troubleshooting -```console -worker.autoscaling.enabled=true -worker.resources.requests.cpu=200m -worker.resources.requests.memory=250Mi -``` +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). -## Persistence +## Upgrading -The Bitnami Airflow chart relies on the PostgreSQL chart persistence. This means that Airflow does not persist anything. +### To 18.0.0 -## Troubleshooting +This major bump changes the following security defaults: -Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. -## Upgrading +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. ### To 17.0.0 diff --git a/charts/bitnami/airflow/charts/postgresql/Chart.yaml b/charts/bitnami/airflow/charts/postgresql/Chart.yaml index d1c130aee7..f1ed83c6ce 100644 --- a/charts/bitnami/airflow/charts/postgresql/Chart.yaml +++ b/charts/bitnami/airflow/charts/postgresql/Chart.yaml @@ -34,4 +34,4 @@ maintainers: name: postgresql sources: - https://github.com/bitnami/charts/tree/main/bitnami/postgresql -version: 14.3.3 +version: 15.1.0 diff --git a/charts/bitnami/airflow/charts/postgresql/README.md b/charts/bitnami/airflow/charts/postgresql/README.md index e05a3dfb7d..9f2469c555 100644 --- a/charts/bitnami/airflow/charts/postgresql/README.md 
+++ b/charts/bitnami/airflow/charts/postgresql/README.md 
@@ -44,43 +44,252 @@ The command deploys PostgreSQL on the Kubernetes cluster in the default configur > **Tip**: List all releases using `helm list` -## Uninstalling the Chart +## Configuration and installation details -To uninstall/delete the `my-release` deployment: +### Resource requests and limits -```console -helm delete my-release +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Customizing primary and read replica services in a replicated configuration + +At the top level, there is a service object which defines the services for both primary and readReplicas. For deeper customization, there are service objects for both the primary and read types individually. 
This allows you to override the values in the top level service object so that the primary and read can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the primary and read to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the primary.service or readReplicas.service objects will take precedence over the top level service object. + +### Use a different PostgreSQL version + +To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. + +### LDAP + +LDAP support can be enabled in the chart by specifying the `ldap.` parameters while creating a release. The following parameters should be configured to properly enable the LDAP support in the chart. + +- **ldap.enabled**: Enable LDAP support. Defaults to `false`. +- **ldap.uri**: LDAP URL beginning in the form `ldap[s]://:`. No defaults. +- **ldap.base**: LDAP base DN. No defaults. +- **ldap.binddn**: LDAP bind DN. No defaults. +- **ldap.bindpw**: LDAP bind password. No defaults. +- **ldap.bslookup**: LDAP base lookup. No defaults. +- **ldap.nss_initgroups_ignoreusers**: LDAP ignored users. `root,nslcd`. +- **ldap.scope**: LDAP search scope. No defaults. +- **ldap.tls_reqcert**: LDAP TLS check on server certificates. No defaults. + +For example: + +```text +ldap.enabled="true" +ldap.uri="ldap://my_ldap_server" +ldap.base="dc=example\,dc=org" +ldap.binddn="cn=admin\,dc=example\,dc=org" +ldap.bindpw="admin" +ldap.bslookup="ou=group-ok\,dc=example\,dc=org" +ldap.nss_initgroups_ignoreusers="root\,nslcd" +ldap.scope="sub" +ldap.tls_reqcert="demand" ``` -The command removes all the Kubernetes components but PVC's associated with the chart and deletes the release. 
+Next, login to the PostgreSQL server using the `psql` client and add the PAM authenticated LDAP users. + +> Note: Parameters including commas must be escaped as shown in the above example. + +### postgresql.conf / pg_hba.conf files as configMap + +This helm chart also supports to customize the PostgreSQL configuration file. You can add additional PostgreSQL configuration parameters using the `primary.extendedConfiguration`/`readReplicas.extendedConfiguration` parameters as a string. Alternatively, to replace the entire default configuration use `primary.configuration`. + +You can also add a custom pg_hba.conf using the `primary.pgHbaConfiguration` parameter. + +In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `primary.existingConfigmap` parameter. Note that this will override the two previous options. + +### Initialize a fresh instance + +The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, you can specify custom scripts using the `primary.initdb.scripts` parameter as a string. + +In addition, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `primary.initdb.scriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `primary.initdb.scriptsSecret` parameter. + +The allowed extensions are `.sh`, `.sql` and `.sql.gz`. + +### Securing traffic using TLS + +TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart: + +- `tls.enabled`: Enable TLS support. 
Defaults to `false` +- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults. +- `tls.certFilename`: Certificate filename. No defaults. +- `tls.certKeyFilename`: Certificate key filename. No defaults. + +For example: + +- First, create the secret with the cetificates files: + + ```console + kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt + ``` + +- Then, use the following parameters: + + ```console + volumePermissions.enabled=true + tls.enabled=true + tls.certificatesSecret="certificates-tls-secret" + tls.certFilename="cert.crt" + tls.certKeyFilename="cert.key" + ``` + + > Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `containerSecurityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected. -To delete the PVC's associated with `my-release`: +### Sidecars + +If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec. + +```yaml +# For the PostgreSQL primary +primary: + sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +# For the PostgreSQL replicas +readReplicas: + sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +### Metrics + +The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). 
The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). + +The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details. + +### Use of global variables + +In more complex scenarios, we may have the following tree of dependencies + +```text + +--------------+ + | | + +------------+ Chart 1 +-----------+ + | | | | + | --------+------+ | + | | | + | | | + | | | + | | | + v v v ++-------+------+ +--------+------+ +--------+------+ +| | | | | | +| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 | +| | | | | | ++--------------+ +---------------+ +---------------+ +``` + +The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters: + +```text +postgresql.auth.username=testuser +subchart1.postgresql.auth.username=testuser +subchart2.postgresql.auth.username=testuser +postgresql.auth.password=testpass +subchart1.postgresql.auth.password=testpass +subchart2.postgresql.auth.password=testpass +postgresql.auth.database=testdb +subchart1.postgresql.auth.database=testdb +subchart2.postgresql.auth.database=testdb +``` + +If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. 
An alternative would be to set the credentials using global variables as follows:
+
+```text
+global.postgresql.auth.username=testuser
+global.postgresql.auth.password=testpass
+global.postgresql.auth.database=testdb
+```
+
+This way, the credentials will be available in all of the subcharts.
+
+### Backup and restore PostgreSQL deployments
+
+To back up and restore Bitnami PostgreSQL Helm chart deployments on Kubernetes, you need to back up the persistent volumes from the source deployment and attach them to a new deployment using [Velero](https://velero.io/), a Kubernetes backup/restore tool.
+
+These are the steps you will usually follow to back up and restore your PostgreSQL cluster data:
+
+- Install Velero on the source and destination clusters.
+- Use Velero to back up the PersistentVolumes (PVs) used by the deployment on the source cluster.
+- Use Velero to restore the backed-up PVs on the destination cluster.
+- Create a new deployment on the destination cluster with the same chart, deployment name, credentials and other parameters as the original. This new deployment will use the restored PVs and hence the original data.
+
+Refer to our detailed [tutorial on backing up and restoring PostgreSQL deployments on Kubernetes](https://docs.bitnami.com/tutorials/migrate-data-bitnami-velero/) for more information.
+
+### NetworkPolicy
+
+To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`.
+
+For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation.
Note: this will enforce policy for _all_ pods in the namespace:
 ```console
-kubectl delete pvc -l release=my-release
+kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"
 ```
-> **Note**: Deleting the PVC's will delete postgresql data as well. Please be cautious before doing it.
+With NetworkPolicy enabled, traffic will be limited to just port 5432.
+
+For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL.
+This label will be displayed in the output of a successful install.
+
+### Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image
+
+- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image.
+- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift.
+- For OpenShift up to 4.10, let set the volume permissions, security context, runAsUser and fsGroup automatically by OpenShift and disable the predefined settings of the helm chart: primary.securityContext.enabled=false,primary.containerSecurityContext.enabled=false,volumePermissions.enabled=false,shmVolume.enabled=false
+- For OpenShift 4.11 and higher, let set OpenShift the runAsUser and fsGroup automatically.
Configure the pod and container security context to restrictive defaults and disable the volume permissions setup: primary.
+ podSecurityContext.fsGroup=null,primary.podSecurityContext.seccompProfile.type=RuntimeDefault,primary.containerSecurityContext.runAsUser=null,primary.containerSecurityContext.allowPrivilegeEscalation=false,primary.containerSecurityContext.runAsNonRoot=true,primary.containerSecurityContext.seccompProfile.type=RuntimeDefault,primary.containerSecurityContext.capabilities.drop=['ALL'],volumePermissions.enabled=false,shmVolume.enabled=false
+
+### Setting Pod's affinity
+
+This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity).
+
+As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters.
+
+## Persistence
+
+The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container.
+
+Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube.
+See the [Parameters](#parameters) section to configure the PVC or to disable persistence.
+
+If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to the [code present in the container repository](https://github.com/bitnami/containers/tree/main/bitnami/postgresql). If you need to use those data, please covert them to sql and import after `helm install` finished.
## Parameters
 ### Global parameters
-| Name | Description | Value |
-| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
-| `global.imageRegistry` | Global Docker image registry | `""` |
-| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
-| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
-| `global.postgresql.auth.postgresPassword` | Password for the "postgres" admin user (overrides `auth.postgresPassword`) | `""` |
-| `global.postgresql.auth.username` | Name for a custom user to create (overrides `auth.username`) | `""` |
-| `global.postgresql.auth.password` | Password for the custom user to create (overrides `auth.password`) | `""` |
-| `global.postgresql.auth.database` | Name for a custom database to create (overrides `auth.database`) | `""` |
-| `global.postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). | `""` |
-| `global.postgresql.auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
-| `global.postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set.
| `""` |
-| `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
-| `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` |
-| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
+| Name | Description | Value |
+| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
+| `global.imageRegistry` | Global Docker image registry | `""` |
+| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
+| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
+| `global.postgresql.auth.postgresPassword` | Password for the "postgres" admin user (overrides `auth.postgresPassword`) | `""` |
+| `global.postgresql.auth.username` | Name for a custom user to create (overrides `auth.username`) | `""` |
+| `global.postgresql.auth.password` | Password for the custom user to create (overrides `auth.password`) | `""` |
+| `global.postgresql.auth.database` | Name for a custom database to create (overrides `auth.database`) | `""` |
+|
`global.postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). | `""` |
+| `global.postgresql.auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
+| `global.postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
+| `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
+| `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` |
+| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
 ### Common parameters
@@ -205,7 +414,7 @@ kubectl delete pvc -l release=my-release
 | `primary.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
 | `primary.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
 | `primary.lifecycleHooks` | for the PostgreSQL Primary container to automate configuration before or after startup | `{}` |
-| `primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `none` |
+| `primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `nano` |
 | `primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `primary.podSecurityContext.enabled` | Enable security context | `true` |
 | `primary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -213,12 +422,12 @@ kubectl delete pvc -l release=my-release
 | `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `primary.podSecurityContext.fsGroup` | Group ID for the pod | `1001` |
 | `primary.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
-| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `primary.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `primary.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
+| `primary.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
 | `primary.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `primary.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
 | `primary.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
 | `primary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `primary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
@@ -317,7 +526,7 @@ kubectl delete pvc -l release=my-release
 | `readReplicas.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
 | `readReplicas.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
 | `readReplicas.lifecycleHooks` | for the PostgreSQL read only container to automate configuration before or after startup | `{}` |
-| `readReplicas.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if readReplicas.resources is set (readReplicas.resources is recommended for production). | `none` |
+| `readReplicas.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if readReplicas.resources is set (readReplicas.resources is recommended for production). | `nano` |
 | `readReplicas.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `readReplicas.podSecurityContext.enabled` | Enable security context | `true` |
 | `readReplicas.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -325,12 +534,12 @@ kubectl delete pvc -l release=my-release
 | `readReplicas.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `readReplicas.podSecurityContext.fsGroup` | Group ID for the pod | `1001` |
 | `readReplicas.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
-| `readReplicas.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `readReplicas.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `readReplicas.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `readReplicas.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
+| `readReplicas.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
 | `readReplicas.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `readReplicas.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `readReplicas.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `readReplicas.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
 | `readReplicas.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
 | `readReplicas.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `readReplicas.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
@@ -414,12 +623,12 @@ kubectl delete pvc -l release=my-release
 | `backup.cronjob.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `backup.cronjob.podSecurityContext.fsGroup` | Group ID for the CronJob | `1001` |
 | `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
-| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `backup.cronjob.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
+| `backup.cronjob.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
 | `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
 | `backup.cronjob.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
 | `backup.cronjob.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `backup.cronjob.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
@@ -427,8 +636,9 @@ kubectl delete pvc -l release=my-release
 | `backup.cronjob.labels` | Set the cronjob labels | `{}` |
 | `backup.cronjob.annotations` | Set the cronjob annotations | `{}` |
 | `backup.cronjob.nodeSelector` | Node labels for PostgreSQL backup CronJob pod assignment | `{}` |
-| `backup.cronjob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if backup.cronjob.resources is set (backup.cronjob.resources is recommended for production). | `none` |
+| `backup.cronjob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if backup.cronjob.resources is set (backup.cronjob.resources is recommended for production). | `nano` |
 | `backup.cronjob.resources` | Set container requests and limits for different resources like CPU or memory | `{}` |
+| `backup.cronjob.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
 | `backup.cronjob.storage.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` |
 | `backup.cronjob.storage.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` |
 | `backup.cronjob.storage.storageClass` | PVC Storage Class for the backup data volume | `""` |
@@ -449,9 +659,9 @@ kubectl delete pvc -l release=my-release
 | `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
 | `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
 | `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` |
-| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` |
+| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` |
 | `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
-| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` |
 | `volumePermissions.containerSecurityContext.runAsGroup` | Group ID for the init container | `0` |
 | `volumePermissions.containerSecurityContext.runAsNonRoot` | runAsNonRoot for the init container | `false` |
@@ -484,12 +694,12 @@ kubectl delete pvc -l release=my-release
 | `metrics.customMetrics` | Define additional custom metrics | `{}` |
 | `metrics.extraEnvVars` | Extra environment variables to add to PostgreSQL Prometheus exporter | `[]` |
 | `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
-| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `metrics.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
+| `metrics.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
 | `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
 | `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
 | `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
@@ -515,7 +725,7 @@ kubectl delete pvc -l release=my-release
 | `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
 | `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
 | `metrics.containerPorts.metrics` | PostgreSQL Prometheus exporter metrics container port | `9187` |
-| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` |
+| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` |
 | `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `metrics.service.ports.metrics` | PostgreSQL Prometheus Exporter service port | `9187` |
 | `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` |
@@ -560,238 +770,22 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/postg > Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. > **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/postgresql/values.yaml) -## Configuration and installation details - -### Resource requests and limits - -Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. - -To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). - -### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) - -It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. - -Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. 
- -### Customizing primary and read replica services in a replicated configuration - -At the top level, there is a service object which defines the services for both primary and readReplicas. For deeper customization, there are service objects for both the primary and read types individually. This allows you to override the values in the top level service object so that the primary and read can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the primary and read to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the primary.service or readReplicas.service objects will take precedence over the top level service object. - -### Use a different PostgreSQL version - -To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. - -### LDAP - -LDAP support can be enabled in the chart by specifying the `ldap.` parameters while creating a release. The following parameters should be configured to properly enable the LDAP support in the chart. - -- **ldap.enabled**: Enable LDAP support. Defaults to `false`. -- **ldap.uri**: LDAP URL beginning in the form `ldap[s]://:`. No defaults. -- **ldap.base**: LDAP base DN. No defaults. -- **ldap.binddn**: LDAP bind DN. No defaults. -- **ldap.bindpw**: LDAP bind password. No defaults. -- **ldap.bslookup**: LDAP base lookup. No defaults. -- **ldap.nss_initgroups_ignoreusers**: LDAP ignored users. `root,nslcd`. -- **ldap.scope**: LDAP search scope. No defaults. -- **ldap.tls_reqcert**: LDAP TLS check on server certificates. No defaults. 
- -For example: - -```text -ldap.enabled="true" -ldap.uri="ldap://my_ldap_server" -ldap.base="dc=example\,dc=org" -ldap.binddn="cn=admin\,dc=example\,dc=org" -ldap.bindpw="admin" -ldap.bslookup="ou=group-ok\,dc=example\,dc=org" -ldap.nss_initgroups_ignoreusers="root\,nslcd" -ldap.scope="sub" -ldap.tls_reqcert="demand" -``` - -Next, login to the PostgreSQL server using the `psql` client and add the PAM authenticated LDAP users. - -> Note: Parameters including commas must be escaped as shown in the above example. - -### postgresql.conf / pg_hba.conf files as configMap - -This helm chart also supports to customize the PostgreSQL configuration file. You can add additional PostgreSQL configuration parameters using the `primary.extendedConfiguration`/`readReplicas.extendedConfiguration` parameters as a string. Alternatively, to replace the entire default configuration use `primary.configuration`. - -You can also add a custom pg_hba.conf using the `primary.pgHbaConfiguration` parameter. - -In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `primary.existingConfigmap` parameter. Note that this will override the two previous options. - -### Initialize a fresh instance - -The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, you can specify custom scripts using the `primary.initdb.scripts` parameter as a string. - -In addition, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `primary.initdb.scriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `primary.initdb.scriptsSecret` parameter. - -The allowed extensions are `.sh`, `.sql` and `.sql.gz`. 
- -### Securing traffic using TLS - -TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart: - -- `tls.enabled`: Enable TLS support. Defaults to `false` -- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults. -- `tls.certFilename`: Certificate filename. No defaults. -- `tls.certKeyFilename`: Certificate key filename. No defaults. - -For example: - -- First, create the secret with the cetificates files: - - ```console - kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt - ``` - -- Then, use the following parameters: - - ```console - volumePermissions.enabled=true - tls.enabled=true - tls.certificatesSecret="certificates-tls-secret" - tls.certFilename="cert.crt" - tls.certKeyFilename="cert.key" - ``` - - > Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `containerSecurityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected. - -### Sidecars - -If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec. 
- -```yaml -# For the PostgreSQL primary -primary: - sidecars: - - name: your-image-name - image: your-image - imagePullPolicy: Always - ports: - - name: portname - containerPort: 1234 -# For the PostgreSQL replicas -readReplicas: - sidecars: - - name: your-image-name - image: your-image - imagePullPolicy: Always - ports: - - name: portname - containerPort: 1234 -``` - -### Metrics - -The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). - -The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details. - -### Use of global variables - -In more complex scenarios, we may have the following tree of dependencies - -```text - +--------------+ - | | - +------------+ Chart 1 +-----------+ - | | | | - | --------+------+ | - | | | - | | | - | | | - | | | - v v v -+-------+------+ +--------+------+ +--------+------+ -| | | | | | -| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 | -| | | | | | -+--------------+ +---------------+ +---------------+ -``` - -The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. 
In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters: - -```text -postgresql.auth.username=testuser -subchart1.postgresql.auth.username=testuser -subchart2.postgresql.auth.username=testuser -postgresql.auth.password=testpass -subchart1.postgresql.auth.password=testpass -subchart2.postgresql.auth.password=testpass -postgresql.auth.database=testdb -subchart1.postgresql.auth.database=testdb -subchart2.postgresql.auth.database=testdb -``` - -If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows: - -```text -global.postgresql.auth.username=testuser -global.postgresql.auth.password=testpass -global.postgresql.auth.database=testdb -``` - -This way, the credentials will be available in all of the subcharts. - -### Persistence - -The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container. - -Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. -See the [Parameters](#parameters) section to configure the PVC or to disable persistence. - -If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to the [code present in the container repository](https://github.com/bitnami/containers/tree/main/bitnami/postgresql). If you need to use those data, please covert them to sql and import after `helm install` finished. 
- -### Backup and restore PostgreSQL deployments - -To back up and restore Bitnami PostgreSQL Helm chart deployments on Kubernetes, you need to back up the persistent volumes from the source deployment and attach them to a new deployment using [Velero](https://velero.io/), a Kubernetes backup/restore tool. - -These are the steps you will usually follow to back up and restore your PostgreSQL cluster data: - -- Install Velero on the source and destination clusters. -- Use Velero to back up the PersistentVolumes (PVs) used by the deployment on the source cluster. -- Use Velero to restore the backed-up PVs on the destination cluster. -- Create a new deployment on the destination cluster with the same chart, deployment name, credentials and other parameters as the original. This new deployment will use the restored PVs and hence the original data. - -Refer to our detailed [tutorial on backing up and restoring PostgreSQL deployments on Kubernetes](https://docs.bitnami.com/tutorials/migrate-data-bitnami-velero/) for more information. - -### NetworkPolicy - -To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. - -For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace: - -```console -kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" -``` - -With NetworkPolicy enabled, traffic will be limited to just port 5432. - -For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL. -This label will be displayed in the output of a successful install. 
- -### Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image - -- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image. -- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift. -- For OpenShift up to 4.10, let set the volume permissions, security context, runAsUser and fsGroup automatically by OpenShift and disable the predefined settings of the helm chart: primary.securityContext.enabled=false,primary.containerSecurityContext.enabled=false,volumePermissions.enabled=false,shmVolume.enabled=false -- For OpenShift 4.11 and higher, let set OpenShift the runAsUser and fsGroup automatically. Configure the pod and container security context to restrictive defaults and disable the volume permissions setup: primary. 
- podSecurityContext.fsGroup=null,primary.podSecurityContext.seccompProfile.type=RuntimeDefault,primary.containerSecurityContext.runAsUser=null,primary.containerSecurityContext.allowPrivilegeEscalation=false,primary.containerSecurityContext.runAsNonRoot=true,primary.containerSecurityContext.seccompProfile.type=RuntimeDefault,primary.containerSecurityContext.capabilities.drop=['ALL'],volumePermissions.enabled=false,shmVolume.enabled=false +## Troubleshooting -### Setting Pod's affinity +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). -This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). +## Upgrading -As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. +### To 15.0.0 -## Troubleshooting +This major bump changes the following security defaults: -Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. 
-## Upgrading +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. ### To 14.0.0 diff --git a/charts/bitnami/airflow/charts/postgresql/templates/backup/networkpolicy.yaml b/charts/bitnami/airflow/charts/postgresql/templates/backup/networkpolicy.yaml new file mode 100644 index 0000000000..77fff3c31b --- /dev/null +++ b/charts/bitnami/airflow/charts/postgresql/templates/backup/networkpolicy.yaml @@ -0,0 +1,28 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.backup.cronjob.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: pg_dumpall + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: pg_dumpall + policyTypes: + - Egress + egress: + - ports: + - port: 5432 + protocol: TCP +{{- end }} diff --git a/charts/bitnami/airflow/charts/postgresql/values.yaml b/charts/bitnami/airflow/charts/postgresql/values.yaml index c97426e5fc..cfdae44248 100644 --- a/charts/bitnami/airflow/charts/postgresql/values.yaml +++ b/charts/bitnami/airflow/charts/postgresql/values.yaml 
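Review bot: The single egress rule at the end of the new networkpolicy.yaml has no `to:` peer, so the pg_dumpall job is allowed to open TCP/5432 to any address inside or outside the cluster, while everything else — including DNS — is denied because `policyTypes` is Egress-only. Under a CNI that enforces egress the job presumably cannot resolve the primary service hostname and the dump fails, and values.yaml in this same diff turns the policy on by default. Scope the 5432 rule to the primary pods with a `to: podSelector` and add a port-53 UDP/TCP rule for name resolution; the exact primary pod labels should be copied from the primary StatefulSet template, which is outside this diff.
```yaml
  policyTypes:
    - Egress
  egress:
    # Name resolution for the primary service hostname
    - ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # Only the PostgreSQL primary pods, not any 5432 listener in or out of the cluster
    - ports:
        - port: 5432
          protocol: TCP
      to:
        - podSelector:
            matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
              app.kubernetes.io/component: primary  # confirm against the primary StatefulSet labels
```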
@@ -50,7 +50,7 @@ global: openshift: ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) ## - adaptSecurityContext: disabled + adaptSecurityContext: auto ## @section Common parameters ## @@ -448,7 +448,7 @@ primary: ## @param primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -489,12 +489,12 @@ primary: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] 
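Review bot: The `adaptSecurityContext: auto` default in the first hunk makes the rendered securityContext depend on whether the target cluster is detected as OpenShift, and the `## @param` comment does not say how that detection is made. If it relies on the cluster's API discovery, as the "detected running cluster" wording suggests, manifests rendered offline with `helm template` or by a GitOps controller would not be adapted and would then be rejected by the restricted-v2 SCC — the very case `auto` is meant to cover. I would add to the comment: `## NOTE: "auto" detection needs the target cluster's API discovery; when rendering offline (helm template / GitOps), set "force" or pass the OpenShift API version explicitly.`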
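Review bot: Flipping `readOnlyRootFilesystem` to `true` in the `primary.containerSecurityContext` hunk is the right default, but nothing in this diff shows the writable emptyDir mounts PostgreSQL presumably needs at runtime (tmp, socket and config directories), so whether the StatefulSet template was updated to match is not visible here. The README hunk only warns that customizations "could potentially break"; the values comment should name the constraint so operators know where writes are still allowed. Suggested comment above the flag: `## NOTE: with readOnlyRootFilesystem=true only the data volume and the chart's own emptyDir mounts are writable; init scripts or extensions that write elsewhere must mount a writable volume or set this back to false.`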
@@ -885,7 +885,7 @@ readReplicas: ## @param readReplicas.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if readReplicas.resources is set (readReplicas.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param readReplicas.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -926,12 +926,12 @@ readReplicas: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] @@ -1279,12 +1279,12 @@ backup: ## @param backup.cronjob.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] 
@@ -1308,7 +1308,7 @@ backup: ## @param backup.cronjob.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if backup.cronjob.resources is set (backup.cronjob.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param backup.cronjob.resources Set container requests and limits for different resources like CPU or memory ## Example: resources: {} @@ -1319,6 +1319,10 @@ backup: ## limits: ## cpu: 2 ## memory: 1024Mi + networkPolicy: + ## @param backup.cronjob.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true storage: ## @param backup.cronjob.storage.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) ## If defined, PVC must be created manually before volume will be bound @@ -1395,7 +1399,7 @@ volumePermissions: ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -1417,7 +1421,7 @@ volumePermissions: ## @param volumePermissions.containerSecurityContext.seccompProfile.type seccompProfile.type for the init container ## containerSecurityContext: - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 0 runAsGroup: 0 runAsNonRoot: false 
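Review bot: `backup.cronjob.networkPolicy.enabled` is introduced with `true` as its default, but its `## @param` line only says a NetworkPolicy is created, not what it enforces. As the new template in this diff renders it, the policy is egress-only and permits nothing but TCP/5432, so enabling the backup cronjob on a cluster with an egress-enforcing CNI silently denies DNS and every other outbound connection from the job. Suggested comment under the param line: `## The policy is egress-only: the pg_dumpall job may reach TCP/5432 and nothing else (DNS included) while it is enabled.`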
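Review bot: The `volumePermissions` init container keeps `runAsUser: 0`, `runAsGroup: 0` and `runAsNonRoot: false` in the last hunk while every other container in this bump moves to 1001 and a read-only root filesystem, and no comment explains the exception. Running as root is needed to chown the data volume, but it should make the pod fail admission under the Pod Security "restricted" profile and OpenShift restricted-v2 whenever the init container is enabled — guidance that the README section deleted in this same diff used to give for OpenShift. Suggested comment above the block: `## NOTE: this init container intentionally runs as root to fix data-volume ownership; it is incompatible with restricted Pod Security / SCC profiles, so prefer fsGroup ownership and leave volumePermissions.enabled=false there.`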
@@ -1542,12 +1546,12 @@ metrics: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] @@ -1615,7 +1619,7 @@ metrics: ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: diff --git a/charts/bitnami/airflow/charts/redis/Chart.yaml b/charts/bitnami/airflow/charts/redis/Chart.yaml index b72d1d5c4f..3ef4bbe1a4 100644 --- a/charts/bitnami/airflow/charts/redis/Chart.yaml +++ b/charts/bitnami/airflow/charts/redis/Chart.yaml @@ -35,4 +35,4 @@ maintainers: name: redis sources: - https://github.com/bitnami/charts/tree/main/bitnami/redis -version: 18.19.2 +version: 19.0.1 diff --git a/charts/bitnami/airflow/charts/redis/README.md b/charts/bitnami/airflow/charts/redis/README.md index 8cac98b7ed..b958bd87a6 100644 --- a/charts/bitnami/airflow/charts/redis/README.md +++ b/charts/bitnami/airflow/charts/redis/README.md 
@@ -1,8 +1,8 @@ -# Bitnami package for Redis(R) +# Bitnami package for Redis® -Redis(R) is an open source, advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. +Redis® is an open source, advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. [Overview of Redis®](http://redis.io) @@ -14,7 +14,7 @@ Disclaimer: Redis is a registered trademark of Redis Ltd. Any rights therein are helm install my-release oci://registry-1.docker.io/bitnamicharts/redis ``` -Looking to use Redisreg; in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. +Looking to use Redis® in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. ## Introduction 
@@ -57,686 +57,87 @@ The command deploys Redis® on the Kubernetes cluster in the default configur > **Tip**: List all releases using `helm list` -## Uninstalling the Chart +## Configuration and installation details -To uninstall/delete the `my-release` deployment: +### Resource requests and limits -```console -helm delete my-release +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Use a different Redis® version + +To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. 
+ +### Bootstrapping with an External Cluster + +This chart is equipped with the ability to bring online a set of Pods that connect to an existing Redis deployment that lies outside of Kubernetes. This effectively creates a hybrid Redis Deployment where both Pods in Kubernetes and Instances such as Virtual Machines can partake in a single Redis Deployment. This is helpful in situations where one may be migrating Redis from Virtual Machines into Kubernetes, for example. To take advantage of this, use the following as an example configuration: + +```yaml +replica: + externalMaster: + enabled: true + host: external-redis-0.internal +sentinel: + externalMaster: + enabled: true + host: external-redis-0.internal ``` -The command removes all the Kubernetes components associated with the chart and deletes the release. +:warning: This is currently limited to clusters in which Sentinel and Redis run on the same node! :warning: -## Parameters +Please also note that the external sentinel must be listening on port `26379`, and this is currently not configurable. -### Global parameters +Once the Kubernetes Redis Deployment is online and confirmed to be working with the existing cluster, the configuration can then be removed and the cluster will remain connected. 
-| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | -| `global.redis.password` | Global Redis® password (overrides `auth.password`) | `""` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | +### External DNS -### Common parameters +This chart is equipped to allow leveraging the ExternalDNS project. Doing so will enable ExternalDNS to publish the FQDN for each instance, in the format of `..`. 
+Example, when using the following configuration: -| Name | Description | Value | -| ------------------------- | -------------------------------------------------------------------------------------------------------------- | --------------- | -| `kubeVersion` | Override Kubernetes version | `""` | -| `nameOverride` | String to partially override common.names.fullname | `""` | -| `fullnameOverride` | String to fully override common.names.fullname | `""` | -| `namespaceOverride` | String to fully override common.names.namespace | `""` | -| `commonLabels` | Labels to add to all deployed objects | `{}` | -| `commonAnnotations` | Annotations to add to all deployed objects | `{}` | -| `secretAnnotations` | Annotations to add to secret | `{}` | -| `clusterDomain` | Kubernetes cluster domain name | `cluster.local` | -| `extraDeploy` | Array of extra objects to deploy with the release | `[]` | -| `useHostnames` | Use hostnames internally when announcing replication. If false, the hostname will be resolved to an IP address | `true` | -| `nameResolutionThreshold` | Failure threshold for internal hostnames resolution | `5` | -| `nameResolutionTimeout` | Timeout seconds between probes for internal hostnames resolution | `5` | -| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | -| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` | -| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` | +```yaml +useExternalDNS: + enabled: true + suffix: prod.example.org + additionalAnnotations: + ttl: 10 +``` -### Redis® Image parameters +On a cluster where the name of the Helm release is `a`, the hostname of a Pod is generated as: `a-redis-node-0.a-redis.prod.example.org`. The IP of that FQDN will match that of the associated Pod. 
This modifies the following parameters of the Redis/Sentinel configuration using this new FQDN: -| Name | Description | Value | -| ------------------- | ---------------------------------------------------------------------------------------------------------- | ----------------------- | -| `image.registry` | Redis® image registry | `REGISTRY_NAME` | -| `image.repository` | Redis® image repository | `REPOSITORY_NAME/redis` | -| `image.digest` | Redis® image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `image.pullPolicy` | Redis® image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Redis® image pull secrets | `[]` | -| `image.debug` | Enable image debug mode | `false` | +- `replica-announce-ip` +- `known-sentinel` +- `known-replica` +- `announce-ip` -### Redis® common configuration parameters +:warning: This requires a working installation of `external-dns` to be fully functional. :warning: -| Name | Description | Value | -| -------------------------------- | ------------------------------------------------------------------------------------- | ------------- | -| `architecture` | Redis® architecture. 
Allowed values: `standalone` or `replication` | `replication` |
-| `auth.enabled` | Enable password authentication | `true` |
-| `auth.sentinel` | Enable password authentication on sentinels too | `true` |
-| `auth.password` | Redis® password | `""` |
-| `auth.existingSecret` | The name of an existing secret with Redis® credentials | `""` |
-| `auth.existingSecretPasswordKey` | Password key to be retrieved from existing secret | `""` |
-| `auth.usePasswordFiles` | Mount credentials as files instead of using an environment variable | `false` |
-| `auth.usePasswordFileFromSecret` | Mount password file from secret | `true` |
-| `commonConfiguration` | Common configuration to be added into the ConfigMap | `""` |
-| `existingConfigmap` | The name of an existing ConfigMap with your custom configuration for Redis® nodes | `""` |
+See the [official ExternalDNS documentation](https://github.com/kubernetes-sigs/external-dns) for additional configuration options.
-### Redis® master configuration parameters
+### Cluster topologies
-| Name | Description | Value |
-| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------ |
-| `master.count` | Number of Redis® master instances to deploy (experimental, requires additional configuration) | `1` |
-| `master.configuration` | Configuration for Redis® master nodes | `""` |
-| `master.disableCommands` | Array with Redis® commands to disable on master nodes | `["FLUSHDB","FLUSHALL"]` |
-| `master.command` | Override default container command (useful when using custom images) | `[]` |
-| `master.args` | Override default container args (useful when using custom images) | `[]` |
-| `master.enableServiceLinks` | Whether information about services should be injected into pod's environment variable
| `true` |
-| `master.preExecCmds` | Additional commands to run prior to starting Redis® master | `[]` |
-| `master.extraFlags` | Array with additional command line flags for Redis® master | `[]` |
-| `master.extraEnvVars` | Array with extra environment variables to add to Redis® master nodes | `[]` |
-| `master.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® master nodes | `""` |
-| `master.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® master nodes | `""` |
-| `master.containerPorts.redis` | Container port to open on Redis® master nodes | `6379` |
-| `master.startupProbe.enabled` | Enable startupProbe on Redis® master nodes | `false` |
-| `master.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `20` |
-| `master.startupProbe.periodSeconds` | Period seconds for startupProbe | `5` |
-| `master.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
-| `master.startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` |
-| `master.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
-| `master.livenessProbe.enabled` | Enable livenessProbe on Redis® master nodes | `true` |
-| `master.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` |
-| `master.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` |
-| `master.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
-| `master.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` |
-| `master.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `master.readinessProbe.enabled` | Enable readinessProbe on Redis® master nodes | `true` |
-| `master.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` |
-| `master.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
-|
`master.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
-| `master.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` |
-| `master.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
-| `master.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
-| `master.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
-| `master.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
-| `master.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production). | `none` |
-| `master.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
-| `master.podSecurityContext.enabled` | Enabled Redis® master pods' Security Context | `true` |
-| `master.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
-| `master.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
-| `master.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
-| `master.podSecurityContext.fsGroup` | Set Redis® master pod's Security Context fsGroup | `1001` |
-| `master.containerSecurityContext.enabled` | Enabled Redis® master containers' Security Context | `true` |
-| `master.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
-| `master.containerSecurityContext.runAsUser` | Set Redis® master containers' Security Context runAsUser | `1001` |
-| `master.containerSecurityContext.runAsGroup` | Set Redis® master containers' Security Context runAsGroup | `0` |
-| `master.containerSecurityContext.runAsNonRoot` | Set Redis® master containers' Security Context runAsNonRoot |
`true` |
-| `master.containerSecurityContext.allowPrivilegeEscalation` | Is it possible to escalate Redis® pod(s) privileges | `false` |
-| `master.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` |
-| `master.containerSecurityContext.seccompProfile.type` | Set Redis® master containers' Security Context seccompProfile | `RuntimeDefault` |
-| `master.containerSecurityContext.capabilities.drop` | Set Redis® master containers' Security Context capabilities to drop | `["ALL"]` |
-| `master.kind` | Use either Deployment, StatefulSet (default) or DaemonSet | `StatefulSet` |
-| `master.schedulerName` | Alternate scheduler for Redis® master pods | `""` |
-| `master.updateStrategy.type` | Redis® master statefulset strategy type | `RollingUpdate` |
-| `master.minReadySeconds` | How many seconds a pod needs to be ready before killing the next, during update | `0` |
-| `master.priorityClassName` | Redis® master pods' priorityClassName | `""` |
-| `master.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
-| `master.hostAliases` | Redis® master pods host aliases | `[]` |
-| `master.podLabels` | Extra labels for Redis® master pods | `{}` |
-| `master.podAnnotations` | Annotations for Redis® master pods | `{}` |
-| `master.shareProcessNamespace` | Share a single process namespace between all of the containers in Redis® master pods | `false` |
-| `master.podAffinityPreset` | Pod affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `master.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
-| `master.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `""` |
-| `master.nodeAffinityPreset.key` | Node label key to match.
Ignored if `master.affinity` is set | `""` |
-| `master.nodeAffinityPreset.values` | Node label values to match. Ignored if `master.affinity` is set | `[]` |
-| `master.affinity` | Affinity for Redis® master pods assignment | `{}` |
-| `master.nodeSelector` | Node labels for Redis® master pods assignment | `{}` |
-| `master.tolerations` | Tolerations for Redis® master pods assignment | `[]` |
-| `master.topologySpreadConstraints` | Spread Constraints for Redis® master pod assignment | `[]` |
-| `master.dnsPolicy` | DNS Policy for Redis® master pod | `""` |
-| `master.dnsConfig` | DNS Configuration for Redis® master pod | `{}` |
-| `master.lifecycleHooks` | for the Redis® master container(s) to automate configuration before or after startup | `{}` |
-| `master.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® master pod(s) | `[]` |
-| `master.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® master container(s) | `[]` |
-| `master.sidecars` | Add additional sidecar containers to the Redis® master pod(s) | `[]` |
-| `master.initContainers` | Add additional init containers to the Redis® master pod(s) | `[]` |
-| `master.persistence.enabled` | Enable persistence on Redis® master nodes using Persistent Volume Claims | `true` |
-| `master.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` |
-| `master.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes.
| `""` | -| `master.persistence.path` | The path the volume will be mounted at on Redis® master containers | `/data` | -| `master.persistence.subPath` | The subdirectory of the volume to mount on Redis® master containers | `""` | -| `master.persistence.subPathExpr` | Used to construct the subPath subdirectory of the volume to mount on Redis® master containers | `""` | -| `master.persistence.storageClass` | Persistent Volume storage class | `""` | -| `master.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` | -| `master.persistence.size` | Persistent Volume size | `8Gi` | -| `master.persistence.annotations` | Additional custom annotations for the PVC | `{}` | -| `master.persistence.labels` | Additional custom labels for the PVC | `{}` | -| `master.persistence.selector` | Additional labels to match for the PVC | `{}` | -| `master.persistence.dataSource` | Custom PVC data source | `{}` | -| `master.persistence.existingClaim` | Use a existing PVC which must be created manually before bound | `""` | -| `master.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` | -| `master.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | -| `master.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | -| `master.service.type` | Redis® master service type | `ClusterIP` | -| `master.service.ports.redis` | Redis® master service port | `6379` | -| `master.service.nodePorts.redis` | Node port for Redis® master | `""` | -| `master.service.externalTrafficPolicy` | Redis® master service external traffic policy | `Cluster` | -| `master.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `master.service.internalTrafficPolicy` | Redis® master service internal traffic 
policy (requires Kubernetes v1.22 or greater to be usable) | `Cluster` |
-| `master.service.clusterIP` | Redis® master service Cluster IP | `""` |
-| `master.service.loadBalancerIP` | Redis® master service Load Balancer IP | `""` |
-| `master.service.loadBalancerClass` | master service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` |
-| `master.service.loadBalancerSourceRanges` | Redis® master service Load Balancer sources | `[]` |
-| `master.service.externalIPs` | Redis® master service External IPs | `[]` |
-| `master.service.annotations` | Additional custom annotations for Redis® master service | `{}` |
-| `master.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
-| `master.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
-| `master.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-master pods | `30` |
-| `master.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
-| `master.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
-| `master.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` |
-| `master.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
+#### Default: Master-Replicas
-### Redis® replicas configuration parameters
+When installing the chart with `architecture=replication`, it will deploy a Redis® master StatefulSet and a Redis® replicas StatefulSet. The replicas will be read-replicas of the master.
Two services will be exposed:
-| Name | Description | Value |
-| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
-| `replica.kind` | Use either DaemonSet or StatefulSet (default) | `StatefulSet` |
-| `replica.replicaCount` | Number of Redis® replicas to deploy | `3` |
-| `replica.configuration` | Configuration for Redis® replicas nodes | `""` |
-| `replica.disableCommands` | Array with Redis® commands to disable on replicas nodes | `["FLUSHDB","FLUSHALL"]` |
-| `replica.command` | Override default container command (useful when using custom images) | `[]` |
-| `replica.args` | Override default container args (useful when using custom images) | `[]` |
-| `replica.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` |
-| `replica.preExecCmds` | Additional commands to run prior to starting Redis® replicas | `[]` |
-| `replica.extraFlags` | Array with additional command line flags for Redis® replicas | `[]` |
-| `replica.extraEnvVars` | Array with extra environment variables to add to Redis® replicas nodes | `[]` |
-| `replica.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® replicas nodes | `""` |
-| `replica.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® replicas nodes | `""` |
-| `replica.externalMaster.enabled` | Use external master for bootstrapping | `false` |
-| `replica.externalMaster.host` | External master host to bootstrap from | `""` |
-| `replica.externalMaster.port` | Port for Redis service external master host | `6379` |
-| `replica.containerPorts.redis` | Container port to open on Redis® replicas nodes | `6379` |
-| `replica.startupProbe.enabled` | Enable
startupProbe on Redis® replicas nodes | `true` |
-| `replica.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
-| `replica.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
-| `replica.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
-| `replica.startupProbe.failureThreshold` | Failure threshold for startupProbe | `22` |
-| `replica.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
-| `replica.livenessProbe.enabled` | Enable livenessProbe on Redis® replicas nodes | `true` |
-| `replica.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` |
-| `replica.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` |
-| `replica.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
-| `replica.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` |
-| `replica.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `replica.readinessProbe.enabled` | Enable readinessProbe on Redis® replicas nodes | `true` |
-| `replica.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` |
-| `replica.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
-| `replica.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
-| `replica.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` |
-| `replica.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
-| `replica.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
-| `replica.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
-| `replica.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
-| `replica.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small,
medium, large, xlarge, 2xlarge). This is ignored if replica.resources is set (replica.resources is recommended for production). | `none` |
-| `replica.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
-| `replica.podSecurityContext.enabled` | Enabled Redis® replicas pods' Security Context | `true` |
-| `replica.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
-| `replica.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
-| `replica.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
-| `replica.podSecurityContext.fsGroup` | Set Redis® replicas pod's Security Context fsGroup | `1001` |
-| `replica.containerSecurityContext.enabled` | Enabled Redis® replicas containers' Security Context | `true` |
-| `replica.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
-| `replica.containerSecurityContext.runAsUser` | Set Redis® replicas containers' Security Context runAsUser | `1001` |
-| `replica.containerSecurityContext.runAsGroup` | Set Redis® replicas containers' Security Context runAsGroup | `0` |
-| `replica.containerSecurityContext.runAsNonRoot` | Set Redis® replicas containers' Security Context runAsNonRoot | `true` |
-| `replica.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® replicas pod's Security Context allowPrivilegeEscalation | `false` |
-| `replica.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` |
-| `replica.containerSecurityContext.seccompProfile.type` | Set Redis® replicas containers' Security Context seccompProfile | `RuntimeDefault` |
-| `replica.containerSecurityContext.capabilities.drop` | Set Redis® replicas containers' Security Context capabilities to drop | `["ALL"]` |
-| `replica.schedulerName` | Alternate scheduler for Redis® replicas pods |
`""` | -| `replica.updateStrategy.type` | Redis® replicas statefulset strategy type | `RollingUpdate` | -| `replica.minReadySeconds` | How many seconds a pod needs to be ready before killing the next, during update | `0` | -| `replica.priorityClassName` | Redis® replicas pods' priorityClassName | `""` | -| `replica.podManagementPolicy` | podManagementPolicy to manage scaling operation of %%MAIN_CONTAINER_NAME%% pods | `""` | -| `replica.automountServiceAccountToken` | Mount Service Account token in pod | `false` | -| `replica.hostAliases` | Redis® replicas pods host aliases | `[]` | -| `replica.podLabels` | Extra labels for Redis® replicas pods | `{}` | -| `replica.podAnnotations` | Annotations for Redis® replicas pods | `{}` | -| `replica.shareProcessNamespace` | Share a single process namespace between all of the containers in Redis® replicas pods | `false` | -| `replica.podAffinityPreset` | Pod affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `replica.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `replica.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `replica.nodeAffinityPreset.key` | Node label key to match. Ignored if `replica.affinity` is set | `""` | -| `replica.nodeAffinityPreset.values` | Node label values to match. 
Ignored if `replica.affinity` is set | `[]` |
-| `replica.affinity` | Affinity for Redis® replicas pods assignment | `{}` |
-| `replica.nodeSelector` | Node labels for Redis® replicas pods assignment | `{}` |
-| `replica.tolerations` | Tolerations for Redis® replicas pods assignment | `[]` |
-| `replica.topologySpreadConstraints` | Spread Constraints for Redis® replicas pod assignment | `[]` |
-| `replica.dnsPolicy` | DNS Policy for Redis® replica pods | `""` |
-| `replica.dnsConfig` | DNS Configuration for Redis® replica pods | `{}` |
-| `replica.lifecycleHooks` | for the Redis® replica container(s) to automate configuration before or after startup | `{}` |
-| `replica.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® replicas pod(s) | `[]` |
-| `replica.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® replicas container(s) | `[]` |
-| `replica.sidecars` | Add additional sidecar containers to the Redis® replicas pod(s) | `[]` |
-| `replica.initContainers` | Add additional init containers to the Redis® replicas pod(s) | `[]` |
-| `replica.persistence.enabled` | Enable persistence on Redis® replicas nodes using Persistent Volume Claims | `true` |
-| `replica.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` |
-| `replica.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes.
| `""` | -| `replica.persistence.path` | The path the volume will be mounted at on Redis® replicas containers | `/data` | -| `replica.persistence.subPath` | The subdirectory of the volume to mount on Redis® replicas containers | `""` | -| `replica.persistence.subPathExpr` | Used to construct the subPath subdirectory of the volume to mount on Redis® replicas containers | `""` | -| `replica.persistence.storageClass` | Persistent Volume storage class | `""` | -| `replica.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` | -| `replica.persistence.size` | Persistent Volume size | `8Gi` | -| `replica.persistence.annotations` | Additional custom annotations for the PVC | `{}` | -| `replica.persistence.labels` | Additional custom labels for the PVC | `{}` | -| `replica.persistence.selector` | Additional labels to match for the PVC | `{}` | -| `replica.persistence.dataSource` | Custom PVC data source | `{}` | -| `replica.persistence.existingClaim` | Use a existing PVC which must be created manually before bound | `""` | -| `replica.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` | -| `replica.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | -| `replica.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | -| `replica.service.type` | Redis® replicas service type | `ClusterIP` | -| `replica.service.ports.redis` | Redis® replicas service port | `6379` | -| `replica.service.nodePorts.redis` | Node port for Redis® replicas | `""` | -| `replica.service.externalTrafficPolicy` | Redis® replicas service external traffic policy | `Cluster` | -| `replica.service.internalTrafficPolicy` | Redis® replicas service internal traffic policy (requires Kubernetes v1.22 or greater to be usable) | `Cluster` | 
-| `replica.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
-| `replica.service.clusterIP` | Redis® replicas service Cluster IP | `""` |
-| `replica.service.loadBalancerIP` | Redis® replicas service Load Balancer IP | `""` |
-| `replica.service.loadBalancerClass` | replicas service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` |
-| `replica.service.loadBalancerSourceRanges` | Redis® replicas service Load Balancer sources | `[]` |
-| `replica.service.annotations` | Additional custom annotations for Redis® replicas service | `{}` |
-| `replica.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
-| `replica.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
-| `replica.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-replicas pods | `30` |
-| `replica.autoscaling.enabled` | Enable replica autoscaling settings | `false` |
-| `replica.autoscaling.minReplicas` | Minimum replicas for the pod autoscaling | `1` |
-| `replica.autoscaling.maxReplicas` | Maximum replicas for the pod autoscaling | `11` |
-| `replica.autoscaling.targetCPU` | Percentage of CPU to consider when autoscaling | `""` |
-| `replica.autoscaling.targetMemory` | Percentage of Memory to consider when autoscaling | `""` |
-| `replica.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
-| `replica.serviceAccount.name` | The name of the ServiceAccount to use.
| `""` | -| `replica.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` | -| `replica.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | +- Redis® Master service: Points to the master, where read-write operations can be performed +- Redis® Replicas service: Points to the replicas, where only read operations are allowed by default. -### Redis® Sentinel configuration parameters +In case the master crashes, the replicas will wait until the master node is respawned again by the Kubernetes Controller Manager. -| Name | Description | Value | -| ------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | -| `sentinel.enabled` | Use Redis® Sentinel on Redis® pods. | `false` | -| `sentinel.image.registry` | Redis® Sentinel image registry | `REGISTRY_NAME` | -| `sentinel.image.repository` | Redis® Sentinel image repository | `REPOSITORY_NAME/redis-sentinel` | -| `sentinel.image.digest` | Redis® Sentinel image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `sentinel.image.pullPolicy` | Redis® Sentinel image pull policy | `IfNotPresent` | -| `sentinel.image.pullSecrets` | Redis® Sentinel image pull secrets | `[]` | -| `sentinel.image.debug` | Enable image debug mode | `false` | -| `sentinel.annotations` | Additional custom annotations for Redis® Sentinel resource | `{}` | -| `sentinel.masterSet` | Master set name | `mymaster` | -| `sentinel.quorum` | Sentinel Quorum | `2` | -| `sentinel.getMasterTimeout` | Amount of time to allow before get_sentinel_master_info() times out. 
| `90` |
-| `sentinel.automateClusterRecovery` | Automate cluster recovery in cases where the last replica is not considered a good replica and Sentinel won't automatically failover to it. | `false` |
-| `sentinel.redisShutdownWaitFailover` | Whether the Redis® master container waits for the failover at shutdown (in addition to the Redis® Sentinel container). | `true` |
-| `sentinel.downAfterMilliseconds` | Timeout for detecting a Redis® node is down | `60000` |
-| `sentinel.failoverTimeout` | Timeout for performing a election failover | `180000` |
-| `sentinel.parallelSyncs` | Number of replicas that can be reconfigured in parallel to use the new master after a failover | `1` |
-| `sentinel.configuration` | Configuration for Redis® Sentinel nodes | `""` |
-| `sentinel.command` | Override default container command (useful when using custom images) | `[]` |
-| `sentinel.args` | Override default container args (useful when using custom images) | `[]` |
-| `sentinel.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` |
-| `sentinel.preExecCmds` | Additional commands to run prior to starting Redis® Sentinel | `[]` |
-| `sentinel.extraEnvVars` | Array with extra environment variables to add to Redis® Sentinel nodes | `[]` |
-| `sentinel.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® Sentinel nodes | `""` |
-| `sentinel.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® Sentinel nodes | `""` |
-| `sentinel.externalMaster.enabled` | Use external master for bootstrapping | `false` |
-| `sentinel.externalMaster.host` | External master host to bootstrap from | `""` |
-| `sentinel.externalMaster.port` | Port for Redis service external master host | `6379` |
-| `sentinel.containerPorts.sentinel` | Container port to open on Redis® Sentinel nodes | `26379` |
-| `sentinel.startupProbe.enabled` | Enable startupProbe on Redis® Sentinel nodes | `true` |
-| `sentinel.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
-| `sentinel.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
-| `sentinel.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
-| `sentinel.startupProbe.failureThreshold` | Failure threshold for startupProbe | `22` |
-| `sentinel.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
-| `sentinel.livenessProbe.enabled` | Enable livenessProbe on Redis® Sentinel nodes | `true` |
-| `sentinel.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` |
-| `sentinel.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
-| `sentinel.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
-| `sentinel.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
-| `sentinel.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `sentinel.readinessProbe.enabled` | Enable readinessProbe on Redis® Sentinel nodes | `true` |
-| `sentinel.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` |
-| `sentinel.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
-| `sentinel.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
-| `sentinel.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
-| `sentinel.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
-| `sentinel.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
-| `sentinel.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
-| `sentinel.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
-| `sentinel.persistence.enabled` | Enable persistence on Redis® sentinel nodes using Persistent Volume Claims (Experimental) | `false` |
-|
`sentinel.persistence.storageClass` | Persistent Volume storage class | `""` |
-| `sentinel.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` |
-| `sentinel.persistence.size` | Persistent Volume size | `100Mi` |
-| `sentinel.persistence.annotations` | Additional custom annotations for the PVC | `{}` |
-| `sentinel.persistence.labels` | Additional custom labels for the PVC | `{}` |
-| `sentinel.persistence.selector` | Additional labels to match for the PVC | `{}` |
-| `sentinel.persistence.dataSource` | Custom PVC data source | `{}` |
-| `sentinel.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` |
-| `sentinel.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes. | `""` |
-| `sentinel.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` |
-| `sentinel.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` |
-| `sentinel.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` |
-| `sentinel.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sentinel.resources is set (sentinel.resources is recommended for production).
| `none` |
-| `sentinel.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
-| `sentinel.containerSecurityContext.enabled` | Enabled Redis® Sentinel containers' Security Context | `true` |
-| `sentinel.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
-| `sentinel.containerSecurityContext.runAsUser` | Set Redis® Sentinel containers' Security Context runAsUser | `1001` |
-| `sentinel.containerSecurityContext.runAsGroup` | Set Redis® Sentinel containers' Security Context runAsGroup | `0` |
-| `sentinel.containerSecurityContext.runAsNonRoot` | Set Redis® Sentinel containers' Security Context runAsNonRoot | `true` |
-| `sentinel.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` |
-| `sentinel.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® Sentinel containers' Security Context allowPrivilegeEscalation | `false` |
-| `sentinel.containerSecurityContext.seccompProfile.type` | Set Redis® Sentinel containers' Security Context seccompProfile | `RuntimeDefault` |
-| `sentinel.containerSecurityContext.capabilities.drop` | Set Redis® Sentinel containers' Security Context capabilities to drop | `["ALL"]` |
-| `sentinel.lifecycleHooks` | for the Redis® sentinel container(s) to automate configuration before or after startup | `{}` |
-| `sentinel.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® Sentinel | `[]` |
-| `sentinel.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® Sentinel container(s) | `[]` |
-| `sentinel.service.type` | Redis® Sentinel service type | `ClusterIP` |
-| `sentinel.service.ports.redis` | Redis® service port for Redis® | `6379` |
-| `sentinel.service.ports.sentinel` | Redis® service port for Redis® Sentinel | `26379` |
-| `sentinel.service.nodePorts.redis` | Node port for Redis® | 
`""` | -| `sentinel.service.nodePorts.sentinel` | Node port for Sentinel | `""` | -| `sentinel.service.externalTrafficPolicy` | Redis® Sentinel service external traffic policy | `Cluster` | -| `sentinel.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `sentinel.service.clusterIP` | Redis® Sentinel service Cluster IP | `""` | -| `sentinel.service.createMaster` | Enable master service pointing to the current master (experimental) | `false` | -| `sentinel.service.loadBalancerIP` | Redis® Sentinel service Load Balancer IP | `""` | -| `sentinel.service.loadBalancerClass` | sentinel service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | -| `sentinel.service.loadBalancerSourceRanges` | Redis® Sentinel service Load Balancer sources | `[]` | -| `sentinel.service.annotations` | Additional custom annotations for Redis® Sentinel service | `{}` | -| `sentinel.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `sentinel.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `sentinel.service.headless.annotations` | Annotations for the headless service. | `{}` | -| `sentinel.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-node pods | `30` | +#### Standalone -### Other Parameters +When installing the chart with `architecture=standalone`, it will deploy a standalone Redis® StatefulSet. 
A single service will be exposed:
-| Name | Description | Value |
-| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` |
-| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
-| `networkPolicy.allowExternal` | Don't require client label for connections | `true` |
-| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
-| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
-| `networkPolicy.extraEgress` | Add extra egress rules to the NetworkPolicy | `[]` |
-| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
-| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
-| `networkPolicy.metrics.allowExternal` | Don't require client label for connections for metrics endpoint | `true` |
-| `networkPolicy.metrics.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces to metrics endpoint | `{}` |
-| `networkPolicy.metrics.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces to metrics endpoint | `{}` |
-| `podSecurityPolicy.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
-| `podSecurityPolicy.enabled` | Enable PodSecurityPolicy's RBAC rules | `false` |
-| `rbac.create` | Specifies whether RBAC resources should be created | `false` |
-| `rbac.rules` | Custom RBAC rules to set | `[]` |
-| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
-| `serviceAccount.name` | The name of the ServiceAccount to use. 
| `""` | -| `serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` | -| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | -| `pdb.create` | Specifies whether a PodDisruptionBudget should be created | `false` | -| `pdb.minAvailable` | Min number of pods that must still be available after the eviction | `1` | -| `pdb.maxUnavailable` | Max number of pods that can be unavailable after the eviction | `""` | -| `tls.enabled` | Enable TLS traffic | `false` | -| `tls.authClients` | Require clients to authenticate | `true` | -| `tls.autoGenerated` | Enable autogenerated certificates | `false` | -| `tls.existingSecret` | The name of the existing secret that contains the TLS certificates | `""` | -| `tls.certificatesSecret` | DEPRECATED. Use existingSecret instead. | `""` | -| `tls.certFilename` | Certificate filename | `""` | -| `tls.certKeyFilename` | Certificate Key filename | `""` | -| `tls.certCAFilename` | CA Certificate filename | `""` | -| `tls.dhParamsFilename` | File containing DH params (in order to support DH based ciphers) | `""` | +- Redis® Master service: Points to the master, where read-write operations can be performed -### Metrics Parameters - -| Name | Description | Value | -| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | -| `metrics.enabled` | Start a sidecar prometheus exporter to expose Redis® metrics | `false` | -| `metrics.image.registry` | Redis® Exporter image registry | `REGISTRY_NAME` | -| `metrics.image.repository` | Redis® Exporter image repository | `REPOSITORY_NAME/redis-exporter` | -| `metrics.image.digest` | Redis® Exporter image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` |
-| `metrics.image.pullPolicy` | Redis® Exporter image pull policy | `IfNotPresent` |
-| `metrics.image.pullSecrets` | Redis® Exporter image pull secrets | `[]` |
-| `metrics.containerPorts.http` | Metrics HTTP container port | `9121` |
-| `metrics.startupProbe.enabled` | Enable startupProbe on Redis® replicas nodes | `false` |
-| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
-| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
-| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
-| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` |
-| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
-| `metrics.livenessProbe.enabled` | Enable livenessProbe on Redis® replicas nodes | `true` |
-| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` |
-| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
-| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
-| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` |
-| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `metrics.readinessProbe.enabled` | Enable readinessProbe on Redis® replicas nodes | `true` |
-| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
-| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
-| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
-| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
-| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
-| `metrics.customStartupProbe` | Custom startupProbe that 
overrides the default one | `{}` |
-| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
-| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
-| `metrics.command` | Override default metrics container init command (useful when using custom images) | `[]` |
-| `metrics.redisTargetHost` | A way to specify an alternative Redis® hostname | `localhost` |
-| `metrics.extraArgs` | Extra arguments for Redis® exporter, for example: | `{}` |
-| `metrics.extraEnvVars` | Array with extra environment variables to add to Redis® exporter | `[]` |
-| `metrics.containerSecurityContext.enabled` | Enabled Redis® exporter containers' Security Context | `true` |
-| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
-| `metrics.containerSecurityContext.runAsUser` | Set Redis® exporter containers' Security Context runAsUser | `1001` |
-| `metrics.containerSecurityContext.runAsGroup` | Set Redis® exporter containers' Security Context runAsGroup | `0` |
-| `metrics.containerSecurityContext.runAsNonRoot` | Set Redis® exporter containers' Security Context runAsNonRoot | `true` |
-| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® exporter containers' Security Context allowPrivilegeEscalation | `false` |
-| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` |
-| `metrics.containerSecurityContext.seccompProfile.type` | Set Redis® exporter containers' Security Context seccompProfile | `RuntimeDefault` |
-| `metrics.containerSecurityContext.capabilities.drop` | Set Redis® exporter containers' Security Context capabilities to drop | `["ALL"]` |
-| `metrics.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® metrics sidecar | `[]` |
-| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® 
metrics sidecar | `[]` |
-| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` |
-| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
-| `metrics.podLabels` | Extra labels for Redis® exporter pods | `{}` |
-| `metrics.podAnnotations` | Annotations for Redis® exporter pods | `{}` |
-| `metrics.service.enabled` | Create Service resource(s) for scraping metrics using PrometheusOperator ServiceMonitor, can be disabled when using a PodMonitor | `true` |
-| `metrics.service.type` | Redis® exporter service type | `ClusterIP` |
-| `metrics.service.ports.http` | Redis® exporter service port | `9121` |
-| `metrics.service.externalTrafficPolicy` | Redis® exporter service external traffic policy | `Cluster` |
-| `metrics.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
-| `metrics.service.loadBalancerIP` | Redis® exporter service Load Balancer IP | `""` |
-| `metrics.service.loadBalancerClass` | exporter service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` |
-| `metrics.service.loadBalancerSourceRanges` | Redis® exporter service Load Balancer sources | `[]` |
-| `metrics.service.annotations` | Additional custom annotations for Redis® exporter service | `{}` |
-| `metrics.service.clusterIP` | Redis® exporter service Cluster IP | `""` |
-| `metrics.serviceMonitor.port` | the service port to scrape metrics from | `http-metrics` |
-| `metrics.serviceMonitor.enabled` | Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator | `false` |
-| `metrics.serviceMonitor.namespace` | The namespace in which the ServiceMonitor will be created | `""` |
-| `metrics.serviceMonitor.interval` 
| The interval at which metrics should be scraped | `30s` |
-| `metrics.serviceMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` |
-| `metrics.serviceMonitor.relabellings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` |
-| `metrics.serviceMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. | `[]` |
-| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
-| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus | `{}` |
-| `metrics.serviceMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` |
-| `metrics.serviceMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` |
-| `metrics.serviceMonitor.targetLimit` | Limit of how many targets should be scraped | `false` |
-| `metrics.serviceMonitor.additionalEndpoints` | Additional endpoints to scrape (e.g sentinel) | `[]` |
-| `metrics.podMonitor.port` | the pod port to scrape metrics from | `metrics` |
-| `metrics.podMonitor.enabled` | Create PodMonitor resource(s) for scraping metrics using PrometheusOperator | `false` |
-| `metrics.podMonitor.namespace` | The namespace in which the PodMonitor will be created | `""` |
-| `metrics.podMonitor.interval` | The interval at which metrics should be scraped | `30s` |
-| `metrics.podMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` |
-| `metrics.podMonitor.relabellings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` |
-| `metrics.podMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. 
| `[]` |
-| `metrics.podMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
-| `metrics.podMonitor.additionalLabels` | Additional labels that can be used so PodMonitor resource(s) can be discovered by Prometheus | `{}` |
-| `metrics.podMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` |
-| `metrics.podMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` |
-| `metrics.podMonitor.targetLimit` | Limit of how many targets should be scraped | `false` |
-| `metrics.podMonitor.additionalEndpoints` | Additional endpoints to scrape (e.g sentinel) | `[]` |
-| `metrics.prometheusRule.enabled` | Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator | `false` |
-| `metrics.prometheusRule.namespace` | The namespace in which the prometheusRule will be created | `""` |
-| `metrics.prometheusRule.additionalLabels` | Additional labels for the prometheusRule | `{}` |
-| `metrics.prometheusRule.rules` | Custom Prometheus rules | `[]` |
-
-### Init Container Parameters
-
-| Name | Description | Value |
-| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- |
-| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` |
-| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` |
-| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
-| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` |
-| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
-| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
-| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` |
-| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
-| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
-| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` |
-| `kubectl.image.registry` | Kubectl image registry | `REGISTRY_NAME` |
-| `kubectl.image.repository` | Kubectl image repository | `REPOSITORY_NAME/kubectl` |
-| `kubectl.image.digest` | Kubectl image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` |
-| `kubectl.image.pullPolicy` | Kubectl image pull policy | `IfNotPresent` |
-| `kubectl.image.pullSecrets` | Kubectl pull secrets | `[]` |
-| `kubectl.command` | kubectl command to execute | `["/opt/bitnami/scripts/kubectl-scripts/update-master-label.sh"]` |
-| `kubectl.resources.limits` | The resources limits for the kubectl containers | `{}` |
-| `kubectl.resources.requests` | The requested resources for the kubectl containers | `{}` |
-| `sysctl.enabled` | Enable init container to modify Kernel settings | `false` |
-| `sysctl.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` |
-| `sysctl.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
-| `sysctl.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
-| `sysctl.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
-| `sysctl.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
-| `sysctl.command` | Override default init-sysctl container command (useful when using custom images) | `[]` |
-| `sysctl.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` |
-| `sysctl.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sysctl.resources is set (sysctl.resources is recommended for production). 
| `none` |
-| `sysctl.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
-
-### useExternalDNS Parameters
-
-| Name | Description | Value |
-| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- |
-| `useExternalDNS.enabled` | Enable various syntax that would enable external-dns to work. Note this requires a working installation of `external-dns` to be usable. | `false` |
-| `useExternalDNS.additionalAnnotations` | Extra annotations to be utilized when `external-dns` is enabled. | `{}` |
-| `useExternalDNS.annotationKey` | The annotation key utilized when `external-dns` is enabled. Setting this to `false` will disable annotations. | `external-dns.alpha.kubernetes.io/` |
-| `useExternalDNS.suffix` | The DNS suffix utilized when `external-dns` is enabled. Note that we prepend the suffix with the full name of the release. | `""` |
-
-Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
-
-```console
-helm install my-release \
- --set auth.password=secretpassword \
- oci://REGISTRY_NAME/REPOSITORY_NAME/redis
-```
-
-> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
-
-The above command sets the Redis® server password to `secretpassword`.
-
-> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. 
To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available.
-
-Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
-
-```console
-helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/redis
-```
-
-> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
-> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/redis/values.yaml)
-
-## Configuration and installation details
-
-### Resource requests and limits
-
-Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
-
-To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
-
-### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers)
-
-It is strongly recommended to use immutable tags in a production environment. 
This ensures your deployment does not change automatically if the same tag is updated with a different image.
-
-Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
-
-### Use a different Redis® version
-
-To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter.
-
-### Bootstrapping with an External Cluster
-
-This chart is equipped with the ability to bring online a set of Pods that connect to an existing Redis deployment that lies outside of Kubernetes. This effectively creates a hybrid Redis Deployment where both Pods in Kubernetes and Instances such as Virtual Machines can partake in a single Redis Deployment. This is helpful in situations where one may be migrating Redis from Virtual Machines into Kubernetes, for example. To take advantage of this, use the following as an example configuration:
-
-```yaml
-replica:
- externalMaster:
- enabled: true
- host: external-redis-0.internal
-sentinel:
- externalMaster:
- enabled: true
- host: external-redis-0.internal
-```
-
-:warning: This is currently limited to clusters in which Sentinel and Redis run on the same node! :warning:
-
-Please also note that the external sentinel must be listening on port `26379`, and this is currently not configurable.
-
-Once the Kubernetes Redis Deployment is online and confirmed to be working with the existing cluster, the configuration can then be removed and the cluster will remain connected.
-
-### External DNS
-
-This chart is equipped to allow leveraging the ExternalDNS project. Doing so will enable ExternalDNS to publish the FQDN for each instance, in the format of `..`. 
-Example, when using the following configuration:
-
-```yaml
-useExternalDNS:
- enabled: true
- suffix: prod.example.org
- additionalAnnotations:
- ttl: 10
-```
-
-On a cluster where the name of the Helm release is `a`, the hostname of a Pod is generated as: `a-redis-node-0.a-redis.prod.example.org`. The IP of that FQDN will match that of the associated Pod. This modifies the following parameters of the Redis/Sentinel configuration using this new FQDN:
-
-- `replica-announce-ip`
-- `known-sentinel`
-- `known-replica`
-- `announce-ip`
-
-:warning: This requires a working installation of `external-dns` to be fully functional. :warning:
-
-See the [official ExternalDNS documentation](https://github.com/kubernetes-sigs/external-dns) for additional configuration options.
-
-### Cluster topologies
-
-#### Default: Master-Replicas
-
-When installing the chart with `architecture=replication`, it will deploy a Redis® master StatefulSet and a Redis® replicas StatefulSet. The replicas will be read-replicas of the master. Two services will be exposed:
-
-- Redis® Master service: Points to the master, where read-write operations can be performed
-- Redis® Replicas service: Points to the replicas, where only read operations are allowed by default.
-
-In case the master crashes, the replicas will wait until the master node is respawned again by the Kubernetes Controller Manager.
-
-#### Standalone
-
-When installing the chart with `architecture=standalone`, it will deploy a standalone Redis® StatefulSet. A single service will be exposed:
-
-- Redis® Master service: Points to the master, where read-write operations can be performed
-
-#### Master-Replicas with Sentinel
+#### Master-Replicas with Sentinel
 When installing the chart with `architecture=replication` and `sentinel.enabled=true`, it will deploy a Redis® master StatefulSet (only one master allowed) and a Redis® replicas StatefulSet. In this case, the pods will contain an extra container with Redis® Sentinel. 
This container will form a cluster of Redis® Sentinel nodes, which will promote a new master in case the actual one fails. 
@@ -883,150 +284,739 @@ sysctlImage: echo never > /host-sys/kernel/mm/transparent_hugepage/enabled ``` -Alternatively, for Kubernetes 1.12+ you can set `securityContext.sysctls` which will configure `sysctls` for master and slave pods. Example: +Alternatively, for Kubernetes 1.12+ you can set `securityContext.sysctls` which will configure `sysctls` for master and slave pods. Example: + +```yaml +securityContext: + sysctls: + - name: net.core.somaxconn + value: "10000" +``` + +Note that this will not disable transparent huge tables. + +### Backup and restore + +To backup and restore Redis deployments on Kubernetes, you will need to create a snapshot of the data in the source cluster, and later restore it in a new cluster with the new parameters. Follow the instructions below: + +#### Step 1: Backup the deployment + +- Connect to one of the nodes and start the Redis CLI tool. Then, run the commands below: + + ```text + $ kubectl exec -it my-release-master-0 bash + $ redis-cli + 127.0.0.1:6379> auth your_current_redis_password + OK + 127.0.0.1:6379> save + OK + ``` + +- Copy the dump file from the Redis node: + + ```console + kubectl cp my-release-master-0:/data/dump.rdb dump.rdb -c redis + ``` + +#### Step 2: Restore the data on the destination cluster + +To restore the data in a new cluster, you will need to create a PVC and then upload the *dump.rdb* file to the new volume. + +Follow the following steps: + +- In the [*values.yaml*](https://github.com/bitnami/charts/blob/main/bitnami/redis/values.yaml) file set the *appendonly* parameter to *no*. You can skip this step if it is already configured as *no* + + ```yaml + commonConfiguration: |- + # Enable AOF https://redis.io/topics/persistence#append-only-file + appendonly no + # Disable RDB persistence, AOF persistence already enabled. + save "" + ``` + + > *Note that the `Enable AOF` comment belongs to the original config file and what you're actually doing is disabling it. 
This change will only be neccessary for the temporal cluster you're creating to upload the dump.* + +- Start the new cluster to create the PVCs. Use the command below as an example: + + ```console + helm install new-redis -f values.yaml . --set cluster.enabled=true --set cluster.slaveCount=3 + ``` + +- Now that the PVC were created, stop it and copy the *dump.rdp* file on the persisted data by using a helping pod. + + ```text + $ helm delete new-redis + + $ kubectl run --generator=run-pod/v1 -i --rm --tty volpod --overrides=' + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "redisvolpod" + }, + "spec": { + "containers": [{ + "command": [ + "tail", + "-f", + "/dev/null" + ], + "image": "bitnami/minideb", + "name": "mycontainer", + "volumeMounts": [{ + "mountPath": "/mnt", + "name": "redisdata" + }] + }], + "restartPolicy": "Never", + "volumes": [{ + "name": "redisdata", + "persistentVolumeClaim": { + "claimName": "redis-data-new-redis-master-0" + } + }] + } + }' --image="bitnami/minideb" + + $ kubectl cp dump.rdb redisvolpod:/mnt/dump.rdb + $ kubectl delete pod volpod + ``` + +- Restart the cluster: + + > **INFO:** The *appendonly* parameter can be safely restored to your desired value. + + ```console + helm install new-redis -f values.yaml . --set cluster.enabled=true --set cluster.slaveCount=3 + ``` + +### NetworkPolicy + +To enable network policy for Redis®, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. + +With NetworkPolicy enabled, only pods with the generated client label will be able to connect to Redis. This label will be displayed in the output after a successful install. + +With `networkPolicy.ingressNSMatchLabels` pods from other namespaces can connect to Redis. Set `networkPolicy.ingressNSPodMatchLabels` to match pod labels in matched namespace. 
For example, for a namespace labeled `redis=external` and pods in that namespace labeled `redis-client=true` the fields should be set: + +```yaml +networkPolicy: + enabled: true + ingressNSMatchLabels: + redis: external + ingressNSPodMatchLabels: + redis-client: true +``` + +#### Setting Pod's affinity + +This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. + +## Persistence + +By default, the chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) at the `/data` path. The volume is created using dynamic volume provisioning. If a Persistent Volume Claim already exists, specify it during installation. + +### Existing PersistentVolumeClaim + +1. Create the PersistentVolume +2. Create the PersistentVolumeClaim +3. Install the chart + +```console +helm install my-release --set master.persistence.existingClaim=PVC_NAME oci://REGISTRY_NAME/REPOSITORY_NAME/redis +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. 
+ +## Parameters + +### Global parameters + +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.redis.password` | Global Redis® password (overrides `auth.password`) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | + +### Common parameters + +| Name | Description | Value | +| ------------------------- | -------------------------------------------------------------------------------------------------------------- | --------------- | +| `kubeVersion` | Override Kubernetes version | `""` | +| `nameOverride` | String to partially override common.names.fullname | `""` | +| `fullnameOverride` | String to fully override common.names.fullname | `""` | +| `namespaceOverride` | String to fully override common.names.namespace | `""` | +| `commonLabels` | Labels to add to all deployed objects | `{}` | +| `commonAnnotations` | Annotations to add to all deployed objects | `{}` | +| `secretAnnotations` | Annotations to add to secret | `{}` | +| `clusterDomain` | Kubernetes cluster domain name | `cluster.local` | +| `extraDeploy` | Array of extra objects to deploy with the release | `[]` | +| `useHostnames` | Use hostnames internally when announcing replication. 
If false, the hostname will be resolved to an IP address | `true` | +| `nameResolutionThreshold` | Failure threshold for internal hostnames resolution | `5` | +| `nameResolutionTimeout` | Timeout seconds between probes for internal hostnames resolution | `5` | +| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | +| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` | +| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` | + +### Redis® Image parameters + +| Name | Description | Value | +| ------------------- | ---------------------------------------------------------------------------------------------------------- | ----------------------- | +| `image.registry` | Redis® image registry | `REGISTRY_NAME` | +| `image.repository` | Redis® image repository | `REPOSITORY_NAME/redis` | +| `image.digest` | Redis® image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | Redis® image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Redis® image pull secrets | `[]` | +| `image.debug` | Enable image debug mode | `false` | + +### Redis® common configuration parameters + +| Name | Description | Value | +| -------------------------------- | ------------------------------------------------------------------------------------- | ------------- | +| `architecture` | Redis® architecture. 
Allowed values: `standalone` or `replication` | `replication` | +| `auth.enabled` | Enable password authentication | `true` | +| `auth.sentinel` | Enable password authentication on sentinels too | `true` | +| `auth.password` | Redis® password | `""` | +| `auth.existingSecret` | The name of an existing secret with Redis® credentials | `""` | +| `auth.existingSecretPasswordKey` | Password key to be retrieved from existing secret | `""` | +| `auth.usePasswordFiles` | Mount credentials as files instead of using an environment variable | `false` | +| `auth.usePasswordFileFromSecret` | Mount password file from secret | `true` | +| `commonConfiguration` | Common configuration to be added into the ConfigMap | `""` | +| `existingConfigmap` | The name of an existing ConfigMap with your custom configuration for Redis® nodes | `""` | + +### Redis® master configuration parameters + +| Name | Description | Value | +| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------ | +| `master.count` | Number of Redis® master instances to deploy (experimental, requires additional configuration) | `1` | +| `master.configuration` | Configuration for Redis® master nodes | `""` | +| `master.disableCommands` | Array with Redis® commands to disable on master nodes | `["FLUSHDB","FLUSHALL"]` | +| `master.command` | Override default container command (useful when using custom images) | `[]` | +| `master.args` | Override default container args (useful when using custom images) | `[]` | +| `master.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | +| `master.preExecCmds` | Additional commands to run prior to starting Redis® master | `[]` | +| `master.extraFlags` | Array with additional 
command line flags for Redis® master | `[]` | +| `master.extraEnvVars` | Array with extra environment variables to add to Redis® master nodes | `[]` | +| `master.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® master nodes | `""` | +| `master.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® master nodes | `""` | +| `master.containerPorts.redis` | Container port to open on Redis® master nodes | `6379` | +| `master.startupProbe.enabled` | Enable startupProbe on Redis® master nodes | `false` | +| `master.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `20` | +| `master.startupProbe.periodSeconds` | Period seconds for startupProbe | `5` | +| `master.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `master.startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` | +| `master.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `master.livenessProbe.enabled` | Enable livenessProbe on Redis® master nodes | `true` | +| `master.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` | +| `master.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | +| `master.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `master.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` | +| `master.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `master.readinessProbe.enabled` | Enable readinessProbe on Redis® master nodes | `true` | +| `master.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` | +| `master.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `master.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `master.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` | +| 
`master.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `master.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `master.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `master.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `master.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production). | `nano` | +| `master.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `master.podSecurityContext.enabled` | Enabled Redis® master pods' Security Context | `true` | +| `master.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `master.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `master.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `master.podSecurityContext.fsGroup` | Set Redis® master pod's Security Context fsGroup | `1001` | +| `master.containerSecurityContext.enabled` | Enabled Redis® master containers' Security Context | `true` | +| `master.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `master.containerSecurityContext.runAsUser` | Set Redis® master containers' Security Context runAsUser | `1001` | +| `master.containerSecurityContext.runAsGroup` | Set Redis® master containers' Security Context runAsGroup | `1001` | +| `master.containerSecurityContext.runAsNonRoot` | Set Redis® master containers' Security Context runAsNonRoot | `true` | +| `master.containerSecurityContext.allowPrivilegeEscalation` | Is it possible to escalate Redis® pod(s) privileges | `false` | +| 
`master.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `true` | +| `master.containerSecurityContext.seccompProfile.type` | Set Redis® master containers' Security Context seccompProfile | `RuntimeDefault` | +| `master.containerSecurityContext.capabilities.drop` | Set Redis® master containers' Security Context capabilities to drop | `["ALL"]` | +| `master.kind` | Use either Deployment, StatefulSet (default) or DaemonSet | `StatefulSet` | +| `master.schedulerName` | Alternate scheduler for Redis® master pods | `""` | +| `master.updateStrategy.type` | Redis® master statefulset strategy type | `RollingUpdate` | +| `master.minReadySeconds` | How many seconds a pod needs to be ready before killing the next, during update | `0` | +| `master.priorityClassName` | Redis® master pods' priorityClassName | `""` | +| `master.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `master.hostAliases` | Redis® master pods host aliases | `[]` | +| `master.podLabels` | Extra labels for Redis® master pods | `{}` | +| `master.podAnnotations` | Annotations for Redis® master pods | `{}` | +| `master.shareProcessNamespace` | Share a single process namespace between all of the containers in Redis® master pods | `false` | +| `master.podAffinityPreset` | Pod affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `master.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `master.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `master.nodeAffinityPreset.key` | Node label key to match. Ignored if `master.affinity` is set | `""` | +| `master.nodeAffinityPreset.values` | Node label values to match. 
Ignored if `master.affinity` is set | `[]` | +| `master.affinity` | Affinity for Redis® master pods assignment | `{}` | +| `master.nodeSelector` | Node labels for Redis® master pods assignment | `{}` | +| `master.tolerations` | Tolerations for Redis® master pods assignment | `[]` | +| `master.topologySpreadConstraints` | Spread Constraints for Redis® master pod assignment | `[]` | +| `master.dnsPolicy` | DNS Policy for Redis® master pod | `""` | +| `master.dnsConfig` | DNS Configuration for Redis® master pod | `{}` | +| `master.lifecycleHooks` | for the Redis® master container(s) to automate configuration before or after startup | `{}` | +| `master.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® master pod(s) | `[]` | +| `master.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® master container(s) | `[]` | +| `master.sidecars` | Add additional sidecar containers to the Redis® master pod(s) | `[]` | +| `master.initContainers` | Add additional init containers to the Redis® master pod(s) | `[]` | +| `master.persistence.enabled` | Enable persistence on Redis® master nodes using Persistent Volume Claims | `true` | +| `master.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | +| `master.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes. 
| `""` | +| `master.persistence.path` | The path the volume will be mounted at on Redis® master containers | `/data` | +| `master.persistence.subPath` | The subdirectory of the volume to mount on Redis® master containers | `""` | +| `master.persistence.subPathExpr` | Used to construct the subPath subdirectory of the volume to mount on Redis® master containers | `""` | +| `master.persistence.storageClass` | Persistent Volume storage class | `""` | +| `master.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` | +| `master.persistence.size` | Persistent Volume size | `8Gi` | +| `master.persistence.annotations` | Additional custom annotations for the PVC | `{}` | +| `master.persistence.labels` | Additional custom labels for the PVC | `{}` | +| `master.persistence.selector` | Additional labels to match for the PVC | `{}` | +| `master.persistence.dataSource` | Custom PVC data source | `{}` | +| `master.persistence.existingClaim` | Use a existing PVC which must be created manually before bound | `""` | +| `master.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` | +| `master.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | +| `master.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | +| `master.service.type` | Redis® master service type | `ClusterIP` | +| `master.service.ports.redis` | Redis® master service port | `6379` | +| `master.service.nodePorts.redis` | Node port for Redis® master | `""` | +| `master.service.externalTrafficPolicy` | Redis® master service external traffic policy | `Cluster` | +| `master.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `master.service.internalTrafficPolicy` | Redis® master service internal traffic 
policy (requires Kubernetes v1.22 or greater to be usable) | `Cluster` | +| `master.service.clusterIP` | Redis® master service Cluster IP | `""` | +| `master.service.loadBalancerIP` | Redis® master service Load Balancer IP | `""` | +| `master.service.loadBalancerClass` | master service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | +| `master.service.loadBalancerSourceRanges` | Redis® master service Load Balancer sources | `[]` | +| `master.service.externalIPs` | Redis® master service External IPs | `[]` | +| `master.service.annotations` | Additional custom annotations for Redis® master service | `{}` | +| `master.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `master.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `master.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-master pods | `30` | +| `master.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | +| `master.serviceAccount.name` | The name of the ServiceAccount to use. 
| `""` | +| `master.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` | +| `master.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | + +### Redis® replicas configuration parameters + +| Name | Description | Value | +| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | +| `replica.kind` | Use either DaemonSet or StatefulSet (default) | `StatefulSet` | +| `replica.replicaCount` | Number of Redis® replicas to deploy | `3` | +| `replica.configuration` | Configuration for Redis® replicas nodes | `""` | +| `replica.disableCommands` | Array with Redis® commands to disable on replicas nodes | `["FLUSHDB","FLUSHALL"]` | +| `replica.command` | Override default container command (useful when using custom images) | `[]` | +| `replica.args` | Override default container args (useful when using custom images) | `[]` | +| `replica.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | +| `replica.preExecCmds` | Additional commands to run prior to starting Redis® replicas | `[]` | +| `replica.extraFlags` | Array with additional command line flags for Redis® replicas | `[]` | +| `replica.extraEnvVars` | Array with extra environment variables to add to Redis® replicas nodes | `[]` | +| `replica.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® replicas nodes | `""` | +| `replica.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® replicas nodes | `""` | +| `replica.externalMaster.enabled` | Use external master for bootstrapping | `false` | +| `replica.externalMaster.host` | External master host to bootstrap 
from | `""` | +| `replica.externalMaster.port` | Port for Redis service external master host | `6379` | +| `replica.containerPorts.redis` | Container port to open on Redis® replicas nodes | `6379` | +| `replica.startupProbe.enabled` | Enable startupProbe on Redis® replicas nodes | `true` | +| `replica.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `replica.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `replica.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `replica.startupProbe.failureThreshold` | Failure threshold for startupProbe | `22` | +| `replica.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `replica.livenessProbe.enabled` | Enable livenessProbe on Redis® replicas nodes | `true` | +| `replica.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` | +| `replica.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | +| `replica.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `replica.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` | +| `replica.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `replica.readinessProbe.enabled` | Enable readinessProbe on Redis® replicas nodes | `true` | +| `replica.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` | +| `replica.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `replica.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `replica.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` | +| `replica.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `replica.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `replica.customLivenessProbe` | Custom livenessProbe that overrides the 
default one | `{}` | +| `replica.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `replica.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if replica.resources is set (replica.resources is recommended for production). | `nano` | +| `replica.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `replica.podSecurityContext.enabled` | Enabled Redis® replicas pods' Security Context | `true` | +| `replica.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `replica.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `replica.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `replica.podSecurityContext.fsGroup` | Set Redis® replicas pod's Security Context fsGroup | `1001` | +| `replica.containerSecurityContext.enabled` | Enabled Redis® replicas containers' Security Context | `true` | +| `replica.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `replica.containerSecurityContext.runAsUser` | Set Redis® replicas containers' Security Context runAsUser | `1001` | +| `replica.containerSecurityContext.runAsGroup` | Set Redis® replicas containers' Security Context runAsGroup | `1001` | +| `replica.containerSecurityContext.runAsNonRoot` | Set Redis® replicas containers' Security Context runAsNonRoot | `true` | +| `replica.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® replicas pod's Security Context allowPrivilegeEscalation | `false` | +| `replica.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `true` | +| `replica.containerSecurityContext.seccompProfile.type` | Set Redis® replicas containers' Security Context 
seccompProfile | `RuntimeDefault` | +| `replica.containerSecurityContext.capabilities.drop` | Set Redis® replicas containers' Security Context capabilities to drop | `["ALL"]` | +| `replica.schedulerName` | Alternate scheduler for Redis® replicas pods | `""` | +| `replica.updateStrategy.type` | Redis® replicas statefulset strategy type | `RollingUpdate` | +| `replica.minReadySeconds` | How many seconds a pod needs to be ready before killing the next, during update | `0` | +| `replica.priorityClassName` | Redis® replicas pods' priorityClassName | `""` | +| `replica.podManagementPolicy` | podManagementPolicy to manage scaling operation of %%MAIN_CONTAINER_NAME%% pods | `""` | +| `replica.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `replica.hostAliases` | Redis® replicas pods host aliases | `[]` | +| `replica.podLabels` | Extra labels for Redis® replicas pods | `{}` | +| `replica.podAnnotations` | Annotations for Redis® replicas pods | `{}` | +| `replica.shareProcessNamespace` | Share a single process namespace between all of the containers in Redis® replicas pods | `false` | +| `replica.podAffinityPreset` | Pod affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `replica.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `replica.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `replica.nodeAffinityPreset.key` | Node label key to match. Ignored if `replica.affinity` is set | `""` | +| `replica.nodeAffinityPreset.values` | Node label values to match. 
Ignored if `replica.affinity` is set | `[]` | +| `replica.affinity` | Affinity for Redis® replicas pods assignment | `{}` | +| `replica.nodeSelector` | Node labels for Redis® replicas pods assignment | `{}` | +| `replica.tolerations` | Tolerations for Redis® replicas pods assignment | `[]` | +| `replica.topologySpreadConstraints` | Spread Constraints for Redis® replicas pod assignment | `[]` | +| `replica.dnsPolicy` | DNS Policy for Redis® replica pods | `""` | +| `replica.dnsConfig` | DNS Configuration for Redis® replica pods | `{}` | +| `replica.lifecycleHooks` | for the Redis® replica container(s) to automate configuration before or after startup | `{}` | +| `replica.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® replicas pod(s) | `[]` | +| `replica.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® replicas container(s) | `[]` | +| `replica.sidecars` | Add additional sidecar containers to the Redis® replicas pod(s) | `[]` | +| `replica.initContainers` | Add additional init containers to the Redis® replicas pod(s) | `[]` | +| `replica.persistence.enabled` | Enable persistence on Redis® replicas nodes using Persistent Volume Claims | `true` | +| `replica.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | +| `replica.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes. 
| `""` | +| `replica.persistence.path` | The path the volume will be mounted at on Redis® replicas containers | `/data` | +| `replica.persistence.subPath` | The subdirectory of the volume to mount on Redis® replicas containers | `""` | +| `replica.persistence.subPathExpr` | Used to construct the subPath subdirectory of the volume to mount on Redis® replicas containers | `""` | +| `replica.persistence.storageClass` | Persistent Volume storage class | `""` | +| `replica.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` | +| `replica.persistence.size` | Persistent Volume size | `8Gi` | +| `replica.persistence.annotations` | Additional custom annotations for the PVC | `{}` | +| `replica.persistence.labels` | Additional custom labels for the PVC | `{}` | +| `replica.persistence.selector` | Additional labels to match for the PVC | `{}` | +| `replica.persistence.dataSource` | Custom PVC data source | `{}` | +| `replica.persistence.existingClaim` | Use a existing PVC which must be created manually before bound | `""` | +| `replica.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` | +| `replica.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | +| `replica.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | +| `replica.service.type` | Redis® replicas service type | `ClusterIP` | +| `replica.service.ports.redis` | Redis® replicas service port | `6379` | +| `replica.service.nodePorts.redis` | Node port for Redis® replicas | `""` | +| `replica.service.externalTrafficPolicy` | Redis® replicas service external traffic policy | `Cluster` | +| `replica.service.internalTrafficPolicy` | Redis® replicas service internal traffic policy (requires Kubernetes v1.22 or greater to be usable) | `Cluster` | 
+| `replica.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
+| `replica.service.clusterIP` | Redis® replicas service Cluster IP | `""` |
+| `replica.service.loadBalancerIP` | Redis® replicas service Load Balancer IP | `""` |
+| `replica.service.loadBalancerClass` | replicas service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` |
+| `replica.service.loadBalancerSourceRanges` | Redis® replicas service Load Balancer sources | `[]` |
+| `replica.service.annotations` | Additional custom annotations for Redis® replicas service | `{}` |
+| `replica.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
+| `replica.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `replica.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-replicas pods | `30` |
+| `replica.autoscaling.enabled` | Enable replica autoscaling settings | `false` |
+| `replica.autoscaling.minReplicas` | Minimum replicas for the pod autoscaling | `1` |
+| `replica.autoscaling.maxReplicas` | Maximum replicas for the pod autoscaling | `11` |
+| `replica.autoscaling.targetCPU` | Percentage of CPU to consider when autoscaling | `""` |
+| `replica.autoscaling.targetMemory` | Percentage of Memory to consider when autoscaling | `""` |
+| `replica.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
+| `replica.serviceAccount.name` | The name of the ServiceAccount to use.
| `""` |
+| `replica.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` |
+| `replica.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
+
+### Redis® Sentinel configuration parameters
+
+| Name | Description | Value |
+| ------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- |
+| `sentinel.enabled` | Use Redis® Sentinel on Redis® pods. | `false` |
+| `sentinel.image.registry` | Redis® Sentinel image registry | `REGISTRY_NAME` |
+| `sentinel.image.repository` | Redis® Sentinel image repository | `REPOSITORY_NAME/redis-sentinel` |
+| `sentinel.image.digest` | Redis® Sentinel image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `sentinel.image.pullPolicy` | Redis® Sentinel image pull policy | `IfNotPresent` |
+| `sentinel.image.pullSecrets` | Redis® Sentinel image pull secrets | `[]` |
+| `sentinel.image.debug` | Enable image debug mode | `false` |
+| `sentinel.annotations` | Additional custom annotations for Redis® Sentinel resource | `{}` |
+| `sentinel.masterSet` | Master set name | `mymaster` |
+| `sentinel.quorum` | Sentinel Quorum | `2` |
+| `sentinel.getMasterTimeout` | Amount of time to allow before get_sentinel_master_info() times out. | `90` |
+| `sentinel.automateClusterRecovery` | Automate cluster recovery in cases where the last replica is not considered a good replica and Sentinel won't automatically failover to it. | `false` |
+| `sentinel.redisShutdownWaitFailover` | Whether the Redis® master container waits for the failover at shutdown (in addition to the Redis® Sentinel container).
| `true` |
+| `sentinel.downAfterMilliseconds` | Timeout for detecting a Redis® node is down | `60000` |
+| `sentinel.failoverTimeout` | Timeout for performing a election failover | `180000` |
+| `sentinel.parallelSyncs` | Number of replicas that can be reconfigured in parallel to use the new master after a failover | `1` |
+| `sentinel.configuration` | Configuration for Redis® Sentinel nodes | `""` |
+| `sentinel.command` | Override default container command (useful when using custom images) | `[]` |
+| `sentinel.args` | Override default container args (useful when using custom images) | `[]` |
+| `sentinel.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` |
+| `sentinel.preExecCmds` | Additional commands to run prior to starting Redis® Sentinel | `[]` |
+| `sentinel.extraEnvVars` | Array with extra environment variables to add to Redis® Sentinel nodes | `[]` |
+| `sentinel.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® Sentinel nodes | `""` |
+| `sentinel.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® Sentinel nodes | `""` |
+| `sentinel.externalMaster.enabled` | Use external master for bootstrapping | `false` |
+| `sentinel.externalMaster.host` | External master host to bootstrap from | `""` |
+| `sentinel.externalMaster.port` | Port for Redis service external master host | `6379` |
+| `sentinel.containerPorts.sentinel` | Container port to open on Redis® Sentinel nodes | `26379` |
+| `sentinel.startupProbe.enabled` | Enable startupProbe on Redis® Sentinel nodes | `true` |
+| `sentinel.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
+| `sentinel.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
+| `sentinel.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
+| `sentinel.startupProbe.failureThreshold` | Failure threshold for startupProbe | `22` |
+|
`sentinel.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `sentinel.livenessProbe.enabled` | Enable livenessProbe on Redis® Sentinel nodes | `true` |
+| `sentinel.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` |
+| `sentinel.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
+| `sentinel.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
+| `sentinel.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
+| `sentinel.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `sentinel.readinessProbe.enabled` | Enable readinessProbe on Redis® Sentinel nodes | `true` |
+| `sentinel.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` |
+| `sentinel.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
+| `sentinel.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
+| `sentinel.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
+| `sentinel.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `sentinel.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
+| `sentinel.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
+| `sentinel.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
+| `sentinel.persistence.enabled` | Enable persistence on Redis® sentinel nodes using Persistent Volume Claims (Experimental) | `false` |
+| `sentinel.persistence.storageClass` | Persistent Volume storage class | `""` |
+| `sentinel.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` |
+| `sentinel.persistence.size` | Persistent Volume size | `100Mi` |
+| `sentinel.persistence.annotations` | Additional custom annotations for the PVC | `{}` |
+| `sentinel.persistence.labels` |
Additional custom labels for the PVC | `{}` |
+| `sentinel.persistence.selector` | Additional labels to match for the PVC | `{}` |
+| `sentinel.persistence.dataSource` | Custom PVC data source | `{}` |
+| `sentinel.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` |
+| `sentinel.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes. | `""` |
+| `sentinel.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` |
+| `sentinel.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` |
+| `sentinel.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` |
+| `sentinel.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sentinel.resources is set (sentinel.resources is recommended for production).
| `nano` |
+| `sentinel.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `sentinel.containerSecurityContext.enabled` | Enabled Redis® Sentinel containers' Security Context | `true` |
+| `sentinel.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
+| `sentinel.containerSecurityContext.runAsUser` | Set Redis® Sentinel containers' Security Context runAsUser | `1001` |
+| `sentinel.containerSecurityContext.runAsGroup` | Set Redis® Sentinel containers' Security Context runAsGroup | `1001` |
+| `sentinel.containerSecurityContext.runAsNonRoot` | Set Redis® Sentinel containers' Security Context runAsNonRoot | `true` |
+| `sentinel.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `true` |
+| `sentinel.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® Sentinel containers' Security Context allowPrivilegeEscalation | `false` |
+| `sentinel.containerSecurityContext.seccompProfile.type` | Set Redis® Sentinel containers' Security Context seccompProfile | `RuntimeDefault` |
+| `sentinel.containerSecurityContext.capabilities.drop` | Set Redis® Sentinel containers' Security Context capabilities to drop | `["ALL"]` |
+| `sentinel.lifecycleHooks` | for the Redis® sentinel container(s) to automate configuration before or after startup | `{}` |
+| `sentinel.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® Sentinel | `[]` |
+| `sentinel.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® Sentinel container(s) | `[]` |
+| `sentinel.service.type` | Redis® Sentinel service type | `ClusterIP` |
+| `sentinel.service.ports.redis` | Redis® service port for Redis® | `6379` |
+| `sentinel.service.ports.sentinel` | Redis® service port for Redis® Sentinel | `26379` |
+| `sentinel.service.nodePorts.redis` | Node port for Redis®
| `""` |
+| `sentinel.service.nodePorts.sentinel` | Node port for Sentinel | `""` |
+| `sentinel.service.externalTrafficPolicy` | Redis® Sentinel service external traffic policy | `Cluster` |
+| `sentinel.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
+| `sentinel.service.clusterIP` | Redis® Sentinel service Cluster IP | `""` |
+| `sentinel.service.createMaster` | Enable master service pointing to the current master (experimental) | `false` |
+| `sentinel.service.loadBalancerIP` | Redis® Sentinel service Load Balancer IP | `""` |
+| `sentinel.service.loadBalancerClass` | sentinel service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` |
+| `sentinel.service.loadBalancerSourceRanges` | Redis® Sentinel service Load Balancer sources | `[]` |
+| `sentinel.service.annotations` | Additional custom annotations for Redis® Sentinel service | `{}` |
+| `sentinel.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
+| `sentinel.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `sentinel.service.headless.annotations` | Annotations for the headless service.
| `{}` |
+| `sentinel.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-node pods | `30` |
+
+### Other Parameters
+
+| Name | Description | Value |
+| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` |
+| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
+| `networkPolicy.allowExternal` | Don't require client label for connections | `true` |
+| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
+| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
+| `networkPolicy.extraEgress` | Add extra egress rules to the NetworkPolicy | `[]` |
+| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
+| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
+| `networkPolicy.metrics.allowExternal` | Don't require client label for connections for metrics endpoint | `true` |
+| `networkPolicy.metrics.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces to metrics endpoint | `{}` |
+| `networkPolicy.metrics.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces to metrics endpoint | `{}` |
+| `podSecurityPolicy.create` | Whether to create a PodSecurityPolicy.
WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
+| `podSecurityPolicy.enabled` | Enable PodSecurityPolicy's RBAC rules | `false` |
+| `rbac.create` | Specifies whether RBAC resources should be created | `false` |
+| `rbac.rules` | Custom RBAC rules to set | `[]` |
+| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
+| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
+| `serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` |
+| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
+| `pdb.create` | Specifies whether a PodDisruptionBudget should be created | `false` |
+| `pdb.minAvailable` | Min number of pods that must still be available after the eviction | `1` |
+| `pdb.maxUnavailable` | Max number of pods that can be unavailable after the eviction | `""` |
+| `tls.enabled` | Enable TLS traffic | `false` |
+| `tls.authClients` | Require clients to authenticate | `true` |
+| `tls.autoGenerated` | Enable autogenerated certificates | `false` |
+| `tls.existingSecret` | The name of the existing secret that contains the TLS certificates | `""` |
+| `tls.certificatesSecret` | DEPRECATED. Use existingSecret instead.
| `""` |
+| `tls.certFilename` | Certificate filename | `""` |
+| `tls.certKeyFilename` | Certificate Key filename | `""` |
+| `tls.certCAFilename` | CA Certificate filename | `""` |
+| `tls.dhParamsFilename` | File containing DH params (in order to support DH based ciphers) | `""` |
+
+### Metrics Parameters
-```yaml
-securityContext:
- sysctls:
- - name: net.core.somaxconn
- value: "10000"
-```
+| Name | Description | Value |
+| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- |
+| `metrics.enabled` | Start a sidecar prometheus exporter to expose Redis® metrics | `false` |
+| `metrics.image.registry` | Redis® Exporter image registry | `REGISTRY_NAME` |
+| `metrics.image.repository` | Redis® Exporter image repository | `REPOSITORY_NAME/redis-exporter` |
+| `metrics.image.digest` | Redis® Exporter image digest in the way sha256:aa....
Please note this parameter, if set, will override the tag | `""` |
+| `metrics.image.pullPolicy` | Redis® Exporter image pull policy | `IfNotPresent` |
+| `metrics.image.pullSecrets` | Redis® Exporter image pull secrets | `[]` |
+| `metrics.containerPorts.http` | Metrics HTTP container port | `9121` |
+| `metrics.startupProbe.enabled` | Enable startupProbe on Redis® replicas nodes | `false` |
+| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
+| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
+| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
+| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` |
+| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `metrics.livenessProbe.enabled` | Enable livenessProbe on Redis® replicas nodes | `true` |
+| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` |
+| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
+| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
+| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` |
+| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `metrics.readinessProbe.enabled` | Enable readinessProbe on Redis® replicas nodes | `true` |
+| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
+| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
+| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
+| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
+| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `metrics.customStartupProbe` | Custom startupProbe that
overrides the default one | `{}` |
+| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
+| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
+| `metrics.command` | Override default metrics container init command (useful when using custom images) | `[]` |
+| `metrics.redisTargetHost` | A way to specify an alternative Redis® hostname | `localhost` |
+| `metrics.extraArgs` | Extra arguments for Redis® exporter, for example: | `{}` |
+| `metrics.extraEnvVars` | Array with extra environment variables to add to Redis® exporter | `[]` |
+| `metrics.containerSecurityContext.enabled` | Enabled Redis® exporter containers' Security Context | `true` |
+| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
+| `metrics.containerSecurityContext.runAsUser` | Set Redis® exporter containers' Security Context runAsUser | `1001` |
+| `metrics.containerSecurityContext.runAsGroup` | Set Redis® exporter containers' Security Context runAsGroup | `1001` |
+| `metrics.containerSecurityContext.runAsNonRoot` | Set Redis® exporter containers' Security Context runAsNonRoot | `true` |
+| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® exporter containers' Security Context allowPrivilegeEscalation | `false` |
+| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `true` |
+| `metrics.containerSecurityContext.seccompProfile.type` | Set Redis® exporter containers' Security Context seccompProfile | `RuntimeDefault` |
+| `metrics.containerSecurityContext.capabilities.drop` | Set Redis® exporter containers' Security Context capabilities to drop | `["ALL"]` |
+| `metrics.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® metrics sidecar | `[]` |
+| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis®
metrics sidecar | `[]` |
+| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` |
+| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `metrics.podLabels` | Extra labels for Redis® exporter pods | `{}` |
+| `metrics.podAnnotations` | Annotations for Redis® exporter pods | `{}` |
+| `metrics.service.enabled` | Create Service resource(s) for scraping metrics using PrometheusOperator ServiceMonitor, can be disabled when using a PodMonitor | `true` |
+| `metrics.service.type` | Redis® exporter service type | `ClusterIP` |
+| `metrics.service.ports.http` | Redis® exporter service port | `9121` |
+| `metrics.service.externalTrafficPolicy` | Redis® exporter service external traffic policy | `Cluster` |
+| `metrics.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
+| `metrics.service.loadBalancerIP` | Redis® exporter service Load Balancer IP | `""` |
+| `metrics.service.loadBalancerClass` | exporter service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` |
+| `metrics.service.loadBalancerSourceRanges` | Redis® exporter service Load Balancer sources | `[]` |
+| `metrics.service.annotations` | Additional custom annotations for Redis® exporter service | `{}` |
+| `metrics.service.clusterIP` | Redis® exporter service Cluster IP | `""` |
+| `metrics.serviceMonitor.port` | the service port to scrape metrics from | `http-metrics` |
+| `metrics.serviceMonitor.enabled` | Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator | `false` |
+| `metrics.serviceMonitor.namespace` | The namespace in which the ServiceMonitor will be created | `""` |
+| `metrics.serviceMonitor.interval`
| The interval at which metrics should be scraped | `30s` |
+| `metrics.serviceMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` |
+| `metrics.serviceMonitor.relabelings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` |
+| `metrics.serviceMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. | `[]` |
+| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
+| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus | `{}` |
+| `metrics.serviceMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` |
+| `metrics.serviceMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` |
+| `metrics.serviceMonitor.targetLimit` | Limit of how many targets should be scraped | `false` |
+| `metrics.serviceMonitor.additionalEndpoints` | Additional endpoints to scrape (e.g sentinel) | `[]` |
+| `metrics.podMonitor.port` | the pod port to scrape metrics from | `metrics` |
+| `metrics.podMonitor.enabled` | Create PodMonitor resource(s) for scraping metrics using PrometheusOperator | `false` |
+| `metrics.podMonitor.namespace` | The namespace in which the PodMonitor will be created | `""` |
+| `metrics.podMonitor.interval` | The interval at which metrics should be scraped | `30s` |
+| `metrics.podMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` |
+| `metrics.podMonitor.relabelings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` |
+| `metrics.podMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion.
| `[]` |
+| `metrics.podMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
+| `metrics.podMonitor.additionalLabels` | Additional labels that can be used so PodMonitor resource(s) can be discovered by Prometheus | `{}` |
+| `metrics.podMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` |
+| `metrics.podMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` |
+| `metrics.podMonitor.targetLimit` | Limit of how many targets should be scraped | `false` |
+| `metrics.podMonitor.additionalEndpoints` | Additional endpoints to scrape (e.g sentinel) | `[]` |
+| `metrics.prometheusRule.enabled` | Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator | `false` |
+| `metrics.prometheusRule.namespace` | The namespace in which the prometheusRule will be created | `""` |
+| `metrics.prometheusRule.additionalLabels` | Additional labels for the prometheusRule | `{}` |
+| `metrics.prometheusRule.rules` | Custom Prometheus rules | `[]` |
-Note that this will not disable transparent huge tables.
+### Init Container Parameters
-## Persistence
+| Name | Description | Value |
+| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- |
+| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` |
+| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` |
+| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
+| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
+| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
+| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
| `nano` |
+| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
+| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` |
+| `kubectl.image.registry` | Kubectl image registry | `REGISTRY_NAME` |
+| `kubectl.image.repository` | Kubectl image repository | `REPOSITORY_NAME/kubectl` |
+| `kubectl.image.digest` | Kubectl image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `kubectl.image.pullPolicy` | Kubectl image pull policy | `IfNotPresent` |
+| `kubectl.image.pullSecrets` | Kubectl pull secrets | `[]` |
+| `kubectl.command` | kubectl command to execute | `["/opt/bitnami/scripts/kubectl-scripts/update-master-label.sh"]` |
+| `kubectl.resources.limits` | The resources limits for the kubectl containers | `{}` |
+| `kubectl.resources.requests` | The requested resources for the kubectl containers | `{}` |
+| `sysctl.enabled` | Enable init container to modify Kernel settings | `false` |
+| `sysctl.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` |
+| `sysctl.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
+| `sysctl.image.digest` | OS Shell + Utility image digest in the way sha256:aa....
Please note this parameter, if set, will override the tag | `""` |
+| `sysctl.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
+| `sysctl.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
+| `sysctl.command` | Override default init-sysctl container command (useful when using custom images) | `[]` |
+| `sysctl.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` |
+| `sysctl.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sysctl.resources is set (sysctl.resources is recommended for production). | `nano` |
+| `sysctl.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
-By default, the chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) at the `/data` path. The volume is created using dynamic volume provisioning. If a Persistent Volume Claim already exists, specify it during installation.
+### useExternalDNS Parameters
-### Existing PersistentVolumeClaim
+| Name | Description | Value |
+| -------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- |
+| `useExternalDNS.enabled` | Enable various syntax that would enable external-dns to work. Note this requires a working installation of `external-dns` to be usable. | `false` |
+| `useExternalDNS.additionalAnnotations` | Extra annotations to be utilized when `external-dns` is enabled. | `{}` |
+| `useExternalDNS.annotationKey` | The annotation key utilized when `external-dns` is enabled. Setting this to `false` will disable annotations. | `external-dns.alpha.kubernetes.io/` |
+| `useExternalDNS.suffix` | The DNS suffix utilized when `external-dns` is enabled.
Note that we prepend the suffix with the full name of the release. | `""` | -1. Create the PersistentVolume -2. Create the PersistentVolumeClaim -3. Install the chart +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, ```console -helm install my-release --set master.persistence.existingClaim=PVC_NAME oci://REGISTRY_NAME/REPOSITORY_NAME/redis +helm install my-release \ + --set auth.password=secretpassword \ + oci://REGISTRY_NAME/REPOSITORY_NAME/redis ``` > Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. -## Backup and restore - -To backup and restore Redis deployments on Kubernetes, you will need to create a snapshot of the data in the source cluster, and later restore it in a new cluster with the new parameters. Follow the instructions below: - -### Step 1: Backup the deployment - -- Connect to one of the nodes and start the Redis CLI tool. Then, run the commands below: - - ```text - $ kubectl exec -it my-release-master-0 bash - $ redis-cli - 127.0.0.1:6379> auth your_current_redis_password - OK - 127.0.0.1:6379> save - OK - ``` - -- Copy the dump file from the Redis node: - - ```console - kubectl cp my-release-master-0:/data/dump.rdb dump.rdb -c redis - ``` - -### Step 2: Restore the data on the destination cluster - -To restore the data in a new cluster, you will need to create a PVC and then upload the *dump.rdb* file to the new volume. - -Follow the following steps: - -- In the [*values.yaml*](https://github.com/bitnami/charts/blob/main/bitnami/redis/values.yaml) file set the *appendonly* parameter to *no*. 
You can skip this step if it is already configured as *no* - - ```yaml - commonConfiguration: |- - # Enable AOF https://redis.io/topics/persistence#append-only-file - appendonly no - # Disable RDB persistence, AOF persistence already enabled. - save "" - ``` - - > *Note that the `Enable AOF` comment belongs to the original config file and what you're actually doing is disabling it. This change will only be neccessary for the temporal cluster you're creating to upload the dump.* - -- Start the new cluster to create the PVCs. Use the command below as an example: - - ```console - helm install new-redis -f values.yaml . --set cluster.enabled=true --set cluster.slaveCount=3 - ``` - -- Now that the PVC were created, stop it and copy the *dump.rdp* file on the persisted data by using a helping pod. - - ```text - $ helm delete new-redis - - $ kubectl run --generator=run-pod/v1 -i --rm --tty volpod --overrides=' - { - "apiVersion": "v1", - "kind": "Pod", - "metadata": { - "name": "redisvolpod" - }, - "spec": { - "containers": [{ - "command": [ - "tail", - "-f", - "/dev/null" - ], - "image": "bitnami/minideb", - "name": "mycontainer", - "volumeMounts": [{ - "mountPath": "/mnt", - "name": "redisdata" - }] - }], - "restartPolicy": "Never", - "volumes": [{ - "name": "redisdata", - "persistentVolumeClaim": { - "claimName": "redis-data-new-redis-master-0" - } - }] - } - }' --image="bitnami/minideb" - - $ kubectl cp dump.rdb redisvolpod:/mnt/dump.rdb - $ kubectl delete pod volpod - ``` - -- Restart the cluster: - - > **INFO:** The *appendonly* parameter can be safely restored to your desired value. - - ```console - helm install new-redis -f values.yaml . 
--set cluster.enabled=true --set cluster.slaveCount=3 - ``` - -## NetworkPolicy - -To enable network policy for Redis®, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. +The above command sets the Redis® server password to `secretpassword`. -With NetworkPolicy enabled, only pods with the generated client label will be able to connect to Redis. This label will be displayed in the output after a successful install. +> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. -With `networkPolicy.ingressNSMatchLabels` pods from other namespaces can connect to Redis. Set `networkPolicy.ingressNSPodMatchLabels` to match pod labels in matched namespace. For example, for a namespace labeled `redis=external` and pods in that namespace labeled `redis-client=true` the fields should be set: +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, -```yaml -networkPolicy: - enabled: true - ingressNSMatchLabels: - redis: external - ingressNSPodMatchLabels: - redis-client: true +```console +helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/redis ``` -### Setting Pod's affinity - -This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). 
- -As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/redis/values.yaml) ## Troubleshooting @@ -1048,6 +1038,17 @@ This issue can be mitigated by splitting the upgrade into two stages: one for al - Stage 2 (anything else that is not up to date, in this case only master): `helm upgrade oci://REGISTRY_NAME/REPOSITORY_NAME/redis` +### To 19.0.0 + +This major bump changes the following security defaults: + +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. + +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. + ### To 18.0.0 This major version updates the Redis® docker image version used from `7.0` to `7.2`, the new stable version. There are no major changes in the chart, but we recommend checking the [Redis® 7.2 release notes](https://raw.githubusercontent.com/redis/redis/7.2/00-RELEASENOTES) before upgrading. 
@@ -1246,4 +1247,4 @@ Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
-limitations under the License.
\ No newline at end of file
+limitations under the License.
diff --git a/charts/bitnami/airflow/charts/redis/templates/podmonitor.yaml b/charts/bitnami/airflow/charts/redis/templates/podmonitor.yaml
index e6521c60fb..0e50aab16a 100644
--- a/charts/bitnami/airflow/charts/redis/templates/podmonitor.yaml
+++ b/charts/bitnami/airflow/charts/redis/templates/podmonitor.yaml
@@ -28,8 +28,8 @@ spec:
{{- if .Values.metrics.podMonitor.honorLabels }}
honorLabels: {{ .Values.metrics.podMonitor.honorLabels }}
{{- end }}
- {{- if .Values.metrics.podMonitor.relabellings }}
- relabelings: {{- toYaml .Values.metrics.podMonitor.relabellings | nindent 6 }}
+ {{- with concat .Values.metrics.podMonitor.relabelings .Values.metrics.podMonitor.relabellings }}
+ relabelings: {{- toYaml . | nindent 6 }}
{{- end }}
{{- if .Values.metrics.podMonitor.metricRelabelings }}
metricRelabelings: {{- toYaml .Values.metrics.podMonitor.metricRelabelings | nindent 6 }}
@@ -45,8 +45,8 @@ spec:
{{- if .honorLabels }}
honorLabels: {{ .honorLabels }}
{{- end }}
- {{- if .relabellings }}
- relabelings: {{- toYaml .relabellings | nindent 6 }}
+ {{- with concat .Values.metrics.podMonitor.relabelings .Values.metrics.podMonitor.relabellings }}
+ relabelings: {{- toYaml . | nindent 6 }}
{{- end }}
{{- if .metricRelabelings }}
metricRelabelings: {{- toYaml .metricRelabelings | nindent 6 }}
diff --git a/charts/bitnami/airflow/charts/redis/templates/servicemonitor.yaml b/charts/bitnami/airflow/charts/redis/templates/servicemonitor.yaml
index 2e53ad9329..0cda45d067 100644
--- a/charts/bitnami/airflow/charts/redis/templates/servicemonitor.yaml
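Review bot: In the `@@ -45,8 +45,8 @@` hunk of podmonitor.yaml the new `with concat .Values.metrics.podMonitor.relabelings ...` line reads `.Values` from a scope where the dot has been rebound — the neighbouring context lines read `.honorLabels` and `.metricRelabelings` off the current element, so the enclosing `range` over additional endpoints (it starts outside the hunk) has replaced the root context. Inside that `range`, `.Values` does not resolve and Helm will most likely abort rendering with a nil-pointer error as soon as `additionalEndpoints` is non-empty, which the old `.relabellings` line did not do. The minimal fix is to address the root context explicitly: `{{- with concat $.Values.metrics.podMonitor.relabelings $.Values.metrics.podMonitor.relabellings }}`. If per-endpoint relabelings were meant to survive as before, be aware that Sprig's `concat` does not accept a nil operand, so each side would need a guard such as `(default (list) .relabelings)`.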
+++ b/charts/bitnami/airflow/charts/redis/templates/servicemonitor.yaml
@@ -28,8 +28,8 @@ spec:
{{- if .Values.metrics.serviceMonitor.honorLabels }}
honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
{{- end }}
- {{- if .Values.metrics.serviceMonitor.relabellings }}
- relabelings: {{- toYaml .Values.metrics.serviceMonitor.relabellings | nindent 6 }}
+ {{- with concat .Values.metrics.serviceMonitor.relabelings .Values.metrics.serviceMonitor.relabellings }}
+ relabelings: {{- toYaml . | nindent 6 }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.metricRelabelings }}
metricRelabelings: {{- toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 6 }}
@@ -45,8 +45,8 @@ spec:
{{- if .honorLabels }}
honorLabels: {{ .honorLabels }}
{{- end }}
- {{- if .relabellings }}
- relabelings: {{- toYaml .relabellings | nindent 6 }}
+ {{- with concat .Values.metrics.serviceMonitor.relabelings .Values.metrics.serviceMonitor.relabellings }}
+ relabelings: {{- toYaml . | nindent 6 }}
{{- end }}
{{- if .metricRelabelings }}
metricRelabelings: {{- toYaml .metricRelabelings | nindent 6 }}
diff --git a/charts/bitnami/airflow/charts/redis/values.yaml b/charts/bitnami/airflow/charts/redis/values.yaml
index a9517f0473..142da1fbf4 100644
--- a/charts/bitnami/airflow/charts/redis/values.yaml
+++ b/charts/bitnami/airflow/charts/redis/values.yaml
@@ -30,7 +30,7 @@ global:
openshift:
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
##
- adaptSecurityContext: disabled
+ adaptSecurityContext: auto
## @section Common parameters
##
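Review bot: The `@@ -45,8 +45,8 @@` hunk of servicemonitor.yaml has the same scoping problem as its top-level sibling does not: `.Values.metrics.serviceMonitor.relabelings` is evaluated where the dot is already an endpoint element (the context lines use `.honorLabels` and `.metricRelabelings`), so the enclosing `range`, which begins outside this hunk, has hidden the root context and the render will most likely fail with a nil-pointer error once `additionalEndpoints` is populated. Use the root reference: `{{- with concat $.Values.metrics.serviceMonitor.relabelings $.Values.metrics.serviceMonitor.relabellings }}`. If endpoint-local relabelings are the intent, each `concat` operand must be non-nil, e.g. `(default (list) .relabelings)`, since the old `if .relabellings` guard has been dropped.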
@@ -275,7 +275,7 @@ master:
## @param master.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
- resourcesPreset: "none"
+ resourcesPreset: "nano"
## @param master.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -315,12 +315,12 @@ master:
##
containerSecurityContext:
enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
runAsUser: 1001
- runAsGroup: 0
+ runAsGroup: 1001
runAsNonRoot: true
allowPrivilegeEscalation: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
@@ -737,7 +737,7 @@ replica:
## @param replica.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if replica.resources is set (replica.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
- resourcesPreset: "none"
+ resourcesPreset: "nano"
## @param replica.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -777,12 +777,12 @@ replica:
##
containerSecurityContext:
enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
runAsUser: 1001
- runAsGroup: 0
+ runAsGroup: 1001
runAsNonRoot: true
allowPrivilegeEscalation: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
@@ -1306,7 +1306,7 @@ sentinel:
## @param sentinel.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sentinel.resources is set (sentinel.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
- resourcesPreset: "none"
+ resourcesPreset: "nano"
## @param sentinel.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -1332,12 +1332,12 @@ sentinel:
##
containerSecurityContext:
enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
runAsUser: 1001
- runAsGroup: 0
+ runAsGroup: 1001
runAsNonRoot: true
allowPrivilegeEscalation: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
@@ -1708,12 +1708,12 @@ metrics:
##
containerSecurityContext:
enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
runAsUser: 1001
- runAsGroup: 0
+ runAsGroup: 1001
runAsNonRoot: true
allowPrivilegeEscalation: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
@@ -1729,7 +1729,7 @@ metrics:
## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
- resourcesPreset: "none"
+ resourcesPreset: "nano"
## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -1812,7 +1812,10 @@ metrics:
## @param metrics.serviceMonitor.scrapeTimeout The timeout after which the scrape is ended
##
scrapeTimeout: ""
- ## @param metrics.serviceMonitor.relabellings Metrics RelabelConfigs to apply to samples before scraping.
+ ## @param metrics.serviceMonitor.relabelings Metrics RelabelConfigs to apply to samples before scraping.
+ ##
+ relabelings: []
+ ## @skip metrics.serviceMonitor.relabellings DEPRECATED: Use `metrics.serviceMonitor.relabelings` instead.
##
relabellings: []
## @param metrics.serviceMonitor.metricRelabelings Metrics RelabelConfigs to apply to samples before ingestion.
@@ -1866,7 +1866,10 @@ metrics:
## @param metrics.podMonitor.scrapeTimeout The timeout after which the scrape is ended
##
scrapeTimeout: ""
- ## @param metrics.podMonitor.relabellings Metrics RelabelConfigs to apply to samples before scraping.
+ ## @param metrics.podMonitor.relabelings Metrics RelabelConfigs to apply to samples before scraping.
+ ##
+ relabelings: []
+ ## @skip metrics.podMonitor.relabellings DEPRECATED: Use `metrics.podMonitor.relabelings` instead.
##
relabellings: []
## @param metrics.podMonitor.metricRelabelings Metrics RelabelConfigs to apply to samples before ingestion.
@@ -1988,7 +1994,7 @@ volumePermissions:
## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
- resourcesPreset: "none"
+ resourcesPreset: "nano"
## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -2009,7 +2015,7 @@ volumePermissions:
## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)
##
containerSecurityContext:
- seLinuxOptions: null
+ seLinuxOptions: {}
runAsUser: 0
## Kubectl InitContainer
@@ -2096,7 +2102,7 @@ sysctl:
## @param sysctl.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sysctl.resources is set (sysctl.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
- resourcesPreset: "none"
+ resourcesPreset: "nano"
## @param sysctl.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
diff --git a/charts/bitnami/airflow/values.yaml b/charts/bitnami/airflow/values.yaml
index eb2743f775..0b527a3aa4 100644
--- a/charts/bitnami/airflow/values.yaml
+++ b/charts/bitnami/airflow/values.yaml
@@ -26,7 +26,7 @@ global:
openshift:
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
##
- adaptSecurityContext: disabled
+ adaptSecurityContext: auto
## @section Common parameters
## @param kubeVersion Override Kubernetes version
@@ -300,7 +300,7 @@ web:
## @param web.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if web.resources is set (web.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
- resourcesPreset: "none"
+ resourcesPreset: "medium"
## @param web.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -341,13 +341,13 @@ web:
##
containerSecurityContext:
enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
runAsUser: 1001
- runAsGroup: 0
+ runAsGroup: 1001
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
seccompProfile:
@@ -590,7 +590,7 @@ scheduler:
enabled: true
initialDelaySeconds: 180
periodSeconds: 20
- timeoutSeconds: 5
+ timeoutSeconds: 15
failureThreshold: 6
successThreshold: 1
## @param scheduler.readinessProbe.enabled Enable readinessProbe on Airflow scheduler containers
@@ -604,7 +604,7 @@ scheduler:
enabled: true
initialDelaySeconds: 30
periodSeconds: 10
- timeoutSeconds: 5
+ timeoutSeconds: 15
failureThreshold: 6
successThreshold: 1
## @param scheduler.customLivenessProbe Custom livenessProbe that overrides the default one
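Review bot: The `@@ -341,13 +341,13 @@` hunk flips `web.containerSecurityContext.readOnlyRootFilesystem` to `true`, but nothing in this diff shows the webserver Deployment gaining writable `emptyDir` mounts for the paths the Bitnami Airflow container typically writes at start-up (its logs directory, `/tmp`, and the generated configuration under the Airflow home) — if that template change is not part of this commit, the webserver will fail on its first write after upgrade. Please confirm the matching template change exists, and record the dependency next to the value so anyone overriding `extraVolumes` keeps it, e.g. `## NOTE: with readOnlyRootFilesystem=true the chart mounts emptyDir volumes for logs and /tmp; keep them if you customise volumes`. The `runAsGroup: 0` → `1001` change in the same hunk also removes the root-group write access the Bitnami images rely on for arbitrary-UID platforms; with `adaptSecurityContext: auto` that is handled on OpenShift, but it is worth a one-line comment for other clusters that use random UIDs.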
@@ -621,7 +621,7 @@ scheduler:
## @param scheduler.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if scheduler.resources is set (scheduler.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
- resourcesPreset: "none"
+ resourcesPreset: "small"
## @param scheduler.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -662,13 +662,13 @@ scheduler:
##
containerSecurityContext:
enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
runAsUser: 1001
- runAsGroup: 0
+ runAsGroup: 1001
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
seccompProfile:
@@ -960,7 +960,7 @@ worker:
## @param worker.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if worker.resources is set (worker.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
- resourcesPreset: "none"
+ resourcesPreset: "large"
## @param worker.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -1001,13 +1001,13 @@ worker:
##
containerSecurityContext:
enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
runAsUser: 1001
- runAsGroup: 0
+ runAsGroup: 1001
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
seccompProfile:
@@ -1309,7 +1309,7 @@ git:
## @param git.clone.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if git.clone.resources is set (git.clone.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
- resourcesPreset: "none"
+ resourcesPreset: "nano"
## Properties for the Sync sidecar container
## @param git.sync.interval Interval in seconds to pull the git repository containing the plugins and/or DAG files
## @param git.sync.command Override cmd
@@ -1330,7 +1330,7 @@ git:
## @param git.sync.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if git.sync.resources is set (git.sync.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
- resourcesPreset: "none"
+ resourcesPreset: "nano"
## @param git.sync.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -1629,7 +1629,7 @@ metrics:
## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
- resourcesPreset: "none"
+ resourcesPreset: "nano"
## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -1672,17 +1672,17 @@ metrics:
## enabled: true
## capabilities:
## drop: ["NET_RAW"]
- ## readOnlyRootFilesystem: false
+ ## readOnlyRootFilesystem: true
##
containerSecurityContext:
enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
runAsUser: 1001
- runAsGroup: 0
+ runAsGroup: 1001
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
seccompProfile:
@@ -1882,6 +1882,24 @@ postgresql:
database: bitnami_airflow
existingSecret: ""
architecture: standalone
+ primary:
+ ## PostgreSQL Primary resource requests and limits
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+ ## @param postgresql.primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "nano"
+ ## @param postgresql.primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
## External PostgreSQL configuration
## All of these values are only used when postgresql.enabled is set to false
## @param externalDatabase.host Database host
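Review bot: The `@param postgresql.primary.resourcesPreset` description added in the `@@ -1882,6 +1882,24 @@` hunk says it is ignored `if primary.resources is set (primary.resources is recommended for production)`, but at this nesting the override key is `postgresql.primary.resources`; the readme generator copies this string into the parameters table, so users will be pointed at a key that does not exist at the top level of this chart. Suggest `This is ignored if postgresql.primary.resources is set (postgresql.primary.resources is recommended for production).`. It would also help to say in the comment why the bundled metadata database is pinned to the smallest preset (`nano`), since a CPU/memory limit is now applied to PostgreSQL by default where, as far as this diff shows, none was set before, and an undersized metadata DB is a common cause of scheduler stalls.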
@@ -1919,6 +1937,25 @@ redis:
password: ""
existingSecret: ""
architecture: standalone
+ master:
+ ## Redis® master resource requests and limits
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+ ## @param redis.master.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "nano"
+ ## @param redis.master.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
+
## External Redis® configuration
## All of these values are only used when redis.enabled is set to false
## @param externalRedis.host Redis® host
diff --git a/charts/bitnami/cassandra/Chart.lock b/charts/bitnami/cassandra/Chart.lock
index eaf627aca0..af599e1b62 100644
--- a/charts/bitnami/cassandra/Chart.lock
+++ b/charts/bitnami/cassandra/Chart.lock
@@ -1,6 +1,6 @@
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
- version: 2.18.0
-digest: sha256:f489ae7394a4eceb24fb702901483c67a5b4fff605f19d5e2545e3a6778e1280
-generated: "2024-03-05T13:26:26.829438105+01:00"
+ version: 2.19.0
+digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc
+generated: "2024-03-08T11:22:27.097159506+01:00"
diff --git a/charts/bitnami/cassandra/Chart.yaml b/charts/bitnami/cassandra/Chart.yaml
index afa43d4792..be74e83822 100644
--- a/charts/bitnami/cassandra/Chart.yaml
+++ b/charts/bitnami/cassandra/Chart.yaml
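Review bot: The `@param redis.master.resourcesPreset` description in the `@@ -1919,6 +1937,25 @@` hunk refers to `master.resources` as the override that disables the preset, but from this chart the key is `redis.master.resources`; because this text is rendered into the README parameters table, the wrong path will be what users copy. Suggest `This is ignored if redis.master.resources is set (redis.master.resources is recommended for production).`. A short note that `nano` is only a schedulability floor for the bundled broker, and that Celery-backed deployments should set `redis.master.resources` explicitly, would keep this consistent with the "not meant for production" wording used for the other presets in this file.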
@@ -35,4 +35,4 @@ maintainers:
name: cassandra
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/cassandra
-version: 10.12.1
+version: 11.0.0
diff --git a/charts/bitnami/cassandra/README.md b/charts/bitnami/cassandra/README.md
index d4e260654a..27c02af2cf 100644
--- a/charts/bitnami/cassandra/README.md
+++ b/charts/bitnami/cassandra/README.md
@@ -42,26 +42,110 @@ These commands deploy one node with Apache Cassandra on the Kubernetes cluster i > **Tip**: List all releases using `helm list` -## Uninstalling the Chart +## Configuration and installation details + +### Resource requests and limits + +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### [Rolling vs Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Enable TLS + +This chart supports TLS between client and server and between nodes, as explained below: + +- For internode cluster encryption, set the `tls.internodeEncryption` chart parameter to a value different from `none`. Available values are `all`, `dc` or `rack`. +- For client-server encryption, set the `tls.clientEncryption` chart parameter to `true`. 
+ +In both cases, it is also necessary to create a secret containing the keystore and truststore certificates and their corresponding protection passwords. This secret is to be passed to the chart via the `tls.existingSecret` parameter at deployment-time, as shown below: + +```text +tls.internodeEncryption=all +tls.clientEncryption=true +tls.existingSecret=my-exisiting-stores +tls.passwordsSecret=my-stores-password +``` -To uninstall/delete the `my-release` release: +> TIP: The secret may be created in the standard way with the `--from-file=./keystore`, `--from-file=./truststore`, `--from-literal=keystore-password=KEYSTORE_PASSWORD` and `--from-literal=truststore-password=TRUSTSTORE_PASSWORD` options. This assumes that the stores are in the current working directory and the KEYSTORE_PASSWORD and TRUSTSTORE_PASSWORD placeholders are replaced with the correct keystore and truststore passwords respectively. Example: ```console -helm delete my-release +kubectl create secret generic my-exisiting-stores --from-file=./keystore --from-file=./truststore +kubectl create secret generic my-stores-password --from-literal=keystore-password=KEYSTORE_PASSWORD --from-literal=truststore-password=TRUSTSTORE_PASSWORD +``` + +Keystore and Truststore files can be dinamycally created from the certificates files. In this case a secret with the tls.crt, tls.key and ca.crt in pem format is required. 
The following example shows how the secret can be created and assumes that all certificate files are in the working directory: + +```console +kubectl create secret tls my-certs --cert ./tls.crt --key ./tls.key +kubectl patch secret my-certs -p="{\"data\":{\"ca.crt\": \"$(cat ./ca.crt | base64 )\"}}" +``` + +To enable this feature `tls.autoGenerated` must be set and the new secret should be set in `tls.certificateSecret`: + +```text +tls.internodeEncryption=all +tls.clientEncryption=true +tls.autoGenerated=true +tls.certificatesSecret=my-certs +tls.passwordsSecret=my-stores-password ``` -The command removes all the Kubernetes components associated with the chart and deletes the release. +### Initialize the database + +The [Apache Cassandra](https://github.com/bitnami/containers/tree/main/bitnami/cassandra) image supports the use of custom scripts to initialize a fresh instance. This may be done by creating a Kubernetes ConfigMap that includes the necessary `.sh` or `.cql` scripts and passing this ConfigMap to the chart via the `initDBConfigMap` parameter. + +### Use a custom configuration file + +This chart also supports mounting custom configuration file(s) for Apache Cassandra. This is achieved by setting the `existingConfiguration` parameter with the name of a ConfigMap that includes the custom configuration file(s). Here is an example of deploying the chart with a custom configuration file stored in a ConfigMap named `cassandra-configuration`: + +```text +existingConfiguration=cassandra-configuration +``` + +> NOTE: This ConfigMap will override other Apache Cassandra configuration variables set in the chart. + +### Backup and restore + +Refer to our detailed tutorial on [backing up and restoring Bitnami Apache Cassandra deployments on Kubernetes](https://docs.bitnami.com/tutorials/backup-restore-data-cassandra-kubernetes/). + +### Set pod affinity + +This chart allows you to set custom pod affinity using the `XXX.affinity` parameter(s). 
Find more information about pod affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. + +## Persistence + +The [Bitnami Apache Cassandra](https://github.com/bitnami/containers/tree/main/bitnami/cassandra) image stores the Apache Cassandra data at the `/bitnami/cassandra` path of the container. + +Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. +See the [Parameters](#parameters) section to configure the PVC or to disable persistence. + +If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). + +### Adjust permissions of persistent volume mountpoint + +As the image run as non-root by default, it is necessary to adjust the ownership of the persistent volume so that the container can write data into it. There are two approaches to achieve this: + +- Use Kubernetes SecurityContexts by setting the `podSecurityContext.enabled` and `containerSecurityContext.enabled` to `true`. This option is enabled by default in the chart. However, this feature does not work in all Kubernetes distributions. +- Use an init container to change the ownership of the volume before mounting it in the final destination. Enable this container by setting the `volumePermissions.enabled` parameter to `true`. 
## Parameters ### Global parameters -| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with 
Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters 
@@ -141,16 +225,16 @@ The command removes all the Kubernetes components associated with the chart and
 | `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `podSecurityContext.fsGroup` | Set Cassandra pod's Security Context fsGroup | `1001` |
 | `containerSecurityContext.enabled` | Enabled Cassandra containers' Security Context | `true` |
-| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `containerSecurityContext.runAsUser` | Set Cassandra containers' Security Context runAsUser | `1001` |
-| `containerSecurityContext.runAsGroup` | Set Cassandra containers' Security Context runAsGroup | `0` |
+| `containerSecurityContext.runAsGroup` | Set Cassandra containers' Security Context runAsGroup | `1001` |
 | `containerSecurityContext.allowPrivilegeEscalation` | Set Cassandra containers' Security Context allowPrivilegeEscalation | `false` |
 | `containerSecurityContext.capabilities.drop` | Set Cassandra containers' Security Context capabilities to be dropped | `["ALL"]` |
-| `containerSecurityContext.readOnlyRootFilesystem` | Set Cassandra containers' Security Context readOnlyRootFilesystem | `false` |
+| `containerSecurityContext.readOnlyRootFilesystem` | Set Cassandra containers' Security Context readOnlyRootFilesystem | `true` |
 | `containerSecurityContext.runAsNonRoot` | Set Cassandra containers' Security Context runAsNonRoot | `true` |
 | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
 | `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
-| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `none` |
+| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `large` |
 | `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `livenessProbe.enabled` | Enable livenessProbe | `true` |
 | `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` |
@@ -253,9 +337,9 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.image.digest` | Init container volume image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `volumePermissions.image.pullPolicy` | Init container volume pull policy | `IfNotPresent` | | `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` | | `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | -| `volumePermissions.securityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `volumePermissions.securityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `volumePermissions.securityContext.runAsUser` | User ID for the init container | `0` | ### Metrics parameters 
@@ -268,7 +352,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `metrics.image.digest` | Cassandra exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
 | `metrics.image.pullPolicy` | image pull policy | `IfNotPresent` |
 | `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
-| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` |
+| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` |
 | `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` |
 | `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
@@ -304,7 +388,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `tls.passwordsSecret` | Secret containing the Keystore and Truststore passwords if needed | `""` |
 | `tls.keystorePassword` | Password for the keystore, if needed. | `""` |
 | `tls.truststorePassword` | Password for the truststore, if needed. | `""` |
-| `tls.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if tls.resources is set (tls.resources is recommended for production). | `none` |
+| `tls.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if tls.resources is set (tls.resources is recommended for production). | `nano` |
 | `tls.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `tls.certificatesSecret` | Secret with the TLS certificates. | `""` |
 | `tls.tlsEncryptionSecretName` | Secret with the encryption of the TLS certificates | `""` |
@@ -330,100 +414,6 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/cassa > Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. > **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/cassandra/values.yaml) -## Configuration and installation details - -### Resource requests and limits - -Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. - -To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). - -### [Rolling vs Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) - -It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. - -Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. 
- -### Enable TLS - -This chart supports TLS between client and server and between nodes, as explained below: - -- For internode cluster encryption, set the `tls.internodeEncryption` chart parameter to a value different from `none`. Available values are `all`, `dc` or `rack`. -- For client-server encryption, set the `tls.clientEncryption` chart parameter to `true`. - -In both cases, it is also necessary to create a secret containing the keystore and truststore certificates and their corresponding protection passwords. This secret is to be passed to the chart via the `tls.existingSecret` parameter at deployment-time, as shown below: - -```text -tls.internodeEncryption=all -tls.clientEncryption=true -tls.existingSecret=my-exisiting-stores -tls.passwordsSecret=my-stores-password -``` - -> TIP: The secret may be created in the standard way with the `--from-file=./keystore`, `--from-file=./truststore`, `--from-literal=keystore-password=KEYSTORE_PASSWORD` and `--from-literal=truststore-password=TRUSTSTORE_PASSWORD` options. This assumes that the stores are in the current working directory and the KEYSTORE_PASSWORD and TRUSTSTORE_PASSWORD placeholders are replaced with the correct keystore and truststore passwords respectively. Example: - -```console -kubectl create secret generic my-exisiting-stores --from-file=./keystore --from-file=./truststore -kubectl create secret generic my-stores-password --from-literal=keystore-password=KEYSTORE_PASSWORD --from-literal=truststore-password=TRUSTSTORE_PASSWORD -``` - -Keystore and Truststore files can be dinamycally created from the certificates files. In this case a secret with the tls.crt, tls.key and ca.crt in pem format is required. 
The following example shows how the secret can be created and assumes that all certificate files are in the working directory: - -```console -kubectl create secret tls my-certs --cert ./tls.crt --key ./tls.key -kubectl patch secret my-certs -p="{\"data\":{\"ca.crt\": \"$(cat ./ca.crt | base64 )\"}}" -``` - -To enable this feature `tls.autoGenerated` must be set and the new secret should be set in `tls.certificateSecret`: - -```text -tls.internodeEncryption=all -tls.clientEncryption=true -tls.autoGenerated=true -tls.certificatesSecret=my-certs -tls.passwordsSecret=my-stores-password -``` - -### Initialize the database - -The [Apache Cassandra](https://github.com/bitnami/containers/tree/main/bitnami/cassandra) image supports the use of custom scripts to initialize a fresh instance. This may be done by creating a Kubernetes ConfigMap that includes the necessary `.sh` or `.cql` scripts and passing this ConfigMap to the chart via the `initDBConfigMap` parameter. - -### Use a custom configuration file - -This chart also supports mounting custom configuration file(s) for Apache Cassandra. This is achieved by setting the `existingConfiguration` parameter with the name of a ConfigMap that includes the custom configuration file(s). Here is an example of deploying the chart with a custom configuration file stored in a ConfigMap named `cassandra-configuration`: - -```text -existingConfiguration=cassandra-configuration -``` - -> NOTE: This ConfigMap will override other Apache Cassandra configuration variables set in the chart. - -### Set pod affinity - -This chart allows you to set custom pod affinity using the `XXX.affinity` parameter(s). Find more information about pod affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). 
- -As an alternative, you can use the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. - -## Persistence - -The [Bitnami Apache Cassandra](https://github.com/bitnami/containers/tree/main/bitnami/cassandra) image stores the Apache Cassandra data at the `/bitnami/cassandra` path of the container. - -Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. -See the [Parameters](#parameters) section to configure the PVC or to disable persistence. - -If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). - -### Adjust permissions of persistent volume mountpoint - -As the image run as non-root by default, it is necessary to adjust the ownership of the persistent volume so that the container can write data into it. There are two approaches to achieve this: - -- Use Kubernetes SecurityContexts by setting the `podSecurityContext.enabled` and `containerSecurityContext.enabled` to `true`. This option is enabled by default in the chart. However, this feature does not work in all Kubernetes distributions. -- Use an init container to change the ownership of the volume before mounting it in the final destination. Enable this container by setting the `volumePermissions.enabled` parameter to `true`. - -## Backup and restore - -Refer to our detailed tutorial on [backing up and restoring Bitnami Apache Cassandra deployments on Kubernetes](https://docs.bitnami.com/tutorials/backup-restore-data-cassandra-kubernetes/). 
- ## Troubleshooting Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). @@ -440,6 +430,17 @@ helm upgrade my-release oci://REGISTRY_NAME/REPOSITORY_NAME/cassandra --set dbUs | Note: you need to substitute the placeholder *[PASSWORD]* with the value obtained in the installation notes. +### To 10.0.0 + +This major bump changes the following security defaults: + +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. + +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. + ### To 9.0.0 This major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository. diff --git a/charts/bitnami/cassandra/charts/common/Chart.yaml b/charts/bitnami/cassandra/charts/common/Chart.yaml index 2acf0cd40a..f86ccd23a4 100644 --- a/charts/bitnami/cassandra/charts/common/Chart.yaml +++ b/charts/bitnami/cassandra/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.18.0 +appVersion: 2.19.0 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.18.0 +version: 2.19.0 
diff --git a/charts/bitnami/cassandra/charts/common/templates/_compatibility.tpl b/charts/bitnami/cassandra/charts/common/templates/_compatibility.tpl
index c529f08725..17665d567f 100644
--- a/charts/bitnami/cassandra/charts/common/templates/_compatibility.tpl
+++ b/charts/bitnami/cassandra/charts/common/templates/_compatibility.tpl
@@ -28,6 +28,10 @@ Usage:
 {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
 {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
 {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+ {{- if not .secContext.seLinuxOptions -}}
+ {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
+ {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+ {{- end -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
diff --git a/charts/bitnami/cassandra/templates/statefulset.yaml b/charts/bitnami/cassandra/templates/statefulset.yaml
index c8f1e204d2..49d811393d 100644
--- a/charts/bitnami/cassandra/templates/statefulset.yaml
+++ b/charts/bitnami/cassandra/templates/statefulset.yaml
@@ -446,6 +446,8 @@ spec:
 {{- end }}
 {{- if .Values.resources }}
 resources: {{ toYaml .Values.resources | nindent 12 }}
+ {{- else if ne .Values.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
 {{- end }}
 volumeMounts:
 - name: data
diff --git a/charts/bitnami/cassandra/values.yaml b/charts/bitnami/cassandra/values.yaml
index 82005df4d2..f9d102564e 100644
--- a/charts/bitnami/cassandra/values.yaml
+++ b/charts/bitnami/cassandra/values.yaml
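Review bot: `not .secContext.seLinuxOptions` is true for a nil value as well as for `{}`, so the new comment `If it is an empty object, we remove it` describes only half of what the guard does; `{{/* Drop seLinuxOptions when unset or an empty object (the values.yaml default), since an empty object causes validation issues */}}` would match the code. The omit also sits inside the `force`/`auto`-on-Openshift branch, so on any other cluster the new `seLinuxOptions: {}` default from values.yaml presumably still reaches the rendered securityContext as an empty object; if the validation problem the comment refers to is not Openshift-specific, the check belongs above the `if or (eq ... "force") ...` condition rather than inside it. The enclosing define starts before this hunk.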
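Review bot: The new `else if ne .Values.resourcesPreset "none"` branch only covers the main Cassandra container, while values.yaml in this commit also moves `volumePermissions.resourcesPreset`, `metrics.resourcesPreset` and `tls.resourcesPreset` from `none` to `nano`. None of those containers appear in this hunk; if their specs (outside this hunk) still carry only `{{- if .Values.<section>.resources }}`, the new nano defaults are documented in the README table but never rendered. A `helm template` check of the init and sidecar containers before the 10.0.0 bump would settle it. The enclosing container spec starts and ends outside the hunk.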
@@ -27,7 +27,7 @@ global: openshift: ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) ## - adaptSecurityContext: disabled + adaptSecurityContext: auto ## @section Common parameters ## @@ -310,9 +310,9 @@ podSecurityContext: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false allowPrivilegeEscalation: false @@ -320,7 +320,7 @@ containerSecurityContext: drop: ["ALL"] seccompProfile: type: "RuntimeDefault" - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true ## Cassandra pods' resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## Minimum memory for development is 4GB and 2 CPU cores @@ -334,7 +334,7 @@ containerSecurityContext: ## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## -resourcesPreset: "none" +resourcesPreset: "large" ## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: 
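Review bot: Making `auto` the default means `common.compatibility.isOpenshift` now decides on every render whether the `runAsUser`/`runAsGroup`/`fsGroup` pins in `containerSecurityContext` are kept or silently omitted, with nothing in the rendered manifest indicating which branch was taken; `runAsNonRoot: true` still applies, so the fallback is a platform-assigned non-root ID rather than root, but the chart no longer guarantees the IDs its own documentation lists. The `## @param` comment should say so, e.g. `## NOTE: with "auto", the user/group IDs set below are dropped when an Openshift cluster is detected and the restricted-v2 SCC assigns them instead`. The detection helper itself is outside this hunk.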
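Review bot: In the `@@ -320,7 +320,7 @@` hunk, `readOnlyRootFilesystem: true` only works if every directory Cassandra writes to at runtime is backed by a writable mount, and the only statefulset.yaml change in this commit is the resources preset branch, so this default relies on emptyDir mounts that already exist outside the diff — a missing one surfaces as a crash loop at start, not as a render error, so it is worth confirming before the major bump. A short pointer next to the value would help operators who hit it: `## Requires writable (emptyDir) mounts for the runtime directories; set to false only if custom init scripts write elsewhere`. The `### To 10.0.0` upgrade note lists the flip but not the revert key `containerSecurityContext.readOnlyRootFilesystem=false`.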
@@ -698,7 +698,7 @@ volumePermissions: ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -723,7 +723,7 @@ volumePermissions: ## pod securityContext.enabled=false and shmVolume.chmod.enabled=false ## securityContext: - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 0 ## @section Metrics parameters ## @@ -766,7 +766,7 @@ metrics: ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -949,7 +949,7 @@ tls: truststorePassword: "" certificatesSecret: "" tlsEncryptionSecretName: "" - resourcesPreset: "none" + resourcesPreset: "nano" ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following 
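Review bot: In the `tls:` hunk (`@@ -949,7 +949,7 @@`), the comment directly under the changed line — `## We usually recommend not to specify default resources and to leave this as a conscious choice for the user` — now contradicts `resourcesPreset: "nano"`, which does set a default. Rewording it along the lines of `## A small preset is applied by default; set tls.resources explicitly for production workloads` keeps it in step with the `## @param` text used for `volumePermissions.resourcesPreset` and `metrics.resourcesPreset` earlier on this line. The `tls:` block continues outside the hunk.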
diff --git a/charts/bitnami/mariadb/Chart.lock b/charts/bitnami/mariadb/Chart.lock index d63e6bfcf5..220f0e4b21 100644 --- a/charts/bitnami/mariadb/Chart.lock +++ b/charts/bitnami/mariadb/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.18.0 -digest: sha256:f489ae7394a4eceb24fb702901483c67a5b4fff605f19d5e2545e3a6778e1280 -generated: "2024-03-05T14:35:54.482130622+01:00" + version: 2.19.0 +digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc +generated: "2024-03-08T11:25:32.224991562+01:00" diff --git a/charts/bitnami/mariadb/Chart.yaml b/charts/bitnami/mariadb/Chart.yaml index 3adf9251cc..7abe74bc9f 100644 --- a/charts/bitnami/mariadb/Chart.yaml +++ b/charts/bitnami/mariadb/Chart.yaml @@ -37,4 +37,4 @@ maintainers: name: mariadb sources: - https://github.com/bitnami/charts/tree/main/bitnami/mariadb -version: 16.5.0 +version: 17.0.1 diff --git a/charts/bitnami/mariadb/README.md b/charts/bitnami/mariadb/README.md index e8f307c604..35433a7631 100644 --- a/charts/bitnami/mariadb/README.md +++ b/charts/bitnami/mariadb/README.md 
@@ -44,26 +44,112 @@ The command deploys MariaDB on the Kubernetes cluster in the default configurati > **Tip**: List all releases using `helm list` -## Uninstalling the Chart +## Configuration and installation details -To uninstall/delete the `my-release` deployment: +### Resource requests and limits -```console -helm delete my-release +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Change MariaDB version + +To modify the MariaDB version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/mariadb/tags/) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters. 
+ +### Initialize a fresh instance + +The [Bitnami MariaDB](https://github.com/bitnami/containers/tree/main/bitnami/mariadb) image allows you to use your custom scripts to initialize a fresh instance. Custom scripts may be specified using the `initdbScripts` parameter. Alternatively, an external ConfigMap may be created with all the initialization scripts and the ConfigMap passed to the chart via the `initdbScriptsConfigMap` parameter. Note that this will override the `initdbScripts` parameter. + +The allowed extensions are `.sh`, `.sql` and `.sql.gz`. + +These scripts are treated differently depending on their extension. While `.sh` scripts are executed on all the nodes, `.sql` and `.sql.gz` scripts are only executed on the primary nodes. This is because `.sh` scripts support conditional tests to identify the type of node they are running on, while such tests are not supported in `.sql` or `.sql.gz` files. + +When using a `.sh` script, you may wish to perform a "one-time" action like creating a database. This can be achieved by adding a condition in the script to ensure that it is executed only on one node, as shown in the example below: + +```yaml +initdbScripts: + my_init_script.sh: | + #!/bin/sh + if [[ $(hostname) == *primary* ]]; then + echo "Primary node" + mysql -P 3306 -uroot -prandompassword -e "create database new_database"; + else + echo "No primary node" + fi +``` + +### Sidecars and Init Containers + +If additional containers are needed in the same pod as MariaDB (such as additional metrics or logging exporters), they can be defined using the `sidecars` parameter. 
+ +```yaml +sidecars: +- name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below: + +```yaml +service: + extraPorts: + - name: extraPort + port: 11311 + targetPort: 11311 +``` + +> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. + +If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example: + +```yaml +initContainers: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 ``` -The command removes all the Kubernetes components associated with the chart and deletes the release. +Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). + +## Persistence + +The [Bitnami MariaDB](https://github.com/bitnami/containers/tree/main/bitnami/mariadb) image stores the MariaDB data and configurations at the `/bitnami/mariadb` path of the container. + +The chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) volume at this location. The volume is created using dynamic volume provisioning, by default. An existing PersistentVolumeClaim can also be defined. + +If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). 
+ +### Adjust permissions of persistent volume mountpoint + +As the image run as non-root by default, it is necessary to adjust the ownership of the persistent volume so that the container can write data into it. + +By default, the chart is configured to use Kubernetes Security Context to automatically change the ownership of the volume. However, this feature does not work in all Kubernetes distributions. + +As an alternative, this chart supports using an initContainer to change the ownership of the volume before mounting it in the final destination. You can enable this initContainer by setting `volumePermissions.enabled` to `true`. ## Parameters ### Global parameters -| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| `global.imageRegistry` | Global Docker Image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global storage class for dynamic provisioning | `""` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker Image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global storage class for dynamic provisioning | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters 
@@ -143,16 +229,16 @@ The command removes all the Kubernetes components associated with the chart and | `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `primary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | | `primary.containerSecurityContext.enabled` | MariaDB primary container securityContext | `true` | -| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `primary.containerSecurityContext.runAsUser` | User ID for the MariaDB primary container | `1001` | -| `primary.containerSecurityContext.runAsGroup` | Group ID for the MariaDB primary container | `0` | +| `primary.containerSecurityContext.runAsGroup` | Group ID for the MariaDB primary container | `1001` | | `primary.containerSecurityContext.runAsNonRoot` | Set primary container's Security Context runAsNonRoot | `true` | | `primary.containerSecurityContext.privileged` | Set primary container's Security Context privileged | `false` | | `primary.containerSecurityContext.allowPrivilegeEscalation` | Set primary container's Security Context allowPrivilegeEscalation | `false` | -| `primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | | `primary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `primary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). 
This is ignored if primary.resources is set (primary.resources is recommended for production). | `none` | +| `primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `micro` | | `primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `primary.startupProbe.enabled` | Enable startupProbe | `false` | | `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` | 
@@ -247,16 +333,16 @@ The command removes all the Kubernetes components associated with the chart and | `secondary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `secondary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | | `secondary.containerSecurityContext.enabled` | MariaDB secondary container securityContext | `true` | -| `secondary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `secondary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `secondary.containerSecurityContext.runAsUser` | User ID for the MariaDB secondary container | `1001` | -| `secondary.containerSecurityContext.runAsGroup` | Group ID for the MariaDB secondary container | `0` | +| `secondary.containerSecurityContext.runAsGroup` | Group ID for the MariaDB secondary container | `1001` | | `secondary.containerSecurityContext.runAsNonRoot` | Set secondary container's Security Context runAsNonRoot | `true` | | `secondary.containerSecurityContext.privileged` | Set secondary container's Security Context privileged | `false` | | `secondary.containerSecurityContext.allowPrivilegeEscalation` | Set secondary container's Security Context allowPrivilegeEscalation | `false` | -| `secondary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `secondary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | | `secondary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `secondary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `secondary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). 
This is ignored if secondary.resources is set (secondary.resources is recommended for production). | `none` | +| `secondary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if secondary.resources is set (secondary.resources is recommended for production). | `micro` | | `secondary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `secondary.startupProbe.enabled` | Enable startupProbe | `false` | | `secondary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` | @@ -333,7 +419,7 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | | `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` | | `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | ### Metrics parameters 
@@ -351,16 +437,16 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB metrics container(s) | `{}` | | `metrics.containerPorts.http` | Container port for http | `9104` | | `metrics.containerSecurityContext.enabled` | Enable security context for MariaDB metrics container | `false` | -| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `metrics.containerSecurityContext.runAsUser` | User ID for the MariaDB metrics container | `1001` | -| `metrics.containerSecurityContext.runAsGroup` | Group ID for the MariaDB metrics container | `0` | +| `metrics.containerSecurityContext.runAsGroup` | Group ID for the MariaDB metrics container | `1001` | | `metrics.containerSecurityContext.runAsNonRoot` | Set metrics container's Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.privileged` | Set metrics container's Security Context privileged | `false` | | `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set metrics container's Security Context allowPrivilegeEscalation | `false` | -| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | | `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). 
This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` | | `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` | | `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | 
@@ -426,102 +512,6 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/maria > Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. > **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/mariadb/values.yaml) -## Configuration and installation details - -### Resource requests and limits - -Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. - -To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). - -### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) - -It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. - -Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. 
- -### Change MariaDB version - -To modify the MariaDB version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/mariadb/tags/) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters. - -### Initialize a fresh instance - -The [Bitnami MariaDB](https://github.com/bitnami/containers/tree/main/bitnami/mariadb) image allows you to use your custom scripts to initialize a fresh instance. Custom scripts may be specified using the `initdbScripts` parameter. Alternatively, an external ConfigMap may be created with all the initialization scripts and the ConfigMap passed to the chart via the `initdbScriptsConfigMap` parameter. Note that this will override the `initdbScripts` parameter. - -The allowed extensions are `.sh`, `.sql` and `.sql.gz`. - -These scripts are treated differently depending on their extension. While `.sh` scripts are executed on all the nodes, `.sql` and `.sql.gz` scripts are only executed on the primary nodes. This is because `.sh` scripts support conditional tests to identify the type of node they are running on, while such tests are not supported in `.sql` or `.sql.gz` files. - -When using a `.sh` script, you may wish to perform a "one-time" action like creating a database. This can be achieved by adding a condition in the script to ensure that it is executed only on one node, as shown in the example below: - -```yaml -initdbScripts: - my_init_script.sh: | - #!/bin/sh - if [[ $(hostname) == *primary* ]]; then - echo "Primary node" - mysql -P 3306 -uroot -prandompassword -e "create database new_database"; - else - echo "No primary node" - fi -``` - -### Sidecars and Init Containers - -If additional containers are needed in the same pod as MariaDB (such as additional metrics or logging exporters), they can be defined using the `sidecars` parameter. 
- -```yaml -sidecars: -- name: your-image-name - image: your-image - imagePullPolicy: Always - ports: - - name: portname - containerPort: 1234 -``` - -If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below: - -```yaml -service: - extraPorts: - - name: extraPort - port: 11311 - targetPort: 11311 -``` - -> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. - -If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example: - -```yaml -initContainers: - - name: your-image-name - image: your-image - imagePullPolicy: Always - ports: - - name: portname - containerPort: 1234 -``` - -Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). - -## Persistence - -The [Bitnami MariaDB](https://github.com/bitnami/containers/tree/main/bitnami/mariadb) image stores the MariaDB data and configurations at the `/bitnami/mariadb` path of the container. - -The chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) volume at this location. The volume is created using dynamic volume provisioning, by default. An existing PersistentVolumeClaim can also be defined. - -If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). 
- -### Adjust permissions of persistent volume mountpoint - -As the image run as non-root by default, it is necessary to adjust the ownership of the persistent volume so that the container can write data into it. - -By default, the chart is configured to use Kubernetes Security Context to automatically change the ownership of the volume. However, this feature does not work in all Kubernetes distributions. - -As an alternative, this chart supports using an initContainer to change the ownership of the volume before mounting it in the final destination. You can enable this initContainer by setting `volumePermissions.enabled` to `true`. - ## Troubleshooting Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). 
@@ -538,6 +528,17 @@ helm upgrade my-release oci://REGISTRY_NAME/REPOSITORY_NAME/mariadb --set auth.r | Note: you need to substitute the placeholder _[ROOT_PASSWORD]_ with the value obtained in the installation notes. +### To 17.0.0 + +This major bump changes the following security defaults: + +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. + +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. + ### To 16.0.0 This section enables NetworkPolicies by default to increase security of the application. It also adapts the values in the `networkPolicy` section to the current Bitnami standards. The removed sections are `networkPolicy.metrics.*`, `networkPolicy.ingressRules.*` and `networkPolicy.egressRules.*`. Check the Parameters table for the new structure. diff --git a/charts/bitnami/mariadb/charts/common/Chart.yaml b/charts/bitnami/mariadb/charts/common/Chart.yaml index 2acf0cd40a..f86ccd23a4 100644 --- a/charts/bitnami/mariadb/charts/common/Chart.yaml +++ b/charts/bitnami/mariadb/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.18.0 +appVersion: 2.19.0 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.18.0 +version: 2.19.0 
diff --git a/charts/bitnami/mariadb/charts/common/templates/_compatibility.tpl b/charts/bitnami/mariadb/charts/common/templates/_compatibility.tpl
index c529f08725..17665d567f 100644
--- a/charts/bitnami/mariadb/charts/common/templates/_compatibility.tpl
+++ b/charts/bitnami/mariadb/charts/common/templates/_compatibility.tpl
@@ -28,6 +28,10 @@ Usage:
 {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
 {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
 {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+ {{- if not .secContext.seLinuxOptions -}}
+ {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
+ {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+ {{- end -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
diff --git a/charts/bitnami/mariadb/templates/primary/statefulset.yaml b/charts/bitnami/mariadb/templates/primary/statefulset.yaml
index f7a79decbf..a208998a8c 100644
--- a/charts/bitnami/mariadb/templates/primary/statefulset.yaml
+++ b/charts/bitnami/mariadb/templates/primary/statefulset.yaml
@@ -251,6 +251,8 @@ spec:
 {{- end }}
 {{- if .Values.primary.resources }}
 resources: {{ toYaml .Values.primary.resources | nindent 12 }}
+ {{- else if ne .Values.primary.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }}
 {{- end }}
 volumeMounts:
 - name: data
diff --git a/charts/bitnami/mariadb/templates/secondary/statefulset.yaml b/charts/bitnami/mariadb/templates/secondary/statefulset.yaml
index c9f330344a..9431ce5992 100644
--- a/charts/bitnami/mariadb/templates/secondary/statefulset.yaml
+++ b/charts/bitnami/mariadb/templates/secondary/statefulset.yaml
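Review bot: The added comment `If it is an empty object, we remove it from the resulting context because it causes validation issues` does not say whose validation fails; since the block sits inside the OpenShift adaptation branch, the failure is presumably SCC admission on OpenShift rather than the Kubernetes API itself, and the comment should say so, e.g. `{{/* An empty seLinuxOptions object is not defaulted by the SCC and then fails SCC validation on Openshift, so drop it here */}}` — confirm against the actual error before wording it that strongly. The condition tests `.secContext.seLinuxOptions` while the `omit` is applied to `$adaptedContext`; if `$adaptedContext` is a copy of `.secContext` (its initialisation is outside this hunk) the two agree, otherwise the check should read `{{- if not $adaptedContext.seLinuxOptions -}}` so it inspects the value it actually removes. Note that `not` is true for both an absent key and `{}`, which is harmless for `omit` but means a caller passing `null` and one passing `{}` are treated alike. The enclosing template definition starts and ends outside the hunk.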
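Review bot: The two `resources:` branches are written with different trim markers — the existing `resources: {{ toYaml .Values.primary.resources | nindent 12 }}` keeps the space after the colon while the new `resources: {{- include ... | nindent 12 }}` trims it; both render valid YAML, but the new line should mirror the existing one, `resources: {{ include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }}`, or both should trim. The `ne .Values.primary.resourcesPreset "none"` guard forwards any other string, including an empty one, straight to `common.resources.preset`; whether an unknown preset name fails the render or silently emits nothing is decided in the common chart, outside this diff, so worth checking given the default is now `micro`. The secondary statefulset hunk below has the same shape. The enclosing container spec starts and ends outside the hunk.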
@@ -238,6 +238,8 @@ spec: {{- end }} {{- if .Values.secondary.resources }} resources: {{ toYaml .Values.secondary.resources | nindent 12 }} + {{- else if ne .Values.secondary.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.secondary.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - name: data diff --git a/charts/bitnami/mariadb/values.yaml b/charts/bitnami/mariadb/values.yaml index b8f6c04d61..64d1a00e00 100644 --- a/charts/bitnami/mariadb/values.yaml +++ b/charts/bitnami/mariadb/values.yaml @@ -27,7 +27,7 @@ global: openshift: ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) ## - adaptSecurityContext: disabled + adaptSecurityContext: auto ## @section Common parameters ## @@ -350,13 +350,13 @@ primary: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false allowPrivilegeEscalation: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true capabilities: drop: ["ALL"] seccompProfile: 
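Review bot: Switching `adaptSecurityContext` to `auto` means that on a cluster detected as OpenShift the chart drops `runAsUser`, `runAsGroup` and `fsGroup` from every securityContext, including the `1001` values an operator may have kept on purpose so that data on an existing PersistentVolume stays readable, and the `@param` text above the change describes the three options but not this consequence. Consider adding under the existing comment: `## NOTE: with "auto" the adaptation is decided when the templates are rendered; if you depend on the fixed 1001 IDs (e.g. ownership of an existing volume), set this to "disabled" explicitly.` How the OpenShift detection is performed lives in the common chart's `common.compatibility.isOpenshift`, outside this diff, so confirm the render-time wording against it.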
@@ -370,7 +370,7 @@ primary: ## @param primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "micro" ## @param primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -769,13 +769,13 @@ secondary: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false allowPrivilegeEscalation: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true capabilities: drop: ["ALL"] seccompProfile: @@ -789,7 +789,7 @@ secondary: ## @param secondary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if secondary.resources is set (secondary.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "micro" ## @param secondary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: 
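Review bot: `readOnlyRootFilesystem: true` only works if every path the MariaDB process writes at runtime (its tmp, rendered config, log and socket directories) is backed by a writable volume, and none of the StatefulSet hunks in this diff add such mounts — either they already exist in the template (outside this diff) or upgraded pods will fail with read-only filesystem errors, which should be verified before shipping the new default. The `runAsGroup` change from `0` to `1001` removes the process from the root group, so write access to the data volume now rests entirely on `podSecurityContext.fsGroup: 1001` (shown as unchanged context in the README hunk) and on non-group permissions for paths inside the image; that dependency is worth a comment next to the value, e.g. `## NOTE: write access to the data volume relies on podSecurityContext.fsGroup being set to the same GID`. The same three changes are repeated verbatim for `secondary` in the hunk below.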
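Review bot: The `@param` comment two lines above the change still lists the allowed presets as `none, nano, small, medium, large, xlarge, 2xlarge`, but the new default is `micro`, which is not in that list; either the list is stale (the bundled common chart is bumped to 2.19.0 in this same change and presumably defines `micro`) or the default would not resolve, and a user reading the comment cannot tell which. Update the comment to `(allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)` here and in the matching `secondary.resourcesPreset`, `volumePermissions.resourcesPreset` and `metrics.resourcesPreset` comments, and regenerate the README parameter table from it. Whether `common.resources.preset` fails or renders nothing for an unknown key is decided in the common chart, outside this diff.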
@@ -1066,7 +1066,7 @@ volumePermissions: ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -1185,10 +1185,10 @@ metrics: enabled: false privileged: false runAsNonRoot: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 - readOnlyRootFilesystem: false + runAsGroup: 1001 + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] @@ -1203,7 +1203,7 @@ metrics: ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: diff --git a/charts/bitnami/mysql/Chart.lock b/charts/bitnami/mysql/Chart.lock index 96af43d17f..bf1b66b179 100644 --- a/charts/bitnami/mysql/Chart.lock +++ b/charts/bitnami/mysql/Chart.lock 
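Review bot: The hardened values in the `metrics` hunk (`seLinuxOptions: {}`, `runAsGroup: 1001`, `readOnlyRootFilesystem: true`) sit under a `containerSecurityContext` block whose `enabled: false` context line, visible at the top of the hunk, is unchanged, so unless the metrics template applies the block regardless of `enabled` (the template is outside this diff) the exporter container still runs without any of them, while the README's "To 17.0.0" upgrade note presents `readOnlyRootFilesystem: true` as a chart-wide change. Either flip `enabled: true` for the metrics container in this major bump, or qualify the upgrade note, e.g. `- readOnlyRootFilesystem is set to true (for the metrics container only once metrics.containerSecurityContext.enabled is true)`. A one-line comment above the values, `## NOTE: ignored while enabled is false`, would stop the next reader from assuming the exporter is hardened.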
@@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.18.0 -digest: sha256:f489ae7394a4eceb24fb702901483c67a5b4fff605f19d5e2545e3a6778e1280 -generated: "2024-03-05T15:00:17.224052059+01:00" + version: 2.19.0 +digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc +generated: "2024-03-08T11:23:56.170052821+01:00" diff --git a/charts/bitnami/mysql/Chart.yaml b/charts/bitnami/mysql/Chart.yaml index ace0ef271c..fd0d9cbfd5 100644 --- a/charts/bitnami/mysql/Chart.yaml +++ b/charts/bitnami/mysql/Chart.yaml @@ -36,4 +36,4 @@ maintainers: name: mysql sources: - https://github.com/bitnami/charts/tree/main/bitnami/mysql -version: 9.23.0 +version: 10.1.0 diff --git a/charts/bitnami/mysql/README.md b/charts/bitnami/mysql/README.md index a02582d6da..3a5182594a 100644 --- a/charts/bitnami/mysql/README.md +++ b/charts/bitnami/mysql/README.md 
@@ -42,26 +42,111 @@ These commands deploy MySQL on the Kubernetes cluster in the default configurati > **Tip**: List all releases using `helm list` -## Uninstalling the Chart +## Configuration and installation details + +### Resource requests and limits + +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Use a different MySQL version + +To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. 
+ +### Customize a new MySQL instance + +The [Bitnami MySQL](https://github.com/bitnami/containers/tree/main/bitnami/mysql) image allows you to use your custom scripts to initialize a fresh instance. Custom scripts may be specified using the `initdbScripts` parameter. Alternatively, an external ConfigMap may be created with all the initialization scripts and the ConfigMap passed to the chart via the `initdbScriptsConfigMap` parameter. Note that this will override the `initdbScripts` parameter. + +The allowed extensions are `.sh`, `.sql` and `.sql.gz`. + +These scripts are treated differently depending on their extension. While `.sh` scripts are executed on all the nodes, `.sql` and `.sql.gz` scripts are only executed on the primary nodes. This is because `.sh` scripts support conditional tests to identify the type of node they are running on, while such tests are not supported in `.sql` or `sql.gz` files. + +When using a `.sh` script, you may wish to perform a "one-time" action like creating a database. This can be achieved by adding a condition in the script to ensure that it is executed only on one node, as shown in the example below: + +```yaml +initdbScripts: + my_init_script.sh: | + #!/bin/sh + if [[ $(hostname) == *master* ]]; then + echo "Master node" + mysql -P 3306 -uroot -prandompassword -e "create database new_database"; + else + echo "No master node" + fi +``` + +### Sidecars and Init Containers + +If you have a need for additional containers to run within the same pod as MySQL, you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec. + +```yaml +sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +Similarly, you can add extra init containers using the `initContainers` parameter. 
-To uninstall/delete the `my-release` deployment: +```yaml +initContainers: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +### Network Policy config + +To enable network policy for MySQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. + +For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace: ```console -helm delete my-release +kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" ``` -The command removes all the Kubernetes components associated with the chart and deletes the release. +With NetworkPolicy enabled, traffic will be limited to just port 3306. + +For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to MySQL. +This label will be displayed in the output of a successful install. + +### Pod affinity + +This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. 
+ +## Persistence + +The [Bitnami MySQL](https://github.com/bitnami/containers/tree/main/bitnami/mysql) image stores the MySQL data and configurations at the `/bitnami/mysql` path of the container. + +The chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) volume at this location. The volume is created using dynamic volume provisioning by default. An existing PersistentVolumeClaim can also be defined for this purpose. + +If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). ## Parameters ### Global parameters -| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters 
@@ -142,15 +227,15 @@ The command removes all the Kubernetes components associated with the chart and | `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `primary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | | `primary.containerSecurityContext.enabled` | MySQL primary container securityContext | `true` | -| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `primary.containerSecurityContext.runAsUser` | User ID for the MySQL primary container | `1001` | -| `primary.containerSecurityContext.runAsGroup` | Group ID for the MySQL primary container | `0` | +| `primary.containerSecurityContext.runAsGroup` | Group ID for the MySQL primary container | `1001` | | `primary.containerSecurityContext.runAsNonRoot` | Set MySQL primary container's Security Context runAsNonRoot | `true` | | `primary.containerSecurityContext.allowPrivilegeEscalation` | Set container's privilege escalation | `false` | | `primary.containerSecurityContext.capabilities.drop` | Set container's Security Context runAsNonRoot | `["ALL"]` | | `primary.containerSecurityContext.seccompProfile.type` | Set Client container's Security Context seccomp profile | `RuntimeDefault` | -| `primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` | -| `primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). 
| `none` | +| `primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `true` | +| `primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `small` | | `primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `primary.livenessProbe.enabled` | Enable livenessProbe | `true` | | `primary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | 
@@ -247,15 +332,15 @@ The command removes all the Kubernetes components associated with the chart and | `secondary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `secondary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | | `secondary.containerSecurityContext.enabled` | MySQL secondary container securityContext | `true` | -| `secondary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `secondary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `secondary.containerSecurityContext.runAsUser` | User ID for the MySQL secondary container | `1001` | -| `secondary.containerSecurityContext.runAsGroup` | Group ID for the MySQL secondary container | `0` | +| `secondary.containerSecurityContext.runAsGroup` | Group ID for the MySQL secondary container | `1001` | | `secondary.containerSecurityContext.runAsNonRoot` | Set MySQL secondary container's Security Context runAsNonRoot | `true` | | `secondary.containerSecurityContext.allowPrivilegeEscalation` | Set container's privilege escalation | `false` | | `secondary.containerSecurityContext.capabilities.drop` | Set container's Security Context runAsNonRoot | `["ALL"]` | | `secondary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `secondary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` | -| `secondary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if secondary.resources is set (secondary.resources is recommended for production). 
| `none` | +| `secondary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `true` | +| `secondary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if secondary.resources is set (secondary.resources is recommended for production). | `small` | | `secondary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `secondary.livenessProbe.enabled` | Enable livenessProbe | `true` | | `secondary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | @@ -349,7 +434,7 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | | `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` | | `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | ### Metrics parameters 
@@ -363,14 +448,14 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.image.pullPolicy` | Exporter image pull policy | `IfNotPresent` | | `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | | `metrics.containerSecurityContext.enabled` | MySQL metrics container securityContext | `true` | -| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `metrics.containerSecurityContext.runAsUser` | User ID for the MySQL metrics container | `1001` | -| `metrics.containerSecurityContext.runAsGroup` | Group ID for the MySQL metrics container | `0` | +| `metrics.containerSecurityContext.runAsGroup` | Group ID for the MySQL metrics container | `1001` | | `metrics.containerSecurityContext.runAsNonRoot` | Set MySQL metrics container's Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set container's privilege escalation | `false` | | `metrics.containerSecurityContext.capabilities.drop` | Set container's Security Context runAsNonRoot | `["ALL"]` | | `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` | +| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `true` | | `metrics.containerPorts.http` | Container port for http | `9104` | | `metrics.service.type` | Kubernetes service type for MySQL Prometheus Exporter | `ClusterIP` | | `metrics.service.clusterIP` | Kubernetes service clusterIP for MySQL Prometheus Exporter | `""` | 
@@ -378,7 +463,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.service.annotations` | Prometheus exporter service annotations | `{}` | | `metrics.extraArgs.primary` | Extra args to be passed to mysqld_exporter on Primary pods | `[]` | | `metrics.extraArgs.secondary` | Extra args to be passed to mysqld_exporter on Secondary pods | `[]` | -| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` | | `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` | | `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | 
@@ -433,101 +518,6 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/mysql > Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. > **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/mysql/values.yaml) -## Configuration and installation details - -### Resource requests and limits - -Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. - -To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). - -### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) - -It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. - -Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. 
- -### Use a different MySQL version - -To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. - -### Customize a new MySQL instance - -The [Bitnami MySQL](https://github.com/bitnami/containers/tree/main/bitnami/mysql) image allows you to use your custom scripts to initialize a fresh instance. Custom scripts may be specified using the `initdbScripts` parameter. Alternatively, an external ConfigMap may be created with all the initialization scripts and the ConfigMap passed to the chart via the `initdbScriptsConfigMap` parameter. Note that this will override the `initdbScripts` parameter. - -The allowed extensions are `.sh`, `.sql` and `.sql.gz`. - -These scripts are treated differently depending on their extension. While `.sh` scripts are executed on all the nodes, `.sql` and `.sql.gz` scripts are only executed on the primary nodes. This is because `.sh` scripts support conditional tests to identify the type of node they are running on, while such tests are not supported in `.sql` or `sql.gz` files. - -When using a `.sh` script, you may wish to perform a "one-time" action like creating a database. This can be achieved by adding a condition in the script to ensure that it is executed only on one node, as shown in the example below: - -```yaml -initdbScripts: - my_init_script.sh: | - #!/bin/sh - if [[ $(hostname) == *master* ]]; then - echo "Master node" - mysql -P 3306 -uroot -prandompassword -e "create database new_database"; - else - echo "No master node" - fi -``` - -### Sidecars and Init Containers - -If you have a need for additional containers to run within the same pod as MySQL, you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec. 
- -```yaml -sidecars: - - name: your-image-name - image: your-image - imagePullPolicy: Always - ports: - - name: portname - containerPort: 1234 -``` - -Similarly, you can add extra init containers using the `initContainers` parameter. - -```yaml -initContainers: - - name: your-image-name - image: your-image - imagePullPolicy: Always - ports: - - name: portname - containerPort: 1234 -``` - -## Persistence - -The [Bitnami MySQL](https://github.com/bitnami/containers/tree/main/bitnami/mysql) image stores the MySQL data and configurations at the `/bitnami/mysql` path of the container. - -The chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) volume at this location. The volume is created using dynamic volume provisioning by default. An existing PersistentVolumeClaim can also be defined for this purpose. - -If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). - -## Network Policy config - -To enable network policy for MySQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. - -For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace: - -```console -kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" -``` - -With NetworkPolicy enabled, traffic will be limited to just port 3306. - -For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to MySQL. -This label will be displayed in the output of a successful install. 
- -## Pod affinity - -This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). - -As an alternative, you can use the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. - ## Troubleshooting Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). @@ -544,6 +534,17 @@ helm upgrade my-release oci://REGISTRY_NAME/REPOSITORY_NAME/mysql --set auth.roo | Note: you need to substitute the placeholder _[ROOT_PASSWORD]_ with the value obtained in the installation notes. +### To 10.0.0 + +This major bump changes the following security defaults: + +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. + +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. + ### To 9.0.0 This major release renames several values in this chart and adds missing features, in order to be aligned with the rest of the assets in the Bitnami charts repository. diff --git a/charts/bitnami/mysql/charts/common/Chart.yaml b/charts/bitnami/mysql/charts/common/Chart.yaml index 2acf0cd40a..f86ccd23a4 100644 
--- a/charts/bitnami/mysql/charts/common/Chart.yaml +++ b/charts/bitnami/mysql/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.18.0 +appVersion: 2.19.0 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.18.0 +version: 2.19.0 diff --git a/charts/bitnami/mysql/charts/common/templates/_compatibility.tpl b/charts/bitnami/mysql/charts/common/templates/_compatibility.tpl index c529f08725..17665d567f 100644 --- a/charts/bitnami/mysql/charts/common/templates/_compatibility.tpl +++ b/charts/bitnami/mysql/charts/common/templates/_compatibility.tpl @@ -28,6 +28,10 @@ Usage: {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}} {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}} {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}} + {{- if not .secContext.seLinuxOptions -}} + {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}} + {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} + {{- end -}} {{- end -}} {{- end -}} {{- end -}} diff --git a/charts/bitnami/mysql/templates/networkpolicy.yaml b/charts/bitnami/mysql/templates/networkpolicy.yaml index 22192a5120..e6c1853dfb 100644 --- a/charts/bitnami/mysql/templates/networkpolicy.yaml +++ b/charts/bitnami/mysql/templates/networkpolicy.yaml 
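Review bot: The new empty-`seLinuxOptions` check sits inside the OpenShift adaptation branch, so it only runs when `adaptSecurityContext` is `force`, or `auto` on a cluster detected as OpenShift; on every other cluster a values default of `seLinuxOptions: {}` (which this same release introduces) is still rendered into the container securityContext. If the validation failure the template comment refers to is OpenShift-specific, the comment should say so, e.g. `{{/* OpenShift SCC admission rejects an empty seLinuxOptions object; drop it so the SCC-assigned defaults apply */}}`; if it occurs on any cluster, the three lines belong above the OpenShift `if` so they run unconditionally. I cannot see the failing validation from this hunk, so which of the two applies needs confirming. The enclosing `define` starts and ends outside the hunk.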
@@ -50,6 +50,26 @@ spec:
 {{- if .Values.metrics.enabled }}
 - port: {{ .Values.metrics.containerPorts.http }}
 {{- end }}
+{{- if .Values.primary.extraPorts }}
+{{- range $value := .Values.primary.extraPorts }}
+- port: {{ $value.containerPort }}
+{{- end }}
+{{- end }}
+{{- if .Values.primary.service.extraPorts }}
+{{- range $value := .Values.primary.service.extraPorts }}
+- port: {{ $value.port }}
+{{- end }}
+{{- end }}
+{{- if .Values.secondary.extraPorts }}
+{{- range $value := .Values.secondary.extraPorts }}
+- port: {{ $value.containerPort }}
+{{- end }}
+{{- end }}
+{{- if .Values.secondary.service.extraPorts }}
+{{- range $value := .Values.secondary.service.extraPorts }}
+- port: {{ $value.port }}
+{{- end }}
+{{- end }}
 {{- if not .Values.networkPolicy.allowExternal }}
 from:
 - podSelector:
diff --git a/charts/bitnami/mysql/templates/primary/statefulset.yaml b/charts/bitnami/mysql/templates/primary/statefulset.yaml
index cb70a3e8be..2e6297a76f 100644
--- a/charts/bitnami/mysql/templates/primary/statefulset.yaml
+++ b/charts/bitnami/mysql/templates/primary/statefulset.yaml
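Review bot: The two `service.extraPorts` loops emit `$value.port`, the Service port, but a NetworkPolicy ingress `port` is matched against the port the pod actually listens on; whenever an extra Service port maps to a different `targetPort`, the rule opens a pod port nothing listens on and leaves the real one blocked. In both loops use the target port with a fallback, `- port: {{ $value.targetPort | default $value.port }}` (a named targetPort is a valid NetworkPolicy port as long as the container declares it). If the policy's `podSelector` covers both primary and secondary pods, ports from `primary.*` are also opened on secondary pods and vice versa, widening the rule beyond the role that needs it; the selector is outside the hunk so I cannot confirm. An `extraPorts` entry without `containerPort` renders a bare `port:` and fails API validation, which is worth either a guard or a values comment.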
@@ -78,6 +78,32 @@ spec:
 terminationGracePeriodSeconds: {{ .Values.primary.terminationGracePeriodSeconds }}
 {{- end }}
 initContainers:
+- name: preserve-logs-symlinks
+image: {{ include "mysql.image" . }}
+imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+{{- if .Values.primary.containerSecurityContext.enabled }}
+securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.primary.containerSecurityContext "context" $) | nindent 12 }}
+{{- end }}
+{{- if .Values.primary.resources }}
+resources: {{ toYaml .Values.primary.resources | nindent 12 }}
+{{- else if ne .Values.primary.resourcesPreset "none" }}
+resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }}
+{{- end }}
+command:
+- /bin/bash
+args:
+- -ec
+- |
+#!/bin/bash
+
+. /opt/bitnami/scripts/libfs.sh
+# We copy the logs folder because it has symlinks to stdout and stderr
+if ! is_dir_empty /opt/bitnami/mysql/logs; then
+cp -r /opt/bitnami/mysql/logs /emptydir/app-logs-dir
+fi
+volumeMounts:
+- name: empty-dir
+mountPath: /emptydir
 {{- if and .Values.primary.podSecurityContext.enabled .Values.volumePermissions.enabled .Values.primary.persistence.enabled }}
 - name: volume-permissions
 image: {{ include "mysql.volumePermissions.image" . }}
diff --git a/charts/bitnami/mysql/templates/secondary/statefulset.yaml b/charts/bitnami/mysql/templates/secondary/statefulset.yaml
index 00163520db..cad837f07d 100644
--- a/charts/bitnami/mysql/templates/secondary/statefulset.yaml
+++ b/charts/bitnami/mysql/templates/secondary/statefulset.yaml
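Review bot: The copy in `preserve-logs-symlinks` is not idempotent: `cp -r SRC DST` nests SRC inside DST when DST already exists, so if this init container reruns against a populated emptyDir (init containers rerun when the pod is restarted, and emptyDir contents survive container restarts) the symlinks land in `/emptydir/app-logs-dir/logs/` rather than where the main container presumably mounts them. Copying the contents instead is restart-safe: `mkdir -p /emptydir/app-logs-dir` followed by `cp -r /opt/bitnami/mysql/logs/. /emptydir/app-logs-dir/`. The `#!/bin/bash` line inside `args` is inert since the interpreter is already `command: [/bin/bash]`. The container also inherits `primary.resourcesPreset` (`small` by default), so a one-shot `cp` reserves database-sized requests; a fixed nano-sized request would be cheaper. The pod spec continues outside the hunk.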
@@ -79,6 +79,32 @@ spec:
 terminationGracePeriodSeconds: {{ .Values.secondary.terminationGracePeriodSeconds }}
 {{- end }}
 initContainers:
+- name: preserve-logs-symlinks
+image: {{ include "mysql.image" . }}
+imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+{{- if .Values.secondary.containerSecurityContext.enabled }}
+securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.secondary.containerSecurityContext "context" $) | nindent 12 }}
+{{- end }}
+{{- if .Values.secondary.resources }}
+resources: {{ toYaml .Values.secondary.resources | nindent 12 }}
+{{- else if ne .Values.secondary.resourcesPreset "none" }}
+resources: {{- include "common.resources.preset" (dict "type" .Values.secondary.resourcesPreset) | nindent 12 }}
+{{- end }}
+command:
+- /bin/bash
+args:
+- -ec
+- |
+#!/bin/bash
+
+. /opt/bitnami/scripts/libfs.sh
+# We copy the logs folder because it has symlinks to stdout and stderr
+if ! is_dir_empty /opt/bitnami/mysql/logs; then
+cp -r /opt/bitnami/mysql/logs /emptydir/app-logs-dir
+fi
+volumeMounts:
+- name: empty-dir
+mountPath: /emptydir
 {{- if and .Values.secondary.podSecurityContext.enabled .Values.volumePermissions.enabled .Values.secondary.persistence.enabled }}
 - name: volume-permissions
 image: {{ include "mysql.volumePermissions.image" . }}
diff --git a/charts/bitnami/mysql/values.yaml b/charts/bitnami/mysql/values.yaml
index 3f88d1f1d4..db3cecfff5 100644
--- a/charts/bitnami/mysql/values.yaml
+++ b/charts/bitnami/mysql/values.yaml
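Review bot: This init container is a line-for-line duplicate of the one added to the primary StatefulSet, differing only in the `.Values.secondary.*` prefix, so any later fix to the script or its sizing has to be applied twice and can silently drift. A named template in the chart's helpers, e.g. `{{- define "mysql.initContainer.preserveLogsSymlinks" -}}` taking the role's values block and the root context as parameters and included from both StatefulSets, keeps them in sync. As written the script also nests `logs` under `/emptydir/app-logs-dir` when that directory already exists, because `cp -r` appends SRC to an existing DST; copying `/opt/bitnami/mysql/logs/.` avoids that. The pod spec continues outside the hunk.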
@@ -27,7 +27,7 @@ global: openshift: ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) ## - adaptSecurityContext: disabled + adaptSecurityContext: auto ## @section Common parameters ## @@ -345,16 +345,16 @@ primary: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] seccompProfile: type: "RuntimeDefault" - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true ## MySQL primary container's resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious @@ -364,7 +364,7 @@ primary: ## @param primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "small" ## @param primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: 
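Review bot: With `adaptSecurityContext: auto` the rendered securityContext now depends on cluster detection at render time, so `helm template` run outside the cluster (GitOps controllers, policy scanners, a dry run without `--api-versions`) can emit manifests that keep `runAsUser`/`runAsGroup`/`fsGroup` while an in-cluster install on OpenShift drops them. The detection helper is not in this hunk so I cannot see what it keys on, but if it reads `.Capabilities` that is exactly the input offline renders lack. A comment next to the default would save users a confusing diff, e.g. `## NOTE: "auto" is evaluated at render time; offline renders (GitOps, helm template) should pass --api-versions or set this to "force"/"disabled" explicitly.`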
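Review bot: `readOnlyRootFilesystem: true` is now the default for the primary container, but nothing in `values.yaml` says which paths the chart keeps writable, so users who add `initdbScripts`, sidecars or `extraVolumeMounts` that write under `/opt/bitnami/mysql` or `/tmp` will hit EROFS with no pointer to the cause. The StatefulSet hunk shows an `empty-dir` volume but not the main container's mounts, so I cannot list them from here; a comment above the key such as `## NOTE: the StatefulSet mounts emptyDir volumes over the paths MySQL writes to; customizations that write elsewhere need an extra volume or this set to false.` would be enough. The same note applies to the secondary and metrics blocks that get the same default.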
@@ -762,16 +762,16 @@ secondary: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] seccompProfile: type: "RuntimeDefault" - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true ## MySQL secondary container's resource requests and limits ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious @@ -781,7 +781,7 @@ secondary: ## @param secondary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if secondary.resources is set (secondary.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "small" ## @param secondary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -1143,7 +1143,7 @@ volumePermissions: ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: 
@@ -1199,16 +1199,16 @@ metrics: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] seccompProfile: type: "RuntimeDefault" - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true ## @param metrics.containerPorts.http Container port for http ## containerPorts: @@ -1279,7 +1279,7 @@ metrics: ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: diff --git a/charts/bitnami/postgresql/Chart.yaml b/charts/bitnami/postgresql/Chart.yaml index d5712df8ed..73bfc2d5f9 100644 --- a/charts/bitnami/postgresql/Chart.yaml +++ b/charts/bitnami/postgresql/Chart.yaml @@ -6,11 +6,11 @@ annotations: category: Database images: | - name: os-shell - image: docker.io/bitnami/os-shell:12-debian-12-r16 + image: docker.io/bitnami/os-shell:12-debian-12-r17 - name: postgres-exporter image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r14 - name: postgresql - image: docker.io/bitnami/postgresql:16.2.0-debian-12-r8 + image: docker.io/bitnami/postgresql:16.2.0-debian-12-r10 licenses: Apache-2.0 apiVersion: v2 appVersion: 16.2.0 @@ -38,4 +38,4 @@ maintainers: name: postgresql sources: - https://github.com/bitnami/charts/tree/main/bitnami/postgresql -version: 14.3.3 +version: 15.1.4 
diff --git a/charts/bitnami/postgresql/README.md b/charts/bitnami/postgresql/README.md index e05a3dfb7d..1490b5e963 100644 --- a/charts/bitnami/postgresql/README.md +++ b/charts/bitnami/postgresql/README.md 
@@ -44,43 +44,252 @@ The command deploys PostgreSQL on the Kubernetes cluster in the default configur > **Tip**: List all releases using `helm list` -## Uninstalling the Chart +## Configuration and installation details -To uninstall/delete the `my-release` deployment: +### Resource requests and limits -```console -helm delete my-release +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Customizing primary and read replica services in a replicated configuration + +At the top level, there is a service object which defines the services for both primary and readReplicas. For deeper customization, there are service objects for both the primary and read types individually. 
This allows you to override the values in the top level service object so that the primary and read can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the primary and read to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the primary.service or readReplicas.service objects will take precedence over the top level service object. + +### Use a different PostgreSQL version + +To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. + +### LDAP + +LDAP support can be enabled in the chart by specifying the `ldap.` parameters while creating a release. The following parameters should be configured to properly enable the LDAP support in the chart. + +- **ldap.enabled**: Enable LDAP support. Defaults to `false`. +- **ldap.uri**: LDAP URL beginning in the form `ldap[s]://:`. No defaults. +- **ldap.base**: LDAP base DN. No defaults. +- **ldap.binddn**: LDAP bind DN. No defaults. +- **ldap.bindpw**: LDAP bind password. No defaults. +- **ldap.bslookup**: LDAP base lookup. No defaults. +- **ldap.nss_initgroups_ignoreusers**: LDAP ignored users. `root,nslcd`. +- **ldap.scope**: LDAP search scope. No defaults. +- **ldap.tls_reqcert**: LDAP TLS check on server certificates. No defaults. + +For example: + +```text +ldap.enabled="true" +ldap.uri="ldap://my_ldap_server" +ldap.base="dc=example\,dc=org" +ldap.binddn="cn=admin\,dc=example\,dc=org" +ldap.bindpw="admin" +ldap.bslookup="ou=group-ok\,dc=example\,dc=org" +ldap.nss_initgroups_ignoreusers="root\,nslcd" +ldap.scope="sub" +ldap.tls_reqcert="demand" ``` -The command removes all the Kubernetes components but PVC's associated with the chart and deletes the release. 
+Next, login to the PostgreSQL server using the `psql` client and add the PAM authenticated LDAP users. + +> Note: Parameters including commas must be escaped as shown in the above example. + +### postgresql.conf / pg_hba.conf files as configMap + +This helm chart also supports to customize the PostgreSQL configuration file. You can add additional PostgreSQL configuration parameters using the `primary.extendedConfiguration`/`readReplicas.extendedConfiguration` parameters as a string. Alternatively, to replace the entire default configuration use `primary.configuration`. + +You can also add a custom pg_hba.conf using the `primary.pgHbaConfiguration` parameter. + +In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `primary.existingConfigmap` parameter. Note that this will override the two previous options. + +### Initialize a fresh instance + +The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, you can specify custom scripts using the `primary.initdb.scripts` parameter as a string. + +In addition, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `primary.initdb.scriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `primary.initdb.scriptsSecret` parameter. + +The allowed extensions are `.sh`, `.sql` and `.sql.gz`. + +### Securing traffic using TLS + +TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart: + +- `tls.enabled`: Enable TLS support. 
Defaults to `false` +- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults. +- `tls.certFilename`: Certificate filename. No defaults. +- `tls.certKeyFilename`: Certificate key filename. No defaults. + +For example: + +- First, create the secret with the cetificates files: + + ```console + kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt + ``` + +- Then, use the following parameters: + + ```console + volumePermissions.enabled=true + tls.enabled=true + tls.certificatesSecret="certificates-tls-secret" + tls.certFilename="cert.crt" + tls.certKeyFilename="cert.key" + ``` + + > Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `containerSecurityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected. -To delete the PVC's associated with `my-release`: +### Sidecars + +If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec. + +```yaml +# For the PostgreSQL primary +primary: + sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +# For the PostgreSQL replicas +readReplicas: + sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +### Metrics + +The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). 
The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). + +The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details. + +### Use of global variables + +In more complex scenarios, we may have the following tree of dependencies + +```text + +--------------+ + | | + +------------+ Chart 1 +-----------+ + | | | | + | --------+------+ | + | | | + | | | + | | | + | | | + v v v ++-------+------+ +--------+------+ +--------+------+ +| | | | | | +| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 | +| | | | | | ++--------------+ +---------------+ +---------------+ +``` + +The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters: + +```text +postgresql.auth.username=testuser +subchart1.postgresql.auth.username=testuser +subchart2.postgresql.auth.username=testuser +postgresql.auth.password=testpass +subchart1.postgresql.auth.password=testpass +subchart2.postgresql.auth.password=testpass +postgresql.auth.database=testdb +subchart1.postgresql.auth.database=testdb +subchart2.postgresql.auth.database=testdb +``` + +If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. 
An alternative would be to set the credentials using global variables as follows: + +```text +global.postgresql.auth.username=testuser +global.postgresql.auth.password=testpass +global.postgresql.auth.database=testdb +``` + +This way, the credentials will be available in all of the subcharts. + +### Backup and restore PostgreSQL deployments + +To back up and restore Bitnami PostgreSQL Helm chart deployments on Kubernetes, you need to back up the persistent volumes from the source deployment and attach them to a new deployment using [Velero](https://velero.io/), a Kubernetes backup/restore tool. + +These are the steps you will usually follow to back up and restore your PostgreSQL cluster data: + +- Install Velero on the source and destination clusters. +- Use Velero to back up the PersistentVolumes (PVs) used by the deployment on the source cluster. +- Use Velero to restore the backed-up PVs on the destination cluster. +- Create a new deployment on the destination cluster with the same chart, deployment name, credentials and other parameters as the original. This new deployment will use the restored PVs and hence the original data. + +Refer to our detailed [tutorial on backing up and restoring PostgreSQL deployments on Kubernetes](https://docs.bitnami.com/tutorials/migrate-data-bitnami-velero/) for more information. + +### NetworkPolicy + +To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. + +For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. 
Note: this will enforce policy for _all_ pods in the namespace: ```console -kubectl delete pvc -l release=my-release +kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" ``` -> **Note**: Deleting the PVC's will delete postgresql data as well. Please be cautious before doing it. +With NetworkPolicy enabled, traffic will be limited to just port 5432. + +For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL. +This label will be displayed in the output of a successful install. + +### Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image + +- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image. +- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift. +- For OpenShift up to 4.10, let set the volume permissions, security context, runAsUser and fsGroup automatically by OpenShift and disable the predefined settings of the helm chart: primary.securityContext.enabled=false,primary.containerSecurityContext.enabled=false,volumePermissions.enabled=false,shmVolume.enabled=false +- For OpenShift 4.11 and higher, let set OpenShift the runAsUser and fsGroup automatically. 
Configure the pod and container security context to restrictive defaults and disable the volume permissions setup: primary. + podSecurityContext.fsGroup=null,primary.podSecurityContext.seccompProfile.type=RuntimeDefault,primary.containerSecurityContext.runAsUser=null,primary.containerSecurityContext.allowPrivilegeEscalation=false,primary.containerSecurityContext.runAsNonRoot=true,primary.containerSecurityContext.seccompProfile.type=RuntimeDefault,primary.containerSecurityContext.capabilities.drop=['ALL'],volumePermissions.enabled=false,shmVolume.enabled=false + +### Setting Pod's affinity + +This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. + +## Persistence + +The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container. + +Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. +See the [Parameters](#parameters) section to configure the PVC or to disable persistence. + +If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to the [code present in the container repository](https://github.com/bitnami/containers/tree/main/bitnami/postgresql). If you need to use those data, please covert them to sql and import after `helm install` finished. 
## Parameters ### Global parameters -| Name | Description | Value | -| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | -| `global.postgresql.auth.postgresPassword` | Password for the "postgres" admin user (overrides `auth.postgresPassword`) | `""` | -| `global.postgresql.auth.username` | Name for a custom user to create (overrides `auth.username`) | `""` | -| `global.postgresql.auth.password` | Password for the custom user to create (overrides `auth.password`) | `""` | -| `global.postgresql.auth.database` | Name for a custom database to create (overrides `auth.database`) | `""` | -| `global.postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). | `""` | -| `global.postgresql.auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | -| `global.postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. 
| `""` | -| `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | -| `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | +| Name | Description | Value | +| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.postgresql.auth.postgresPassword` | Password for the "postgres" admin user (overrides `auth.postgresPassword`) | `""` | +| `global.postgresql.auth.username` | Name for a custom user to create (overrides `auth.username`) | `""` | +| `global.postgresql.auth.password` | Password for the custom user to create (overrides `auth.password`) | `""` | +| `global.postgresql.auth.database` | Name for a custom database to create (overrides `auth.database`) | `""` | +| 
`global.postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). | `""` | +| `global.postgresql.auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | +| `global.postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | +| `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | +| `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters 
@@ -205,7 +414,7 @@ kubectl delete pvc -l release=my-release
 | `primary.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
 | `primary.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
 | `primary.lifecycleHooks` | for the PostgreSQL Primary container to automate configuration before or after startup | `{}` |
-| `primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `none` |
+| `primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `nano` |
 | `primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `primary.podSecurityContext.enabled` | Enable security context | `true` |
 | `primary.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -213,12 +422,12 @@ kubectl delete pvc -l release=my-release
 | `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `primary.podSecurityContext.fsGroup` | Group ID for the pod | `1001` |
 | `primary.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
-| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `primary.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `primary.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
+| `primary.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
 | `primary.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `primary.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
 | `primary.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
 | `primary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `primary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
@@ -317,7 +526,7 @@ kubectl delete pvc -l release=my-release
 | `readReplicas.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
 | `readReplicas.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
 | `readReplicas.lifecycleHooks` | for the PostgreSQL read only container to automate configuration before or after startup | `{}` |
-| `readReplicas.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if readReplicas.resources is set (readReplicas.resources is recommended for production). | `none` |
+| `readReplicas.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if readReplicas.resources is set (readReplicas.resources is recommended for production). | `nano` |
 | `readReplicas.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `readReplicas.podSecurityContext.enabled` | Enable security context | `true` |
 | `readReplicas.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -325,12 +534,12 @@ kubectl delete pvc -l release=my-release
 | `readReplicas.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `readReplicas.podSecurityContext.fsGroup` | Group ID for the pod | `1001` |
 | `readReplicas.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
-| `readReplicas.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `readReplicas.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `readReplicas.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `readReplicas.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
+| `readReplicas.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
 | `readReplicas.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `readReplicas.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `readReplicas.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `readReplicas.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
 | `readReplicas.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
 | `readReplicas.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `readReplicas.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
@@ -414,12 +623,12 @@ kubectl delete pvc -l release=my-release
 | `backup.cronjob.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `backup.cronjob.podSecurityContext.fsGroup` | Group ID for the CronJob | `1001` |
 | `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
-| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `backup.cronjob.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
+| `backup.cronjob.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
 | `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
 | `backup.cronjob.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
 | `backup.cronjob.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `backup.cronjob.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
@@ -427,8 +636,10 @@ kubectl delete pvc -l release=my-release
 | `backup.cronjob.labels` | Set the cronjob labels | `{}` |
 | `backup.cronjob.annotations` | Set the cronjob annotations | `{}` |
 | `backup.cronjob.nodeSelector` | Node labels for PostgreSQL backup CronJob pod assignment | `{}` |
-| `backup.cronjob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if backup.cronjob.resources is set (backup.cronjob.resources is recommended for production). | `none` |
+| `backup.cronjob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if backup.cronjob.resources is set (backup.cronjob.resources is recommended for production). | `nano` |
 | `backup.cronjob.resources` | Set container requests and limits for different resources like CPU or memory | `{}` |
+| `backup.cronjob.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
+| `backup.cronjob.storage.enabled` | Enable using a `PersistentVolumeClaim` as backup data volume | `true` |
 | `backup.cronjob.storage.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` |
 | `backup.cronjob.storage.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` |
 | `backup.cronjob.storage.storageClass` | PVC Storage Class for the backup data volume | `""` |
@@ -438,6 +649,8 @@ kubectl delete pvc -l release=my-release
 | `backup.cronjob.storage.mountPath` | Path to mount the volume at | `/backup/pgdump` |
 | `backup.cronjob.storage.subPath` | Subdirectory of the volume to mount at | `""` |
 | `backup.cronjob.storage.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` |
+| `backup.cronjob.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the backup container | `[]` |
+| `backup.cronjob.extraVolumes` | Optionally specify extra list of additional volumes for the backup container | `[]` |
 
 ### Volume Permissions parameters
 
@@ -449,9 +662,9 @@ kubectl delete pvc -l release=my-release
 | `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
 | `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
 | `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` |
-| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` |
+| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` |
 | `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
-| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` |
 | `volumePermissions.containerSecurityContext.runAsGroup` | Group ID for the init container | `0` |
 | `volumePermissions.containerSecurityContext.runAsNonRoot` | runAsNonRoot for the init container | `false` |
@@ -484,12 +697,12 @@ kubectl delete pvc -l release=my-release | `metrics.customMetrics` | Define additional custom metrics | `{}` | | `metrics.extraEnvVars` | Extra environment variables to add to PostgreSQL Prometheus exporter | `[]` | | `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | -| `metrics.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | +| `metrics.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | | `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | -| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | | `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | | `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | 
@@ -515,7 +728,7 @@ kubectl delete pvc -l release=my-release | `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | | `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | | `metrics.containerPorts.metrics` | PostgreSQL Prometheus exporter metrics container port | `9187` | -| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` | | `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `metrics.service.ports.metrics` | PostgreSQL Prometheus Exporter service port | `9187` | | `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` | 
@@ -560,238 +773,22 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/postg > Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. > **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/postgresql/values.yaml) -## Configuration and installation details - -### Resource requests and limits - -Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. - -To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). - -### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) - -It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. - -Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. 
- -### Customizing primary and read replica services in a replicated configuration - -At the top level, there is a service object which defines the services for both primary and readReplicas. For deeper customization, there are service objects for both the primary and read types individually. This allows you to override the values in the top level service object so that the primary and read can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the primary and read to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the primary.service or readReplicas.service objects will take precedence over the top level service object. - -### Use a different PostgreSQL version - -To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. - -### LDAP - -LDAP support can be enabled in the chart by specifying the `ldap.` parameters while creating a release. The following parameters should be configured to properly enable the LDAP support in the chart. - -- **ldap.enabled**: Enable LDAP support. Defaults to `false`. -- **ldap.uri**: LDAP URL beginning in the form `ldap[s]://:`. No defaults. -- **ldap.base**: LDAP base DN. No defaults. -- **ldap.binddn**: LDAP bind DN. No defaults. -- **ldap.bindpw**: LDAP bind password. No defaults. -- **ldap.bslookup**: LDAP base lookup. No defaults. -- **ldap.nss_initgroups_ignoreusers**: LDAP ignored users. `root,nslcd`. -- **ldap.scope**: LDAP search scope. No defaults. -- **ldap.tls_reqcert**: LDAP TLS check on server certificates. No defaults. 
- -For example: - -```text -ldap.enabled="true" -ldap.uri="ldap://my_ldap_server" -ldap.base="dc=example\,dc=org" -ldap.binddn="cn=admin\,dc=example\,dc=org" -ldap.bindpw="admin" -ldap.bslookup="ou=group-ok\,dc=example\,dc=org" -ldap.nss_initgroups_ignoreusers="root\,nslcd" -ldap.scope="sub" -ldap.tls_reqcert="demand" -``` - -Next, login to the PostgreSQL server using the `psql` client and add the PAM authenticated LDAP users. - -> Note: Parameters including commas must be escaped as shown in the above example. - -### postgresql.conf / pg_hba.conf files as configMap - -This helm chart also supports to customize the PostgreSQL configuration file. You can add additional PostgreSQL configuration parameters using the `primary.extendedConfiguration`/`readReplicas.extendedConfiguration` parameters as a string. Alternatively, to replace the entire default configuration use `primary.configuration`. - -You can also add a custom pg_hba.conf using the `primary.pgHbaConfiguration` parameter. - -In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `primary.existingConfigmap` parameter. Note that this will override the two previous options. - -### Initialize a fresh instance - -The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, you can specify custom scripts using the `primary.initdb.scripts` parameter as a string. - -In addition, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `primary.initdb.scriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `primary.initdb.scriptsSecret` parameter. - -The allowed extensions are `.sh`, `.sql` and `.sql.gz`. 
- -### Securing traffic using TLS - -TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart: - -- `tls.enabled`: Enable TLS support. Defaults to `false` -- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults. -- `tls.certFilename`: Certificate filename. No defaults. -- `tls.certKeyFilename`: Certificate key filename. No defaults. - -For example: - -- First, create the secret with the cetificates files: - - ```console - kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt - ``` - -- Then, use the following parameters: - - ```console - volumePermissions.enabled=true - tls.enabled=true - tls.certificatesSecret="certificates-tls-secret" - tls.certFilename="cert.crt" - tls.certKeyFilename="cert.key" - ``` - - > Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `containerSecurityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected. - -### Sidecars - -If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec. 
- -```yaml -# For the PostgreSQL primary -primary: - sidecars: - - name: your-image-name - image: your-image - imagePullPolicy: Always - ports: - - name: portname - containerPort: 1234 -# For the PostgreSQL replicas -readReplicas: - sidecars: - - name: your-image-name - image: your-image - imagePullPolicy: Always - ports: - - name: portname - containerPort: 1234 -``` - -### Metrics - -The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). - -The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details. - -### Use of global variables - -In more complex scenarios, we may have the following tree of dependencies - -```text - +--------------+ - | | - +------------+ Chart 1 +-----------+ - | | | | - | --------+------+ | - | | | - | | | - | | | - | | | - v v v -+-------+------+ +--------+------+ +--------+------+ -| | | | | | -| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 | -| | | | | | -+--------------+ +---------------+ +---------------+ -``` - -The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. 
In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters: - -```text -postgresql.auth.username=testuser -subchart1.postgresql.auth.username=testuser -subchart2.postgresql.auth.username=testuser -postgresql.auth.password=testpass -subchart1.postgresql.auth.password=testpass -subchart2.postgresql.auth.password=testpass -postgresql.auth.database=testdb -subchart1.postgresql.auth.database=testdb -subchart2.postgresql.auth.database=testdb -``` - -If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows: - -```text -global.postgresql.auth.username=testuser -global.postgresql.auth.password=testpass -global.postgresql.auth.database=testdb -``` - -This way, the credentials will be available in all of the subcharts. - -### Persistence - -The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container. - -Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. -See the [Parameters](#parameters) section to configure the PVC or to disable persistence. - -If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to the [code present in the container repository](https://github.com/bitnami/containers/tree/main/bitnami/postgresql). If you need to use those data, please covert them to sql and import after `helm install` finished. 
- -### Backup and restore PostgreSQL deployments - -To back up and restore Bitnami PostgreSQL Helm chart deployments on Kubernetes, you need to back up the persistent volumes from the source deployment and attach them to a new deployment using [Velero](https://velero.io/), a Kubernetes backup/restore tool. - -These are the steps you will usually follow to back up and restore your PostgreSQL cluster data: - -- Install Velero on the source and destination clusters. -- Use Velero to back up the PersistentVolumes (PVs) used by the deployment on the source cluster. -- Use Velero to restore the backed-up PVs on the destination cluster. -- Create a new deployment on the destination cluster with the same chart, deployment name, credentials and other parameters as the original. This new deployment will use the restored PVs and hence the original data. - -Refer to our detailed [tutorial on backing up and restoring PostgreSQL deployments on Kubernetes](https://docs.bitnami.com/tutorials/migrate-data-bitnami-velero/) for more information. - -### NetworkPolicy - -To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. - -For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace: - -```console -kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" -``` - -With NetworkPolicy enabled, traffic will be limited to just port 5432. - -For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL. -This label will be displayed in the output of a successful install. 
- -### Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image - -- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image. -- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift. -- For OpenShift up to 4.10, let set the volume permissions, security context, runAsUser and fsGroup automatically by OpenShift and disable the predefined settings of the helm chart: primary.securityContext.enabled=false,primary.containerSecurityContext.enabled=false,volumePermissions.enabled=false,shmVolume.enabled=false -- For OpenShift 4.11 and higher, let set OpenShift the runAsUser and fsGroup automatically. Configure the pod and container security context to restrictive defaults and disable the volume permissions setup: primary. 
- podSecurityContext.fsGroup=null,primary.podSecurityContext.seccompProfile.type=RuntimeDefault,primary.containerSecurityContext.runAsUser=null,primary.containerSecurityContext.allowPrivilegeEscalation=false,primary.containerSecurityContext.runAsNonRoot=true,primary.containerSecurityContext.seccompProfile.type=RuntimeDefault,primary.containerSecurityContext.capabilities.drop=['ALL'],volumePermissions.enabled=false,shmVolume.enabled=false +## Troubleshooting -### Setting Pod's affinity +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). -This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). +## Upgrading -As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. +### To 15.0.0 -## Troubleshooting +This major bump changes the following security defaults: -Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. 
-## Upgrading +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. ### To 14.0.0 diff --git a/charts/bitnami/postgresql/templates/backup/cronjob.yaml b/charts/bitnami/postgresql/templates/backup/cronjob.yaml index f48f6c4876..0f79b7a5f7 100644 --- a/charts/bitnami/postgresql/templates/backup/cronjob.yaml +++ b/charts/bitnami/postgresql/templates/backup/cronjob.yaml @@ -83,15 +83,20 @@ spec: command: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.command "context" $) | nindent 14 }} volumeMounts: {{- if .Values.tls.enabled }} - - name: certs - mountPath: /certs + - name: raw-certificates + mountPath: /tmp/certs {{- end }} + {{- if .Values.backup.cronjob.storage.enabled }} - name: datadir mountPath: {{ .Values.backup.cronjob.storage.mountPath }} subPath: {{ .Values.backup.cronjob.storage.subPath }} + {{- end }} - name: empty-dir mountPath: /tmp subPath: tmp-dir + {{- if .Values.backup.cronjob.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.extraVolumeMounts "context" $) | nindent 14 }} + {{- end }} {{- if .Values.backup.cronjob.containerSecurityContext.enabled }} securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.backup.cronjob.containerSecurityContext "context" $) | nindent 14 }} {{- end }} @@ -108,8 +113,10 @@ spec: volumes: {{- if .Values.tls.enabled }} - name: raw-certificates - emptyDir: /tmp/certs + secret: + secretName: {{ include "postgresql.v1.tlsSecretName" . }} {{- end }} + {{- if .Values.backup.cronjob.storage.enabled }} {{- if .Values.backup.cronjob.storage.existingClaim }} - name: datadir persistentVolumeClaim: 
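Review bot: The `raw-certificates` Secret volume added in the second cronjob hunk carries no `defaultMode`, so the TLS private key is mounted world-readable inside the backup container (the Secret volume default is 0644). libpq refuses a client key that is group- or world-readable (a root-owned key may be at most 0640), so if `backup.cronjob.command` hands the mounted key over as `sslkey` the job can fail at connect time, and even when only the CA is consumed the key is readable more widely than it needs to be; adding `defaultMode: 0400` under `secret:` closes that (an `fsGroup`, if set, widens it to 0440, which libpq still accepts for a root-owned file). The mountPath also moved from `/certs` to `/tmp/certs`, which breaks any user-supplied `backup.cronjob.command` that still references the old path, and the README "To 15.0.0" upgrade notes in this same diff do not mention it. The command that consumes these files lies outside the hunk, so confirm which path and SSL options it actually uses.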
@@ -119,6 +126,10 @@ spec: persistentVolumeClaim: claimName: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall {{- end }} + {{- end }} - name: empty-dir emptyDir: {} + {{- if .Values.backup.cronjob.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.extraVolumes "context" $ ) | nindent 12 }} + {{- end }} {{- end }} diff --git a/charts/bitnami/postgresql/templates/backup/networkpolicy.yaml b/charts/bitnami/postgresql/templates/backup/networkpolicy.yaml new file mode 100644 index 0000000000..8373ee5fb6 --- /dev/null +++ b/charts/bitnami/postgresql/templates/backup/networkpolicy.yaml @@ -0,0 +1,28 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.backup.enabled .Values.backup.cronjob.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ include "postgresql.v1.primary.fullname" . }}-pgdumpall + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: pg_dumpall + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.backup.cronjob.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: pg_dumpall + policyTypes: + - Egress + egress: + - ports: + - port: 5432 + protocol: TCP +{{- end }} diff --git a/charts/bitnami/postgresql/templates/backup/pvc.yaml b/charts/bitnami/postgresql/templates/backup/pvc.yaml index 6fe9cbf762..686e9ad382 100644 
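Review bot: The new egress policy in `templates/backup/networkpolicy.yaml` allows TCP 5432 and nothing else, so on a NetworkPolicy-enforcing CNI the pg_dumpall pod gets no UDP/TCP 53 egress and cannot resolve the primary's service name; if the backup command connects by DNS name, as it presumably does, the job fails. The single rule also has no `to:` selector, so it still permits 5432 to any pod, namespace or external host, which is more than the job needs. Because `backup.cronjob.networkPolicy.enabled` defaults to `true` in this diff, every install with `backup.enabled` is affected. Add a DNS rule and scope the 5432 rule to this release's primary pods; the primary's pod labels are not visible in this chunk, so the selector below is a placeholder to confirm against the statefulset template.
```yaml
  policyTypes:
    - Egress
  egress:
    # DNS so the job can resolve the primary's service name
    - ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # PostgreSQL only to this release's primary pods, not any 5432 reachable from the cluster
    - ports:
        - port: 5432
          protocol: TCP
      to:
        - podSelector:
            matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
              app.kubernetes.io/component: primary  # TODO confirm against the primary statefulset labels
```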
--- a/charts/bitnami/postgresql/templates/backup/pvc.yaml +++ b/charts/bitnami/postgresql/templates/backup/pvc.yaml @@ -3,7 +3,7 @@ Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if and .Values.backup.enabled (not .Values.backup.cronjob.storage.existingClaim) -}} +{{- if and .Values.backup.enabled .Values.backup.cronjob.storage.enabled (not .Values.backup.cronjob.storage.existingClaim) -}} apiVersion: v1 kind: PersistentVolumeClaim metadata: diff --git a/charts/bitnami/postgresql/values.yaml b/charts/bitnami/postgresql/values.yaml index c97426e5fc..917a32b233 100644 --- a/charts/bitnami/postgresql/values.yaml +++ b/charts/bitnami/postgresql/values.yaml @@ -50,7 +50,7 @@ global: openshift: ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) ## - adaptSecurityContext: disabled + adaptSecurityContext: auto ## @section Common parameters ## @@ -105,7 +105,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/postgresql - tag: 16.2.0-debian-12-r8 + tag: 16.2.0-debian-12-r10 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
@@ -448,7 +448,7 @@ primary: ## @param primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -489,12 +489,12 @@ primary: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] @@ -885,7 +885,7 @@ readReplicas: ## @param readReplicas.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if readReplicas.resources is set (readReplicas.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param readReplicas.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -926,12 +926,12 @@ readReplicas: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] 
@@ -1279,12 +1279,12 @@ backup: ## @param backup.cronjob.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] @@ -1308,7 +1308,7 @@ backup: ## @param backup.cronjob.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if backup.cronjob.resources is set (backup.cronjob.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param backup.cronjob.resources Set container requests and limits for different resources like CPU or memory ## Example: resources: {} @@ -1319,7 +1319,14 @@ backup: ## limits: ## cpu: 2 ## memory: 1024Mi + networkPolicy: + ## @param backup.cronjob.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true storage: + ## @param backup.cronjob.storage.enabled Enable using a `PersistentVolumeClaim` as backup data volume + ## + enabled: true ## @param backup.cronjob.storage.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) ## If defined, PVC must be created manually before volume will be bound ## 
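Review bot: The new `backup.cronjob.storage.enabled` flag drops the `datadir` mount from the cronjob when set to `false` (the mount is conditional on it in `templates/backup/cronjob.yaml`), while the first hunk here makes `readOnlyRootFilesystem: true` the default, so `backup.cronjob.storage.mountPath` (`/backup/pgdump`) then sits on a read-only root filesystem and a dump written there fails at run time rather than at template time. The `@param` comment should say so: something like "If disabled, supply a writable volume at backup.cronjob.storage.mountPath through backup.cronjob.extraVolumes/extraVolumeMounts, since the backup container runs with a read-only root filesystem". The command that writes the dump is not in the hunk, so confirm it targets `mountPath`. The `backup.cronjob.networkPolicy.enabled: true` default is equally silent about needing a NetworkPolicy-enforcing CNI to have any effect; one clause in its `@param` comment would cover that.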
@@ -1359,6 +1366,12 @@ backup: ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details ## selector: {} + ## @param backup.cronjob.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the backup container + ## + extraVolumeMounts: [] + ## @param backup.cronjob.extraVolumes Optionally specify extra list of additional volumes for the backup container + ## + extraVolumes: [] ## @section Volume Permissions parameters ## @@ -1379,7 +1392,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 12-debian-12-r16 + tag: 12-debian-12-r17 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1395,7 +1408,7 @@ volumePermissions: ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -1417,7 +1430,7 @@ volumePermissions: ## @param volumePermissions.containerSecurityContext.seccompProfile.type seccompProfile.type for the init container ## containerSecurityContext: - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 0 runAsGroup: 0 runAsNonRoot: false 
@@ -1542,12 +1555,12 @@ metrics: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] @@ -1615,7 +1628,7 @@ metrics: ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: diff --git a/charts/bitnami/redis/Chart.yaml b/charts/bitnami/redis/Chart.yaml index a1c438fefe..a61277d717 100644 --- a/charts/bitnami/redis/Chart.yaml +++ b/charts/bitnami/redis/Chart.yaml @@ -39,4 +39,4 @@ maintainers: name: redis sources: - https://github.com/bitnami/charts/tree/main/bitnami/redis -version: 18.19.2 +version: 19.0.1 diff --git a/charts/bitnami/redis/README.md b/charts/bitnami/redis/README.md index 8cac98b7ed..b958bd87a6 100644 --- a/charts/bitnami/redis/README.md +++ b/charts/bitnami/redis/README.md @@ -1,8 +1,8 @@ -# Bitnami package for Redis(R) +# Bitnami package for Redis® -Redis(R) is an open source, advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. +Redis® is an open source, advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. [Overview of Redis®](http://redis.io) 
@@ -14,7 +14,7 @@ Disclaimer: Redis is a registered trademark of Redis Ltd. Any rights therein are helm install my-release oci://registry-1.docker.io/bitnamicharts/redis ``` -Looking to use Redisreg; in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. +Looking to use Redis® in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. ## Introduction 
@@ -57,686 +57,87 @@ The command deploys Redis® on the Kubernetes cluster in the default configur
 > **Tip**: List all releases using `helm list`
-## Uninstalling the Chart
+## Configuration and installation details
-To uninstall/delete the `my-release` deployment:
+### Resource requests and limits
-```console
-helm delete my-release
+Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
+
+To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
+
+### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers)
+
+It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
+
+Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
+
+### Use a different Redis® version
+
+To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter.
+
+### Bootstrapping with an External Cluster
+
+This chart is equipped with the ability to bring online a set of Pods that connect to an existing Redis deployment that lies outside of Kubernetes. This effectively creates a hybrid Redis Deployment where both Pods in Kubernetes and Instances such as Virtual Machines can partake in a single Redis Deployment. This is helpful in situations where one may be migrating Redis from Virtual Machines into Kubernetes, for example. To take advantage of this, use the following as an example configuration:
+
+```yaml
+replica:
+ externalMaster:
+ enabled: true
+ host: external-redis-0.internal
+sentinel:
+ externalMaster:
+ enabled: true
+ host: external-redis-0.internal
 ```
-The command removes all the Kubernetes components associated with the chart and deletes the release.
+:warning: This is currently limited to clusters in which Sentinel and Redis run on the same node! :warning:
-## Parameters
+Please also note that the external sentinel must be listening on port `26379`, and this is currently not configurable.
-### Global parameters
+Once the Kubernetes Redis Deployment is online and confirmed to be working with the existing cluster, the configuration can then be removed and the cluster will remain connected.
-| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | -| `global.redis.password` | Global Redis® password (overrides `auth.password`) | `""` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | +### External DNS -### Common parameters +This chart is equipped to allow leveraging the ExternalDNS project. Doing so will enable ExternalDNS to publish the FQDN for each instance, in the format of `..`. 
+Example, when using the following configuration: -| Name | Description | Value | -| ------------------------- | -------------------------------------------------------------------------------------------------------------- | --------------- | -| `kubeVersion` | Override Kubernetes version | `""` | -| `nameOverride` | String to partially override common.names.fullname | `""` | -| `fullnameOverride` | String to fully override common.names.fullname | `""` | -| `namespaceOverride` | String to fully override common.names.namespace | `""` | -| `commonLabels` | Labels to add to all deployed objects | `{}` | -| `commonAnnotations` | Annotations to add to all deployed objects | `{}` | -| `secretAnnotations` | Annotations to add to secret | `{}` | -| `clusterDomain` | Kubernetes cluster domain name | `cluster.local` | -| `extraDeploy` | Array of extra objects to deploy with the release | `[]` | -| `useHostnames` | Use hostnames internally when announcing replication. If false, the hostname will be resolved to an IP address | `true` | -| `nameResolutionThreshold` | Failure threshold for internal hostnames resolution | `5` | -| `nameResolutionTimeout` | Timeout seconds between probes for internal hostnames resolution | `5` | -| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | -| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` | -| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` | +```yaml +useExternalDNS: + enabled: true + suffix: prod.example.org + additionalAnnotations: + ttl: 10 +``` -### Redis® Image parameters +On a cluster where the name of the Helm release is `a`, the hostname of a Pod is generated as: `a-redis-node-0.a-redis.prod.example.org`. The IP of that FQDN will match that of the associated Pod. 
This modifies the following parameters of the Redis/Sentinel configuration using this new FQDN: -| Name | Description | Value | -| ------------------- | ---------------------------------------------------------------------------------------------------------- | ----------------------- | -| `image.registry` | Redis® image registry | `REGISTRY_NAME` | -| `image.repository` | Redis® image repository | `REPOSITORY_NAME/redis` | -| `image.digest` | Redis® image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `image.pullPolicy` | Redis® image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Redis® image pull secrets | `[]` | -| `image.debug` | Enable image debug mode | `false` | +- `replica-announce-ip` +- `known-sentinel` +- `known-replica` +- `announce-ip` -### Redis® common configuration parameters +:warning: This requires a working installation of `external-dns` to be fully functional. :warning: -| Name | Description | Value | -| -------------------------------- | ------------------------------------------------------------------------------------- | ------------- | -| `architecture` | Redis® architecture. 
Allowed values: `standalone` or `replication` | `replication` | -| `auth.enabled` | Enable password authentication | `true` | -| `auth.sentinel` | Enable password authentication on sentinels too | `true` | -| `auth.password` | Redis® password | `""` | -| `auth.existingSecret` | The name of an existing secret with Redis® credentials | `""` | -| `auth.existingSecretPasswordKey` | Password key to be retrieved from existing secret | `""` | -| `auth.usePasswordFiles` | Mount credentials as files instead of using an environment variable | `false` | -| `auth.usePasswordFileFromSecret` | Mount password file from secret | `true` | -| `commonConfiguration` | Common configuration to be added into the ConfigMap | `""` | -| `existingConfigmap` | The name of an existing ConfigMap with your custom configuration for Redis® nodes | `""` | +See the [official ExternalDNS documentation](https://github.com/kubernetes-sigs/external-dns) for additional configuration options. -### Redis® master configuration parameters +### Cluster topologies -| Name | Description | Value | -| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------ | -| `master.count` | Number of Redis® master instances to deploy (experimental, requires additional configuration) | `1` | -| `master.configuration` | Configuration for Redis® master nodes | `""` | -| `master.disableCommands` | Array with Redis® commands to disable on master nodes | `["FLUSHDB","FLUSHALL"]` | -| `master.command` | Override default container command (useful when using custom images) | `[]` | -| `master.args` | Override default container args (useful when using custom images) | `[]` | -| `master.enableServiceLinks` | Whether information about services should be injected into pod's environment variable 
| `true` | -| `master.preExecCmds` | Additional commands to run prior to starting Redis® master | `[]` | -| `master.extraFlags` | Array with additional command line flags for Redis® master | `[]` | -| `master.extraEnvVars` | Array with extra environment variables to add to Redis® master nodes | `[]` | -| `master.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® master nodes | `""` | -| `master.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® master nodes | `""` | -| `master.containerPorts.redis` | Container port to open on Redis® master nodes | `6379` | -| `master.startupProbe.enabled` | Enable startupProbe on Redis® master nodes | `false` | -| `master.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `20` | -| `master.startupProbe.periodSeconds` | Period seconds for startupProbe | `5` | -| `master.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `master.startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` | -| `master.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `master.livenessProbe.enabled` | Enable livenessProbe on Redis® master nodes | `true` | -| `master.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` | -| `master.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | -| `master.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `master.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` | -| `master.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `master.readinessProbe.enabled` | Enable readinessProbe on Redis® master nodes | `true` | -| `master.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` | -| `master.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | -| 
`master.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | -| `master.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` | -| `master.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `master.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `master.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `master.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `master.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production). | `none` | -| `master.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | -| `master.podSecurityContext.enabled` | Enabled Redis® master pods' Security Context | `true` | -| `master.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | -| `master.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | -| `master.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | -| `master.podSecurityContext.fsGroup` | Set Redis® master pod's Security Context fsGroup | `1001` | -| `master.containerSecurityContext.enabled` | Enabled Redis® master containers' Security Context | `true` | -| `master.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `master.containerSecurityContext.runAsUser` | Set Redis® master containers' Security Context runAsUser | `1001` | -| `master.containerSecurityContext.runAsGroup` | Set Redis® master containers' Security Context runAsGroup | `0` | -| `master.containerSecurityContext.runAsNonRoot` | Set Redis® master containers' Security Context runAsNonRoot | 
`true` | -| `master.containerSecurityContext.allowPrivilegeEscalation` | Is it possible to escalate Redis® pod(s) privileges | `false` | -| `master.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` | -| `master.containerSecurityContext.seccompProfile.type` | Set Redis® master containers' Security Context seccompProfile | `RuntimeDefault` | -| `master.containerSecurityContext.capabilities.drop` | Set Redis® master containers' Security Context capabilities to drop | `["ALL"]` | -| `master.kind` | Use either Deployment, StatefulSet (default) or DaemonSet | `StatefulSet` | -| `master.schedulerName` | Alternate scheduler for Redis® master pods | `""` | -| `master.updateStrategy.type` | Redis® master statefulset strategy type | `RollingUpdate` | -| `master.minReadySeconds` | How many seconds a pod needs to be ready before killing the next, during update | `0` | -| `master.priorityClassName` | Redis® master pods' priorityClassName | `""` | -| `master.automountServiceAccountToken` | Mount Service Account token in pod | `false` | -| `master.hostAliases` | Redis® master pods host aliases | `[]` | -| `master.podLabels` | Extra labels for Redis® master pods | `{}` | -| `master.podAnnotations` | Annotations for Redis® master pods | `{}` | -| `master.shareProcessNamespace` | Share a single process namespace between all of the containers in Redis® master pods | `false` | -| `master.podAffinityPreset` | Pod affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `master.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `master.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `master.nodeAffinityPreset.key` | Node label key to match. 
Ignored if `master.affinity` is set | `""` | -| `master.nodeAffinityPreset.values` | Node label values to match. Ignored if `master.affinity` is set | `[]` | -| `master.affinity` | Affinity for Redis® master pods assignment | `{}` | -| `master.nodeSelector` | Node labels for Redis® master pods assignment | `{}` | -| `master.tolerations` | Tolerations for Redis® master pods assignment | `[]` | -| `master.topologySpreadConstraints` | Spread Constraints for Redis® master pod assignment | `[]` | -| `master.dnsPolicy` | DNS Policy for Redis® master pod | `""` | -| `master.dnsConfig` | DNS Configuration for Redis® master pod | `{}` | -| `master.lifecycleHooks` | for the Redis® master container(s) to automate configuration before or after startup | `{}` | -| `master.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® master pod(s) | `[]` | -| `master.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® master container(s) | `[]` | -| `master.sidecars` | Add additional sidecar containers to the Redis® master pod(s) | `[]` | -| `master.initContainers` | Add additional init containers to the Redis® master pod(s) | `[]` | -| `master.persistence.enabled` | Enable persistence on Redis® master nodes using Persistent Volume Claims | `true` | -| `master.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | -| `master.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes. 
| `""` | -| `master.persistence.path` | The path the volume will be mounted at on Redis® master containers | `/data` | -| `master.persistence.subPath` | The subdirectory of the volume to mount on Redis® master containers | `""` | -| `master.persistence.subPathExpr` | Used to construct the subPath subdirectory of the volume to mount on Redis® master containers | `""` | -| `master.persistence.storageClass` | Persistent Volume storage class | `""` | -| `master.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` | -| `master.persistence.size` | Persistent Volume size | `8Gi` | -| `master.persistence.annotations` | Additional custom annotations for the PVC | `{}` | -| `master.persistence.labels` | Additional custom labels for the PVC | `{}` | -| `master.persistence.selector` | Additional labels to match for the PVC | `{}` | -| `master.persistence.dataSource` | Custom PVC data source | `{}` | -| `master.persistence.existingClaim` | Use a existing PVC which must be created manually before bound | `""` | -| `master.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` | -| `master.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | -| `master.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | -| `master.service.type` | Redis® master service type | `ClusterIP` | -| `master.service.ports.redis` | Redis® master service port | `6379` | -| `master.service.nodePorts.redis` | Node port for Redis® master | `""` | -| `master.service.externalTrafficPolicy` | Redis® master service external traffic policy | `Cluster` | -| `master.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `master.service.internalTrafficPolicy` | Redis® master service internal traffic 
policy (requires Kubernetes v1.22 or greater to be usable) | `Cluster` | -| `master.service.clusterIP` | Redis® master service Cluster IP | `""` | -| `master.service.loadBalancerIP` | Redis® master service Load Balancer IP | `""` | -| `master.service.loadBalancerClass` | master service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | -| `master.service.loadBalancerSourceRanges` | Redis® master service Load Balancer sources | `[]` | -| `master.service.externalIPs` | Redis® master service External IPs | `[]` | -| `master.service.annotations` | Additional custom annotations for Redis® master service | `{}` | -| `master.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `master.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `master.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-master pods | `30` | -| `master.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | -| `master.serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `master.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` | -| `master.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | +#### Default: Master-Replicas -### Redis® replicas configuration parameters +When installing the chart with `architecture=replication`, it will deploy a Redis® master StatefulSet and a Redis® replicas StatefulSet. The replicas will be read-replicas of the master. 
Two services will be exposed: -| Name | Description | Value | -| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | -| `replica.kind` | Use either DaemonSet or StatefulSet (default) | `StatefulSet` | -| `replica.replicaCount` | Number of Redis® replicas to deploy | `3` | -| `replica.configuration` | Configuration for Redis® replicas nodes | `""` | -| `replica.disableCommands` | Array with Redis® commands to disable on replicas nodes | `["FLUSHDB","FLUSHALL"]` | -| `replica.command` | Override default container command (useful when using custom images) | `[]` | -| `replica.args` | Override default container args (useful when using custom images) | `[]` | -| `replica.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | -| `replica.preExecCmds` | Additional commands to run prior to starting Redis® replicas | `[]` | -| `replica.extraFlags` | Array with additional command line flags for Redis® replicas | `[]` | -| `replica.extraEnvVars` | Array with extra environment variables to add to Redis® replicas nodes | `[]` | -| `replica.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® replicas nodes | `""` | -| `replica.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® replicas nodes | `""` | -| `replica.externalMaster.enabled` | Use external master for bootstrapping | `false` | -| `replica.externalMaster.host` | External master host to bootstrap from | `""` | -| `replica.externalMaster.port` | Port for Redis service external master host | `6379` | -| `replica.containerPorts.redis` | Container port to open on Redis® replicas nodes | `6379` | -| `replica.startupProbe.enabled` | Enable 
startupProbe on Redis® replicas nodes | `true` | -| `replica.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | -| `replica.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `replica.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `replica.startupProbe.failureThreshold` | Failure threshold for startupProbe | `22` | -| `replica.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `replica.livenessProbe.enabled` | Enable livenessProbe on Redis® replicas nodes | `true` | -| `replica.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` | -| `replica.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | -| `replica.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `replica.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` | -| `replica.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `replica.readinessProbe.enabled` | Enable readinessProbe on Redis® replicas nodes | `true` | -| `replica.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` | -| `replica.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | -| `replica.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | -| `replica.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` | -| `replica.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `replica.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `replica.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `replica.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `replica.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, 
medium, large, xlarge, 2xlarge). This is ignored if replica.resources is set (replica.resources is recommended for production). | `none` | -| `replica.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | -| `replica.podSecurityContext.enabled` | Enabled Redis® replicas pods' Security Context | `true` | -| `replica.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | -| `replica.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | -| `replica.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | -| `replica.podSecurityContext.fsGroup` | Set Redis® replicas pod's Security Context fsGroup | `1001` | -| `replica.containerSecurityContext.enabled` | Enabled Redis® replicas containers' Security Context | `true` | -| `replica.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `replica.containerSecurityContext.runAsUser` | Set Redis® replicas containers' Security Context runAsUser | `1001` | -| `replica.containerSecurityContext.runAsGroup` | Set Redis® replicas containers' Security Context runAsGroup | `0` | -| `replica.containerSecurityContext.runAsNonRoot` | Set Redis® replicas containers' Security Context runAsNonRoot | `true` | -| `replica.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® replicas pod's Security Context allowPrivilegeEscalation | `false` | -| `replica.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` | -| `replica.containerSecurityContext.seccompProfile.type` | Set Redis® replicas containers' Security Context seccompProfile | `RuntimeDefault` | -| `replica.containerSecurityContext.capabilities.drop` | Set Redis® replicas containers' Security Context capabilities to drop | `["ALL"]` | -| `replica.schedulerName` | Alternate scheduler for Redis® replicas pods | 
`""` | -| `replica.updateStrategy.type` | Redis® replicas statefulset strategy type | `RollingUpdate` | -| `replica.minReadySeconds` | How many seconds a pod needs to be ready before killing the next, during update | `0` | -| `replica.priorityClassName` | Redis® replicas pods' priorityClassName | `""` | -| `replica.podManagementPolicy` | podManagementPolicy to manage scaling operation of %%MAIN_CONTAINER_NAME%% pods | `""` | -| `replica.automountServiceAccountToken` | Mount Service Account token in pod | `false` | -| `replica.hostAliases` | Redis® replicas pods host aliases | `[]` | -| `replica.podLabels` | Extra labels for Redis® replicas pods | `{}` | -| `replica.podAnnotations` | Annotations for Redis® replicas pods | `{}` | -| `replica.shareProcessNamespace` | Share a single process namespace between all of the containers in Redis® replicas pods | `false` | -| `replica.podAffinityPreset` | Pod affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `replica.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `replica.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `replica.nodeAffinityPreset.key` | Node label key to match. Ignored if `replica.affinity` is set | `""` | -| `replica.nodeAffinityPreset.values` | Node label values to match. 
Ignored if `replica.affinity` is set | `[]` | -| `replica.affinity` | Affinity for Redis® replicas pods assignment | `{}` | -| `replica.nodeSelector` | Node labels for Redis® replicas pods assignment | `{}` | -| `replica.tolerations` | Tolerations for Redis® replicas pods assignment | `[]` | -| `replica.topologySpreadConstraints` | Spread Constraints for Redis® replicas pod assignment | `[]` | -| `replica.dnsPolicy` | DNS Policy for Redis® replica pods | `""` | -| `replica.dnsConfig` | DNS Configuration for Redis® replica pods | `{}` | -| `replica.lifecycleHooks` | for the Redis® replica container(s) to automate configuration before or after startup | `{}` | -| `replica.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® replicas pod(s) | `[]` | -| `replica.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® replicas container(s) | `[]` | -| `replica.sidecars` | Add additional sidecar containers to the Redis® replicas pod(s) | `[]` | -| `replica.initContainers` | Add additional init containers to the Redis® replicas pod(s) | `[]` | -| `replica.persistence.enabled` | Enable persistence on Redis® replicas nodes using Persistent Volume Claims | `true` | -| `replica.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | -| `replica.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes. 
| `""` | -| `replica.persistence.path` | The path the volume will be mounted at on Redis® replicas containers | `/data` | -| `replica.persistence.subPath` | The subdirectory of the volume to mount on Redis® replicas containers | `""` | -| `replica.persistence.subPathExpr` | Used to construct the subPath subdirectory of the volume to mount on Redis® replicas containers | `""` | -| `replica.persistence.storageClass` | Persistent Volume storage class | `""` | -| `replica.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` | -| `replica.persistence.size` | Persistent Volume size | `8Gi` | -| `replica.persistence.annotations` | Additional custom annotations for the PVC | `{}` | -| `replica.persistence.labels` | Additional custom labels for the PVC | `{}` | -| `replica.persistence.selector` | Additional labels to match for the PVC | `{}` | -| `replica.persistence.dataSource` | Custom PVC data source | `{}` | -| `replica.persistence.existingClaim` | Use a existing PVC which must be created manually before bound | `""` | -| `replica.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` | -| `replica.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | -| `replica.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | -| `replica.service.type` | Redis® replicas service type | `ClusterIP` | -| `replica.service.ports.redis` | Redis® replicas service port | `6379` | -| `replica.service.nodePorts.redis` | Node port for Redis® replicas | `""` | -| `replica.service.externalTrafficPolicy` | Redis® replicas service external traffic policy | `Cluster` | -| `replica.service.internalTrafficPolicy` | Redis® replicas service internal traffic policy (requires Kubernetes v1.22 or greater to be usable) | `Cluster` | 
-| `replica.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `replica.service.clusterIP` | Redis® replicas service Cluster IP | `""` | -| `replica.service.loadBalancerIP` | Redis® replicas service Load Balancer IP | `""` | -| `replica.service.loadBalancerClass` | replicas service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | -| `replica.service.loadBalancerSourceRanges` | Redis® replicas service Load Balancer sources | `[]` | -| `replica.service.annotations` | Additional custom annotations for Redis® replicas service | `{}` | -| `replica.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `replica.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `replica.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-replicas pods | `30` | -| `replica.autoscaling.enabled` | Enable replica autoscaling settings | `false` | -| `replica.autoscaling.minReplicas` | Minimum replicas for the pod autoscaling | `1` | -| `replica.autoscaling.maxReplicas` | Maximum replicas for the pod autoscaling | `11` | -| `replica.autoscaling.targetCPU` | Percentage of CPU to consider when autoscaling | `""` | -| `replica.autoscaling.targetMemory` | Percentage of Memory to consider when autoscaling | `""` | -| `replica.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | -| `replica.serviceAccount.name` | The name of the ServiceAccount to use. 
| `""` |
-| `replica.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` |
-| `replica.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
+- Redis® Master service: Points to the master, where read-write operations can be performed
+- Redis® Replicas service: Points to the replicas, where only read operations are allowed by default.
-### Redis® Sentinel configuration parameters
+In case the master crashes, the replicas will wait until the master node is respawned again by the Kubernetes Controller Manager.
-| Name | Description | Value |
-| ------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- |
-| `sentinel.enabled` | Use Redis® Sentinel on Redis® pods. | `false` |
-| `sentinel.image.registry` | Redis® Sentinel image registry | `REGISTRY_NAME` |
-| `sentinel.image.repository` | Redis® Sentinel image repository | `REPOSITORY_NAME/redis-sentinel` |
-| `sentinel.image.digest` | Redis® Sentinel image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
-| `sentinel.image.pullPolicy` | Redis® Sentinel image pull policy | `IfNotPresent` |
-| `sentinel.image.pullSecrets` | Redis® Sentinel image pull secrets | `[]` |
-| `sentinel.image.debug` | Enable image debug mode | `false` |
-| `sentinel.annotations` | Additional custom annotations for Redis® Sentinel resource | `{}` |
-| `sentinel.masterSet` | Master set name | `mymaster` |
-| `sentinel.quorum` | Sentinel Quorum | `2` |
-| `sentinel.getMasterTimeout` | Amount of time to allow before get_sentinel_master_info() times out.
| `90` |
-| `sentinel.automateClusterRecovery` | Automate cluster recovery in cases where the last replica is not considered a good replica and Sentinel won't automatically failover to it. | `false` |
-| `sentinel.redisShutdownWaitFailover` | Whether the Redis® master container waits for the failover at shutdown (in addition to the Redis® Sentinel container). | `true` |
-| `sentinel.downAfterMilliseconds` | Timeout for detecting a Redis® node is down | `60000` |
-| `sentinel.failoverTimeout` | Timeout for performing a election failover | `180000` |
-| `sentinel.parallelSyncs` | Number of replicas that can be reconfigured in parallel to use the new master after a failover | `1` |
-| `sentinel.configuration` | Configuration for Redis® Sentinel nodes | `""` |
-| `sentinel.command` | Override default container command (useful when using custom images) | `[]` |
-| `sentinel.args` | Override default container args (useful when using custom images) | `[]` |
-| `sentinel.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` |
-| `sentinel.preExecCmds` | Additional commands to run prior to starting Redis® Sentinel | `[]` |
-| `sentinel.extraEnvVars` | Array with extra environment variables to add to Redis® Sentinel nodes | `[]` |
-| `sentinel.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® Sentinel nodes | `""` |
-| `sentinel.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® Sentinel nodes | `""` |
-| `sentinel.externalMaster.enabled` | Use external master for bootstrapping | `false` |
-| `sentinel.externalMaster.host` | External master host to bootstrap from | `""` |
-| `sentinel.externalMaster.port` | Port for Redis service external master host | `6379` |
-| `sentinel.containerPorts.sentinel` | Container port to open on Redis® Sentinel nodes | `26379` |
-| `sentinel.startupProbe.enabled` | Enable startupProbe on Redis® Sentinel nodes | `true` |
-| `sentinel.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
-| `sentinel.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
-| `sentinel.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
-| `sentinel.startupProbe.failureThreshold` | Failure threshold for startupProbe | `22` |
-| `sentinel.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
-| `sentinel.livenessProbe.enabled` | Enable livenessProbe on Redis® Sentinel nodes | `true` |
-| `sentinel.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` |
-| `sentinel.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
-| `sentinel.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
-| `sentinel.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` |
-| `sentinel.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `sentinel.readinessProbe.enabled` | Enable readinessProbe on Redis® Sentinel nodes | `true` |
-| `sentinel.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` |
-| `sentinel.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
-| `sentinel.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
-| `sentinel.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` |
-| `sentinel.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
-| `sentinel.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
-| `sentinel.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
-| `sentinel.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
-| `sentinel.persistence.enabled` | Enable persistence on Redis® sentinel nodes using Persistent Volume Claims (Experimental) | `false` |
-|
`sentinel.persistence.storageClass` | Persistent Volume storage class | `""` |
-| `sentinel.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` |
-| `sentinel.persistence.size` | Persistent Volume size | `100Mi` |
-| `sentinel.persistence.annotations` | Additional custom annotations for the PVC | `{}` |
-| `sentinel.persistence.labels` | Additional custom labels for the PVC | `{}` |
-| `sentinel.persistence.selector` | Additional labels to match for the PVC | `{}` |
-| `sentinel.persistence.dataSource` | Custom PVC data source | `{}` |
-| `sentinel.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` |
-| `sentinel.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes. | `""` |
-| `sentinel.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` |
-| `sentinel.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` |
-| `sentinel.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` |
-| `sentinel.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sentinel.resources is set (sentinel.resources is recommended for production).
| `none` |
-| `sentinel.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
-| `sentinel.containerSecurityContext.enabled` | Enabled Redis® Sentinel containers' Security Context | `true` |
-| `sentinel.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
-| `sentinel.containerSecurityContext.runAsUser` | Set Redis® Sentinel containers' Security Context runAsUser | `1001` |
-| `sentinel.containerSecurityContext.runAsGroup` | Set Redis® Sentinel containers' Security Context runAsGroup | `0` |
-| `sentinel.containerSecurityContext.runAsNonRoot` | Set Redis® Sentinel containers' Security Context runAsNonRoot | `true` |
-| `sentinel.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` |
-| `sentinel.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® Sentinel containers' Security Context allowPrivilegeEscalation | `false` |
-| `sentinel.containerSecurityContext.seccompProfile.type` | Set Redis® Sentinel containers' Security Context seccompProfile | `RuntimeDefault` |
-| `sentinel.containerSecurityContext.capabilities.drop` | Set Redis® Sentinel containers' Security Context capabilities to drop | `["ALL"]` |
-| `sentinel.lifecycleHooks` | for the Redis® sentinel container(s) to automate configuration before or after startup | `{}` |
-| `sentinel.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® Sentinel | `[]` |
-| `sentinel.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® Sentinel container(s) | `[]` |
-| `sentinel.service.type` | Redis® Sentinel service type | `ClusterIP` |
-| `sentinel.service.ports.redis` | Redis® service port for Redis® | `6379` |
-| `sentinel.service.ports.sentinel` | Redis® service port for Redis® Sentinel | `26379` |
-| `sentinel.service.nodePorts.redis` | Node port for Redis® |
`""` |
-| `sentinel.service.nodePorts.sentinel` | Node port for Sentinel | `""` |
-| `sentinel.service.externalTrafficPolicy` | Redis® Sentinel service external traffic policy | `Cluster` |
-| `sentinel.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
-| `sentinel.service.clusterIP` | Redis® Sentinel service Cluster IP | `""` |
-| `sentinel.service.createMaster` | Enable master service pointing to the current master (experimental) | `false` |
-| `sentinel.service.loadBalancerIP` | Redis® Sentinel service Load Balancer IP | `""` |
-| `sentinel.service.loadBalancerClass` | sentinel service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` |
-| `sentinel.service.loadBalancerSourceRanges` | Redis® Sentinel service Load Balancer sources | `[]` |
-| `sentinel.service.annotations` | Additional custom annotations for Redis® Sentinel service | `{}` |
-| `sentinel.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
-| `sentinel.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
-| `sentinel.service.headless.annotations` | Annotations for the headless service. | `{}` |
-| `sentinel.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-node pods | `30` |
+#### Standalone
-### Other Parameters
+When installing the chart with `architecture=standalone`, it will deploy a standalone Redis® StatefulSet.
A single service will be exposed:
-| Name | Description | Value |
-| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
-| `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` |
-| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
-| `networkPolicy.allowExternal` | Don't require client label for connections | `true` |
-| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
-| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
-| `networkPolicy.extraEgress` | Add extra egress rules to the NetworkPolicy | `[]` |
-| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
-| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
-| `networkPolicy.metrics.allowExternal` | Don't require client label for connections for metrics endpoint | `true` |
-| `networkPolicy.metrics.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces to metrics endpoint | `{}` |
-| `networkPolicy.metrics.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces to metrics endpoint | `{}` |
-| `podSecurityPolicy.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
-| `podSecurityPolicy.enabled` | Enable PodSecurityPolicy's RBAC rules | `false` |
-| `rbac.create` | Specifies whether RBAC resources should be created | `false` |
-| `rbac.rules` | Custom RBAC rules to set | `[]` |
-| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
-| `serviceAccount.name` | The name of the ServiceAccount to use.
| `""` |
-| `serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` |
-| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
-| `pdb.create` | Specifies whether a PodDisruptionBudget should be created | `false` |
-| `pdb.minAvailable` | Min number of pods that must still be available after the eviction | `1` |
-| `pdb.maxUnavailable` | Max number of pods that can be unavailable after the eviction | `""` |
-| `tls.enabled` | Enable TLS traffic | `false` |
-| `tls.authClients` | Require clients to authenticate | `true` |
-| `tls.autoGenerated` | Enable autogenerated certificates | `false` |
-| `tls.existingSecret` | The name of the existing secret that contains the TLS certificates | `""` |
-| `tls.certificatesSecret` | DEPRECATED. Use existingSecret instead. | `""` |
-| `tls.certFilename` | Certificate filename | `""` |
-| `tls.certKeyFilename` | Certificate Key filename | `""` |
-| `tls.certCAFilename` | CA Certificate filename | `""` |
-| `tls.dhParamsFilename` | File containing DH params (in order to support DH based ciphers) | `""` |
+- Redis® Master service: Points to the master, where read-write operations can be performed
-### Metrics Parameters
-
-| Name | Description | Value |
-| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- |
-| `metrics.enabled` | Start a sidecar prometheus exporter to expose Redis® metrics | `false` |
-| `metrics.image.registry` | Redis® Exporter image registry | `REGISTRY_NAME` |
-| `metrics.image.repository` | Redis® Exporter image repository | `REPOSITORY_NAME/redis-exporter` |
-| `metrics.image.digest` | Redis® Exporter image digest in the way sha256:aa....
Please note this parameter, if set, will override the tag | `""` |
-| `metrics.image.pullPolicy` | Redis® Exporter image pull policy | `IfNotPresent` |
-| `metrics.image.pullSecrets` | Redis® Exporter image pull secrets | `[]` |
-| `metrics.containerPorts.http` | Metrics HTTP container port | `9121` |
-| `metrics.startupProbe.enabled` | Enable startupProbe on Redis® replicas nodes | `false` |
-| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
-| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
-| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
-| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` |
-| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
-| `metrics.livenessProbe.enabled` | Enable livenessProbe on Redis® replicas nodes | `true` |
-| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` |
-| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
-| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
-| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` |
-| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
-| `metrics.readinessProbe.enabled` | Enable readinessProbe on Redis® replicas nodes | `true` |
-| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
-| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
-| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
-| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
-| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
-| `metrics.customStartupProbe` | Custom startupProbe that
overrides the default one | `{}` |
-| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
-| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
-| `metrics.command` | Override default metrics container init command (useful when using custom images) | `[]` |
-| `metrics.redisTargetHost` | A way to specify an alternative Redis® hostname | `localhost` |
-| `metrics.extraArgs` | Extra arguments for Redis® exporter, for example: | `{}` |
-| `metrics.extraEnvVars` | Array with extra environment variables to add to Redis® exporter | `[]` |
-| `metrics.containerSecurityContext.enabled` | Enabled Redis® exporter containers' Security Context | `true` |
-| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
-| `metrics.containerSecurityContext.runAsUser` | Set Redis® exporter containers' Security Context runAsUser | `1001` |
-| `metrics.containerSecurityContext.runAsGroup` | Set Redis® exporter containers' Security Context runAsGroup | `0` |
-| `metrics.containerSecurityContext.runAsNonRoot` | Set Redis® exporter containers' Security Context runAsNonRoot | `true` |
-| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® exporter containers' Security Context allowPrivilegeEscalation | `false` |
-| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `false` |
-| `metrics.containerSecurityContext.seccompProfile.type` | Set Redis® exporter containers' Security Context seccompProfile | `RuntimeDefault` |
-| `metrics.containerSecurityContext.capabilities.drop` | Set Redis® exporter containers' Security Context capabilities to drop | `["ALL"]` |
-| `metrics.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® metrics sidecar | `[]` |
-| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis®
metrics sidecar | `[]` |
-| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` |
-| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
-| `metrics.podLabels` | Extra labels for Redis® exporter pods | `{}` |
-| `metrics.podAnnotations` | Annotations for Redis® exporter pods | `{}` |
-| `metrics.service.enabled` | Create Service resource(s) for scraping metrics using PrometheusOperator ServiceMonitor, can be disabled when using a PodMonitor | `true` |
-| `metrics.service.type` | Redis® exporter service type | `ClusterIP` |
-| `metrics.service.ports.http` | Redis® exporter service port | `9121` |
-| `metrics.service.externalTrafficPolicy` | Redis® exporter service external traffic policy | `Cluster` |
-| `metrics.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
-| `metrics.service.loadBalancerIP` | Redis® exporter service Load Balancer IP | `""` |
-| `metrics.service.loadBalancerClass` | exporter service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` |
-| `metrics.service.loadBalancerSourceRanges` | Redis® exporter service Load Balancer sources | `[]` |
-| `metrics.service.annotations` | Additional custom annotations for Redis® exporter service | `{}` |
-| `metrics.service.clusterIP` | Redis® exporter service Cluster IP | `""` |
-| `metrics.serviceMonitor.port` | the service port to scrape metrics from | `http-metrics` |
-| `metrics.serviceMonitor.enabled` | Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator | `false` |
-| `metrics.serviceMonitor.namespace` | The namespace in which the ServiceMonitor will be created | `""` |
-| `metrics.serviceMonitor.interval`
| The interval at which metrics should be scraped | `30s` |
-| `metrics.serviceMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` |
-| `metrics.serviceMonitor.relabellings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` |
-| `metrics.serviceMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. | `[]` |
-| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
-| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus | `{}` |
-| `metrics.serviceMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` |
-| `metrics.serviceMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` |
-| `metrics.serviceMonitor.targetLimit` | Limit of how many targets should be scraped | `false` |
-| `metrics.serviceMonitor.additionalEndpoints` | Additional endpoints to scrape (e.g sentinel) | `[]` |
-| `metrics.podMonitor.port` | the pod port to scrape metrics from | `metrics` |
-| `metrics.podMonitor.enabled` | Create PodMonitor resource(s) for scraping metrics using PrometheusOperator | `false` |
-| `metrics.podMonitor.namespace` | The namespace in which the PodMonitor will be created | `""` |
-| `metrics.podMonitor.interval` | The interval at which metrics should be scraped | `30s` |
-| `metrics.podMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` |
-| `metrics.podMonitor.relabellings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` |
-| `metrics.podMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion.
| `[]` |
-| `metrics.podMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` |
-| `metrics.podMonitor.additionalLabels` | Additional labels that can be used so PodMonitor resource(s) can be discovered by Prometheus | `{}` |
-| `metrics.podMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` |
-| `metrics.podMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` |
-| `metrics.podMonitor.targetLimit` | Limit of how many targets should be scraped | `false` |
-| `metrics.podMonitor.additionalEndpoints` | Additional endpoints to scrape (e.g sentinel) | `[]` |
-| `metrics.prometheusRule.enabled` | Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator | `false` |
-| `metrics.prometheusRule.namespace` | The namespace in which the prometheusRule will be created | `""` |
-| `metrics.prometheusRule.additionalLabels` | Additional labels for the prometheusRule | `{}` |
-| `metrics.prometheusRule.rules` | Custom Prometheus rules | `[]` |
-
-### Init Container Parameters
-
-| Name | Description | Value |
-| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- |
-| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` |
-| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` |
-| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
-| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa....
Please note this parameter, if set, will override the tag | `""` |
-| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
-| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
-| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` |
-| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
-| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
-| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` |
-| `kubectl.image.registry` | Kubectl image registry | `REGISTRY_NAME` |
-| `kubectl.image.repository` | Kubectl image repository | `REPOSITORY_NAME/kubectl` |
-| `kubectl.image.digest` | Kubectl image digest in the way sha256:aa....
Please note this parameter, if set, will override the tag | `""` |
-| `kubectl.image.pullPolicy` | Kubectl image pull policy | `IfNotPresent` |
-| `kubectl.image.pullSecrets` | Kubectl pull secrets | `[]` |
-| `kubectl.command` | kubectl command to execute | `["/opt/bitnami/scripts/kubectl-scripts/update-master-label.sh"]` |
-| `kubectl.resources.limits` | The resources limits for the kubectl containers | `{}` |
-| `kubectl.resources.requests` | The requested resources for the kubectl containers | `{}` |
-| `sysctl.enabled` | Enable init container to modify Kernel settings | `false` |
-| `sysctl.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` |
-| `sysctl.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
-| `sysctl.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
-| `sysctl.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
-| `sysctl.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
-| `sysctl.command` | Override default init-sysctl container command (useful when using custom images) | `[]` |
-| `sysctl.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` |
-| `sysctl.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sysctl.resources is set (sysctl.resources is recommended for production).
| `none` |
-| `sysctl.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
-
-### useExternalDNS Parameters
-
-| Name | Description | Value |
-| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- |
-| `useExternalDNS.enabled` | Enable various syntax that would enable external-dns to work. Note this requires a working installation of `external-dns` to be usable. | `false` |
-| `useExternalDNS.additionalAnnotations` | Extra annotations to be utilized when `external-dns` is enabled. | `{}` |
-| `useExternalDNS.annotationKey` | The annotation key utilized when `external-dns` is enabled. Setting this to `false` will disable annotations. | `external-dns.alpha.kubernetes.io/` |
-| `useExternalDNS.suffix` | The DNS suffix utilized when `external-dns` is enabled. Note that we prepend the suffix with the full name of the release. | `""` |
-
-Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
-
-```console
-helm install my-release \
- --set auth.password=secretpassword \
- oci://REGISTRY_NAME/REPOSITORY_NAME/redis
-```
-
-> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
-
-The above command sets the Redis® server password to `secretpassword`.
-
-> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm.
To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available.
-
-Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
-
-```console
-helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/redis
-```
-
-> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
-> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/redis/values.yaml)
-
-## Configuration and installation details
-
-### Resource requests and limits
-
-Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
-
-To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
-
-### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers)
-
-It is strongly recommended to use immutable tags in a production environment.
This ensures your deployment does not change automatically if the same tag is updated with a different image.
-
-Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
-
-### Use a different Redis® version
-
-To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter.
-
-### Bootstrapping with an External Cluster
-
-This chart is equipped with the ability to bring online a set of Pods that connect to an existing Redis deployment that lies outside of Kubernetes. This effectively creates a hybrid Redis Deployment where both Pods in Kubernetes and Instances such as Virtual Machines can partake in a single Redis Deployment. This is helpful in situations where one may be migrating Redis from Virtual Machines into Kubernetes, for example. To take advantage of this, use the following as an example configuration:
-
-```yaml
-replica:
- externalMaster:
- enabled: true
- host: external-redis-0.internal
-sentinel:
- externalMaster:
- enabled: true
- host: external-redis-0.internal
-```
-
-:warning: This is currently limited to clusters in which Sentinel and Redis run on the same node! :warning:
-
-Please also note that the external sentinel must be listening on port `26379`, and this is currently not configurable.
-
-Once the Kubernetes Redis Deployment is online and confirmed to be working with the existing cluster, the configuration can then be removed and the cluster will remain connected.
-
-### External DNS
-
-This chart is equipped to allow leveraging the ExternalDNS project. Doing so will enable ExternalDNS to publish the FQDN for each instance, in the format of `..`.
-Example, when using the following configuration:
-
-```yaml
-useExternalDNS:
- enabled: true
- suffix: prod.example.org
- additionalAnnotations:
- ttl: 10
-```
-
-On a cluster where the name of the Helm release is `a`, the hostname of a Pod is generated as: `a-redis-node-0.a-redis.prod.example.org`. The IP of that FQDN will match that of the associated Pod. This modifies the following parameters of the Redis/Sentinel configuration using this new FQDN:
-
-- `replica-announce-ip`
-- `known-sentinel`
-- `known-replica`
-- `announce-ip`
-
-:warning: This requires a working installation of `external-dns` to be fully functional. :warning:
-
-See the [official ExternalDNS documentation](https://github.com/kubernetes-sigs/external-dns) for additional configuration options.
-
-### Cluster topologies
-
-#### Default: Master-Replicas
-
-When installing the chart with `architecture=replication`, it will deploy a Redis® master StatefulSet and a Redis® replicas StatefulSet. The replicas will be read-replicas of the master. Two services will be exposed:
-
-- Redis® Master service: Points to the master, where read-write operations can be performed
-- Redis® Replicas service: Points to the replicas, where only read operations are allowed by default.
-
-In case the master crashes, the replicas will wait until the master node is respawned again by the Kubernetes Controller Manager.
-
-#### Standalone
-
-When installing the chart with `architecture=standalone`, it will deploy a standalone Redis® StatefulSet. A single service will be exposed:
-
-- Redis® Master service: Points to the master, where read-write operations can be performed
-
-#### Master-Replicas with Sentinel
+#### Master-Replicas with Sentinel
 When installing the chart with `architecture=replication` and `sentinel.enabled=true`, it will deploy a Redis® master StatefulSet (only one master allowed) and a Redis® replicas StatefulSet. In this case, the pods will contain an extra container with Redis® Sentinel.
This container will form a cluster of Redis® Sentinel nodes, which will promote a new master in case the actual one fails. 
@@ -883,150 +284,739 @@ sysctlImage:
 echo never > /host-sys/kernel/mm/transparent_hugepage/enabled
 ```
-Alternatively, for Kubernetes 1.12+ you can set `securityContext.sysctls` which will configure `sysctls` for master and slave pods. Example:
+Alternatively, for Kubernetes 1.12+ you can set `securityContext.sysctls` which will configure `sysctls` for master and slave pods. Example:
+
+```yaml
+securityContext:
+ sysctls:
+ - name: net.core.somaxconn
+ value: "10000"
+```
+
+Note that this will not disable transparent huge tables.
+
+### Backup and restore
+
+To backup and restore Redis deployments on Kubernetes, you will need to create a snapshot of the data in the source cluster, and later restore it in a new cluster with the new parameters. Follow the instructions below:
+
+#### Step 1: Backup the deployment
+
+- Connect to one of the nodes and start the Redis CLI tool. Then, run the commands below:
+
+ ```text
+ $ kubectl exec -it my-release-master-0 bash
+ $ redis-cli
+ 127.0.0.1:6379> auth your_current_redis_password
+ OK
+ 127.0.0.1:6379> save
+ OK
+ ```
+
+- Copy the dump file from the Redis node:
+
+ ```console
+ kubectl cp my-release-master-0:/data/dump.rdb dump.rdb -c redis
+ ```
+
+#### Step 2: Restore the data on the destination cluster
+
+To restore the data in a new cluster, you will need to create a PVC and then upload the *dump.rdb* file to the new volume.
+
+Follow the following steps:
+
+- In the [*values.yaml*](https://github.com/bitnami/charts/blob/main/bitnami/redis/values.yaml) file set the *appendonly* parameter to *no*. You can skip this step if it is already configured as *no*
+
+ ```yaml
+ commonConfiguration: |-
+ # Enable AOF https://redis.io/topics/persistence#append-only-file
+ appendonly no
+ # Disable RDB persistence, AOF persistence already enabled.
+ save ""
+ ```
+
+ > *Note that the `Enable AOF` comment belongs to the original config file and what you're actually doing is disabling it. This change will only be neccessary for the temporal cluster you're creating to upload the dump.*
+
+- Start the new cluster to create the PVCs. Use the command below as an example:
+
+ ```console
+ helm install new-redis -f values.yaml . --set cluster.enabled=true --set cluster.slaveCount=3
+ ```
+
+- Now that the PVC were created, stop it and copy the *dump.rdp* file on the persisted data by using a helping pod.
+
+ ```text
+ $ helm delete new-redis
+
+ $ kubectl run --generator=run-pod/v1 -i --rm --tty volpod --overrides='
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "redisvolpod"
+ },
+ "spec": {
+ "containers": [{
+ "command": [
+ "tail",
+ "-f",
+ "/dev/null"
+ ],
+ "image": "bitnami/minideb",
+ "name": "mycontainer",
+ "volumeMounts": [{
+ "mountPath": "/mnt",
+ "name": "redisdata"
+ }]
+ }],
+ "restartPolicy": "Never",
+ "volumes": [{
+ "name": "redisdata",
+ "persistentVolumeClaim": {
+ "claimName": "redis-data-new-redis-master-0"
+ }
+ }]
+ }
+ }' --image="bitnami/minideb"
+
+ $ kubectl cp dump.rdb redisvolpod:/mnt/dump.rdb
+ $ kubectl delete pod volpod
+ ```
+
+- Restart the cluster:
+
+ > **INFO:** The *appendonly* parameter can be safely restored to your desired value.
+
+ ```console
+ helm install new-redis -f values.yaml . --set cluster.enabled=true --set cluster.slaveCount=3
+ ```
+
+### NetworkPolicy
+
+To enable network policy for Redis®, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`.
+
+With NetworkPolicy enabled, only pods with the generated client label will be able to connect to Redis. This label will be displayed in the output after a successful install.
+
+With `networkPolicy.ingressNSMatchLabels` pods from other namespaces can connect to Redis. Set `networkPolicy.ingressNSPodMatchLabels` to match pod labels in matched namespace. For example, for a namespace labeled `redis=external` and pods in that namespace labeled `redis-client=true` the fields should be set:
+
+```yaml
+networkPolicy:
+ enabled: true
+ ingressNSMatchLabels:
+ redis: external
+ ingressNSPodMatchLabels:
+ redis-client: true
+```
+
+#### Setting Pod's affinity
+
+This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity).
+
+As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters.
+
+## Persistence
+
+By default, the chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) at the `/data` path. The volume is created using dynamic volume provisioning. If a Persistent Volume Claim already exists, specify it during installation.
+
+### Existing PersistentVolumeClaim
+
+1. Create the PersistentVolume
+2. Create the PersistentVolumeClaim
+3. Install the chart
+
+```console
+helm install my-release --set master.persistence.existingClaim=PVC_NAME oci://REGISTRY_NAME/REPOSITORY_NAME/redis
+```
+
+> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
+
+## Parameters
+
+### Global parameters
+
+| Name | Description | Value |
+| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
+| `global.imageRegistry` | Global Docker image registry | `""` |
+| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
+| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` |
+| `global.redis.password` | Global Redis® password (overrides `auth.password`) | `""` |
+| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
+
+### Common parameters
+
+| Name | Description | Value |
+| ------------------------- | -------------------------------------------------------------------------------------------------------------- | --------------- |
+| `kubeVersion` | Override Kubernetes version | `""` |
+| `nameOverride` | String to partially override common.names.fullname | `""` |
+| `fullnameOverride` | String to fully override common.names.fullname | `""` |
+| `namespaceOverride` | String to fully override common.names.namespace | `""` |
+| `commonLabels` | Labels to add to all deployed objects | `{}` |
+| `commonAnnotations` | Annotations to add to all deployed objects | `{}` |
+| `secretAnnotations` | Annotations to add to secret | `{}` |
+| `clusterDomain` | Kubernetes cluster domain name | `cluster.local` |
+| `extraDeploy` | Array of extra objects to deploy with the release | `[]` |
+| `useHostnames` | Use hostnames internally when announcing replication. If false, the hostname will be resolved to an IP address | `true` |
+| `nameResolutionThreshold` | Failure threshold for internal hostnames resolution | `5` |
+| `nameResolutionTimeout` | Timeout seconds between probes for internal hostnames resolution | `5` |
+| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` |
+| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` |
+| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` |
+
+### Redis® Image parameters
+
+| Name | Description | Value |
+| ------------------- | ---------------------------------------------------------------------------------------------------------- | ----------------------- |
+| `image.registry` | Redis® image registry | `REGISTRY_NAME` |
+| `image.repository` | Redis® image repository | `REPOSITORY_NAME/redis` |
+| `image.digest` | Redis® image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `image.pullPolicy` | Redis® image pull policy | `IfNotPresent` |
+| `image.pullSecrets` | Redis® image pull secrets | `[]` |
+| `image.debug` | Enable image debug mode | `false` |
+
+### Redis® common configuration parameters
+
+| Name | Description | Value |
+| -------------------------------- | ------------------------------------------------------------------------------------- | ------------- |
+| `architecture` | Redis® architecture. Allowed values: `standalone` or `replication` | `replication` |
+| `auth.enabled` | Enable password authentication | `true` |
+| `auth.sentinel` | Enable password authentication on sentinels too | `true` |
+| `auth.password` | Redis® password | `""` |
+| `auth.existingSecret` | The name of an existing secret with Redis® credentials | `""` |
+| `auth.existingSecretPasswordKey` | Password key to be retrieved from existing secret | `""` |
+| `auth.usePasswordFiles` | Mount credentials as files instead of using an environment variable | `false` |
+| `auth.usePasswordFileFromSecret` | Mount password file from secret | `true` |
+| `commonConfiguration` | Common configuration to be added into the ConfigMap | `""` |
+| `existingConfigmap` | The name of an existing ConfigMap with your custom configuration for Redis® nodes | `""` |
+
+### Redis® master configuration parameters
+
+| Name | Description | Value |
+| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------ |
+| `master.count` | Number of Redis® master instances to deploy (experimental, requires additional configuration) | `1` |
+| `master.configuration` | Configuration for Redis® master nodes | `""` |
+| `master.disableCommands` | Array with Redis® commands to disable on master nodes | `["FLUSHDB","FLUSHALL"]` |
+| `master.command` | Override default container command (useful when using custom images) | `[]` |
+| `master.args` | Override default container args (useful when using custom images) | `[]` |
+| `master.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` |
+| `master.preExecCmds` | Additional commands to run prior to starting Redis® master | `[]` |
+| `master.extraFlags` | Array with additional command line flags for Redis® master | `[]` |
+| `master.extraEnvVars` | Array with extra environment variables to add to Redis® master nodes | `[]` |
+| `master.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® master nodes | `""` |
+| `master.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® master nodes | `""` |
+| `master.containerPorts.redis` | Container port to open on Redis® master nodes | `6379` |
+| `master.startupProbe.enabled` | Enable startupProbe on Redis® master nodes | `false` |
+| `master.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `20` |
+| `master.startupProbe.periodSeconds` | Period seconds for startupProbe | `5` |
+| `master.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
+| `master.startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` |
+| `master.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `master.livenessProbe.enabled` | Enable livenessProbe on Redis® master nodes | `true` |
+| `master.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` |
+| `master.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` |
+| `master.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
+| `master.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` |
+| `master.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `master.readinessProbe.enabled` | Enable readinessProbe on Redis® master nodes | `true` |
+| `master.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` |
+| `master.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
+| `master.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
+| `master.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` |
+| `master.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `master.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
+| `master.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
+| `master.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
+| `master.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production). | `nano` |
+| `master.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `master.podSecurityContext.enabled` | Enabled Redis® master pods' Security Context | `true` |
+| `master.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `master.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
+| `master.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
+| `master.podSecurityContext.fsGroup` | Set Redis® master pod's Security Context fsGroup | `1001` |
+| `master.containerSecurityContext.enabled` | Enabled Redis® master containers' Security Context | `true` |
+| `master.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
+| `master.containerSecurityContext.runAsUser` | Set Redis® master containers' Security Context runAsUser | `1001` |
+| `master.containerSecurityContext.runAsGroup` | Set Redis® master containers' Security Context runAsGroup | `1001` |
+| `master.containerSecurityContext.runAsNonRoot` | Set Redis® master containers' Security Context runAsNonRoot | `true` |
+| `master.containerSecurityContext.allowPrivilegeEscalation` | Is it possible to escalate Redis® pod(s) privileges | `false` |
+| `master.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `true` |
+| `master.containerSecurityContext.seccompProfile.type` | Set Redis® master containers' Security Context seccompProfile | `RuntimeDefault` |
+| `master.containerSecurityContext.capabilities.drop` | Set Redis® master containers' Security Context capabilities to drop | `["ALL"]` |
+| `master.kind` | Use either Deployment, StatefulSet (default) or DaemonSet | `StatefulSet` |
+| `master.schedulerName` | Alternate scheduler for Redis® master pods | `""` |
+| `master.updateStrategy.type` | Redis® master statefulset strategy type | `RollingUpdate` |
+| `master.minReadySeconds` | How many seconds a pod needs to be ready before killing the next, during update | `0` |
+| `master.priorityClassName` | Redis® master pods' priorityClassName | `""` |
+| `master.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
+| `master.hostAliases` | Redis® master pods host aliases | `[]` |
+| `master.podLabels` | Extra labels for Redis® master pods | `{}` |
+| `master.podAnnotations` | Annotations for Redis® master pods | `{}` |
+| `master.shareProcessNamespace` | Share a single process namespace between all of the containers in Redis® master pods | `false` |
+| `master.podAffinityPreset` | Pod affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `master.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
+| `master.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `master.nodeAffinityPreset.key` | Node label key to match. Ignored if `master.affinity` is set | `""` |
+| `master.nodeAffinityPreset.values` | Node label values to match. Ignored if `master.affinity` is set | `[]` |
+| `master.affinity` | Affinity for Redis® master pods assignment | `{}` |
+| `master.nodeSelector` | Node labels for Redis® master pods assignment | `{}` |
+| `master.tolerations` | Tolerations for Redis® master pods assignment | `[]` |
+| `master.topologySpreadConstraints` | Spread Constraints for Redis® master pod assignment | `[]` |
+| `master.dnsPolicy` | DNS Policy for Redis® master pod | `""` |
+| `master.dnsConfig` | DNS Configuration for Redis® master pod | `{}` |
+| `master.lifecycleHooks` | for the Redis® master container(s) to automate configuration before or after startup | `{}` |
+| `master.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® master pod(s) | `[]` |
+| `master.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® master container(s) | `[]` |
+| `master.sidecars` | Add additional sidecar containers to the Redis® master pod(s) | `[]` |
+| `master.initContainers` | Add additional init containers to the Redis® master pod(s) | `[]` |
+| `master.persistence.enabled` | Enable persistence on Redis® master nodes using Persistent Volume Claims | `true` |
+| `master.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` |
+| `master.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes. | `""` |
+| `master.persistence.path` | The path the volume will be mounted at on Redis® master containers | `/data` |
+| `master.persistence.subPath` | The subdirectory of the volume to mount on Redis® master containers | `""` |
+| `master.persistence.subPathExpr` | Used to construct the subPath subdirectory of the volume to mount on Redis® master containers | `""` |
+| `master.persistence.storageClass` | Persistent Volume storage class | `""` |
+| `master.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` |
+| `master.persistence.size` | Persistent Volume size | `8Gi` |
+| `master.persistence.annotations` | Additional custom annotations for the PVC | `{}` |
+| `master.persistence.labels` | Additional custom labels for the PVC | `{}` |
+| `master.persistence.selector` | Additional labels to match for the PVC | `{}` |
+| `master.persistence.dataSource` | Custom PVC data source | `{}` |
+| `master.persistence.existingClaim` | Use a existing PVC which must be created manually before bound | `""` |
+| `master.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` |
+| `master.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` |
+| `master.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` |
+| `master.service.type` | Redis® master service type | `ClusterIP` |
+| `master.service.ports.redis` | Redis® master service port | `6379` |
+| `master.service.nodePorts.redis` | Node port for Redis® master | `""` |
+| `master.service.externalTrafficPolicy` | Redis® master service external traffic policy | `Cluster` |
+| `master.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
+| `master.service.internalTrafficPolicy` | Redis® master service internal traffic policy (requires Kubernetes v1.22 or greater to be usable) | `Cluster` |
+| `master.service.clusterIP` | Redis® master service Cluster IP | `""` |
+| `master.service.loadBalancerIP` | Redis® master service Load Balancer IP | `""` |
+| `master.service.loadBalancerClass` | master service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` |
+| `master.service.loadBalancerSourceRanges` | Redis® master service Load Balancer sources | `[]` |
+| `master.service.externalIPs` | Redis® master service External IPs | `[]` |
+| `master.service.annotations` | Additional custom annotations for Redis® master service | `{}` |
+| `master.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
+| `master.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `master.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-master pods | `30` |
+| `master.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
+| `master.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
+| `master.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` |
+| `master.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
+
+### Redis® replicas configuration parameters
+
+| Name | Description | Value |
+| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ |
+| `replica.kind` | Use either DaemonSet or StatefulSet (default) | `StatefulSet` |
+| `replica.replicaCount` | Number of Redis® replicas to deploy | `3` |
+| `replica.configuration` | Configuration for Redis® replicas nodes | `""` |
+| `replica.disableCommands` | Array with Redis® commands to disable on replicas nodes | `["FLUSHDB","FLUSHALL"]` |
+| `replica.command` | Override default container command (useful when using custom images) | `[]` |
+| `replica.args` | Override default container args (useful when using custom images) | `[]` |
+| `replica.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` |
+| `replica.preExecCmds` | Additional commands to run prior to starting Redis® replicas | `[]` |
+| `replica.extraFlags` | Array with additional command line flags for Redis® replicas | `[]` |
+| `replica.extraEnvVars` | Array with extra environment variables to add to Redis® replicas nodes | `[]` |
+| `replica.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® replicas nodes | `""` |
+| `replica.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® replicas nodes | `""` |
+| `replica.externalMaster.enabled` | Use external master for bootstrapping | `false` |
+| `replica.externalMaster.host` | External master host to bootstrap from | `""` |
+| `replica.externalMaster.port` | Port for Redis service external master host | `6379` |
+| `replica.containerPorts.redis` | Container port to open on Redis® replicas nodes | `6379` |
+| `replica.startupProbe.enabled` | Enable startupProbe on Redis® replicas nodes | `true` |
+| `replica.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` |
+| `replica.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
+| `replica.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` |
+| `replica.startupProbe.failureThreshold` | Failure threshold for startupProbe | `22` |
+| `replica.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
+| `replica.livenessProbe.enabled` | Enable livenessProbe on Redis® replicas nodes | `true` |
+| `replica.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` |
+| `replica.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` |
+| `replica.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` |
+| `replica.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` |
+| `replica.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
+| `replica.readinessProbe.enabled` | Enable readinessProbe on Redis® replicas nodes | `true` |
+| `replica.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` |
+| `replica.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
+| `replica.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
+| `replica.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` |
+| `replica.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
+| `replica.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
+| `replica.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
+| `replica.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
+| `replica.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if replica.resources is set (replica.resources is recommended for production). | `nano` |
+| `replica.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `replica.podSecurityContext.enabled` | Enabled Redis® replicas pods' Security Context | `true` |
+| `replica.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
+| `replica.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
+| `replica.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
+| `replica.podSecurityContext.fsGroup` | Set Redis® replicas pod's Security Context fsGroup | `1001` |
+| `replica.containerSecurityContext.enabled` | Enabled Redis® replicas containers' Security Context | `true` |
+| `replica.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
+| `replica.containerSecurityContext.runAsUser` | Set Redis® replicas containers' Security Context runAsUser | `1001` |
+| `replica.containerSecurityContext.runAsGroup` | Set Redis® replicas containers' Security Context runAsGroup | `1001` |
+| `replica.containerSecurityContext.runAsNonRoot` | Set Redis® replicas containers' Security Context runAsNonRoot | `true` |
+| `replica.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® replicas pod's Security Context allowPrivilegeEscalation | `false` |
+| `replica.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `true` |
+| `replica.containerSecurityContext.seccompProfile.type` | Set Redis® replicas containers' Security Context seccompProfile | `RuntimeDefault` |
+| `replica.containerSecurityContext.capabilities.drop` | Set Redis® replicas containers' Security Context capabilities to drop | `["ALL"]` |
+| `replica.schedulerName` | Alternate scheduler for Redis® replicas pods | `""` |
+| `replica.updateStrategy.type` | Redis® replicas statefulset strategy type | `RollingUpdate` |
+| `replica.minReadySeconds` | How many seconds a pod needs to be ready before killing the next, during update | `0` |
+| `replica.priorityClassName` | Redis® replicas pods' priorityClassName | `""` |
+| `replica.podManagementPolicy` | podManagementPolicy to manage scaling operation of %%MAIN_CONTAINER_NAME%% pods | `""` |
+| `replica.automountServiceAccountToken` | Mount Service Account token in pod | `false` |
+| `replica.hostAliases` | Redis® replicas pods host aliases | `[]` |
+| `replica.podLabels` | Extra labels for Redis® replicas pods | `{}` |
+| `replica.podAnnotations` | Annotations for Redis® replicas pods | `{}` |
+| `replica.shareProcessNamespace` | Share a single process namespace between all of the containers in Redis® replicas pods | `false` |
+| `replica.podAffinityPreset` | Pod affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `replica.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
+| `replica.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` | `""` |
+| `replica.nodeAffinityPreset.key` | Node label key to match. Ignored if `replica.affinity` is set | `""` |
+| `replica.nodeAffinityPreset.values` | Node label values to match. Ignored if `replica.affinity` is set | `[]` |
+| `replica.affinity` | Affinity for Redis® replicas pods assignment | `{}` |
+| `replica.nodeSelector` | Node labels for Redis® replicas pods assignment | `{}` |
+| `replica.tolerations` | Tolerations for Redis® replicas pods assignment | `[]` |
+| `replica.topologySpreadConstraints` | Spread Constraints for Redis® replicas pod assignment | `[]` |
+| `replica.dnsPolicy` | DNS Policy for Redis® replica pods | `""` |
+| `replica.dnsConfig` | DNS Configuration for Redis® replica pods | `{}` |
+| `replica.lifecycleHooks` | for the Redis® replica container(s) to automate configuration before or after startup | `{}` |
+| `replica.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® replicas pod(s) | `[]` |
+| `replica.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® replicas container(s) | `[]` |
+| `replica.sidecars` | Add additional sidecar containers to the Redis® replicas pod(s) | `[]` |
+| `replica.initContainers` | Add additional init containers to the Redis® replicas pod(s) | `[]` |
+| `replica.persistence.enabled` | Enable persistence on Redis® replicas nodes using Persistent Volume Claims | `true` |
+| `replica.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` |
+| `replica.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes. | `""` |
+| `replica.persistence.path` | The path the volume will be mounted at on Redis® replicas containers | `/data` |
+| `replica.persistence.subPath` | The subdirectory of the volume to mount on Redis® replicas containers | `""` |
+| `replica.persistence.subPathExpr` | Used to construct the subPath subdirectory of the volume to mount on Redis® replicas containers | `""` |
+| `replica.persistence.storageClass` | Persistent Volume storage class | `""` |
+| `replica.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` |
+| `replica.persistence.size` | Persistent Volume size | `8Gi` |
+| `replica.persistence.annotations` | Additional custom annotations for the PVC | `{}` |
+| `replica.persistence.labels` | Additional custom labels for the PVC | `{}` |
+| `replica.persistence.selector` | Additional labels to match for the PVC | `{}` |
+| `replica.persistence.dataSource` | Custom PVC data source | `{}` |
+| `replica.persistence.existingClaim` | Use a existing PVC which must be created manually before bound | `""` |
+| `replica.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` |
+| `replica.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` |
+| `replica.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` |
+| `replica.service.type` | Redis® replicas service type | `ClusterIP` |
+| `replica.service.ports.redis` | Redis® replicas service port | `6379` |
+| `replica.service.nodePorts.redis` | Node port for Redis® replicas | `""` |
+| `replica.service.externalTrafficPolicy` | Redis® replicas service external traffic policy | `Cluster` |
+| `replica.service.internalTrafficPolicy` | Redis® replicas service internal traffic policy (requires Kubernetes v1.22 or greater to be usable) | `Cluster` |
+| `replica.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
+| `replica.service.clusterIP` | Redis® replicas service Cluster IP | `""` |
+| `replica.service.loadBalancerIP` | Redis® replicas service Load Balancer IP | `""` |
+| `replica.service.loadBalancerClass` | replicas service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` |
+| `replica.service.loadBalancerSourceRanges` | Redis® replicas service Load Balancer sources | `[]` |
+| `replica.service.annotations` | Additional custom annotations for Redis® replicas service | `{}` |
+| `replica.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
+| `replica.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `replica.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-replicas pods | `30` |
+| `replica.autoscaling.enabled` | Enable replica autoscaling settings | `false` |
+| `replica.autoscaling.minReplicas` | Minimum replicas for the pod autoscaling | `1` |
+| `replica.autoscaling.maxReplicas` | Maximum replicas for the pod autoscaling | `11` |
+| `replica.autoscaling.targetCPU` | Percentage of CPU to consider when autoscaling | `""` |
+| `replica.autoscaling.targetMemory` | Percentage of Memory to consider when autoscaling | `""` |
+| `replica.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
+| `replica.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
+| `replica.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` |
+| `replica.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
+
+### Redis® Sentinel configuration parameters
+
+| Name | Description | Value |
+| ------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- |
+| `sentinel.enabled` | Use Redis® Sentinel on Redis® pods. | `false` |
+| `sentinel.image.registry` | Redis® Sentinel image registry | `REGISTRY_NAME` |
+| `sentinel.image.repository` | Redis® Sentinel image repository | `REPOSITORY_NAME/redis-sentinel` |
+| `sentinel.image.digest` | Redis® Sentinel image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
+| `sentinel.image.pullPolicy` | Redis® Sentinel image pull policy | `IfNotPresent` |
+| `sentinel.image.pullSecrets` | Redis® Sentinel image pull secrets | `[]` |
+| `sentinel.image.debug` | Enable image debug mode | `false` |
+| `sentinel.annotations` | Additional custom annotations for Redis® Sentinel resource | `{}` |
+| `sentinel.masterSet` | Master set name | `mymaster` |
+| `sentinel.quorum` | Sentinel Quorum | `2` |
+| `sentinel.getMasterTimeout` | Amount of time to allow before get_sentinel_master_info() times out. | `90` |
+| `sentinel.automateClusterRecovery` | Automate cluster recovery in cases where the last replica is not considered a good replica and Sentinel won't automatically failover to it. | `false` |
+| `sentinel.redisShutdownWaitFailover` | Whether the Redis® master container waits for the failover at shutdown (in addition to the Redis® Sentinel container).
| `true` | +| `sentinel.downAfterMilliseconds` | Timeout for detecting a Redis® node is down | `60000` | +| `sentinel.failoverTimeout` | Timeout for performing a election failover | `180000` | +| `sentinel.parallelSyncs` | Number of replicas that can be reconfigured in parallel to use the new master after a failover | `1` | +| `sentinel.configuration` | Configuration for Redis® Sentinel nodes | `""` | +| `sentinel.command` | Override default container command (useful when using custom images) | `[]` | +| `sentinel.args` | Override default container args (useful when using custom images) | `[]` | +| `sentinel.enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | +| `sentinel.preExecCmds` | Additional commands to run prior to starting Redis® Sentinel | `[]` | +| `sentinel.extraEnvVars` | Array with extra environment variables to add to Redis® Sentinel nodes | `[]` | +| `sentinel.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Redis® Sentinel nodes | `""` | +| `sentinel.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Redis® Sentinel nodes | `""` | +| `sentinel.externalMaster.enabled` | Use external master for bootstrapping | `false` | +| `sentinel.externalMaster.host` | External master host to bootstrap from | `""` | +| `sentinel.externalMaster.port` | Port for Redis service external master host | `6379` | +| `sentinel.containerPorts.sentinel` | Container port to open on Redis® Sentinel nodes | `26379` | +| `sentinel.startupProbe.enabled` | Enable startupProbe on Redis® Sentinel nodes | `true` | +| `sentinel.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `sentinel.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `sentinel.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `sentinel.startupProbe.failureThreshold` | Failure threshold for startupProbe | `22` | +| 
`sentinel.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `sentinel.livenessProbe.enabled` | Enable livenessProbe on Redis® Sentinel nodes | `true` | +| `sentinel.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `20` | +| `sentinel.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `sentinel.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `sentinel.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `sentinel.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `sentinel.readinessProbe.enabled` | Enable readinessProbe on Redis® Sentinel nodes | `true` | +| `sentinel.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `20` | +| `sentinel.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `sentinel.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `sentinel.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `sentinel.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `sentinel.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `sentinel.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `sentinel.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `sentinel.persistence.enabled` | Enable persistence on Redis® sentinel nodes using Persistent Volume Claims (Experimental) | `false` | +| `sentinel.persistence.storageClass` | Persistent Volume storage class | `""` | +| `sentinel.persistence.accessModes` | Persistent Volume access modes | `["ReadWriteOnce"]` | +| `sentinel.persistence.size` | Persistent Volume size | `100Mi` | +| `sentinel.persistence.annotations` | Additional custom annotations for the PVC | `{}` | +| `sentinel.persistence.labels` | 
Additional custom labels for the PVC | `{}` | +| `sentinel.persistence.selector` | Additional labels to match for the PVC | `{}` | +| `sentinel.persistence.dataSource` | Custom PVC data source | `{}` | +| `sentinel.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | +| `sentinel.persistence.sizeLimit` | Set this to enable a size limit for `emptyDir` volumes. | `""` | +| `sentinel.persistentVolumeClaimRetentionPolicy.enabled` | Controls if and how PVCs are deleted during the lifecycle of a StatefulSet | `false` | +| `sentinel.persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | +| `sentinel.persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | +| `sentinel.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sentinel.resources is set (sentinel.resources is recommended for production). 
| `nano` | +| `sentinel.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `sentinel.containerSecurityContext.enabled` | Enabled Redis® Sentinel containers' Security Context | `true` | +| `sentinel.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `sentinel.containerSecurityContext.runAsUser` | Set Redis® Sentinel containers' Security Context runAsUser | `1001` | +| `sentinel.containerSecurityContext.runAsGroup` | Set Redis® Sentinel containers' Security Context runAsGroup | `1001` | +| `sentinel.containerSecurityContext.runAsNonRoot` | Set Redis® Sentinel containers' Security Context runAsNonRoot | `true` | +| `sentinel.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `true` | +| `sentinel.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® Sentinel containers' Security Context allowPrivilegeEscalation | `false` | +| `sentinel.containerSecurityContext.seccompProfile.type` | Set Redis® Sentinel containers' Security Context seccompProfile | `RuntimeDefault` | +| `sentinel.containerSecurityContext.capabilities.drop` | Set Redis® Sentinel containers' Security Context capabilities to drop | `["ALL"]` | +| `sentinel.lifecycleHooks` | for the Redis® sentinel container(s) to automate configuration before or after startup | `{}` | +| `sentinel.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® Sentinel | `[]` | +| `sentinel.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® Sentinel container(s) | `[]` | +| `sentinel.service.type` | Redis® Sentinel service type | `ClusterIP` | +| `sentinel.service.ports.redis` | Redis® service port for Redis® | `6379` | +| `sentinel.service.ports.sentinel` | Redis® service port for Redis® Sentinel | `26379` | +| `sentinel.service.nodePorts.redis` | Node port for Redis® 
| `""` | +| `sentinel.service.nodePorts.sentinel` | Node port for Sentinel | `""` | +| `sentinel.service.externalTrafficPolicy` | Redis® Sentinel service external traffic policy | `Cluster` | +| `sentinel.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `sentinel.service.clusterIP` | Redis® Sentinel service Cluster IP | `""` | +| `sentinel.service.createMaster` | Enable master service pointing to the current master (experimental) | `false` | +| `sentinel.service.loadBalancerIP` | Redis® Sentinel service Load Balancer IP | `""` | +| `sentinel.service.loadBalancerClass` | sentinel service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | +| `sentinel.service.loadBalancerSourceRanges` | Redis® Sentinel service Load Balancer sources | `[]` | +| `sentinel.service.annotations` | Additional custom annotations for Redis® Sentinel service | `{}` | +| `sentinel.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `sentinel.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `sentinel.service.headless.annotations` | Annotations for the headless service. 
| `{}` | +| `sentinel.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-node pods | `30` | + +### Other Parameters + +| Name | Description | Value | +| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` | +| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` | +| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.extraEgress` | Add extra egress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.metrics.allowExternal` | Don't require client label for connections for metrics endpoint | `true` | +| `networkPolicy.metrics.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces to metrics endpoint | `{}` | +| `networkPolicy.metrics.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces to metrics endpoint | `{}` | +| `podSecurityPolicy.create` | Whether to create a PodSecurityPolicy. 
WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` | +| `podSecurityPolicy.enabled` | Enable PodSecurityPolicy's RBAC rules | `false` | +| `rbac.create` | Specifies whether RBAC resources should be created | `false` | +| `rbac.rules` | Custom RBAC rules to set | `[]` | +| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | +| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | +| `serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` | +| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | +| `pdb.create` | Specifies whether a PodDisruptionBudget should be created | `false` | +| `pdb.minAvailable` | Min number of pods that must still be available after the eviction | `1` | +| `pdb.maxUnavailable` | Max number of pods that can be unavailable after the eviction | `""` | +| `tls.enabled` | Enable TLS traffic | `false` | +| `tls.authClients` | Require clients to authenticate | `true` | +| `tls.autoGenerated` | Enable autogenerated certificates | `false` | +| `tls.existingSecret` | The name of the existing secret that contains the TLS certificates | `""` | +| `tls.certificatesSecret` | DEPRECATED. Use existingSecret instead. 
| `""` | +| `tls.certFilename` | Certificate filename | `""` | +| `tls.certKeyFilename` | Certificate Key filename | `""` | +| `tls.certCAFilename` | CA Certificate filename | `""` | +| `tls.dhParamsFilename` | File containing DH params (in order to support DH based ciphers) | `""` | + +### Metrics Parameters -```yaml -securityContext: - sysctls: - - name: net.core.somaxconn - value: "10000" -``` +| Name | Description | Value | +| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | +| `metrics.enabled` | Start a sidecar prometheus exporter to expose Redis® metrics | `false` | +| `metrics.image.registry` | Redis® Exporter image registry | `REGISTRY_NAME` | +| `metrics.image.repository` | Redis® Exporter image repository | `REPOSITORY_NAME/redis-exporter` | +| `metrics.image.digest` | Redis® Exporter image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | Redis® Exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Redis® Exporter image pull secrets | `[]` | +| `metrics.containerPorts.http` | Metrics HTTP container port | `9121` | +| `metrics.startupProbe.enabled` | Enable startupProbe on Redis® replicas nodes | `false` | +| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` | +| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe on Redis® replicas nodes | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe on Redis® replicas nodes | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.customStartupProbe` | Custom startupProbe that 
overrides the default one | `{}` | +| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `metrics.command` | Override default metrics container init command (useful when using custom images) | `[]` | +| `metrics.redisTargetHost` | A way to specify an alternative Redis® hostname | `localhost` | +| `metrics.extraArgs` | Extra arguments for Redis® exporter, for example: | `{}` | +| `metrics.extraEnvVars` | Array with extra environment variables to add to Redis® exporter | `[]` | +| `metrics.containerSecurityContext.enabled` | Enabled Redis® exporter containers' Security Context | `true` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `metrics.containerSecurityContext.runAsUser` | Set Redis® exporter containers' Security Context runAsUser | `1001` | +| `metrics.containerSecurityContext.runAsGroup` | Set Redis® exporter containers' Security Context runAsGroup | `1001` | +| `metrics.containerSecurityContext.runAsNonRoot` | Set Redis® exporter containers' Security Context runAsNonRoot | `true` | +| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® exporter containers' Security Context allowPrivilegeEscalation | `false` | +| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context read-only root filesystem | `true` | +| `metrics.containerSecurityContext.seccompProfile.type` | Set Redis® exporter containers' Security Context seccompProfile | `RuntimeDefault` | +| `metrics.containerSecurityContext.capabilities.drop` | Set Redis® exporter containers' Security Context capabilities to drop | `["ALL"]` | +| `metrics.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® metrics sidecar | `[]` | +| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® 
metrics sidecar | `[]` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` | +| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `metrics.podLabels` | Extra labels for Redis® exporter pods | `{}` | +| `metrics.podAnnotations` | Annotations for Redis® exporter pods | `{}` | +| `metrics.service.enabled` | Create Service resource(s) for scraping metrics using PrometheusOperator ServiceMonitor, can be disabled when using a PodMonitor | `true` | +| `metrics.service.type` | Redis® exporter service type | `ClusterIP` | +| `metrics.service.ports.http` | Redis® exporter service port | `9121` | +| `metrics.service.externalTrafficPolicy` | Redis® exporter service external traffic policy | `Cluster` | +| `metrics.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `metrics.service.loadBalancerIP` | Redis® exporter service Load Balancer IP | `""` | +| `metrics.service.loadBalancerClass` | exporter service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | +| `metrics.service.loadBalancerSourceRanges` | Redis® exporter service Load Balancer sources | `[]` | +| `metrics.service.annotations` | Additional custom annotations for Redis® exporter service | `{}` | +| `metrics.service.clusterIP` | Redis® exporter service Cluster IP | `""` | +| `metrics.serviceMonitor.port` | the service port to scrape metrics from | `http-metrics` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator | `false` | +| `metrics.serviceMonitor.namespace` | The namespace in which the ServiceMonitor will be created | `""` | +| `metrics.serviceMonitor.interval` 
| The interval at which metrics should be scraped | `30s` | +| `metrics.serviceMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.relabelings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. | `[]` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` | +| `metrics.serviceMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` | +| `metrics.serviceMonitor.targetLimit` | Limit of how many targets should be scraped | `false` | +| `metrics.serviceMonitor.additionalEndpoints` | Additional endpoints to scrape (e.g sentinel) | `[]` | +| `metrics.podMonitor.port` | the pod port to scrape metrics from | `metrics` | +| `metrics.podMonitor.enabled` | Create PodMonitor resource(s) for scraping metrics using PrometheusOperator | `false` | +| `metrics.podMonitor.namespace` | The namespace in which the PodMonitor will be created | `""` | +| `metrics.podMonitor.interval` | The interval at which metrics should be scraped | `30s` | +| `metrics.podMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` | +| `metrics.podMonitor.relabelings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` | +| `metrics.podMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. 
| `[]` | +| `metrics.podMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.podMonitor.additionalLabels` | Additional labels that can be used so PodMonitor resource(s) can be discovered by Prometheus | `{}` | +| `metrics.podMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` | +| `metrics.podMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` | +| `metrics.podMonitor.targetLimit` | Limit of how many targets should be scraped | `false` | +| `metrics.podMonitor.additionalEndpoints` | Additional endpoints to scrape (e.g sentinel) | `[]` | +| `metrics.prometheusRule.enabled` | Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator | `false` | +| `metrics.prometheusRule.namespace` | The namespace in which the prometheusRule will be created | `""` | +| `metrics.prometheusRule.additionalLabels` | Additional labels for the prometheusRule | `{}` | +| `metrics.prometheusRule.rules` | Custom Prometheus rules | `[]` | -Note that this will not disable transparent huge tables. 
+### Init Container Parameters -## Persistence +| Name | Description | Value | +| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` | +| `volumePermissions.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). 
| `nano` | +| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` | +| `kubectl.image.registry` | Kubectl image registry | `REGISTRY_NAME` | +| `kubectl.image.repository` | Kubectl image repository | `REPOSITORY_NAME/kubectl` | +| `kubectl.image.digest` | Kubectl image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `kubectl.image.pullPolicy` | Kubectl image pull policy | `IfNotPresent` | +| `kubectl.image.pullSecrets` | Kubectl pull secrets | `[]` | +| `kubectl.command` | kubectl command to execute | `["/opt/bitnami/scripts/kubectl-scripts/update-master-label.sh"]` | +| `kubectl.resources.limits` | The resources limits for the kubectl containers | `{}` | +| `kubectl.resources.requests` | The requested resources for the kubectl containers | `{}` | +| `sysctl.enabled` | Enable init container to modify Kernel settings | `false` | +| `sysctl.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | +| `sysctl.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | +| `sysctl.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `sysctl.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | +| `sysctl.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | +| `sysctl.command` | Override default init-sysctl container command (useful when using custom images) | `[]` | +| `sysctl.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` | +| `sysctl.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sysctl.resources is set (sysctl.resources is recommended for production). | `nano` | +| `sysctl.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | -By default, the chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) at the `/data` path. The volume is created using dynamic volume provisioning. If a Persistent Volume Claim already exists, specify it during installation. +### useExternalDNS Parameters -### Existing PersistentVolumeClaim +| Name | Description | Value | +| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `useExternalDNS.enabled` | Enable various syntax that would enable external-dns to work. Note this requires a working installation of `external-dns` to be usable. | `false` | +| `useExternalDNS.additionalAnnotations` | Extra annotations to be utilized when `external-dns` is enabled. | `{}` | +| `useExternalDNS.annotationKey` | The annotation key utilized when `external-dns` is enabled. Setting this to `false` will disable annotations. | `external-dns.alpha.kubernetes.io/` | +| `useExternalDNS.suffix` | The DNS suffix utilized when `external-dns` is enabled. 
Note that we prepend the suffix with the full name of the release. | `""` | -1. Create the PersistentVolume -2. Create the PersistentVolumeClaim -3. Install the chart +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, ```console -helm install my-release --set master.persistence.existingClaim=PVC_NAME oci://REGISTRY_NAME/REPOSITORY_NAME/redis +helm install my-release \ + --set auth.password=secretpassword \ + oci://REGISTRY_NAME/REPOSITORY_NAME/redis ``` > Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. -## Backup and restore - -To backup and restore Redis deployments on Kubernetes, you will need to create a snapshot of the data in the source cluster, and later restore it in a new cluster with the new parameters. Follow the instructions below: - -### Step 1: Backup the deployment - -- Connect to one of the nodes and start the Redis CLI tool. Then, run the commands below: - - ```text - $ kubectl exec -it my-release-master-0 bash - $ redis-cli - 127.0.0.1:6379> auth your_current_redis_password - OK - 127.0.0.1:6379> save - OK - ``` - -- Copy the dump file from the Redis node: - - ```console - kubectl cp my-release-master-0:/data/dump.rdb dump.rdb -c redis - ``` - -### Step 2: Restore the data on the destination cluster - -To restore the data in a new cluster, you will need to create a PVC and then upload the *dump.rdb* file to the new volume. - -Follow the following steps: - -- In the [*values.yaml*](https://github.com/bitnami/charts/blob/main/bitnami/redis/values.yaml) file set the *appendonly* parameter to *no*. 
You can skip this step if it is already configured as *no* - - ```yaml - commonConfiguration: |- - # Enable AOF https://redis.io/topics/persistence#append-only-file - appendonly no - # Disable RDB persistence, AOF persistence already enabled. - save "" - ``` - - > *Note that the `Enable AOF` comment belongs to the original config file and what you're actually doing is disabling it. This change will only be neccessary for the temporal cluster you're creating to upload the dump.* - -- Start the new cluster to create the PVCs. Use the command below as an example: - - ```console - helm install new-redis -f values.yaml . --set cluster.enabled=true --set cluster.slaveCount=3 - ``` - -- Now that the PVC were created, stop it and copy the *dump.rdp* file on the persisted data by using a helping pod. - - ```text - $ helm delete new-redis - - $ kubectl run --generator=run-pod/v1 -i --rm --tty volpod --overrides=' - { - "apiVersion": "v1", - "kind": "Pod", - "metadata": { - "name": "redisvolpod" - }, - "spec": { - "containers": [{ - "command": [ - "tail", - "-f", - "/dev/null" - ], - "image": "bitnami/minideb", - "name": "mycontainer", - "volumeMounts": [{ - "mountPath": "/mnt", - "name": "redisdata" - }] - }], - "restartPolicy": "Never", - "volumes": [{ - "name": "redisdata", - "persistentVolumeClaim": { - "claimName": "redis-data-new-redis-master-0" - } - }] - } - }' --image="bitnami/minideb" - - $ kubectl cp dump.rdb redisvolpod:/mnt/dump.rdb - $ kubectl delete pod volpod - ``` - -- Restart the cluster: - - > **INFO:** The *appendonly* parameter can be safely restored to your desired value. - - ```console - helm install new-redis -f values.yaml . 
--set cluster.enabled=true --set cluster.slaveCount=3 - ``` - -## NetworkPolicy - -To enable network policy for Redis®, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. +The above command sets the Redis® server password to `secretpassword`. -With NetworkPolicy enabled, only pods with the generated client label will be able to connect to Redis. This label will be displayed in the output after a successful install. +> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. -With `networkPolicy.ingressNSMatchLabels` pods from other namespaces can connect to Redis. Set `networkPolicy.ingressNSPodMatchLabels` to match pod labels in matched namespace. For example, for a namespace labeled `redis=external` and pods in that namespace labeled `redis-client=true` the fields should be set: +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, -```yaml -networkPolicy: - enabled: true - ingressNSMatchLabels: - redis: external - ingressNSPodMatchLabels: - redis-client: true +```console +helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/redis ``` -### Setting Pod's affinity - -This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). 
-
-As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters.
+> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`.
+> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/redis/values.yaml)
 ## Troubleshooting
@@ -1048,6 +1038,17 @@ This issue can be mitigated by splitting the upgrade into two stages: one for al
 - Stage 2 (anything else that is not up to date, in this case only master): `helm upgrade oci://REGISTRY_NAME/REPOSITORY_NAME/redis`
+### To 19.0.0
+
+This major bump changes the following security defaults:
+
+- `runAsGroup` is changed from `0` to `1001`
+- `readOnlyRootFilesystem` is set to `true`
+- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
+- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
+
+This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
+
 ### To 18.0.0
 This major version updates the Redis® docker image version used from `7.0` to `7.2`, the new stable version. There are no major changes in the chart, but we recommend checking the [Redis® 7.2 release notes](https://raw.githubusercontent.com/redis/redis/7.2/00-RELEASENOTES) before upgrading.
@@ -1246,4 +1247,4 @@ Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
-limitations under the License.
\ No newline at end of file
+limitations under the License.
diff --git a/charts/bitnami/redis/templates/podmonitor.yaml b/charts/bitnami/redis/templates/podmonitor.yaml
index e6521c60fb..0e50aab16a 100644
--- a/charts/bitnami/redis/templates/podmonitor.yaml
+++ b/charts/bitnami/redis/templates/podmonitor.yaml
@@ -28,8 +28,8 @@ spec:
 {{- if .Values.metrics.podMonitor.honorLabels }}
 honorLabels: {{ .Values.metrics.podMonitor.honorLabels }}
 {{- end }}
- {{- if .Values.metrics.podMonitor.relabellings }}
- relabelings: {{- toYaml .Values.metrics.podMonitor.relabellings | nindent 6 }}
+ {{- with concat .Values.metrics.podMonitor.relabelings .Values.metrics.podMonitor.relabellings }}
+ relabelings: {{- toYaml . | nindent 6 }}
 {{- end }}
 {{- if .Values.metrics.podMonitor.metricRelabelings }}
 metricRelabelings: {{- toYaml .Values.metrics.podMonitor.metricRelabelings | nindent 6 }}
@@ -45,8 +45,8 @@ spec:
 {{- if .honorLabels }}
 honorLabels: {{ .honorLabels }}
 {{- end }}
- {{- if .relabellings }}
- relabelings: {{- toYaml .relabellings | nindent 6 }}
+ {{- with concat .Values.metrics.podMonitor.relabelings .Values.metrics.podMonitor.relabellings }}
+ relabelings: {{- toYaml . | nindent 6 }}
 {{- end }}
 {{- if .metricRelabelings }}
 metricRelabelings: {{- toYaml .metricRelabelings | nindent 6 }}
diff --git a/charts/bitnami/redis/templates/servicemonitor.yaml b/charts/bitnami/redis/templates/servicemonitor.yaml
index 2e53ad9329..0cda45d067 100644
--- a/charts/bitnami/redis/templates/servicemonitor.yaml
+++ b/charts/bitnami/redis/templates/servicemonitor.yaml
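Review bot: In the second podmonitor.yaml hunk (`@@ -45,8 +45,8 @@`) the new `with concat .Values.metrics.podMonitor.relabelings .Values.metrics.podMonitor.relabellings` reads from the chart root, but the neighbouring lines (`.honorLabels`, `.metricRelabelings`) and the removed `.relabellings` show that `.` is a per-item scope here, presumably a `range` over additional endpoints that starts outside the hunk. In that scope `.Values` is not the chart values, so rendering can fail with a nil-pointer error as soon as an extra endpoint is configured, and where it does render the per-endpoint relabel config is silently replaced by the top-level one. Keep the item fields and default absent ones so `concat` always receives lists: `{{- with concat (default (list) .relabelings) (default (list) .relabellings) }}`. The identical line appears in the second hunk of servicemonitor.yaml in the next file section and needs the same fix.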
@@ -28,8 +28,8 @@ spec:
 {{- if .Values.metrics.serviceMonitor.honorLabels }}
 honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
 {{- end }}
- {{- if .Values.metrics.serviceMonitor.relabellings }}
- relabelings: {{- toYaml .Values.metrics.serviceMonitor.relabellings | nindent 6 }}
+ {{- with concat .Values.metrics.serviceMonitor.relabelings .Values.metrics.serviceMonitor.relabellings }}
+ relabelings: {{- toYaml . | nindent 6 }}
 {{- end }}
 {{- if .Values.metrics.serviceMonitor.metricRelabelings }}
 metricRelabelings: {{- toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 6 }}
@@ -45,8 +45,8 @@ spec:
 {{- if .honorLabels }}
 honorLabels: {{ .honorLabels }}
 {{- end }}
- {{- if .relabellings }}
- relabelings: {{- toYaml .relabellings | nindent 6 }}
+ {{- with concat .Values.metrics.serviceMonitor.relabelings .Values.metrics.serviceMonitor.relabellings }}
+ relabelings: {{- toYaml . | nindent 6 }}
 {{- end }}
 {{- if .metricRelabelings }}
 metricRelabelings: {{- toYaml .metricRelabelings | nindent 6 }}
diff --git a/charts/bitnami/redis/values.yaml b/charts/bitnami/redis/values.yaml
index a9517f0473..142da1fbf4 100644
--- a/charts/bitnami/redis/values.yaml
+++ b/charts/bitnami/redis/values.yaml
@@ -30,7 +30,7 @@ global:
 openshift:
 ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
 ##
- adaptSecurityContext: disabled
+ adaptSecurityContext: auto
 ## @section Common parameters
 ##
@@ -275,7 +275,7 @@ master:
 ## @param master.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production).
 ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
 ##
- resourcesPreset: "none"
+ resourcesPreset: "nano"
 ## @param master.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
 ## Example:
 ## resources:
@@ -315,12 +315,12 @@ master:
 ##
 containerSecurityContext:
 enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
 runAsUser: 1001
- runAsGroup: 0
+ runAsGroup: 1001
 runAsNonRoot: true
 allowPrivilegeEscalation: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 seccompProfile:
 type: RuntimeDefault
 capabilities:
@@ -737,7 +737,7 @@ replica:
 ## @param replica.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if replica.resources is set (replica.resources is recommended for production).
 ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
 ##
- resourcesPreset: "none"
+ resourcesPreset: "nano"
 ## @param replica.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
 ## Example:
 ## resources:
@@ -777,12 +777,12 @@ replica:
 ##
 containerSecurityContext:
 enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
 runAsUser: 1001
- runAsGroup: 0
+ runAsGroup: 1001
 runAsNonRoot: true
 allowPrivilegeEscalation: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 seccompProfile:
 type: RuntimeDefault
 capabilities:
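Review bot: The `master` securityContext hunk (`@@ -315,12 +315,12 @@`) flips `readOnlyRootFilesystem` to `true`, but nothing in this diff shows the workload templates gaining writable `emptyDir` mounts for whatever paths the container writes at runtime (rendered config, `/tmp`, the data directory when persistence is disabled), so please confirm those mounts exist in templates outside this view; otherwise a default install crash-loops on the read-only root. The same default changes are made for `replica` on this line and for `sentinel`, `metrics` and the spark `master`/`worker` contexts in later hunks, so one verification covers all of them. The `## @param` comment above `seLinuxOptions: {}` could also say why an empty object rather than `null` is now the default, since `{}` is rendered verbatim on clusters where no OpenShift adaptation applies.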
@@ -1306,7 +1306,7 @@ sentinel:
 ## @param sentinel.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sentinel.resources is set (sentinel.resources is recommended for production).
 ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
 ##
- resourcesPreset: "none"
+ resourcesPreset: "nano"
 ## @param sentinel.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
 ## Example:
 ## resources:
@@ -1332,12 +1332,12 @@ sentinel:
 ##
 containerSecurityContext:
 enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
 runAsUser: 1001
- runAsGroup: 0
+ runAsGroup: 1001
 runAsNonRoot: true
 allowPrivilegeEscalation: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 seccompProfile:
 type: RuntimeDefault
 capabilities:
@@ -1708,12 +1708,12 @@ metrics:
 ##
 containerSecurityContext:
 enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
 runAsUser: 1001
- runAsGroup: 0
+ runAsGroup: 1001
 runAsNonRoot: true
 allowPrivilegeEscalation: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 seccompProfile:
 type: RuntimeDefault
 capabilities:
@@ -1729,7 +1729,7 @@ metrics:
 ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production).
 ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
 ##
- resourcesPreset: "none"
+ resourcesPreset: "nano"
 ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
 ## Example:
 ## resources:
@@ -1812,7 +1812,10 @@ metrics:
 ## @param metrics.serviceMonitor.scrapeTimeout The timeout after which the scrape is ended
 ##
 scrapeTimeout: ""
- ## @param metrics.serviceMonitor.relabellings Metrics RelabelConfigs to apply to samples before scraping.
+ ## @param metrics.serviceMonitor.relabelings Metrics RelabelConfigs to apply to samples before scraping.
+ ##
+ relabelings: []
+ ## @skip metrics.serviceMonitor.relabellings DEPRECATED: Use `metrics.serviceMonitor.relabelings` instead.
 ##
 relabellings: []
 ## @param metrics.serviceMonitor.metricRelabelings Metrics RelabelConfigs to apply to samples before ingestion.
@@ -1866,7 +1869,10 @@ metrics:
 ## @param metrics.podMonitor.scrapeTimeout The timeout after which the scrape is ended
 ##
 scrapeTimeout: ""
- ## @param metrics.podMonitor.relabellings Metrics RelabelConfigs to apply to samples before scraping.
+ ## @param metrics.podMonitor.relabelings Metrics RelabelConfigs to apply to samples before scraping.
+ ##
+ relabelings: []
+ ## @skip metrics.podMonitor.relabellings DEPRECATED: Use `metrics.podMonitor.relabelings` instead.
 ##
 relabellings: []
 ## @param metrics.podMonitor.metricRelabelings Metrics RelabelConfigs to apply to samples before ingestion.
@@ -1988,7 +1994,7 @@ volumePermissions:
 ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
 ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
 ##
- resourcesPreset: "none"
+ resourcesPreset: "nano"
 ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
 ## Example:
 ## resources:
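Review bot: The new `@skip` comment on the deprecated `metrics.serviceMonitor.relabellings` (hunk `@@ -1812,7 +1812,10 @@`) only says to use `relabelings` instead, but the templates in this PR `concat` both lists, so a user who sets both gets both applied with the `relabelings` entries first. Suggest stating that in the comment so the migration behaviour is explicit: `## @skip metrics.serviceMonitor.relabellings DEPRECATED: Use metrics.serviceMonitor.relabelings instead. If both are set their entries are concatenated, relabelings first.` The `metrics.podMonitor.relabellings` hunk (`@@ -1866,7 +1869,10 @@`) on this line needs the same wording.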
@@ -2009,7 +2015,7 @@ volumePermissions:
 ## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)
 ##
 containerSecurityContext:
- seLinuxOptions: null
+ seLinuxOptions: {}
 runAsUser: 0
 ## Kubectl InitContainer
@@ -2096,7 +2102,7 @@ sysctl:
 ## @param sysctl.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sysctl.resources is set (sysctl.resources is recommended for production).
 ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
 ##
- resourcesPreset: "none"
+ resourcesPreset: "nano"
 ## @param sysctl.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
 ## Example:
 ## resources:
diff --git a/charts/bitnami/spark/Chart.yaml b/charts/bitnami/spark/Chart.yaml
index 7dab086f79..bfa4b53d2d 100644
--- a/charts/bitnami/spark/Chart.yaml
+++ b/charts/bitnami/spark/Chart.yaml
@@ -30,4 +30,4 @@ maintainers:
 name: spark
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/spark
-version: 8.9.1
+version: 9.0.0
diff --git a/charts/bitnami/spark/README.md b/charts/bitnami/spark/README.md
index cb16a2a0d8..f3b708822e 100644
--- a/charts/bitnami/spark/README.md
+++ b/charts/bitnami/spark/README.md
@@ -57,12 +57,12 @@ The command removes all the Kubernetes components associated with the chart and ### Global parameters -| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters 
@@ -119,10 +119,10 @@ The command removes all the Kubernetes components associated with the chart and
 | `master.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `master.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `master.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `master.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
+| `master.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
 | `master.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `master.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `master.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `master.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
 | `master.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
 | `master.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `master.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
@@ -147,7 +147,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `master.extraVolumes` | Optionally specify extra list of additional volumes for the master pod(s) | `[]` |
 | `master.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the master container(s) | `[]` |
 | `master.extraVolumeClaimTemplates` | Optionally specify extra list of volumesClaimTemplates for the master statefulset | `[]` |
-| `master.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production). | `none` |
+| `master.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production). | `small` |
 | `master.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `master.livenessProbe.enabled` | Enable livenessProbe | `true` |
 | `master.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `180` |
@@ -210,10 +210,10 @@ The command removes all the Kubernetes components associated with the chart and
 | `worker.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `worker.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `worker.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
-| `worker.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` |
+| `worker.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
 | `worker.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `worker.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `worker.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `worker.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
 | `worker.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
 | `worker.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `worker.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
@@ -239,7 +239,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `worker.extraVolumes` | Optionally specify extra list of additional volumes for the worker pod(s) | `[]` |
 | `worker.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the master container(s) | `[]` |
 | `worker.extraVolumeClaimTemplates` | Optionally specify extra list of volumesClaimTemplates for the worker statefulset | `[]` |
-| `worker.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if worker.resources is set (worker.resources is recommended for production). | `none` |
+| `worker.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if worker.resources is set (worker.resources is recommended for production). | `small` |
 | `worker.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `worker.livenessProbe.enabled` | Enable livenessProbe | `true` |
 | `worker.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `180` |
@@ -293,7 +293,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `security.ssl.autoGenerated` | Create self-signed TLS certificates. Currently only supports PEM certificates | `false` |
 | `security.ssl.keystorePassword` | Set the password of the JKS Keystore | `""` |
 | `security.ssl.truststorePassword` | Truststore password. | `""` |
-| `security.ssl.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if security.ssl.resources is set (security.ssl.resources is recommended for production). | `none` |
+| `security.ssl.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if security.ssl.resources is set (security.ssl.resources is recommended for production). | `small` |
 | `security.ssl.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 ### Traffic Exposure parameters
@@ -492,6 +492,17 @@ Find more information about how to deal with common errors related to Bitnami's
 ## Upgrading
+### To 9.0.0
+
+This major bump changes the following security defaults:
+
+- `runAsGroup` is changed from `0` to `1001`
+- `readOnlyRootFilesystem` is set to `true`
+- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
+- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
+
+This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
+
 ### To 6.0.0
 This chart major version standarizes the chart templates and values, modifying some existing parameters names and adding several more. These parameter modifications can be sumarised in the following:
@@ -536,4 +547,4 @@ Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
-limitations under the License.
\ No newline at end of file
+limitations under the License.
diff --git a/charts/bitnami/spark/values.yaml b/charts/bitnami/spark/values.yaml
index c20db0a3f6..7f6bc5cfdd 100644
--- a/charts/bitnami/spark/values.yaml
+++ b/charts/bitnami/spark/values.yaml
@@ -27,7 +27,7 @@ global:
 openshift:
 ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
 ##
- adaptSecurityContext: disabled
+ adaptSecurityContext: auto
 ## @section Common parameters
 ##
@@ -207,10 +207,10 @@ master:
 enabled: true
 seLinuxOptions: null
 runAsUser: 1001
- runAsGroup: 0
+ runAsGroup: 1001
 runAsNonRoot: true
 privileged: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
@@ -315,7 +315,7 @@ master:
 ## @param master.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production).
 ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
 ##
- resourcesPreset: "none"
+ resourcesPreset: "small"
 ## @param master.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
 ## Example:
 ## resources:
@@ -559,10 +559,10 @@ worker:
 enabled: true
 seLinuxOptions: null
 runAsUser: 1001
- runAsGroup: 0
+ runAsGroup: 1001
 runAsNonRoot: true
 privileged: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
@@ -671,7 +671,7 @@ worker:
 ## @param worker.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if worker.resources is set (worker.resources is recommended for production).
 ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
 ##
- resourcesPreset: "none"
+ resourcesPreset: "small"
 ## @param worker.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
 ## Example:
 ## resources:
@@ -889,7 +889,7 @@ security:
 ## @param security.ssl.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if security.ssl.resources is set (security.ssl.resources is recommended for production).
 ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
 ##
- resourcesPreset: "none"
+ resourcesPreset: "small"
 ## @param security.ssl.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
 ## Example:
 ## resources:
diff --git a/charts/bitnami/tomcat/Chart.lock b/charts/bitnami/tomcat/Chart.lock
index 537558ab47..eaff6d58f3 100644
--- a/charts/bitnami/tomcat/Chart.lock
+++ b/charts/bitnami/tomcat/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: common
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 2.18.0
-digest: sha256:f489ae7394a4eceb24fb702901483c67a5b4fff605f19d5e2545e3a6778e1280
-generated: "2024-03-05T15:53:43.135308944+01:00"
+ version: 2.19.0
+digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc
+generated: "2024-03-15T01:41:57.021991384Z"
diff --git a/charts/bitnami/tomcat/Chart.yaml b/charts/bitnami/tomcat/Chart.yaml
index 570b56112c..1e2b8b471c 100644
--- a/charts/bitnami/tomcat/Chart.yaml
+++ b/charts/bitnami/tomcat/Chart.yaml
@@ -10,7 +10,7 @@ annotations:
 - name: os-shell
 image: docker.io/bitnami/os-shell:12-debian-12-r16
 - name: tomcat
- image: docker.io/bitnami/tomcat:10.1.19-debian-12-r0
+ image: docker.io/bitnami/tomcat:10.1.19-debian-12-r2
 licenses: Apache-2.0
 apiVersion: v2
 appVersion: 10.1.19
@@ -38,4 +38,4 @@ maintainers:
 name: tomcat
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/tomcat
-version: 10.17.0
+version: 10.17.1
diff --git a/charts/bitnami/tomcat/charts/common/Chart.yaml b/charts/bitnami/tomcat/charts/common/Chart.yaml
index 2acf0cd40a..f86ccd23a4 100644
--- a/charts/bitnami/tomcat/charts/common/Chart.yaml
+++ b/charts/bitnami/tomcat/charts/common/Chart.yaml
@@ -2,7 +2,7 @@ annotations:
 category: Infrastructure
 licenses: Apache-2.0
 apiVersion: v2
-appVersion: 2.18.0
+appVersion: 2.19.0
 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself.
 home: https://bitnami.com
@@ -20,4 +20,4 @@ name: common
 sources:
 - https://github.com/bitnami/charts
 type: library
-version: 2.18.0
+version: 2.19.0
diff --git a/charts/bitnami/tomcat/charts/common/templates/_compatibility.tpl b/charts/bitnami/tomcat/charts/common/templates/_compatibility.tpl
index c529f08725..17665d567f 100644
--- a/charts/bitnami/tomcat/charts/common/templates/_compatibility.tpl
+++ b/charts/bitnami/tomcat/charts/common/templates/_compatibility.tpl
@@ -28,6 +28,10 @@ Usage:
{{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
{{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
{{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+ {{- if not .secContext.seLinuxOptions -}}
+ {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
+ {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+ {{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
diff --git a/charts/bitnami/tomcat/values.yaml b/charts/bitnami/tomcat/values.yaml
index 5b5ea0b075..86ef4d0b55 100644
--- a/charts/bitnami/tomcat/values.yaml
+++ b/charts/bitnami/tomcat/values.yaml
@@ -68,7 +68,7 @@ extraDeploy: []
image:
registry: docker.io
repository: bitnami/tomcat
- tag: 10.1.19-debian-12-r0
+ tag: 10.1.19-debian-12-r2
digest: ""
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
diff --git a/charts/bitnami/wordpress/Chart.lock b/charts/bitnami/wordpress/Chart.lock
index 1c327cdecb..84ceca8fdf 100644
--- a/charts/bitnami/wordpress/Chart.lock
+++ b/charts/bitnami/wordpress/Chart.lock
@@ -1,12 +1,12 @@
dependencies:
- name: memcached
repository: oci://registry-1.docker.io/bitnamicharts
- version: 6.14.0
+ version: 7.0.2
- name: mariadb
repository: oci://registry-1.docker.io/bitnamicharts
- version: 16.5.0
+ version: 17.0.1
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.19.0
-digest: sha256:f14e7183217316a026257bb89543ec1055b763c37dd4bfba26c2c725ac0e7571
-generated: "2024-03-08T16:54:42.092136196Z"
+digest: sha256:3b4e997af36fdaa0116bd43fdbe2bb7575f280e86a1ede66430a47115b7f89ba
+generated: "2024-03-20T16:16:30.974197+01:00"
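Review bot: The new `{{- if not .secContext.seLinuxOptions -}}` block is placed before the `{{- end -}}` that closes the `adaptSecurityContext` check, so the empty `seLinuxOptions` object is only dropped when the OpenShift adaptation is active; on any other cluster it appears to be passed through as-is. The wordpress README tables later in this commit change the documented default for `containerSecurityContext.seLinuxOptions` from `nil` to `{}`, so if an empty object "causes validation issues" as the new comment says, readers will reasonably expect the stripping to apply everywhere, and the comment does not say why it is limited to OpenShift. Either hoist the four added lines to just after the OpenShift block's closing `{{- end -}}` lines so the empty object is omitted regardless of platform, or make the comment specific, e.g. `{{/* OpenShift rejects an empty seLinuxOptions object, so drop it when adapting the context for restricted-v2 */}}`. The enclosing `define` starts before this hunk, so I cannot see how `$adaptedContext` is initialised or rendered.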
diff --git a/charts/bitnami/wordpress/Chart.yaml b/charts/bitnami/wordpress/Chart.yaml index 7e4f9c5eb1..0ea7ca4599 100644 --- a/charts/bitnami/wordpress/Chart.yaml +++ b/charts/bitnami/wordpress/Chart.yaml @@ -6,11 +6,11 @@ annotations: category: CMS images: | - name: apache-exporter - image: docker.io/bitnami/apache-exporter:1.0.6-debian-12-r8 + image: docker.io/bitnami/apache-exporter:1.0.7-debian-12-r0 - name: os-shell - image: docker.io/bitnami/os-shell:12-debian-12-r16 + image: docker.io/bitnami/os-shell:12-debian-12-r17 - name: wordpress - image: docker.io/bitnami/wordpress:6.4.3-debian-12-r20 + image: docker.io/bitnami/wordpress:6.4.3-debian-12-r28 licenses: Apache-2.0 apiVersion: v2 appVersion: 6.4.3 @@ -18,11 +18,11 @@ dependencies: - condition: memcached.enabled name: memcached repository: file://./charts/memcached - version: 6.x.x + version: 7.x.x - condition: mariadb.enabled name: mariadb repository: file://./charts/mariadb - version: 16.x.x + version: 17.x.x - name: common repository: file://./charts/common tags: @@ -47,4 +47,4 @@ maintainers: name: wordpress sources: - https://github.com/bitnami/charts/tree/main/bitnami/wordpress -version: 20.1.2 +version: 21.0.6 diff --git a/charts/bitnami/wordpress/README.md b/charts/bitnami/wordpress/README.md index 006c3d053f..57663b0437 100644 --- a/charts/bitnami/wordpress/README.md +++ b/charts/bitnami/wordpress/README.md 
@@ -43,26 +43,211 @@ The command deploys WordPress on the Kubernetes cluster in the default configura > **Tip**: List all releases using `helm list` -## Uninstalling the Chart +## Configuration and installation details + +### Resource requests and limits + +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Known limitations + +When performing admin operations that require activating the maintenance mode (such as updating a plugin or theme), it's activated in only one replica (see: [bug report](https://core.trac.wordpress.org/ticket/50797)). This implies that WP could be attending requests on other replicas while performing admin operations, with unpredictable consequences. 
+ +To avoid that, you can manually activate/deactivate the maintenance mode on every replica using the WP CLI. For instance, if you installed WP with three replicas, you can run the commands below to activate the maintenance mode in all of them (assuming that the release name is `wordpress`): + +```console +kubectl exec $(kubectl get pods -l app.kubernetes.io/name=wordpress -o jsonpath='{.items[0].metadata.name}') -c wordpress -- wp maintenance-mode activate +kubectl exec $(kubectl get pods -l app.kubernetes.io/name=wordpress -o jsonpath='{.items[1].metadata.name}') -c wordpress -- wp maintenance-mode activate +kubectl exec $(kubectl get pods -l app.kubernetes.io/name=wordpress -o jsonpath='{.items[2].metadata.name}') -c wordpress -- wp maintenance-mode activate +``` -To uninstall/delete the `my-release` deployment: +### External database support + +You may want to have WordPress connect to an external database rather than installing one inside your cluster. Typical reasons for this are to use a managed database service, or to share a common database server for all your applications. To achieve this, the chart allows you to specify credentials for an external database with the [`externalDatabase` parameter](#database-parameters). You should also disable the MariaDB installation with the `mariadb.enabled` option. Here is an example: + +```console +mariadb.enabled=false +externalDatabase.host=myexternalhost +externalDatabase.user=myuser +externalDatabase.password=mypassword +externalDatabase.database=mydatabase +externalDatabase.port=3306 +``` + +If the database already contains data from a previous WordPress installation, set the `wordpressSkipInstall` parameter to `true`. This parameter forces the container to skip the WordPress installation wizard. Otherwise, the container will assume it is a fresh installation and execute the installation wizard, potentially modifying or resetting the data in the existing database. 
+ +[Refer to the container documentation for more information](https://github.com/bitnami/containers/tree/main/bitnami/wordpress#connect-wordpress-container-to-an-existing-database). + +### Memcached + +This chart provides support for using Memcached to cache database queries and objects improving the website performance. To enable this feature, set `wordpressConfigureCache` and `memcached.enabled` parameters to `true`. + +When this feature is enabled, a Memcached server will be deployed in your K8s cluster using the Bitnami Memcached chart and the [W3 Total Cache](https://wordpress.org/plugins/w3-total-cache/) plugin will be activated and configured to use the Memcached server for database caching. + +It is also possible to use an external cache server rather than installing one inside your cluster. To achieve this, the chart allows you to specify credentials for an external cache server with the [`externalCache` parameter](#database-parameters). You should also disable the Memcached installation with the `memcached.enabled` option. Here is an example: ```console -helm delete my-release +wordpressConfigureCache=true +memcached.enabled=false +externalCache.host=myexternalcachehost +externalCache.port=11211 +``` + +### Ingress + +This chart provides support for Ingress resources. If you have an ingress controller installed on your cluster, such as [nginx-ingress-controller](https://github.com/bitnami/charts/tree/main/bitnami/nginx-ingress-controller) or [contour](https://github.com/bitnami/charts/tree/main/bitnami/contour) you can utilize the ingress controller to serve your application.To enable Ingress integration, set `ingress.enabled` to `true`. + +The most common scenario is to have one host name mapped to the deployment. In this case, the `ingress.hostname` property can be used to set the host name. The `ingress.tls` parameter can be used to add the TLS configuration for this host. + +However, it is also possible to have more than one host. 
To facilitate this, the `ingress.extraHosts` parameter (if available) can be set with the host names specified as an array. The `ingress.extraTLS` parameter (if available) can also be used to add the TLS configuration for extra hosts. + +> NOTE: For each host specified in the `ingress.extraHosts` parameter, it is necessary to set a name, path, and any annotations that the Ingress controller should know about. Not all annotations are supported by all Ingress controllers, but [this annotation reference document](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md) lists the annotations supported by many popular Ingress controllers. + +Adding the TLS parameter (where available) will cause the chart to generate HTTPS URLs, and the application will be available on port 443. The actual TLS secrets do not have to be generated by this chart. However, if TLS is enabled, the Ingress record will not work until the TLS secret exists. + +[Learn more about Ingress controllers](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/). + +### TLS secrets + +This chart facilitates the creation of TLS secrets for use with the Ingress controller (although this is not mandatory). There are several common use cases: + +- Generate certificate secrets based on chart parameters. +- Enable externally generated certificates. +- Manage application certificates via an external service (like [cert-manager](https://github.com/jetstack/cert-manager/)). +- Create self-signed certificates within the chart (if supported). + +In the first two cases, a certificate and a key are needed. Files are expected in `.pem` format. + +Here is an example of a certificate file: + +> NOTE: There may be more than one certificate if there is a certificate chain. + +```text +-----BEGIN CERTIFICATE----- +MIID6TCCAtGgAwIBAgIJAIaCwivkeB5EMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV +... 
+jScrvkiBO65F46KioCL9h5tDvomdU1aqpI/CBzhvZn1c0ZTf87tGQR8NK7v7 +-----END CERTIFICATE----- +``` + +Here is an example of a certificate key: + +```text +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAvLYcyu8f3skuRyUgeeNpeDvYBCDcgq+LsWap6zbX5f8oLqp4 +... +wrj2wDbCDCFmfqnSJ+dKI3vFLlEz44sAV8jX/kd4Y6ZTQhlLbYc= +-----END RSA PRIVATE KEY----- ``` -The command removes all the Kubernetes components associated with the chart and deletes the release. +- If using Helm to manage the certificates based on the parameters, copy these values into the `certificate` and `key` values for a given `*.ingress.secrets` entry. +- If managing TLS secrets separately, it is necessary to create a TLS secret with name `INGRESS_HOSTNAME-tls` (where INGRESS_HOSTNAME is a placeholder to be replaced with the hostname you set using the `*.ingress.hostname` parameter). +- If your cluster has a [cert-manager](https://github.com/jetstack/cert-manager) add-on to automate the management and issuance of TLS certificates, add to `*.ingress.annotations` the [corresponding ones](https://cert-manager.io/docs/usage/ingress/#supported-annotations) for cert-manager. +- If using self-signed certificates created by Helm, set both `*.ingress.tls` and `*.ingress.selfSigned` to `true`. + +### `.htaccess` files + +For performance and security reasons, it is a good practice to configure Apache with the `AllowOverride None` directive. Instead of using `.htaccess` files, Apache will load the same directives at boot time. These directives are located in `/opt/bitnami/wordpress/wordpress-htaccess.conf`. + +By default, the container image includes all the default `.htaccess` files in WordPress (together with the default plugins). To enable this feature, install the chart with the value `allowOverrideNone=yes`. + +However, some plugins may include `.htaccess` directives that will not be loaded when `AllowOverride` is set to `None`. 
To make them work, create a custom `wordpress-htaccess.conf` file with all the required directives. After creating it, create a Kubernetes ConfigMap with it (for example, named `custom-htaccess`) and install the chart with the correct parameters as shown below: + +```text + allowOverrideNone=true + customHTAccessCM=custom-htaccess +``` + +Some plugins permit editing the `.htaccess` file and it may be necessary to persist it in order to keep those edits. To make these plugins work, set the `htaccessPersistenceEnabled` parameter as shown below: + +```text + allowOverrideNone=false + htaccessPersistenceEnabled=true +``` + +## Persistence + +The [Bitnami WordPress](https://github.com/bitnami/containers/tree/main/bitnami/wordpress) image stores the WordPress data and configurations at the `/bitnami` path of the container. Persistent Volume Claims are used to keep the data across deployments. + +If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). + +### Additional environment variables + +In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the `extraEnvVars` property. + +```yaml +wordpress: + extraEnvVars: + - name: LOG_LEVEL + value: error +``` + +Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `extraEnvVarsCM` or the `extraEnvVarsSecret` values. + +### Sidecars + +If additional containers are needed in the same pod as WordPress (such as additional metrics or logging exporters), they can be defined using the `sidecars` parameter. 
+ +```yaml +sidecars: +- name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below: + +```yaml +service: + extraPorts: + - name: extraPort + port: 11311 + targetPort: 11311 +``` + +> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. + +If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example: + +```yaml +initContainers: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). + +### Pod affinity + +This chart allows you to set your custom affinity using the `affinity` parameter. Learn more about Pod affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, use one of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters. 
## Parameters ### Global parameters -| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with 
Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters @@ -164,7 +349,7 @@ The command removes all the Kubernetes components associated with the chart and | `affinity` | Affinity for pod assignment | `{}` | | `nodeSelector` | Node labels for pod assignment | `{}` | | `tolerations` | Tolerations for pod assignment | `[]` | -| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `none` | +| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `micro` | | `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `containerPorts.http` | WordPress HTTP container port | `8080` | | `containerPorts.https` | WordPress HTTPS container port | `8443` | 
@@ -175,11 +360,12 @@ The command removes all the Kubernetes components associated with the chart and | `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `podSecurityContext.fsGroup` | Set WordPress pod's Security Context fsGroup | `1001` | | `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | -| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | | `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | | `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | 
@@ -259,9 +445,9 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | | `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | -| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` | | `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | -| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | ### Other Parameters 
@@ -313,10 +499,10 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | | `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | | `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` | | `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -339,52 +525,48 @@ The command removes all the Kubernetes components associated with the chart and ### NetworkPolicy parameters -| Name | Description | Value | -| ------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- | ------- | -| `networkPolicy.enabled` | Enable network policies | `false` | -| `networkPolicy.metrics.enabled` | Enable network policy for metrics (prometheus) | `false` | -| `networkPolicy.metrics.namespaceSelector` | Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. | `{}` | -| `networkPolicy.metrics.podSelector` | Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. | `{}` | -| `networkPolicy.ingress.enabled` | Enable network policy for Ingress Proxies | `false` | -| `networkPolicy.ingress.namespaceSelector` | Ingress Proxy namespace selector labels. These labels will be used to identify the Ingress Proxy's namespace. | `{}` | -| `networkPolicy.ingress.podSelector` | Ingress Proxy pods selector labels. These labels will be used to identify the Ingress Proxy pods. | `{}` | -| `networkPolicy.ingressRules.backendOnlyAccessibleByFrontend` | Enable ingress rule that makes the backend (mariadb) only accessible by testlink's pods. | `false` | -| `networkPolicy.ingressRules.customBackendSelector` | Backend selector labels. These labels will be used to identify the backend pods. | `{}` | -| `networkPolicy.ingressRules.accessOnlyFrom.enabled` | Enable ingress rule that makes testlink only accessible from a particular origin | `false` | -| `networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access testlink. This label will be used to identified the allowed namespace(s). 
| `{}` | -| `networkPolicy.ingressRules.accessOnlyFrom.podSelector` | Pods selector label that is allowed to access testlink. This label will be used to identified the allowed pod(s). | `{}` | -| `networkPolicy.ingressRules.customRules` | Custom network policy ingress rule | `{}` | -| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). | `false` | -| `networkPolicy.egressRules.customRules` | Custom network policy rule | `{}` | +| Name | Description | Value | +| --------------------------------------- | --------------------------------------------------------------- | ------ | +| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | ### Database Parameters -| Name | Description | Value | -| ------------------------------------------ | ---------------------------------------------------------------------------------------------- | ------------------- | -| `mariadb.enabled` | Deploy a MariaDB server to satisfy the applications database requirements | `true` | -| `mariadb.architecture` | MariaDB architecture. 
Allowed values: `standalone` or `replication` | `standalone` | -| `mariadb.auth.rootPassword` | MariaDB root password | `""` | -| `mariadb.auth.database` | MariaDB custom database | `bitnami_wordpress` | -| `mariadb.auth.username` | MariaDB custom user name | `bn_wordpress` | -| `mariadb.auth.password` | MariaDB custom user password | `""` | -| `mariadb.primary.persistence.enabled` | Enable persistence on MariaDB using PVC(s) | `true` | -| `mariadb.primary.persistence.storageClass` | Persistent Volume storage class | `""` | -| `mariadb.primary.persistence.accessModes` | Persistent Volume access modes | `[]` | -| `mariadb.primary.persistence.size` | Persistent Volume size | `8Gi` | -| `externalDatabase.host` | External Database server host | `localhost` | -| `externalDatabase.port` | External Database server port | `3306` | -| `externalDatabase.user` | External Database username | `bn_wordpress` | -| `externalDatabase.password` | External Database user password | `""` | -| `externalDatabase.database` | External Database database name | `bitnami_wordpress` | -| `externalDatabase.existingSecret` | The name of an existing secret with database credentials. 
Evaluated as a template | `""` | -| `memcached.enabled` | Deploy a Memcached server for caching database queries | `false` | -| `memcached.auth.enabled` | Enable Memcached authentication | `false` | -| `memcached.auth.username` | Memcached admin user | `""` | -| `memcached.auth.password` | Memcached admin password | `""` | -| `memcached.auth.existingPasswordSecret` | Existing secret with Memcached credentials (must contain a value for `memcached-password` key) | `""` | -| `memcached.service.port` | Memcached service port | `11211` | -| `externalCache.host` | External cache server host | `localhost` | -| `externalCache.port` | External cache server port | `11211` | +| Name | Description | Value | +| ------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `mariadb.enabled` | Deploy a MariaDB server to satisfy the applications database requirements | `true` | +| `mariadb.architecture` | MariaDB architecture. 
Allowed values: `standalone` or `replication` | `standalone` | +| `mariadb.auth.rootPassword` | MariaDB root password | `""` | +| `mariadb.auth.database` | MariaDB custom database | `bitnami_wordpress` | +| `mariadb.auth.username` | MariaDB custom user name | `bn_wordpress` | +| `mariadb.auth.password` | MariaDB custom user password | `""` | +| `mariadb.primary.persistence.enabled` | Enable persistence on MariaDB using PVC(s) | `true` | +| `mariadb.primary.persistence.storageClass` | Persistent Volume storage class | `""` | +| `mariadb.primary.persistence.accessModes` | Persistent Volume access modes | `[]` | +| `mariadb.primary.persistence.size` | Persistent Volume size | `8Gi` | +| `mariadb.primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `micro` | +| `mariadb.primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `externalDatabase.host` | External Database server host | `localhost` | +| `externalDatabase.port` | External Database server port | `3306` | +| `externalDatabase.user` | External Database username | `bn_wordpress` | +| `externalDatabase.password` | External Database user password | `""` | +| `externalDatabase.database` | External Database database name | `bitnami_wordpress` | +| `externalDatabase.existingSecret` | The name of an existing secret with database credentials. 
Evaluated as a template | `""` | +| `memcached.enabled` | Deploy a Memcached server for caching database queries | `false` | +| `memcached.auth.enabled` | Enable Memcached authentication | `false` | +| `memcached.auth.username` | Memcached admin user | `""` | +| `memcached.auth.password` | Memcached admin password | `""` | +| `memcached.auth.existingPasswordSecret` | Existing secret with Memcached credentials (must contain a value for `memcached-password` key) | `""` | +| `memcached.service.port` | Memcached service port | `11211` | +| `memcached.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano` | +| `memcached.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `externalCache.host` | External cache server host | `localhost` | +| `externalCache.port` | External cache server port | `11211` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, 
@@ -411,201 +593,6 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/wordp > Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. > **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/wordpress/values.yaml) -## Configuration and installation details - -### Resource requests and limits - -Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. - -To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). - -### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) - -It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. - -Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. 
- -### Known limitations - -When performing admin operations that require activating the maintenance mode (such as updating a plugin or theme), it's activated in only one replica (see: [bug report](https://core.trac.wordpress.org/ticket/50797)). This implies that WP could be attending requests on other replicas while performing admin operations, with unpredictable consequences. - -To avoid that, you can manually activate/deactivate the maintenance mode on every replica using the WP CLI. For instance, if you installed WP with three replicas, you can run the commands below to activate the maintenance mode in all of them (assuming that the release name is `wordpress`): - -```console -kubectl exec $(kubectl get pods -l app.kubernetes.io/name=wordpress -o jsonpath='{.items[0].metadata.name}') -c wordpress -- wp maintenance-mode activate -kubectl exec $(kubectl get pods -l app.kubernetes.io/name=wordpress -o jsonpath='{.items[1].metadata.name}') -c wordpress -- wp maintenance-mode activate -kubectl exec $(kubectl get pods -l app.kubernetes.io/name=wordpress -o jsonpath='{.items[2].metadata.name}') -c wordpress -- wp maintenance-mode activate -``` - -### External database support - -You may want to have WordPress connect to an external database rather than installing one inside your cluster. Typical reasons for this are to use a managed database service, or to share a common database server for all your applications. To achieve this, the chart allows you to specify credentials for an external database with the [`externalDatabase` parameter](#database-parameters). You should also disable the MariaDB installation with the `mariadb.enabled` option. 
Here is an example: - -```console -mariadb.enabled=false -externalDatabase.host=myexternalhost -externalDatabase.user=myuser -externalDatabase.password=mypassword -externalDatabase.database=mydatabase -externalDatabase.port=3306 -``` - -If the database already contains data from a previous WordPress installation, set the `wordpressSkipInstall` parameter to `true`. This parameter forces the container to skip the WordPress installation wizard. Otherwise, the container will assume it is a fresh installation and execute the installation wizard, potentially modifying or resetting the data in the existing database. - -[Refer to the container documentation for more information](https://github.com/bitnami/containers/tree/main/bitnami/wordpress#connect-wordpress-container-to-an-existing-database). - -### Memcached - -This chart provides support for using Memcached to cache database queries and objects improving the website performance. To enable this feature, set `wordpressConfigureCache` and `memcached.enabled` parameters to `true`. - -When this feature is enabled, a Memcached server will be deployed in your K8s cluster using the Bitnami Memcached chart and the [W3 Total Cache](https://wordpress.org/plugins/w3-total-cache/) plugin will be activated and configured to use the Memcached server for database caching. - -It is also possible to use an external cache server rather than installing one inside your cluster. To achieve this, the chart allows you to specify credentials for an external cache server with the [`externalCache` parameter](#database-parameters). You should also disable the Memcached installation with the `memcached.enabled` option. Here is an example: - -```console -wordpressConfigureCache=true -memcached.enabled=false -externalCache.host=myexternalcachehost -externalCache.port=11211 -``` - -### Ingress - -This chart provides support for Ingress resources. 
If you have an ingress controller installed on your cluster, such as [nginx-ingress-controller](https://github.com/bitnami/charts/tree/main/bitnami/nginx-ingress-controller) or [contour](https://github.com/bitnami/charts/tree/main/bitnami/contour) you can utilize the ingress controller to serve your application.To enable Ingress integration, set `ingress.enabled` to `true`. - -The most common scenario is to have one host name mapped to the deployment. In this case, the `ingress.hostname` property can be used to set the host name. The `ingress.tls` parameter can be used to add the TLS configuration for this host. - -However, it is also possible to have more than one host. To facilitate this, the `ingress.extraHosts` parameter (if available) can be set with the host names specified as an array. The `ingress.extraTLS` parameter (if available) can also be used to add the TLS configuration for extra hosts. - -> NOTE: For each host specified in the `ingress.extraHosts` parameter, it is necessary to set a name, path, and any annotations that the Ingress controller should know about. Not all annotations are supported by all Ingress controllers, but [this annotation reference document](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md) lists the annotations supported by many popular Ingress controllers. - -Adding the TLS parameter (where available) will cause the chart to generate HTTPS URLs, and the application will be available on port 443. The actual TLS secrets do not have to be generated by this chart. However, if TLS is enabled, the Ingress record will not work until the TLS secret exists. - -[Learn more about Ingress controllers](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/). - -### TLS secrets - -This chart facilitates the creation of TLS secrets for use with the Ingress controller (although this is not mandatory). 
There are several common use cases: - -- Generate certificate secrets based on chart parameters. -- Enable externally generated certificates. -- Manage application certificates via an external service (like [cert-manager](https://github.com/jetstack/cert-manager/)). -- Create self-signed certificates within the chart (if supported). - -In the first two cases, a certificate and a key are needed. Files are expected in `.pem` format. - -Here is an example of a certificate file: - -> NOTE: There may be more than one certificate if there is a certificate chain. - -```text ------BEGIN CERTIFICATE----- -MIID6TCCAtGgAwIBAgIJAIaCwivkeB5EMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV -... -jScrvkiBO65F46KioCL9h5tDvomdU1aqpI/CBzhvZn1c0ZTf87tGQR8NK7v7 ------END CERTIFICATE----- -``` - -Here is an example of a certificate key: - -```text ------BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEAvLYcyu8f3skuRyUgeeNpeDvYBCDcgq+LsWap6zbX5f8oLqp4 -... -wrj2wDbCDCFmfqnSJ+dKI3vFLlEz44sAV8jX/kd4Y6ZTQhlLbYc= ------END RSA PRIVATE KEY----- -``` - -- If using Helm to manage the certificates based on the parameters, copy these values into the `certificate` and `key` values for a given `*.ingress.secrets` entry. -- If managing TLS secrets separately, it is necessary to create a TLS secret with name `INGRESS_HOSTNAME-tls` (where INGRESS_HOSTNAME is a placeholder to be replaced with the hostname you set using the `*.ingress.hostname` parameter). -- If your cluster has a [cert-manager](https://github.com/jetstack/cert-manager) add-on to automate the management and issuance of TLS certificates, add to `*.ingress.annotations` the [corresponding ones](https://cert-manager.io/docs/usage/ingress/#supported-annotations) for cert-manager. -- If using self-signed certificates created by Helm, set both `*.ingress.tls` and `*.ingress.selfSigned` to `true`. - -### `.htaccess` files - -For performance and security reasons, it is a good practice to configure Apache with the `AllowOverride None` directive. 
Instead of using `.htaccess` files, Apache will load the same directives at boot time. These directives are located in `/opt/bitnami/wordpress/wordpress-htaccess.conf`. - -By default, the container image includes all the default `.htaccess` files in WordPress (together with the default plugins). To enable this feature, install the chart with the value `allowOverrideNone=yes`. - -However, some plugins may include `.htaccess` directives that will not be loaded when `AllowOverride` is set to `None`. To make them work, create a custom `wordpress-htaccess.conf` file with all the required directives. After creating it, create a Kubernetes ConfigMap with it (for example, named `custom-htaccess`) and install the chart with the correct parameters as shown below: - -```text - allowOverrideNone=true - customHTAccessCM=custom-htaccess -``` - -Some plugins permit editing the `.htaccess` file and it may be necessary to persist it in order to keep those edits. To make these plugins work, set the `htaccessPersistenceEnabled` parameter as shown below: - -```text - allowOverrideNone=false - htaccessPersistenceEnabled=true -``` - -## Persistence - -The [Bitnami WordPress](https://github.com/bitnami/containers/tree/main/bitnami/wordpress) image stores the WordPress data and configurations at the `/bitnami` path of the container. Persistent Volume Claims are used to keep the data across deployments. - -If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). - -### Additional environment variables - -In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the `extraEnvVars` property. - -```yaml -wordpress: - extraEnvVars: - - name: LOG_LEVEL - value: error -``` - -Alternatively, you can use a ConfigMap or a Secret with the environment variables. 
To do so, use the `extraEnvVarsCM` or the `extraEnvVarsSecret` values. - -### Sidecars - -If additional containers are needed in the same pod as WordPress (such as additional metrics or logging exporters), they can be defined using the `sidecars` parameter. - -```yaml -sidecars: -- name: your-image-name - image: your-image - imagePullPolicy: Always - ports: - - name: portname - containerPort: 1234 -``` - -If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below: - -```yaml -service: - extraPorts: - - name: extraPort - port: 11311 - targetPort: 11311 -``` - -> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. - -If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example: - -```yaml -initContainers: - - name: your-image-name - image: your-image - imagePullPolicy: Always - ports: - - name: portname - containerPort: 1234 -``` - -Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). - -### Pod affinity - -This chart allows you to set your custom affinity using the `affinity` parameter. Learn more about Pod affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). - -As an alternative, use one of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. 
To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters.
-
 ## Troubleshooting
 Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues).
@@ -630,6 +617,18 @@ To enable the new features, it is not possible to do it by upgrading an existing
 ## Upgrading
+### To 21.0.0
+
+This major bump changes the following security defaults:
+
+- `runAsGroup` is changed from `0` to `1001`
+- `readOnlyRootFilesystem` is set to `true`
+- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
+- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
+- The `networkPolicy` section has been normalized amongst all Bitnami charts. Compared to the previous approach, the values section has been simplified (check the Parameters section) and now it set to `enabled=true` by default. Egress traffic is allowed by default and ingress traffic is allowed by all pods but only to the ports set in `containerPorts` and `extraContainerPorts`.
+
+This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
+
 ### To 20.0.0
 This major release bumps the and MariaDB chart version to [16.x.x](https://github.com/bitnami/charts/pull/23054); no major issues are expected during the upgrade.
diff --git a/charts/bitnami/wordpress/charts/mariadb/Chart.lock b/charts/bitnami/wordpress/charts/mariadb/Chart.lock
index d63e6bfcf5..220f0e4b21 100644
--- a/charts/bitnami/wordpress/charts/mariadb/Chart.lock
+++ b/charts/bitnami/wordpress/charts/mariadb/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: common
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 2.18.0
-digest: sha256:f489ae7394a4eceb24fb702901483c67a5b4fff605f19d5e2545e3a6778e1280
-generated: "2024-03-05T14:35:54.482130622+01:00"
+  version: 2.19.0
+digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc
+generated: "2024-03-08T11:25:32.224991562+01:00"
diff --git a/charts/bitnami/wordpress/charts/mariadb/Chart.yaml b/charts/bitnami/wordpress/charts/mariadb/Chart.yaml
index fb54b676c2..5d5ddf9b5f 100644
--- a/charts/bitnami/wordpress/charts/mariadb/Chart.yaml
+++ b/charts/bitnami/wordpress/charts/mariadb/Chart.yaml
@@ -33,4 +33,4 @@ maintainers:
 name: mariadb
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/mariadb
-version: 16.5.0
+version: 17.0.1
diff --git a/charts/bitnami/wordpress/charts/mariadb/README.md b/charts/bitnami/wordpress/charts/mariadb/README.md
index e8f307c604..35433a7631 100644
--- a/charts/bitnami/wordpress/charts/mariadb/README.md
+++ b/charts/bitnami/wordpress/charts/mariadb/README.md
@@ -44,26 +44,112 @@ The command deploys MariaDB on the Kubernetes cluster in the default configurati > **Tip**: List all releases using `helm list` -## Uninstalling the Chart +## Configuration and installation details -To uninstall/delete the `my-release` deployment: +### Resource requests and limits -```console -helm delete my-release +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Change MariaDB version + +To modify the MariaDB version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/mariadb/tags/) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters. 
+ +### Initialize a fresh instance + +The [Bitnami MariaDB](https://github.com/bitnami/containers/tree/main/bitnami/mariadb) image allows you to use your custom scripts to initialize a fresh instance. Custom scripts may be specified using the `initdbScripts` parameter. Alternatively, an external ConfigMap may be created with all the initialization scripts and the ConfigMap passed to the chart via the `initdbScriptsConfigMap` parameter. Note that this will override the `initdbScripts` parameter. + +The allowed extensions are `.sh`, `.sql` and `.sql.gz`. + +These scripts are treated differently depending on their extension. While `.sh` scripts are executed on all the nodes, `.sql` and `.sql.gz` scripts are only executed on the primary nodes. This is because `.sh` scripts support conditional tests to identify the type of node they are running on, while such tests are not supported in `.sql` or `.sql.gz` files. + +When using a `.sh` script, you may wish to perform a "one-time" action like creating a database. This can be achieved by adding a condition in the script to ensure that it is executed only on one node, as shown in the example below: + +```yaml +initdbScripts: + my_init_script.sh: | + #!/bin/sh + if [[ $(hostname) == *primary* ]]; then + echo "Primary node" + mysql -P 3306 -uroot -prandompassword -e "create database new_database"; + else + echo "No primary node" + fi +``` + +### Sidecars and Init Containers + +If additional containers are needed in the same pod as MariaDB (such as additional metrics or logging exporters), they can be defined using the `sidecars` parameter. 
+ +```yaml +sidecars: +- name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below: + +```yaml +service: + extraPorts: + - name: extraPort + port: 11311 + targetPort: 11311 +``` + +> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. + +If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example: + +```yaml +initContainers: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 ``` -The command removes all the Kubernetes components associated with the chart and deletes the release. +Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). + +## Persistence + +The [Bitnami MariaDB](https://github.com/bitnami/containers/tree/main/bitnami/mariadb) image stores the MariaDB data and configurations at the `/bitnami/mariadb` path of the container. + +The chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) volume at this location. The volume is created using dynamic volume provisioning, by default. An existing PersistentVolumeClaim can also be defined. + +If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). 
+ +### Adjust permissions of persistent volume mountpoint + +As the image run as non-root by default, it is necessary to adjust the ownership of the persistent volume so that the container can write data into it. + +By default, the chart is configured to use Kubernetes Security Context to automatically change the ownership of the volume. However, this feature does not work in all Kubernetes distributions. + +As an alternative, this chart supports using an initContainer to change the ownership of the volume before mounting it in the final destination. You can enable this initContainer by setting `volumePermissions.enabled` to `true`. ## Parameters ### Global parameters -| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| `global.imageRegistry` | Global Docker Image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global storage class for dynamic provisioning | `""` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
+| Name | Description | Value |
+| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
+| `global.imageRegistry` | Global Docker Image registry | `""` |
+| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
+| `global.storageClass` | Global storage class for dynamic provisioning | `""` |
+| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
 ### Common parameters
@@ -143,16 +229,16 @@ The command removes all the Kubernetes components associated with the chart and
 | `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `primary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` |
 | `primary.containerSecurityContext.enabled` | MariaDB primary container securityContext | `true` |
-| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `primary.containerSecurityContext.runAsUser` | User ID for the MariaDB primary container | `1001` |
-| `primary.containerSecurityContext.runAsGroup` | Group ID for the MariaDB primary container | `0` |
+| `primary.containerSecurityContext.runAsGroup` | Group ID for the MariaDB primary container | `1001` |
 | `primary.containerSecurityContext.runAsNonRoot` | Set primary container's Security Context runAsNonRoot | `true` |
 | `primary.containerSecurityContext.privileged` | Set primary container's Security Context privileged | `false` |
 | `primary.containerSecurityContext.allowPrivilegeEscalation` | Set primary container's Security Context allowPrivilegeEscalation | `false` |
-| `primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `primary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
 | `primary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `primary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
-| `primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `none` |
+| `primary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). | `micro` |
 | `primary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `primary.startupProbe.enabled` | Enable startupProbe | `false` |
 | `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` |
@@ -247,16 +333,16 @@ The command removes all the Kubernetes components associated with the chart and
 | `secondary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `secondary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` |
 | `secondary.containerSecurityContext.enabled` | MariaDB secondary container securityContext | `true` |
-| `secondary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `secondary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `secondary.containerSecurityContext.runAsUser` | User ID for the MariaDB secondary container | `1001` |
-| `secondary.containerSecurityContext.runAsGroup` | Group ID for the MariaDB secondary container | `0` |
+| `secondary.containerSecurityContext.runAsGroup` | Group ID for the MariaDB secondary container | `1001` |
 | `secondary.containerSecurityContext.runAsNonRoot` | Set secondary container's Security Context runAsNonRoot | `true` |
 | `secondary.containerSecurityContext.privileged` | Set secondary container's Security Context privileged | `false` |
 | `secondary.containerSecurityContext.allowPrivilegeEscalation` | Set secondary container's Security Context allowPrivilegeEscalation | `false` |
-| `secondary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `secondary.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
 | `secondary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `secondary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
-| `secondary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if secondary.resources is set (secondary.resources is recommended for production). | `none` |
+| `secondary.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if secondary.resources is set (secondary.resources is recommended for production). | `micro` |
 | `secondary.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `secondary.startupProbe.enabled` | Enable startupProbe | `false` |
 | `secondary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `120` |
@@ -333,7 +419,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
 | `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` |
 | `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
-| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` |
+| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` |
 | `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 ### Metrics parameters
@@ -351,16 +437,16 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB metrics container(s) | `{}` | | `metrics.containerPorts.http` | Container port for http | `9104` | | `metrics.containerSecurityContext.enabled` | Enable security context for MariaDB metrics container | `false` | -| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `metrics.containerSecurityContext.runAsUser` | User ID for the MariaDB metrics container | `1001` | -| `metrics.containerSecurityContext.runAsGroup` | Group ID for the MariaDB metrics container | `0` | +| `metrics.containerSecurityContext.runAsGroup` | Group ID for the MariaDB metrics container | `1001` | | `metrics.containerSecurityContext.runAsNonRoot` | Set metrics container's Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.privileged` | Set metrics container's Security Context privileged | `false` | | `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set metrics container's Security Context allowPrivilegeEscalation | `false` | -| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `metrics.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | | `metrics.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `metrics.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | -| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). 
This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` | | `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` | | `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `120` | 
@@ -426,102 +512,6 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/maria > Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. > **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/mariadb/values.yaml) -## Configuration and installation details - -### Resource requests and limits - -Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. - -To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). - -### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) - -It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. - -Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. 
- -### Change MariaDB version - -To modify the MariaDB version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/mariadb/tags/) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters. - -### Initialize a fresh instance - -The [Bitnami MariaDB](https://github.com/bitnami/containers/tree/main/bitnami/mariadb) image allows you to use your custom scripts to initialize a fresh instance. Custom scripts may be specified using the `initdbScripts` parameter. Alternatively, an external ConfigMap may be created with all the initialization scripts and the ConfigMap passed to the chart via the `initdbScriptsConfigMap` parameter. Note that this will override the `initdbScripts` parameter. - -The allowed extensions are `.sh`, `.sql` and `.sql.gz`. - -These scripts are treated differently depending on their extension. While `.sh` scripts are executed on all the nodes, `.sql` and `.sql.gz` scripts are only executed on the primary nodes. This is because `.sh` scripts support conditional tests to identify the type of node they are running on, while such tests are not supported in `.sql` or `.sql.gz` files. - -When using a `.sh` script, you may wish to perform a "one-time" action like creating a database. This can be achieved by adding a condition in the script to ensure that it is executed only on one node, as shown in the example below: - -```yaml -initdbScripts: - my_init_script.sh: | - #!/bin/sh - if [[ $(hostname) == *primary* ]]; then - echo "Primary node" - mysql -P 3306 -uroot -prandompassword -e "create database new_database"; - else - echo "No primary node" - fi -``` - -### Sidecars and Init Containers - -If additional containers are needed in the same pod as MariaDB (such as additional metrics or logging exporters), they can be defined using the `sidecars` parameter. 
- -```yaml -sidecars: -- name: your-image-name - image: your-image - imagePullPolicy: Always - ports: - - name: portname - containerPort: 1234 -``` - -If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below: - -```yaml -service: - extraPorts: - - name: extraPort - port: 11311 - targetPort: 11311 -``` - -> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. - -If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example: - -```yaml -initContainers: - - name: your-image-name - image: your-image - imagePullPolicy: Always - ports: - - name: portname - containerPort: 1234 -``` - -Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). - -## Persistence - -The [Bitnami MariaDB](https://github.com/bitnami/containers/tree/main/bitnami/mariadb) image stores the MariaDB data and configurations at the `/bitnami/mariadb` path of the container. - -The chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) volume at this location. The volume is created using dynamic volume provisioning, by default. An existing PersistentVolumeClaim can also be defined. - -If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). 
- -### Adjust permissions of persistent volume mountpoint - -As the image run as non-root by default, it is necessary to adjust the ownership of the persistent volume so that the container can write data into it. - -By default, the chart is configured to use Kubernetes Security Context to automatically change the ownership of the volume. However, this feature does not work in all Kubernetes distributions. - -As an alternative, this chart supports using an initContainer to change the ownership of the volume before mounting it in the final destination. You can enable this initContainer by setting `volumePermissions.enabled` to `true`. - ## Troubleshooting Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). 
@@ -538,6 +528,17 @@ helm upgrade my-release oci://REGISTRY_NAME/REPOSITORY_NAME/mariadb --set auth.r | Note: you need to substitute the placeholder _[ROOT_PASSWORD]_ with the value obtained in the installation notes. +### To 17.0.0 + +This major bump changes the following security defaults: + +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. + +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. + ### To 16.0.0 This section enables NetworkPolicies by default to increase security of the application. It also adapts the values in the `networkPolicy` section to the current Bitnami standards. The removed sections are `networkPolicy.metrics.*`, `networkPolicy.ingressRules.*` and `networkPolicy.egressRules.*`. Check the Parameters table for the new structure. diff --git a/charts/bitnami/wordpress/charts/mariadb/charts/common/Chart.yaml b/charts/bitnami/wordpress/charts/mariadb/charts/common/Chart.yaml index 2acf0cd40a..f86ccd23a4 100644 --- a/charts/bitnami/wordpress/charts/mariadb/charts/common/Chart.yaml +++ b/charts/bitnami/wordpress/charts/mariadb/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.18.0 +appVersion: 2.19.0 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.18.0 +version: 2.19.0 
diff --git a/charts/bitnami/wordpress/charts/mariadb/charts/common/templates/_compatibility.tpl b/charts/bitnami/wordpress/charts/mariadb/charts/common/templates/_compatibility.tpl index c529f08725..17665d567f 100644 --- a/charts/bitnami/wordpress/charts/mariadb/charts/common/templates/_compatibility.tpl +++ b/charts/bitnami/wordpress/charts/mariadb/charts/common/templates/_compatibility.tpl @@ -28,6 +28,10 @@ Usage: {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}} {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}} {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}} + {{- if not .secContext.seLinuxOptions -}} + {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}} + {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} + {{- end -}} {{- end -}} {{- end -}} {{- end -}} diff --git a/charts/bitnami/wordpress/charts/mariadb/templates/primary/statefulset.yaml b/charts/bitnami/wordpress/charts/mariadb/templates/primary/statefulset.yaml index f7a79decbf..a208998a8c 100644 --- a/charts/bitnami/wordpress/charts/mariadb/templates/primary/statefulset.yaml +++ b/charts/bitnami/wordpress/charts/mariadb/templates/primary/statefulset.yaml @@ -251,6 +251,8 @@ spec: {{- end }} {{- if .Values.primary.resources }} resources: {{ toYaml .Values.primary.resources | nindent 12 }} + {{- else if ne .Values.primary.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.primary.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - name: data 
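Review bot: The new empty-`seLinuxOptions` strip sits inside the OpenShift branch (`force`, or `auto` when `common.compatibility.isOpenshift` is true), so on any other cluster the `seLinuxOptions: {}` default that this same change introduces in values.yaml is still rendered as an empty object; if the validation failure the comment refers to is OpenShift-only that is acceptable, but the comment should say which validator rejects it, e.g. `{{/* An empty seLinuxOptions object fails validation on <VALIDATOR — confirm>, so drop it instead of passing it through */}}`. The guard also tests `.secContext.seLinuxOptions` while the omit is applied to `$adaptedContext`; if `$adaptedContext` is built from `.secContext` above the hunk the two agree, but checking `$adaptedContext.seLinuxOptions` directly would keep the test and the mutation on the same map. The enclosing template definition starts above this hunk.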
diff --git a/charts/bitnami/wordpress/charts/mariadb/templates/secondary/statefulset.yaml b/charts/bitnami/wordpress/charts/mariadb/templates/secondary/statefulset.yaml index c9f330344a..9431ce5992 100644 --- a/charts/bitnami/wordpress/charts/mariadb/templates/secondary/statefulset.yaml +++ b/charts/bitnami/wordpress/charts/mariadb/templates/secondary/statefulset.yaml @@ -238,6 +238,8 @@ spec: {{- end }} {{- if .Values.secondary.resources }} resources: {{ toYaml .Values.secondary.resources | nindent 12 }} + {{- else if ne .Values.secondary.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.secondary.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: - name: data diff --git a/charts/bitnami/wordpress/charts/mariadb/values.yaml b/charts/bitnami/wordpress/charts/mariadb/values.yaml index b8f6c04d61..64d1a00e00 100644 --- a/charts/bitnami/wordpress/charts/mariadb/values.yaml +++ b/charts/bitnami/wordpress/charts/mariadb/values.yaml @@ -27,7 +27,7 @@ global: openshift: ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) ## - adaptSecurityContext: disabled + adaptSecurityContext: auto ## @section Common parameters ## @@ -350,13 +350,13 @@ primary: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false allowPrivilegeEscalation: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true capabilities: drop: ["ALL"] seccompProfile: 
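Review bot: `readOnlyRootFilesystem: true` becomes the default for the primary container in this hunk, and the same flip appears for the secondary (`@@ -769`) and metrics (`@@ -1185`) containers, but none of the statefulset hunks in this diff adds writable `emptyDir` mounts for the directories MariaDB writes at runtime; if those mounts already exist in the templates outside this diff, the `##` comment above the block should say so, e.g. `## readOnlyRootFilesystem: true relies on the writable emptyDir volumes the statefulset mounts for MariaDB's runtime directories — keep them in sync`. For the metrics container the block is gated by its existing `enabled: false` context line, so the new value only takes effect once a user enables it. `runAsGroup: 1001` now matches the pod-level `fsGroup` of 1001 shown in the README table, which is consistent; the `seLinuxOptions: {}` replacement for `null` only gets stripped by the new `_compatibility.tpl` logic on OpenShift, so elsewhere it renders as an empty object.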
@@ -370,7 +370,7 @@ primary: ## @param primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "micro" ## @param primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -769,13 +769,13 @@ secondary: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false allowPrivilegeEscalation: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true capabilities: drop: ["ALL"] seccompProfile: @@ -789,7 +789,7 @@ secondary: ## @param secondary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if secondary.resources is set (secondary.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "micro" ## @param secondary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: 
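Review bot: The new default `resourcesPreset: "micro"` is not among the allowed values listed in the `@param` comment two lines above it (`none, nano, small, medium, large, xlarge, 2xlarge`), and the secondary hunk at `@@ -789` has the same mismatch; the README table elsewhere in this diff appears to be generated from these comments and repeats the gap. Either `micro` is a preset provided by the bitnami/common 2.19.0 `_resources.tpl` this change pulls in, in which case the comment should read `(allowed values: none, micro, nano, small, medium, large, xlarge, 2xlarge)`, or the statefulset's `ne ... "none"` branch will hand an unrecognised preset name to `common.resources.preset`; that helper is not visible here, so confirm which before merging.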
@@ -1066,7 +1066,7 @@ volumePermissions: ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -1185,10 +1185,10 @@ metrics: enabled: false privileged: false runAsNonRoot: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 - readOnlyRootFilesystem: false + runAsGroup: 1001 + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] @@ -1203,7 +1203,7 @@ metrics: ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: diff --git a/charts/bitnami/wordpress/charts/memcached/Chart.lock b/charts/bitnami/wordpress/charts/memcached/Chart.lock index 80a5f1280e..447926af8a 100644 --- a/charts/bitnami/wordpress/charts/memcached/Chart.lock +++ b/charts/bitnami/wordpress/charts/memcached/Chart.lock 
@@ -1,6 +1,6 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts - version: 2.18.0 -digest: sha256:f489ae7394a4eceb24fb702901483c67a5b4fff605f19d5e2545e3a6778e1280 -generated: "2024-03-05T14:45:44.308851503+01:00" + version: 2.19.0 +digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc +generated: "2024-03-11T17:28:48.470772529+01:00" diff --git a/charts/bitnami/wordpress/charts/memcached/Chart.yaml b/charts/bitnami/wordpress/charts/memcached/Chart.yaml index 68722611b9..e5ccc747de 100644 --- a/charts/bitnami/wordpress/charts/memcached/Chart.yaml +++ b/charts/bitnami/wordpress/charts/memcached/Chart.yaml @@ -2,14 +2,14 @@ annotations: category: Infrastructure images: | - name: memcached - image: docker.io/bitnami/memcached:1.6.24-debian-12-r0 + image: docker.io/bitnami/memcached:1.6.25-debian-12-r0 - name: memcached-exporter - image: docker.io/bitnami/memcached-exporter:0.14.2-debian-12-r10 + image: docker.io/bitnami/memcached-exporter:0.14.2-debian-12-r11 - name: os-shell image: docker.io/bitnami/os-shell:12-debian-12-r16 licenses: Apache-2.0 apiVersion: v2 -appVersion: 1.6.24 +appVersion: 1.6.25 dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts @@ -30,4 +30,4 @@ maintainers: name: memcached sources: - https://github.com/bitnami/charts/tree/main/bitnami/memcached -version: 6.14.0 +version: 7.0.2 diff --git a/charts/bitnami/wordpress/charts/memcached/README.md b/charts/bitnami/wordpress/charts/memcached/README.md index a8ed875814..cce9edd458 100644 --- a/charts/bitnami/wordpress/charts/memcached/README.md +++ b/charts/bitnami/wordpress/charts/memcached/README.md 
@@ -41,26 +41,86 @@ These commands deploy Memcached on the Kubernetes cluster in the default configu > **Tip**: List all releases using `helm list` -## Uninstalling the Chart +## Configuration and installation details -To uninstall/delete the `my-release` deployment: +### Resource requests and limits -```console -helm delete my-release +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### [Rolling vs Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Use Sidecars and Init Containers + +If additional containers are needed in the same pod (such as additional metrics or logging exporters), they can be defined using the `sidecars` config parameter. 
+ +```yaml +sidecars: +- name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 ``` -The command removes all the Kubernetes components associated with the chart and deletes the release. +If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below: + +```yaml +service: + extraPorts: + - name: extraPort + port: 11311 + targetPort: 11311 +``` + +> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. + +If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example: + +```yaml +initContainers: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). + +### Set Pod affinity + +This chart allows you to set your custom affinity using the `affinity` parameter(s). Find more information about Pod affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters. 
+ +## Persistence + +When using `architecture: "high-availability"` the [Bitnami Memcached](https://github.com/bitnami/containers/tree/main/bitnami/memcached) image stores the cache-state at the `/cache-state` path of the container if enabled. + +Persistent Volume Claims (PVCs) are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. + +See the [Parameters](#parameters) section to configure the PVC or to disable persistence. + +If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). ## Parameters ### Global parameters -| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters 
@@ -126,7 +186,7 @@ The command removes all the Kubernetes components associated with the chart and | `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | | `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | | `lifecycleHooks` | for the Memcached container(s) to automate configuration before or after startup | `{}` | -| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `none` | +| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano` | | `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `podSecurityContext.enabled` | Enabled Memcached pods' Security Context | `true` | | `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | 
@@ -134,12 +194,12 @@ The command removes all the Kubernetes components associated with the chart and | `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `podSecurityContext.fsGroup` | Set Memcached pod's Security Context fsGroup | `1001` | | `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | -| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | | `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | | `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | 
@@ -229,9 +289,9 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | | `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | -| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` | | `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | -| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | | `metrics.enabled` | Start a side-car prometheus exporter | `false` | | `metrics.image.registry` | Memcached exporter image registry | `REGISTRY_NAME` | 
@@ -240,10 +300,10 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.image.pullPolicy` | Image pull policy | `IfNotPresent` | | `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | | `metrics.containerPorts.metrics` | Memcached Prometheus Exporter container port | `9150` | -| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `none` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` | | `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `metrics.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | | `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | 
@@ -312,81 +372,22 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/memca > Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. > **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/memcached/values.yaml) -## Configuration and installation details - -### Resource requests and limits - -Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. - -To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). - -### [Rolling vs Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) - -It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. - -Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. 
- -### Use Sidecars and Init Containers - -If additional containers are needed in the same pod (such as additional metrics or logging exporters), they can be defined using the `sidecars` config parameter. - -```yaml -sidecars: -- name: your-image-name - image: your-image - imagePullPolicy: Always - ports: - - name: portname - containerPort: 1234 -``` - -If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below: - -```yaml -service: - extraPorts: - - name: extraPort - port: 11311 - targetPort: 11311 -``` - -> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. - -If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example: - -```yaml -initContainers: - - name: your-image-name - image: your-image - imagePullPolicy: Always - ports: - - name: portname - containerPort: 1234 -``` - -Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). - -### Set Pod affinity - -This chart allows you to set your custom affinity using the `affinity` parameter(s). Find more information about Pod affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). - -As an alternative, you can use the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters. 
- -## Persistence - -When using `architecture: "high-availability"` the [Bitnami Memcached](https://github.com/bitnami/containers/tree/main/bitnami/memcached) image stores the cache-state at the `/cache-state` path of the container if enabled. +## Troubleshooting -Persistent Volume Claims (PVCs) are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). -See the [Parameters](#parameters) section to configure the PVC or to disable persistence. +## Upgrading -If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). +### To 7.0.0 -## Troubleshooting +This major bump changes the following security defaults: -Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. -## Upgrading +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. ### To 6.0.0 diff --git a/charts/bitnami/wordpress/charts/memcached/charts/common/Chart.yaml b/charts/bitnami/wordpress/charts/memcached/charts/common/Chart.yaml index 2acf0cd40a..f86ccd23a4 100644 
--- a/charts/bitnami/wordpress/charts/memcached/charts/common/Chart.yaml +++ b/charts/bitnami/wordpress/charts/memcached/charts/common/Chart.yaml @@ -2,7 +2,7 @@ annotations: category: Infrastructure licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.18.0 +appVersion: 2.19.0 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com @@ -20,4 +20,4 @@ name: common sources: - https://github.com/bitnami/charts type: library -version: 2.18.0 +version: 2.19.0 diff --git a/charts/bitnami/wordpress/charts/memcached/charts/common/templates/_compatibility.tpl b/charts/bitnami/wordpress/charts/memcached/charts/common/templates/_compatibility.tpl index c529f08725..17665d567f 100644 --- a/charts/bitnami/wordpress/charts/memcached/charts/common/templates/_compatibility.tpl +++ b/charts/bitnami/wordpress/charts/memcached/charts/common/templates/_compatibility.tpl @@ -28,6 +28,10 @@ Usage: {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}} {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}} {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}} + {{- if not .secContext.seLinuxOptions -}} + {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}} + {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} + {{- end -}} {{- end -}} {{- end -}} {{- end -}} diff --git a/charts/bitnami/wordpress/charts/memcached/values.yaml b/charts/bitnami/wordpress/charts/memcached/values.yaml index c61da0ebfc..904dc7728e 100644 --- a/charts/bitnami/wordpress/charts/memcached/values.yaml +++ b/charts/bitnami/wordpress/charts/memcached/values.yaml 
@@ -26,7 +26,7 @@ global: openshift: ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) ## - adaptSecurityContext: disabled + adaptSecurityContext: auto ## @section Common parameters ## @param kubeVersion Override Kubernetes version @@ -79,7 +79,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/memcached - tag: 1.6.24-debian-12-r0 + tag: 1.6.25-debian-12-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -211,7 +211,7 @@ lifecycleHooks: {} ## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## -resourcesPreset: "none" +resourcesPreset: "nano" ## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -252,12 +252,12 @@ podSecurityContext: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] 
@@ -616,7 +616,7 @@ volumePermissions: ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -635,7 +635,7 @@ volumePermissions: ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container ## containerSecurityContext: - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 0 ## Prometheus Exporter / Metrics ## @@ -655,7 +655,7 @@ metrics: image: registry: docker.io repository: bitnami/memcached-exporter - tag: 0.14.2-debian-12-r10 + tag: 0.14.2-debian-12-r11 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -675,7 +675,7 @@ metrics: ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -702,7 +702,7 @@ metrics: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 runAsGroup: 1001 runAsNonRoot: true 
diff --git a/charts/bitnami/wordpress/templates/deployment.yaml b/charts/bitnami/wordpress/templates/deployment.yaml index 720d8fa6a5..ccbd12a8fb 100644 --- a/charts/bitnami/wordpress/templates/deployment.yaml +++ b/charts/bitnami/wordpress/templates/deployment.yaml @@ -75,7 +75,6 @@ spec: {{- if .Values.topologySpreadConstraints }} topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }} {{- end }} - {{- if or (and .Values.podSecurityContext.enabled .Values.volumePermissions.enabled .Values.persistence.enabled) (.Values.initContainers) }} initContainers: {{- if and .Values.podSecurityContext.enabled .Values.volumePermissions.enabled .Values.persistence.enabled }} - name: volume-permissions 
@@ -107,10 +106,43 @@ spec: name: wordpress-data subPath: wordpress {{- end }} + - name: prepare-base-dir + image: {{ include "wordpress.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + command: + - /bin/bash + args: + - -ec + - | + #!/bin/bash + + . /opt/bitnami/scripts/liblog.sh + + info "Copying base dir to empty dir" + # In order to not break the application functionality (such as upgrades or plugins) we need + # to make the base directory writable, so we need to copy it to an empty dir volume + cp -r --preserve=mode /opt/bitnami/wordpress /emptydir/app-base-dir + + info "Copying symlinks to stdout/stderr" + # We copy the logs folder because it has symlinks to stdout and stderr + if ! is_dir_empty /opt/bitnami/apache/logs; then + cp -r /opt/bitnami/apache/logs /emptydir/apache-logs-dir + fi + info "Copy operation completed" + volumeMounts: + - name: empty-dir + mountPath: /emptydir {{- if .Values.initContainers }} - {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} {{- end }} - {{- end }} containers: - name: wordpress image: {{ include "wordpress.image" . }} 
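Review bot: The `prepare-base-dir` script calls `is_dir_empty` but only sources `/opt/bitnami/scripts/liblog.sh`; as far as I know that helper is defined in `libfs.sh` in the Bitnami script library, so unless it is pulled in transitively the `if ! is_dir_empty …` test succeeds on a command-not-found exit status and the logs directory is copied unconditionally (`-e` in `-ec` does not abort inside an `if` condition). Add `. /opt/bitnami/scripts/libfs.sh` right after the `liblog.sh` line so the check is real. Separately, copying `/opt/bitnami/wordpress` into the writable `empty-dir` volume means the `readOnlyRootFilesystem: true` default introduced elsewhere in this commit no longer protects WordPress core and plugin code from being rewritten by a compromised PHP worker; that is a deliberate trade-off for in-app updates, but it should be stated in the template, e.g. `# NOTE: the app tree is intentionally writable (in-app updates/plugins); readOnlyRootFilesystem does not cover it`, and in the README's security notes. The `containers:` list that follows this init container continues outside the hunk.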
@@ -271,6 +303,30 @@ spec: resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} {{- end }} volumeMounts: + - name: empty-dir + mountPath: /opt/bitnami/apache/conf + subPath: apache-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/apache/logs + subPath: apache-logs-dir + - name: empty-dir + mountPath: /opt/bitnami/apache/var/run + subPath: apcahe-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/php/etc + subPath: php-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/php/tmp + subPath: php-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/php/var + subPath: php-var-dir + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/wordpress + subPath: app-base-dir - mountPath: /bitnami/wordpress name: wordpress-data subPath: wordpress @@ -351,6 +407,8 @@ spec: {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} {{- end }} volumes: + - name: empty-dir + emptyDir: {} {{- if or .Values.wordpressConfiguration .Values.existingWordPressConfigurationSecret }} - name: wordpress-config secret: diff --git a/charts/bitnami/wordpress/templates/networkpolicy-backend-ingress.yaml b/charts/bitnami/wordpress/templates/networkpolicy-backend-ingress.yaml deleted file mode 100644 index 71332563d3..0000000000 --- a/charts/bitnami/wordpress/templates/networkpolicy-backend-ingress.yaml +++ /dev/null 
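Review bot: The `subPath` for the `/opt/bitnami/apache/var/run` mount is misspelled `apcahe-tmp-dir`; it still works because it is only a directory name inside the emptyDir, but it breaks the naming pattern of the sibling mounts and will mislead anyone grepping for `apache-` paths, so rename it `apache-tmp-dir`. Also, `/opt/bitnami/apache/conf` and `/opt/bitnami/php/etc` are mounted from emptyDir subPaths that the `prepare-base-dir` init container never populates (it copies only the application tree and the logs directory), so a working start-up depends on the image's entrypoint regenerating those directories from its shipped defaults; if that is the intended mechanism, a short comment on these mounts (`# emptied here; repopulated at start-up by the image's setup scripts`) would save the next reader a trip into the container. The `wordpress` container entry these mounts belong to starts before the hunk.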
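Review bot: `empty-dir` is declared as `emptyDir: {}` with no `sizeLimit`, yet with `readOnlyRootFilesystem: true` every writable path in the pod — `/tmp`, the PHP and Apache temp/var directories and the whole WordPress tree — now lands on this single node-local volume, so a runaway upload, a verbose log or a compromised worker can consume node ephemeral storage with no per-pod bound. Consider exposing a cap as a chart value and rendering it into `sizeLimit` on this volume so the kubelet evicts the offending pod instead of the node filling up; a default of "unbounded" is fine if the README says so. The `volumes:` list continues outside the hunk.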
@@ -1,30 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.networkPolicy.enabled .Values.networkPolicy.ingressRules.backendOnlyAccessibleByFrontend }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-backend" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: - {{- if .Values.networkPolicy.ingressRules.customBackendSelector }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.customBackendSelector "context" $) | nindent 6 }} - {{- else }} - app.kubernetes.io/name: mariadb - app.kubernetes.io/instance: {{ .Release.Name }} - {{- end }} - ingress: - - from: - - podSelector: - {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} -{{- end }} diff --git a/charts/bitnami/wordpress/templates/networkpolicy-egress.yaml b/charts/bitnami/wordpress/templates/networkpolicy-egress.yaml deleted file mode 100644 index 9c8a44225a..0000000000 --- a/charts/bitnami/wordpress/templates/networkpolicy-egress.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.egressRules.denyConnectionsToExternal .Values.networkPolicy.egressRules.customRules) }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-egress" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: - app.kubernetes.io/instance: {{ .Release.Name }} - policyTypes: - - Egress - egress: - {{- if .Values.networkPolicy.egressRules.denyConnectionsToExternal }} - - ports: - - port: 53 - protocol: UDP - - port: 53 - protocol: TCP - - to: - - namespaceSelector: {} - {{- end }} - {{- if .Values.networkPolicy.egressRules.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.egressRules.customRules "context" $) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/bitnami/wordpress/templates/networkpolicy-ingress.yaml b/charts/bitnami/wordpress/templates/networkpolicy-ingress.yaml deleted file mode 100644 index c05c1e6e9a..0000000000 --- a/charts/bitnami/wordpress/templates/networkpolicy-ingress.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.ingress.enabled .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.accessOnlyFrom.enabled) }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-ingress" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} - podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} - ingress: - {{- if and .Values.ingress.enabled .Values.networkPolicy.ingress.enabled (or .Values.networkPolicy.ingress.namespaceSelector .Values.networkPolicy.ingress.podSelector) }} - - from: - {{- if .Values.networkPolicy.ingress.namespaceSelector }} - - namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingress.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.ingress.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingress.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }} - - from: - {{- if .Values.networkPolicy.metrics.namespaceSelector }} - - 
namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.metrics.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if and .Values.networkPolicy.ingressRules.accessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.accessOnlyFrom.podSelector) }} - - from: - {{- if .Values.networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector }} - - namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.accessOnlyFrom.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.accessOnlyFrom.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.customRules "context" $) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/bitnami/wordpress/templates/networkpolicy.yaml b/charts/bitnami/wordpress/templates/networkpolicy.yaml new file mode 100644 index 0000000000..8af11912fa --- /dev/null +++ b/charts/bitnami/wordpress/templates/networkpolicy.yaml 
@@ -0,0 +1,92 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + policyTypes: + - Ingress + - Egress + {{- if .Values.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow outbound connections to MariaDB + - ports: + - port: {{ include "wordpress.databasePort" . }} + {{- if .Values.mariadb.enabled }} + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: mariadb + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + {{- if .Values.wordpressConfigureCache }} + # Allow outbound connections to Memcached + - ports: + - port: {{ include "wordpress.cachePort" . 
}} + {{- if .Values.memcached.enabled }} + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: memcached + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.containerPorts.http }} + - port: {{ .Values.containerPorts.https }} + {{- range .Values.extraContainerPorts }} + - port: {{ . }} + {{- end }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + - podSelector: + matchLabels: + {{ template "common.names.fullname" . }}-client: "true" + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/bitnami/wordpress/values.yaml b/charts/bitnami/wordpress/values.yaml index c71781261c..ce6b06159f 100644 --- a/charts/bitnami/wordpress/values.yaml +++ b/charts/bitnami/wordpress/values.yaml 
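Review bot: The single ingress rule only opens `containerPorts.http`, `containerPorts.https` and `extraContainerPorts`, so once `networkPolicy.enabled` defaults to `true` (as the values change in this commit does) the apache-exporter sidecar's scrape port is blocked whenever `metrics.enabled` is set, unless the operator also writes a `networkPolicy.extraIngress` rule — a quiet way to lose monitoring. Add the exporter port conditionally, e.g. `{{- if .Values.metrics.enabled }}` / `- port: {{ .Values.metrics.containerPorts.metrics }}` / `{{- end }}`, assuming `metrics.containerPorts.metrics` is the value this chart uses for the exporter port (it is not visible in the hunk). Note also that the database egress entry drops its `to:` selector when `mariadb.enabled` is false, which opens that port to every destination; that is reasonable for an external database, but a comment such as `# external DB: destination unknown, port-only rule` would stop a reader from taking it for a tightening.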
@@ -27,7 +27,7 @@ global: openshift: ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) ## - adaptSecurityContext: disabled + adaptSecurityContext: auto ## @section Common parameters ## @@ -82,7 +82,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/wordpress - tag: 6.4.3-debian-12-r20 + tag: 6.4.3-debian-12-r28 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -384,7 +384,7 @@ tolerations: [] ## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## -resourcesPreset: "none" +resourcesPreset: "micro" ## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: 
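Review bot: `resourcesPreset` is changed to `"micro"`, but the `@param` comment directly above still lists the allowed values as `none, nano, small, medium, large, xlarge, 2xlarge`, so the generated README will document a default that its own enumeration does not contain. Update the comment to `(allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge)` — the bundled common chart presumably defines `micro`, since the template would not render otherwise — and check the other `resourcesPreset` `@param` comments in this file, which repeat the same stale list. Those other occurrences are outside this hunk.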
@@ -429,6 +429,7 @@ podSecurityContext: ## @param containerSecurityContext.enabled Enabled containers' Security Context ## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param containerSecurityContext.privileged Set container's Security Context privileged ## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem @@ -438,11 +439,12 @@ podSecurityContext: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] @@ -785,7 +787,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 12-debian-12-r16 + tag: 12-debian-12-r17 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -801,7 +803,7 @@ volumePermissions: ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: 
@@ -820,7 +822,7 @@ volumePermissions: ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container ## containerSecurityContext: - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 0 ## @section Other Parameters ## @@ -888,7 +890,7 @@ metrics: image: registry: docker.io repository: bitnami/apache-exporter - tag: 1.0.6-debian-12-r8 + tag: 1.0.7-debian-12-r0 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -961,7 +963,7 @@ metrics: ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resourcesPreset: "none" + resourcesPreset: "nano" ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -987,7 +989,7 @@ metrics: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 runAsNonRoot: true privileged: false 
@@ -1048,103 +1050,62 @@ metrics: ## @section NetworkPolicy parameters ## -## Add networkpolicies +## Network Policy configuration +## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ ## networkPolicy: - ## @param networkPolicy.enabled Enable network policies - ## If ingress.enabled or metrics.enabled are true, configure networkPolicy.ingress and networkPolicy.metrics selectors respectively to allow communication + ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created ## - enabled: false - ## @param networkPolicy.metrics.enabled Enable network policy for metrics (prometheus) - ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. - ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. + enabled: true + ## @param networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). ## - metrics: - enabled: false - ## e.g: - ## podSelector: - ## label: monitoring - ## - podSelector: {} - ## e.g: - ## namespaceSelector: - ## label: monitoring - ## - namespaceSelector: {} - ## @param networkPolicy.ingress.enabled Enable network policy for Ingress Proxies - ## @param networkPolicy.ingress.namespaceSelector [object] Ingress Proxy namespace selector labels. These labels will be used to identify the Ingress Proxy's namespace. - ## @param networkPolicy.ingress.podSelector [object] Ingress Proxy pods selector labels. These labels will be used to identify the Ingress Proxy pods. 
+ allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. ## - ingress: - enabled: false - ## e.g: - ## podSelector: - ## label: ingress - ## - podSelector: {} - ## e.g: - ## namespaceSelector: - ## label: ingress - ## - namespaceSelector: {} - ## @param networkPolicy.ingressRules.backendOnlyAccessibleByFrontend Enable ingress rule that makes the backend (mariadb) only accessible by testlink's pods. - ## @param networkPolicy.ingressRules.customBackendSelector [object] Backend selector labels. These labels will be used to identify the backend pods. - ## @param networkPolicy.ingressRules.accessOnlyFrom.enabled Enable ingress rule that makes testlink only accessible from a particular origin - ## @param networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access testlink. This label will be used to identified the allowed namespace(s). - ## @param networkPolicy.ingressRules.accessOnlyFrom.podSelector [object] Pods selector label that is allowed to access testlink. This label will be used to identified the allowed pod(s). 
- ## @param networkPolicy.ingressRules.customRules [object] Custom network policy ingress rule - ## - ingressRules: - ## mariadb backend only can be accessed from testlink - ## - backendOnlyAccessibleByFrontend: false - ## Additional custom backend selector - ## e.g: - ## customBackendSelector: - ## - to: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customBackendSelector: {} - ## Allow only from the indicated: - ## - accessOnlyFrom: - enabled: false - ## e.g: - ## podSelector: - ## label: access - ## - podSelector: {} - ## e.g: - ## namespaceSelector: - ## label: access - ## - namespaceSelector: {} - ## custom ingress rules - ## e.g: - ## customRules: - ## - from: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customRules: {} - ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). - ## @param networkPolicy.egressRules.customRules [object] Custom network policy rule - ## - egressRules: - # Deny connections to external. This is not compatible with an external database. 
- denyConnectionsToExternal: false - ## Additional custom egress rules - ## e.g: - ## customRules: - ## - to: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customRules: {} + allowExternalEgress: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + ## @section Database Parameters ## 
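Review bot: With `enabled: true`, `allowExternal: true` and `allowExternalEgress: true` as the new defaults, the NetworkPolicy that is now created by default admits any source on the listening ports and any egress, so the flip from `enabled: false` is not a tightening by itself; the rendering template is outside this hunk, so that reading is inferred from the parameter comments. The removed `networkPolicy.ingressRules.*`, `networkPolicy.egressRules.denyConnectionsToExternal`, `networkPolicy.ingress.*` and `networkPolicy.metrics.*` keys have no mapping in the diff, so a user who had restricted access with them ends up with a permissive policy silently after upgrade unless a values schema rejects the stale keys; an upgrade note naming the old keys and their `allowExternal`/`allowExternalEgress`/`extraIngress` equivalents would help. Two documentation slips: `## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice` should read `NetworkPolicy`, and `## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy` should say `egress`. The examples under both also render `podSelector` as a list (`- podSelector: - matchLabels: - role: frontend`), which is not valid label-selector syntax since `matchLabels` is a map, so a copy-paste of the example yields an invalid policy.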
@@ -1189,6 +1150,27 @@ mariadb:
 accessModes:
 - ReadWriteOnce
 size: 8Gi
+ ## MariaDB primary container's resource requests and limits
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+ ## We usually recommend not to specify default resources and to leave this as a conscious
+ ## choice for the user. This also increases chances charts run on environments with little
+ ## resources, such as Minikube. If you do want to specify resources, uncomment the following
+ ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ ## @param mariadb.primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "micro"
+ ## @param mariadb.primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
 ## External Database Configuration
 ## All of these values are only used if `mariadb.enabled=false`
 ##
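Review bot: The new default `resourcesPreset: "micro"` is not in the allowed-values list of the `@param mariadb.primary.resourcesPreset` line immediately above it (`none, nano, small, medium, large, xlarge, 2xlarge`), so either the list is missing `micro` or the default is invalid; the preset table lives in bitnami/common and is not in this diff. The same mismatch appears in the `resourcesPreset` row of the zookeeper README hunk `@@ -158,7 +237,7 @@` and in the zookeeper values.yaml hunk `@@ -321,7 +321,7 @@`. In this hunk the `@param` text also refers to `primary.resources` while the key being documented is `mariadb.primary.resources`, and the boilerplate `uncomment the following lines … remove the curly braces` points at lines that are not commented out here; `This is ignored if mariadb.primary.resources is set (mariadb.primary.resources is recommended for production)` would be accurate.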
@@ -1242,6 +1224,24 @@ memcached: ## @param memcached.service.port Memcached service port ## port: 11211 + ## Memcached resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param memcached.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param memcached.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## External Memcached Configuration ## All of these values are only used if `memcached.enabled=false` ## diff --git a/charts/bitnami/zookeeper/Chart.yaml b/charts/bitnami/zookeeper/Chart.yaml index 744ed230aa..6bfe8d7da1 100644 --- a/charts/bitnami/zookeeper/Chart.yaml +++ b/charts/bitnami/zookeeper/Chart.yaml @@ -30,4 +30,4 @@ maintainers: name: zookeeper sources: - https://github.com/bitnami/charts/tree/main/bitnami/zookeeper -version: 12.12.1 +version: 13.0.1 diff --git a/charts/bitnami/zookeeper/README.md b/charts/bitnami/zookeeper/README.md index 8d65721f6b..289c5383ce 100644 --- a/charts/bitnami/zookeeper/README.md +++ b/charts/bitnami/zookeeper/README.md 
@@ -42,26 +42,105 @@ These commands deploy ZooKeeper on the Kubernetes cluster in the default configu > **Tip**: List all releases using `helm list` -## Uninstalling the Chart +## Configuration and installation details + +### Resource requests and limits + +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### [Rolling vs Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. -To uninstall/delete the `my-release` deployment: +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Configure log level + +You can configure the ZooKeeper log level using the `ZOO_LOG_LEVEL` environment variable or the parameter `logLevel`. 
By default, it is set to `ERROR` because each use of the liveness probe and the readiness probe produces an `INFO` message on connection and a `WARN` message on disconnection, generating a high volume of noise in your logs. + +In order to remove that log noise so levels can be set to 'INFO', two changes must be made. + +First, ensure that you are not getting metrics via the deprecated pattern of polling 'mntr' on the ZooKeeper client port. The preferred method of polling for Apache ZooKeeper metrics is the ZooKeeper metrics server. This is supported in this chart when setting `metrics.enabled` to `true`. + +Second, to avoid the connection/disconnection messages from the probes, you can set custom values for these checks which direct them to the ZooKeeper Admin Server instead of the client port. By default, an Admin Server will be started that listens on `localhost` at port `8080`. The following is an example of this use of the Admin Server for probes: + +```yaml +livenessProbe: + enabled: false +readinessProbe: + enabled: false +customLivenessProbe: + exec: + command: ['/bin/bash', '-c', 'curl -s -m 2 http://localhost:8080/commands/ruok | grep ruok'] + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 6 +customReadinessProbe: + exec: + command: ['/bin/bash', '-c', 'curl -s -m 2 http://localhost:8080/commands/ruok | grep error | grep null'] + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 6 +``` + +You can also set the log4j logging level and what log appenders are turned on, by using `ZOO_LOG4J_PROP` set inside of conf/log4j.properties as zookeeper.root.logger by default to ```console -helm delete my-release +zookeeper.root.logger=INFO, CONSOLE ``` -The command removes all the Kubernetes components associated with the chart and deletes the release. 
+the available appender is + +- CONSOLE +- ROLLINGFILE +- RFAAUDIT +- TRACEFILE + +## Persistence + +The [Bitnami ZooKeeper](https://github.com/bitnami/containers/tree/main/bitnami/zookeeper) image stores the ZooKeeper data and configurations at the `/bitnami/zookeeper` path of the container. + +Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. See the [Parameters](#parameters) section to configure the PVC or to disable persistence. + +If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). + +### Adjust permissions of persistent volume mountpoint + +As the image run as non-root by default, it is necessary to adjust the ownership of the persistent volume so that the container can write data into it. + +By default, the chart is configured to use Kubernetes Security Context to automatically change the ownership of the volume. However, this feature does not work in all Kubernetes distributions. +As an alternative, this chart supports using an initContainer to change the ownership of the volume before mounting it in the final destination. + +You can enable this initContainer by setting `volumePermissions.enabled` to `true`. + +### Configure the data log directory + +You can use a dedicated device for logs (instead of using the data directory) to help avoiding competition between logging and snaphots. To do so, set the `dataLogDir` parameter with the path to be used for writing transaction logs. Alternatively, set this parameter with an empty string and it will result in the log being written to the data directory (Zookeeper's default behavior). + +When using a dedicated device for logs, you can use a PVC to persist the logs. To do so, set `persistence.enabled` to `true`. 
See the [Persistence Parameters](#persistence-parameters) section for more information. + +### Set pod affinity + +This chart allows you to set custom pod affinity using the `affinity` parameter. Find more information about pod affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use any of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters. ## Parameters ### Global parameters -| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters 
@@ -158,7 +237,7 @@ The command removes all the Kubernetes components associated with the chart and | `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | | `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | | `lifecycleHooks` | for the ZooKeeper container(s) to automate configuration before or after startup | `{}` | -| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `none` | +| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `micro` | | `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `podSecurityContext.enabled` | Enabled ZooKeeper pods' Security Context | `true` | | `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | 
@@ -166,12 +245,12 @@ The command removes all the Kubernetes components associated with the chart and | `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `podSecurityContext.fsGroup` | Set ZooKeeper pod's Security Context fsGroup | `1001` | | `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | -| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `0` | +| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | -| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | | `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | | `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | 
@@ -270,10 +349,10 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | | `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | | `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | -| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` | | `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `volumePermissions.containerSecurityContext.enabled` | Enabled init container Security Context | `true` | -| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | | `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | ### Metrics parameters 
@@ -330,7 +409,7 @@ The command removes all the Kubernetes components associated with the chart and | `tls.quorum.passwordsSecretTruststoreKey` | The secret key from the tls.quorum.passwordsSecretName containing the password for the Truststore. | `""` | | `tls.quorum.keystorePassword` | Password to access KeyStore if needed | `""` | | `tls.quorum.truststorePassword` | Password to access TrustStore if needed | `""` | -| `tls.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if tls.resources is set (tls.resources is recommended for production). | `none` | +| `tls.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if tls.resources is set (tls.resources is recommended for production). | `nano` | | `tls.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, 
@@ -356,100 +435,22 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/zooke > Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. > **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/zookeeper/values.yaml) -## Configuration and installation details - -### Resource requests and limits - -Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. - -To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). - -### [Rolling vs Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers) - -It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. - -Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. 
- -### Configure log level - -You can configure the ZooKeeper log level using the `ZOO_LOG_LEVEL` environment variable or the parameter `logLevel`. By default, it is set to `ERROR` because each use of the liveness probe and the readiness probe produces an `INFO` message on connection and a `WARN` message on disconnection, generating a high volume of noise in your logs. - -In order to remove that log noise so levels can be set to 'INFO', two changes must be made. - -First, ensure that you are not getting metrics via the deprecated pattern of polling 'mntr' on the ZooKeeper client port. The preferred method of polling for Apache ZooKeeper metrics is the ZooKeeper metrics server. This is supported in this chart when setting `metrics.enabled` to `true`. - -Second, to avoid the connection/disconnection messages from the probes, you can set custom values for these checks which direct them to the ZooKeeper Admin Server instead of the client port. By default, an Admin Server will be started that listens on `localhost` at port `8080`. 
The following is an example of this use of the Admin Server for probes: - -```yaml -livenessProbe: - enabled: false -readinessProbe: - enabled: false -customLivenessProbe: - exec: - command: ['/bin/bash', '-c', 'curl -s -m 2 http://localhost:8080/commands/ruok | grep ruok'] - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 6 -customReadinessProbe: - exec: - command: ['/bin/bash', '-c', 'curl -s -m 2 http://localhost:8080/commands/ruok | grep error | grep null'] - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 6 -``` - -You can also set the log4j logging level and what log appenders are turned on, by using `ZOO_LOG4J_PROP` set inside of conf/log4j.properties as zookeeper.root.logger by default to - -```console -zookeeper.root.logger=INFO, CONSOLE -``` - -the available appender is - -- CONSOLE -- ROLLINGFILE -- RFAAUDIT -- TRACEFILE - -## Persistence - -The [Bitnami ZooKeeper](https://github.com/bitnami/containers/tree/main/bitnami/zookeeper) image stores the ZooKeeper data and configurations at the `/bitnami/zookeeper` path of the container. - -Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. See the [Parameters](#parameters) section to configure the PVC or to disable persistence. - -If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). - -### Adjust permissions of persistent volume mountpoint - -As the image run as non-root by default, it is necessary to adjust the ownership of the persistent volume so that the container can write data into it. - -By default, the chart is configured to use Kubernetes Security Context to automatically change the ownership of the volume. 
However, this feature does not work in all Kubernetes distributions. -As an alternative, this chart supports using an initContainer to change the ownership of the volume before mounting it in the final destination. - -You can enable this initContainer by setting `volumePermissions.enabled` to `true`. - -### Configure the data log directory - -You can use a dedicated device for logs (instead of using the data directory) to help avoiding competition between logging and snaphots. To do so, set the `dataLogDir` parameter with the path to be used for writing transaction logs. Alternatively, set this parameter with an empty string and it will result in the log being written to the data directory (Zookeeper's default behavior). - -When using a dedicated device for logs, you can use a PVC to persist the logs. To do so, set `persistence.enabled` to `true`. See the [Persistence Parameters](#persistence-parameters) section for more information. +## Troubleshooting -### Set pod affinity +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). -This chart allows you to set custom pod affinity using the `affinity` parameter. Find more information about pod affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). +## Upgrading -As an alternative, you can use any of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters. 
+### To 13.0.0 -## Troubleshooting +This major bump changes the following security defaults: -Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. -## Upgrading +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. ### To 12.0.0 @@ -551,4 +552,4 @@ Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and -limitations under the License. \ No newline at end of file +limitations under the License. diff --git a/charts/bitnami/zookeeper/values.yaml b/charts/bitnami/zookeeper/values.yaml index 99a66e4bfb..17870cf514 100644 --- a/charts/bitnami/zookeeper/values.yaml +++ b/charts/bitnami/zookeeper/values.yaml 
@@ -27,7 +27,7 @@ global: openshift: ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) ## - adaptSecurityContext: disabled + adaptSecurityContext: auto ## @section Common parameters ## @@ -321,7 +321,7 @@ lifecycleHooks: {} ## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## -resourcesPreset: "none" +resourcesPreset: "micro" ## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) ## Example: ## resources: @@ -362,12 +362,12 @@ podSecurityContext: ## containerSecurityContext: enabled: true - seLinuxOptions: null + seLinuxOptions: {} runAsUser: 1001 - runAsGroup: 0 + runAsGroup: 1001 runAsNonRoot: true privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: ["ALL"] 
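Review bot: `adaptSecurityContext: auto` now removes `runAsUser`, `runAsGroup` and `fsGroup` whenever the running cluster is detected as OpenShift (per the parameter description on the line above), so the tightened `runAsGroup: 1001` in the `@@ -362,12 +362,12 @@` hunk further down does not take effect there and the pod runs with SCC-assigned IDs instead; existing persistent volumes written by UID/GID 1001 may then need `volumePermissions.enabled: true` to stay writable. This is inferred from the parameter comment; the detection logic is in bitnami/common and not in the diff. A short pointer in the values comment would spare users the surprise, e.g. `## NOTE: with 'auto' the runAsUser/runAsGroup/fsGroup values below are dropped on detected OpenShift clusters`.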
@@ -776,7 +776,7 @@ volumePermissions:
 ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
 ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
 ##
- resourcesPreset: "none"
+ resourcesPreset: "nano"
 ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
 ## Example:
 ## resources:
@@ -797,7 +797,7 @@ volumePermissions:
 ##
 containerSecurityContext:
 enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
 runAsUser: 0
 ## @section Metrics parameters
 ##
@@ -983,7 +983,7 @@ tls:
 ## @param tls.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if tls.resources is set (tls.resources is recommended for production).
 ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
 ##
- resourcesPreset: "none"
+ resourcesPreset: "nano"
 ## @param tls.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
 ## Example:
 ## resources:
diff --git a/charts/datadog/datadog-operator/CHANGELOG.md b/charts/datadog/datadog-operator/CHANGELOG.md
index 32d28b7aa4..eb566f6582 100644
--- a/charts/datadog/datadog-operator/CHANGELOG.md
+++ b/charts/datadog/datadog-operator/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
+## 1.5.2
+
+* Add deprecation warning for `DatadogAgent` `v1alpha1` CRD version.
+
 ## 1.5.1
 * Add configuration for Operator flag `introspectionEnabled`: this parameter is used to enable the Introspection. It is disabled by default.
diff --git a/charts/datadog/datadog-operator/Chart.yaml b/charts/datadog/datadog-operator/Chart.yaml
index 1abf005085..1dcbc7bcb0 100644
--- a/charts/datadog/datadog-operator/Chart.yaml
+++ b/charts/datadog/datadog-operator/Chart.yaml
@@ -26,4 +26,4 @@ name: datadog-operator
 sources:
 - https://app.datadoghq.com/account/settings#agent/kubernetes
 - https://github.com/DataDog/datadog-agent
-version: 1.5.1
+version: 1.5.2
diff --git a/charts/datadog/datadog-operator/README.md b/charts/datadog/datadog-operator/README.md
index 75e029d942..6343ff3e07 100644
--- a/charts/datadog/datadog-operator/README.md
+++ b/charts/datadog/datadog-operator/README.md
@@ -1,6 +1,6 @@
 # Datadog Operator
-![Version: 1.5.1](https://img.shields.io/badge/Version-1.5.1-informational?style=flat-square) ![AppVersion: 1.4.0](https://img.shields.io/badge/AppVersion-1.4.0-informational?style=flat-square)
+![Version: 1.5.2](https://img.shields.io/badge/Version-1.5.2-informational?style=flat-square) ![AppVersion: 1.4.0](https://img.shields.io/badge/AppVersion-1.4.0-informational?style=flat-square)
 ## Values
diff --git a/charts/datadog/datadog-operator/templates/NOTES.txt b/charts/datadog/datadog-operator/templates/NOTES.txt
index 85723cecbb..a6fea9c5d6 100644
--- a/charts/datadog/datadog-operator/templates/NOTES.txt
+++ b/charts/datadog/datadog-operator/templates/NOTES.txt
@@ -40,6 +40,22 @@ The maximumGoroutines parameter isn't supported by the Operator 1.0.0-rc.12 and
 Setting a value will not change the default defined in the Operator.
 {{- end }}
 {{- end }}
+
+{{- if (semverCompare ">=1.0.0" .Values.image.tag) }}
+ {{- if .Values.datadogCRDs.migration.datadogAgents.conversionWebhook.enabled }}
+##############################################################################
+#### WARNING: v1alpha1 and conversion webhook deprecation. ####
+##############################################################################
+
+DatadogAgent v1alpha1 reconciliation in the Operator is deprecated since v1.2.0+ and will be removed in v1.7.0.
+Once removed, the Datadog Operator cannot be configured to reconcile the v1alpha1 DatadogAgent CRD.
+However, you will still be able to apply a v1alpha1 manifest with the conversion webhook enabled (using `datadogCRDs.migration.datadogAgents.conversionWebhook.enabled`).
+DatadogAgent v1alpha1 and the conversion webhook will be removed in v1.8.0.
+See the migration page for instructions on migrating to v2alpha1: https://docs.datadoghq.com/containers/guide/datadogoperator_migration/
+ {{- end }}
+{{- end }}
+
+
 {{- if not (and (semverCompare ">=1.0.0-0" .Values.image.tag) (eq .Values.datadogCRDs.migration.datadogAgents.version "v2alpha1")) }}
 {{- fail "The Datadog Operator `1.0.0` reconciles `DatadogAgent` versions `v2alpha1`. Using an old version of the Datadog Operator (< 1.0.0) with the new version of the DatadogAgent Customer Resource, or the Datadog Operator `1.X` with the `v1alpha1` as stored version of the DatadogAgent is not supported. If you are using a DatadogAgent `v1alpha1`, refer to the Migration Steps: https://github.com/DataDog/helm-charts/blob/main/charts/datadog-operator/README.md#migrating-to-the-version-10-of-the-datadog-operator."}}
 {{- end }}
diff --git a/charts/datadog/datadog/CHANGELOG.md b/charts/datadog/datadog/CHANGELOG.md
index 28cc6e271b..b0010380dd 100644
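Review bot: The new guard uses `semverCompare ">=1.0.0" .Values.image.tag`, while the existing check a few lines below uses `">=1.0.0-0"`; without the `-0` suffix a pre-release tag (for example `1.6.0-rc.1`) does not satisfy the constraint, so the deprecation warning is silently skipped for the users most likely to be trying the upcoming releases. Use the same pre-release-inclusive form: `{{- if (semverCompare ">=1.0.0-0" .Values.image.tag) }}`. The warning is also printed only when the conversion webhook is enabled, although its first sentence is about the deprecation of v1alpha1 reconciliation itself; if that nesting is intentional, a one-line template comment stating why would save the next reviewer the same question.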
--- a/charts/datadog/datadog/CHANGELOG.md
+++ b/charts/datadog/datadog/CHANGELOG.md
@@ -1,5 +1,29 @@
 # Datadog changelog
+## 3.59.2
+
+* Disable language detection reporting by default in Cluster Agent with Agent 7.52+.
+
+## 3.59.1
+
+* Add support for configuring Agent sidecar injection using Admission Controller.
+
+## 3.59.0
+
+* Set default `Agent` and `Cluster-Agent` version to `7.52.0`.
+
+## 3.58.1
+
+* Fix typo in PodSecurityPolicy warning note.
+
+## 3.58.0
+
+* Change configuration options for APM Instrumentation. Starting from Agent and Cluster-Agent version `7.51.0` APM Instrumentation needs to be configured using the following configuration options:
+* `datadog.apm.instrumentation.enabled` - set to `true` to enable automatic instrumentation.
+* `datadog.apm.instrumentation.enabledNamespaces` - optional; list of namespaces to enable automatic instrumentation in. If not provided, every namespace in the cluster will be instrumented.
+* `datadog.apm.instrumentation.disabledNamespaces` - optional; list of namespaces to disable automatic instrumentation in.
+
+
 ## 3.57.3
 * Exclude agent, cluster agent and agent clusterchecks pods from injection from the admission controller.
diff --git a/charts/datadog/datadog/Chart.yaml b/charts/datadog/datadog/Chart.yaml
index 9e661fdcf1..8b3133ae88 100644
--- a/charts/datadog/datadog/Chart.yaml
+++ b/charts/datadog/datadog/Chart.yaml
@@ -19,4 +19,4 @@ name: datadog
 sources:
 - https://app.datadoghq.com/account/settings#agent/kubernetes
 - https://github.com/DataDog/datadog-agent
-version: 3.57.3
+version: 3.59.2
diff --git a/charts/datadog/datadog/README.md b/charts/datadog/datadog/README.md
index 8a283120a1..a2f793ceae 100644
--- a/charts/datadog/datadog/README.md
+++ b/charts/datadog/datadog/README.md
@@ -1,6 +1,6 @@ # Datadog -![Version: 3.57.3](https://img.shields.io/badge/Version-3.57.3-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) +![Version: 3.59.2](https://img.shields.io/badge/Version-3.59.2-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/). @@ -262,7 +262,7 @@ datadog: # (...) apm: instrumentation: - enabled: false + enabled: true enabledNamespaces: - namespaceC ``` @@ -274,7 +274,7 @@ datadog: # (...) apm: instrumentation: - enabled: false + enabled: true libVersions: java: v1.18.0 python: v1.20.0 
@@ -508,7 +508,7 @@ helm install \ | agents.image.pullPolicy | string | `"IfNotPresent"` | Datadog Agent image pull policy | | agents.image.pullSecrets | list | `[]` | Datadog Agent repository pullSecret (ex: specify docker registry credentials) | | agents.image.repository | string | `nil` | Override default registry + image.name for Agent | -| agents.image.tag | string | `"7.51.0"` | Define the Agent version to use | +| agents.image.tag | string | `"7.52.0"` | Define the Agent version to use | | agents.image.tagSuffix | string | `""` | Suffix to append to Agent tag | | agents.localService.forceLocalServiceEnabled | bool | `false` | Force the creation of the internal traffic policy service to target the agent running on the local node. By default, the internal traffic service is created only on Kubernetes 1.22+ where the feature became beta and enabled by default. This option allows to force the creation of the internal traffic service on kubernetes 1.21 where the feature was alpha and required a feature gate to be explicitly enabled. | | agents.localService.overrideName | string | `""` | Name of the internal traffic service to target the agent running on the local node | 
@@ -544,6 +544,14 @@ helm install \ | agents.volumeMounts | list | `[]` | Specify additional volumes to mount in all containers of the agent pod | | agents.volumes | list | `[]` | Specify additional volumes to mount in the dd-agent container | | clusterAgent.additionalLabels | object | `{}` | Adds labels to the Cluster Agent deployment and pods | +| clusterAgent.admissionController.agentSidecarInjection.clusterAgentCommunicationEnabled | bool | `true` | Enable communication between Agent sidecars and the Cluster Agent. | +| clusterAgent.admissionController.agentSidecarInjection.containerRegistry | string | `nil` | | +| clusterAgent.admissionController.agentSidecarInjection.enabled | bool | `false` | Enables Datadog Agent sidecar injection. | +| clusterAgent.admissionController.agentSidecarInjection.imageName | string | `nil` | | +| clusterAgent.admissionController.agentSidecarInjection.imageTag | string | `nil` | | +| clusterAgent.admissionController.agentSidecarInjection.profiles | list | `[]` | Defines the sidecar configuration override, currently only one profile is supported. | +| clusterAgent.admissionController.agentSidecarInjection.provider | string | `nil` | Used by the admission controller to add infrastructure provider-specific configurations to the Agent sidecar. | +| clusterAgent.admissionController.agentSidecarInjection.selectors | list | `[]` | Defines the pod selector for sidecar injection, currently only one rule is supported. | | clusterAgent.admissionController.configMode | string | `nil` | The kind of configuration to be injected, it can be "hostip", "service", or "socket". | | clusterAgent.admissionController.enabled | bool | `true` | Enable the admissionController to be able to inject APM/Dogstatsd config and standard tags (env, service, version) automatically into your pods | | clusterAgent.admissionController.failurePolicy | string | `"Ignore"` | Set the failure policy for dynamic admission control.' | 
@@ -574,7 +582,7 @@ helm install \ | clusterAgent.image.pullPolicy | string | `"IfNotPresent"` | Cluster Agent image pullPolicy | | clusterAgent.image.pullSecrets | list | `[]` | Cluster Agent repository pullSecret (ex: specify docker registry credentials) | | clusterAgent.image.repository | string | `nil` | Override default registry + image.name for Cluster Agent | -| clusterAgent.image.tag | string | `"7.51.0"` | Cluster Agent image tag to use | +| clusterAgent.image.tag | string | `"7.52.0"` | Cluster Agent image tag to use | | clusterAgent.livenessProbe | object | Every 15s / 6 KO / 1 OK | Override default Cluster Agent liveness probe settings | | clusterAgent.metricsProvider.aggregator | string | `"avg"` | Define the aggregator the cluster agent will use to process the metrics. The options are (avg, min, max, sum) | | clusterAgent.metricsProvider.createReaderRbac | bool | `true` | Create `external-metrics-reader` RBAC automatically (to allow HPA to read data from Cluster Agent) | @@ -625,7 +633,7 @@ helm install \ | clusterChecksRunner.image.pullPolicy | string | `"IfNotPresent"` | Datadog Agent image pull policy | | clusterChecksRunner.image.pullSecrets | list | `[]` | Datadog Agent repository pullSecret (ex: specify docker registry credentials) | | clusterChecksRunner.image.repository | string | `nil` | Override default registry + image.name for Cluster Check Runners | -| clusterChecksRunner.image.tag | string | `"7.51.0"` | Define the Agent version to use | +| clusterChecksRunner.image.tag | string | `"7.52.0"` | Define the Agent version to use | | clusterChecksRunner.image.tagSuffix | string | `""` | Suffix to append to Agent tag | | clusterChecksRunner.livenessProbe | object | Every 15s / 6 KO / 1 OK | Override default agent liveness probe settings | | clusterChecksRunner.networkPolicy.create | bool | `false` | If true, create a NetworkPolicy for the cluster checks runners. DEPRECATED. Use datadog.networkPolicy.create instead | 
diff --git a/charts/datadog/datadog/README.md.gotmpl b/charts/datadog/datadog/README.md.gotmpl
index e0d78c0ec8..6e4708ca0b 100644
--- a/charts/datadog/datadog/README.md.gotmpl
+++ b/charts/datadog/datadog/README.md.gotmpl
@@ -258,7 +258,7 @@ datadog:
 # (...)
 apm:
 instrumentation:
- enabled: false
+ enabled: true
 enabledNamespaces:
 - namespaceC
 ```
@@ -270,7 +270,7 @@ datadog:
 # (...)
 apm:
 instrumentation:
- enabled: false
+ enabled: true
 libVersions:
 java: v1.18.0
 python: v1.20.0
diff --git a/charts/datadog/datadog/templates/NOTES.txt b/charts/datadog/datadog/templates/NOTES.txt
index c91017e0ae..e3575c2cf8 100644
--- a/charts/datadog/datadog/templates/NOTES.txt
+++ b/charts/datadog/datadog/templates/NOTES.txt
@@ -155,24 +155,14 @@ The Datadog Agent is listening on port {{ $apmPort }} for APM service.
 {{- end }}
-{{- if and .Values.datadog.apm.instrumentation.enabled_namespaces (eq (include "cluster-agent-enabled" .) "false")}}
+{{- if and .Values.datadog.apm.instrumentation.enabledNamespaces (not .Values.datadog.apm.instrumentation.enabled) }}
 #################################################################
 #### WARNING: Configuration notice ####
 #################################################################
-You are using datadog.apm.instrumentation.enabledNamespaces but you disabled the cluster agent. This configuration is unsupported and Kubernetes resource monitoring has been turned off.
-To enable it please set clusterAgent.enabled to 'true'.
-{{- end }}
-
-{{- if and .Values.datadog.apm.instrumentation.enabled .Values.datadog.apm.instrumentation.enabledNamespaces }}
-
-#################################################################
-#### WARNING: Configuration notice ####
-#################################################################
-
-The options `datadog.apm.instrumentation.enabled` and `datadog.apm.instrumentation.enabledNamespaces` are set together.
-APM Single Step Instrumentation will be enabled in the whole cluster.
+The option `datadog.apm.instrumentation.enabledNamespaces` is set while `datadog.apm.instrumentation.enabled` is disabled.
+APM Single Step Instrumentation will be disabled in the whole cluster.
 {{- end }}
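Review bot: The replacement warning states that APM Single Step Instrumentation `will be disabled in the whole cluster`, but the cluster-agent deployment hunk in this same commit still renders `DD_APM_INSTRUMENTATION_ENABLED_NAMESPACES` whenever `enabledNamespaces` is set, independently of `enabled`; whether the Agent then ignores that list is Agent-side behaviour I cannot verify from the chart. Either make the template match the message by guarding that env var on `.Values.datadog.apm.instrumentation.enabled`, or soften the text, e.g. `APM Single Step Instrumentation is not enabled; the namespace list has no effect unless datadog.apm.instrumentation.enabled is set to true.` The old condition for `enabledNamespaces` combined with a disabled cluster agent was removed without a replacement, so that combination now produces no notice at all; confirm it is handled elsewhere or keep a reduced form of the old block.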
@@ -534,7 +524,7 @@ To send OTLP data to the Agent use the Service created by specifying "http://{{
 #################################################################
 #### WARNING: Incompatibility ####
 #################################################################
-You have enabled creataion of PodSecurityPolicy, however PSP have been removed from Kubernetes >= 1.25, thus PSP will not be created.
+You have enabled creation of PodSecurityPolicy, however PSP have been removed from Kubernetes >= 1.25, thus PSP will not be created.
 You should deactivate these options: clusterAgent.podSecurity.podSecurityPolicy.create and/or agents.podSecurity.podSecurityPolicy.create
 {{- end }}
diff --git a/charts/datadog/datadog/templates/_ac-agent-sidecar-env.yaml b/charts/datadog/datadog/templates/_ac-agent-sidecar-env.yaml
new file mode 100644
index 0000000000..a2791003da
--- /dev/null
+++ b/charts/datadog/datadog/templates/_ac-agent-sidecar-env.yaml
@@ -0,0 +1,50 @@
+{{- define "ac-agent-sidecar-env" -}}
+{{- if and .Values.clusterAgent.admissionController.enabled .Values.clusterAgent.admissionController.agentSidecarInjection.enabled }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_ENABLED
+ value: "true"
+{{- if .Values.clusterAgent.admissionController.agentSidecarInjection.clusterAgentCommunicationEnabled }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_CLUSTER_AGENT_ENABLED
+ value: "true"
+{{- else }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_CLUSTER_AGENT_ENABLED
+ value: "false"
+{{- end }}
+{{- if .Values.clusterAgent.admissionController.agentSidecarInjection.provider }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_PROVIDER
+ value: {{ .Values.clusterAgent.admissionController.agentSidecarInjection.provider }}
+{{- end }}
+
+{{- if .Values.clusterAgent.admissionController.agentSidecarInjection.containerRegistry }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_CONTAINER_REGISTRY
+ value: {{ .Values.clusterAgent.admissionController.agentSidecarInjection.containerRegistry }}
+{{- else if .Values.registry }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_CONTAINER_REGISTRY
+ value: {{ .Values.registry }}
+{{- end }}
+
+{{- if .Values.clusterAgent.admissionController.agentSidecarInjection.imageName }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_NAME
+ value: {{ .Values.clusterAgent.admissionController.agentSidecarInjection.imageName }}
+{{- else if .Values.agents.image.name}}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_NAME
+ value: {{ .Values.agents.image.name }}
+{{- end }}
+
+{{- if .Values.clusterAgent.admissionController.agentSidecarInjection.imageTag }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_TAG
+ value: {{ .Values.clusterAgent.admissionController.agentSidecarInjection.imageTag }}
+{{- else if .Values.agents.image.tag}}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_IMAGE_TAG
+ value: {{ .Values.agents.image.tag }}
+{{- end }}
+
+{{- if .Values.clusterAgent.admissionController.agentSidecarInjection.selectors }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_SELECTORS
+ value: '{{ toJson .Values.clusterAgent.admissionController.agentSidecarInjection.selectors }}'
+{{- end }}
+{{- if .Values.clusterAgent.admissionController.agentSidecarInjection.profiles }}
+- name: DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_PROFILES
+ value: '{{ toJson .Values.clusterAgent.admissionController.agentSidecarInjection.profiles }}'
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/datadog/datadog/templates/_components-common-env.yaml b/charts/datadog/datadog/templates/_components-common-env.yaml
index cfd5dc580c..3c67bd01c7 100644
--- a/charts/datadog/datadog/templates/_components-common-env.yaml
+++ b/charts/datadog/datadog/templates/_components-common-env.yaml
@@ -1,6 +1,9 @@
 # The purpose of this template is to define a minimal set of environment
 # variables shared between components: agent, cluster-agent
 {{- define "components-common-env" -}}
+# Workaround for issue in `7.52.0` default activating language detection
+- name: DD_LANGUAGE_DETECTION_REPORTING_ENABLED
+ value: "false"
 {{- if .Values.datadog.secretBackend.command }}
 - name: DD_SECRET_BACKEND_COMMAND
 value: {{ .Values.datadog.secretBackend.command | quote }}
diff --git a/charts/datadog/datadog/templates/_helpers.tpl b/charts/datadog/datadog/templates/_helpers.tpl
index 9408f0f2b0..86fc75c98f 100644
--- a/charts/datadog/datadog/templates/_helpers.tpl
+++ b/charts/datadog/datadog/templates/_helpers.tpl
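Review bot: The `value:` lines for provider, containerRegistry, imageName and imageTag render the raw value without `| quote`, unlike the rest of this chart's env helpers (compare `value: {{ .Values.datadog.secretBackend.command | quote }}` in `_components-common-env.yaml`); a tag such as `7` or any value YAML reads as a non-string yields a non-string env value that the API server rejects. Quote each one, e.g. `value: {{ .Values.clusterAgent.admissionController.agentSidecarInjection.imageTag | quote }}`. The selectors and profiles entries wrap `toJson` output in single quotes, which produces invalid YAML if any label value contains `'`; `value: {{ toJson .Values.clusterAgent.admissionController.agentSidecarInjection.selectors | quote }}` handles escaping for you. Since `profiles` lets chart users add `env` entries to the Agent sidecar injected into every matched pod, a values.yaml comment saying that these settings are applied to workloads selected by `selectors` (not only to Datadog's own pods) would set expectations for cluster operators.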
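Review bot: `DD_LANGUAGE_DETECTION_REPORTING_ENABLED` is now forced to `"false"` for every component with no values.yaml switch, so a user who wants language detection on 7.52+ has to add a second env entry of the same name through the custom-env lists, and how duplicate env names resolve is not something the chart controls. Gate the workaround behind a value (none exists in this diff, so a new key would be needed) or, at minimum, make the comment say when it can go and where it is tracked: `# Workaround: Agent 7.52.0 enables language detection reporting by default; remove once fixed upstream (<ISSUE-LINK>)`. Note also that the `# ...` line sits inside the `define`, so it is emitted into the rendered env list as a YAML comment; harmless, but it shows up in `helm template` output.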
@@ -903,34 +903,4 @@ Create RBACs for custom resources
 {{- end -}}
 {{- end -}}
-{{/*
-Return all namespaces with enabled Single Step Instrumentation. If instrumentation.enabledNamespaces contains the namespace where Datadog is installed,
-it will be removed.
-*/}}
-{{- define "apmInstrumentation.enabledNamespaces" -}}
-{{- if and .Values.datadog.apm .Values.datadog.apm.instrumentation -}}
-{{- if and .Values.datadog.apm.instrumentation.enabledNamespaces (not .Values.datadog.apm.instrumentation.enabled) -}}
-{{- if has .Release.Namespace .Values.datadog.apm.instrumentation.enabledNamespaces -}}
-{{- $ns := mustWithout .Values.datadog.apm.instrumentation.enabledNamespaces .Release.Namespace -}}
-{{- if $ns -}}
-{{- $ns | toJson | quote -}}
-{{- end -}}
-{{- else -}}
-{{- .Values.datadog.apm.instrumentation.enabledNamespaces | toJson | quote -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-{{/*
-Return all namespaces with disabled Single Step Instrumentation
-*/}}
-{{- define "apmInstrumentation.disabledNamespaces" -}}
-{{- if and .Values.datadog.apm .Values.datadog.apm.instrumentation -}}
-{{- if and .Values.datadog.apm.instrumentation.disabledNamespaces .Values.datadog.apm.instrumentation.enabled -}}
-{{- append .Values.datadog.apm.instrumentation.disabledNamespaces .Release.Namespace | toJson | quote -}}
-{{- else if .Values.datadog.apm.instrumentation.enabled -}}
-{{- list .Release.Namespace | toJson | quote -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
diff --git a/charts/datadog/datadog/templates/cluster-agent-deployment.yaml b/charts/datadog/datadog/templates/cluster-agent-deployment.yaml
index d0bc7b0d32..cd7bd026fd 100644
--- a/charts/datadog/datadog/templates/cluster-agent-deployment.yaml
+++ b/charts/datadog/datadog/templates/cluster-agent-deployment.yaml
@@ -235,19 +235,20 @@ spec:
 - name: DD_ADMISSION_CONTROLLER_AUTO_INSTRUMENTATION_PATCHER_ENABLED
 value: "true"
 {{- end }}
+ {{ include "ac-agent-sidecar-env" . | nindent 10 }}
 - name: DD_REMOTE_CONFIGURATION_ENABLED
 value: {{ include "clusterAgent-remoteConfiguration-enabled" . | quote }}
 {{- if .Values.datadog.apm.instrumentation.enabled }}
 - name: DD_APM_INSTRUMENTATION_ENABLED
- value: "true"
+ value: {{ .Values.datadog.apm.instrumentation.enabled | quote }}
 {{- end }}
- {{- if ne (include "apmInstrumentation.enabledNamespaces" .) "" }}
+ {{- if .Values.datadog.apm.instrumentation.enabledNamespaces }}
 - name: DD_APM_INSTRUMENTATION_ENABLED_NAMESPACES
- value: {{ include "apmInstrumentation.enabledNamespaces" . }}
+ value: {{ .Values.datadog.apm.instrumentation.enabledNamespaces | toJson | quote }}
 {{- end }}
- {{- if ne (include "apmInstrumentation.disabledNamespaces" .) "" }}
+ {{- if .Values.datadog.apm.instrumentation.disabledNamespaces }}
 - name: DD_APM_INSTRUMENTATION_DISABLED_NAMESPACES
- value: {{ include "apmInstrumentation.disabledNamespaces" . }}
+ value: {{ .Values.datadog.apm.instrumentation.disabledNamespaces | toJson | quote }}
 {{- end }}
 {{- if .Values.datadog.apm.instrumentation.libVersions }}
 - name: DD_APM_INSTRUMENTATION_LIB_VERSIONS
diff --git a/charts/datadog/datadog/values.yaml b/charts/datadog/datadog/values.yaml
index 8f805415a0..f39b58904a 100644
--- a/charts/datadog/datadog/values.yaml
+++ b/charts/datadog/datadog/values.yaml
@@ -891,7 +891,7 @@ clusterAgent:
 name: cluster-agent
 # clusterAgent.image.tag -- Cluster Agent image tag to use
- tag: 7.51.0
+ tag: 7.52.0
 # clusterAgent.image.digest -- Cluster Agent image digest to use, takes precedence over tag if specified
 digest: ""
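Review bot: Replacing the `apmInstrumentation.enabledNamespaces` / `disabledNamespaces` helpers with a direct `| toJson | quote` of the values drops the logic that removed `.Release.Namespace` from the enabled list and appended it to the disabled list, so the chart itself no longer excludes the Datadog namespace from Single Step Instrumentation. If Agent 7.52 does not apply that exclusion on its own (the 3.57.3 changelog entry suggests the admission controller skips Datadog's pods, but I cannot confirm namespace handling from here), the agent's own namespace becomes a candidate for library injection; please confirm, or re-add the `mustWithout` / `append` handling of `.Release.Namespace` at these two `value:` lines. Minor: `value: {{ .Values.datadog.apm.instrumentation.enabled | quote }}` sits inside `{{- if .Values.datadog.apm.instrumentation.enabled }}` and therefore always renders `"true"`, so the old literal was clearer. The new include line uses `{{ include "ac-agent-sidecar-env" . | nindent 10 }}` without the leading `-`, which leaves a whitespace-only line in the env list when sidecar injection is off; `{{- include "ac-agent-sidecar-env" . | nindent 10 }}` matches the surrounding style.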
@@ -1061,6 +1061,56 @@ clusterAgent:
 # clusterAgent.admissionController.port -- Set port of cluster-agent admission controller service
 port: 8000
+ agentSidecarInjection:
+ # clusterAgent.admissionController.agentSidecarInjection.enabled -- Enables Datadog Agent sidecar injection.
+
+ ## When enabled, the admission controller mutating webhook will inject an Agent sidecar with minimal configuration in every pod meeting the configured criteria.
+ enabled: false
+
+ # clusterAgent.admissionController.agentSidecarInjection.provider -- Used by the admission controller to add infrastructure provider-specific configurations to the Agent sidecar.
+
+ ## Currently only "fargate" is supported. To use the feature in other environments (including local testing) omit the config.
+ ## ref: https://docs.datadoghq.com/integrations/eks_fargate
+ provider:
+
+ # clusterAgent.admissionController.agentSidecarInjection.clusterAgentCommunicationEnabled -- Enable communication between Agent sidecars and the Cluster Agent.
+ clusterAgentCommunicationEnabled: true
+
+ # clusterAgent.admissionController.containerRegistry -- Override the default registry for the sidecar Agent.
+ containerRegistry:
+
+ # clusterAgent.admissionController.imageName -- Override the default agents.image.name for the Agent sidecar.
+ imageName:
+
+ # clusterAgent.admissionController.imageTag -- Override the default agents.image.tag for the Agent sidecar.
+ imageTag:
+
+ # clusterAgent.admissionController.agentSidecarInjection.selectors -- Defines the pod selector for sidecar injection, currently only one rule is supported.
+ selectors: []
+ # - objectSelector:
+ # matchLabels:
+ # "podlabelKey1": podlabelValue1
+ # "podlabelKey2": podlabelValue2
+ # namespaceSelector:
+ # matchLabels:
+ # "nsLabelKey1": nsLabelValue1
+ # "nsLabelKey2": nsLabelValue2
+
+ # clusterAgent.admissionController.agentSidecarInjection.profiles -- Defines the sidecar configuration override, currently only one profile is supported.
+
+ ## This setting allows overriding the sidecar Agent configuration by adding environment variables and providing resource settings.
+ profiles: []
+ # - env:
+ # - name: DD_ORCHESTRATOR_EXPLORER_ENABLED
+ # value: "true"
+ # resources:
+ # requests:
+ # cpu: "1"
+ # memory: "512Mi"
+ # limits:
+ # cpu: "2"
+ # memory: "1024Mi"
+
 # clusterAgent.confd -- Provide additional cluster check configurations. Each key will become a file in /conf.d.
 ## ref: https://docs.datadoghq.com/agent/autodiscovery/
@@ -1319,7 +1369,7 @@ agents:
 name: agent
 # agents.image.tag -- Define the Agent version to use
- tag: 7.51.0
+ tag: 7.52.0
 # agents.image.digest -- Define Agent image digest to use, takes precedence over tag if specified
 digest: ""
@@ -1787,7 +1837,7 @@ clusterChecksRunner:
 name: agent
 # clusterChecksRunner.image.tag -- Define the Agent version to use
- tag: 7.51.0
+ tag: 7.52.0
 # clusterChecksRunner.image.digest -- Define Agent image digest to use, takes precedence over tag if specified
 digest: ""
diff --git a/charts/dell/csi-isilon/Chart.yaml b/charts/dell/csi-isilon/Chart.yaml
index c1cdaa6f4e..111e96e118 100644
--- a/charts/dell/csi-isilon/Chart.yaml
+++ b/charts/dell/csi-isilon/Chart.yaml
@@ -1,10 +1,10 @@
 annotations:
 catalog.cattle.io/certified: partner
 catalog.cattle.io/display-name: Dell CSI PowerScale
- catalog.cattle.io/kube-version: '>= 1.21.0 < 1.29.0'
+ catalog.cattle.io/kube-version: '>= 1.21.0 < 1.30.0'
 catalog.cattle.io/release-name: isilon
 apiVersion: v2
-appVersion: 2.9.1
+appVersion: 2.10.0
 description: 'PowerScale CSI (Container Storage Interface) driver Kubernetes integration.
 This chart includes everything required to provision via CSI as well as an Isilon StorageClass.
 '
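Review bot: The helm-docs comments for the three override keys omit the `agentSidecarInjection.` path segment (`# clusterAgent.admissionController.containerRegistry -- …`, `# clusterAgent.admissionController.imageName -- …`, `# clusterAgent.admissionController.imageTag -- …`), so they do not name the keys they sit above; this is why the README rows for `clusterAgent.admissionController.agentSidecarInjection.containerRegistry`, `imageName` and `imageTag` added in this same commit have empty description cells. Change them to `# clusterAgent.admissionController.agentSidecarInjection.containerRegistry -- Override the default registry for the sidecar Agent.`, `# clusterAgent.admissionController.agentSidecarInjection.imageName -- Override the default agents.image.name for the Agent sidecar.` and `# clusterAgent.admissionController.agentSidecarInjection.imageTag -- Override the default agents.image.tag for the Agent sidecar.`, then regenerate the README. The `provider` comment says only `"fargate"` is supported, yet the value is passed verbatim into `DD_ADMISSION_CONTROLLER_AGENT_SIDECAR_PROVIDER` with no validation in the template; a short `## Any other value is passed through to the Agent unchanged.` note would make that explicit.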
@@ -12,11 +12,11 @@ icon: https://partner-charts.rancher.io/assets/logos/dell.png
 keywords:
 - csi
 - storage
-kubeVersion: '>= 1.21.0 < 1.29.0'
+kubeVersion: '>= 1.21.0 < 1.30.0'
 maintainers:
 - name: DellEMC
 name: csi-isilon
 sources:
 - https://github.com/dell/csi-isilon
 type: application
-version: 2.9.1
+version: 2.10.0
diff --git a/charts/dell/csi-isilon/templates/controller.yaml b/charts/dell/csi-isilon/templates/controller.yaml
index 8466a81318..67f0730e37 100644
--- a/charts/dell/csi-isilon/templates/controller.yaml
+++ b/charts/dell/csi-isilon/templates/controller.yaml
@@ -276,20 +276,8 @@ spec:
 imagePullPolicy: {{ .Values.imagePullPolicy }}
 args:
 - "--csi-address={{ $driverSockPath }}"
- - "--leader-election"
 - "--timeout=120s"
 - "--v=5"
- {{- if hasKey .Values.controller "leaderElection" }}
- {{- if hasKey .Values.controller.leaderElection "leaderElectionRenewDeadline" }}
- - "--leader-election-renew-deadline={{ .Values.controller.leaderElection.leaderElectionRenewDeadline }}"
- {{end}}
- {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }}
- - "--leader-election-lease-duration={{ .Values.controller.leaderElection.leaderElectionLeaseDuration }}"
- {{end}}
- {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }}
- - "--leader-election-retry-period={{ .Values.controller.leaderElection.leaderElectionRetryPeriod }}"
- {{end}}
- {{end}}
 command: [ "/csi-metadata-retriever" ]
 env:
 - name: CSI_RETRIEVER_ENDPOINT
diff --git a/charts/dell/csi-isilon/values.yaml b/charts/dell/csi-isilon/values.yaml
index 4b0abe3f59..ea9455601b 100644
--- a/charts/dell/csi-isilon/values.yaml
+++ b/charts/dell/csi-isilon/values.yaml
@@ -2,24 +2,24 @@
 ########################
 # version: version of this values file
 # Note: Do not change this value
-version: "v2.9.1"
+version: "v2.10.0"
 images:
 # "driver" defines the container image, used for the driver container.
- driver: dellemc/csi-isilon:v2.9.1
+ driver: dellemc/csi-isilon:v2.10.0
 # CSI sidecars
- attacher: registry.k8s.io/sig-storage/csi-attacher:v4.4.2
- provisioner: registry.k8s.io/sig-storage/csi-provisioner:v3.6.2
- snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.2
- resizer: registry.k8s.io/sig-storage/csi-resizer:v1.9.2
- registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.1
- healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.10.0
+ attacher: registry.k8s.io/sig-storage/csi-attacher:v4.5.0
+ provisioner: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0
+ snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v7.0.1
+ resizer: registry.k8s.io/sig-storage/csi-resizer:v1.10.0
+ registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0
+ healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.11.0
 # CSM sidecars
- replication: dellemc/dell-csi-replicator:v1.7.1
- podmon: dellemc/podmon:v1.8.1
- authorization: dellemc/csm-authorization-sidecar:v1.9.1
- metadataretriever: dellemc/csi-metadata-retriever:v1.6.1
+ replication: dellemc/dell-csi-replicator:v1.8.0
+ podmon: dellemc/podmon:v1.9.0
+ authorization: dellemc/csm-authorization-sidecar:v1.10.0
+ metadataretriever: dellemc/csi-metadata-retriever:v1.7.2
 encryption: dellemc/csm-encryption:v0.3.0
 # CSI driver log level
@@ -65,7 +65,7 @@ verbose: 1
 # Specify kubelet config dir path.
 # Ensure that the config.yaml file is present at this path.
-# Default value: None
+# Default value: /var/lib/kubelet
 kubeletConfigDir: /var/lib/kubelet
 # enableCustomTopology: Specify if custom topology label .dellemc.com/:
diff --git a/charts/dell/csi-powermax/Chart.yaml b/charts/dell/csi-powermax/Chart.yaml
index e34197fcfa..bae68278fe 100644
--- a/charts/dell/csi-powermax/Chart.yaml
+++ b/charts/dell/csi-powermax/Chart.yaml
@@ -1,15 +1,15 @@
 annotations:
 catalog.cattle.io/certified: partner
 catalog.cattle.io/display-name: Dell CSI PowerMax
- catalog.cattle.io/kube-version: '>= 1.23.0 < 1.29.0'
+ catalog.cattle.io/kube-version: '>= 1.23.0 < 1.30.0'
 catalog.cattle.io/release-name: csi-powermax
 apiVersion: v2
-appVersion: 2.9.1
+appVersion: 2.10.0
 dependencies:
 - condition: required
 name: csireverseproxy
 repository: file://./charts/csireverseproxy
- version: 2.8.1
+ version: 2.9.0
 description: 'PowerMax CSI (Container Storage Interface) driver Kubernetes integration.
 This chart includes everything required to provision via CSI as well as a PowerMax StorageClass.
 '
@@ -18,11 +18,11 @@ icon: https://partner-charts.rancher.io/assets/logos/dell.png
 keywords:
 - csi
 - storage
-kubeVersion: '>= 1.23.0 < 1.29.0'
+kubeVersion: '>= 1.23.0 < 1.30.0'
 maintainers:
 - name: DellEMC
 name: csi-powermax
 sources:
 - https://github.com/dell/csi-powermax
 type: application
-version: 2.9.1
+version: 2.10.0
diff --git a/charts/dell/csi-powermax/charts/csireverseproxy/Chart.yaml b/charts/dell/csi-powermax/charts/csireverseproxy/Chart.yaml
index 341b4f7169..f71fb0c30d 100644
--- a/charts/dell/csi-powermax/charts/csireverseproxy/Chart.yaml
+++ b/charts/dell/csi-powermax/charts/csireverseproxy/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: 2.8.1
+appVersion: 2.9.0
 description: A Helm chart for CSI PowerMax ReverseProxy
 name: csireverseproxy
 type: application
-version: 2.8.1
+version: 2.9.0
diff --git a/charts/dell/csi-powermax/charts/csireverseproxy/values.yaml b/charts/dell/csi-powermax/charts/csireverseproxy/values.yaml
index 5afbc2adba..7f04946a4f 100644
--- a/charts/dell/csi-powermax/charts/csireverseproxy/values.yaml
+++ b/charts/dell/csi-powermax/charts/csireverseproxy/values.yaml
@@ -1,4 +1,4 @@ -image: dellemc/csipowermax-reverseproxy:v2.8.1 +image: dellemc/csipowermax-reverseproxy:v2.9.0 port: 2222 # TLS secret which is used for setting up the proxy HTTPS server diff --git a/charts/dell/csi-powermax/templates/controller.yaml b/charts/dell/csi-powermax/templates/controller.yaml index 9ff4308d42..24a120fb63 100644 --- a/charts/dell/csi-powermax/templates/controller.yaml +++ b/charts/dell/csi-powermax/templates/controller.yaml @@ -470,8 +470,6 @@ spec: value: /app/tls - name: X_CSI_REVPROXY_WATCH_NAMESPACE value: {{ .Release.Namespace }} - - name: X_CSI_REVPROXY_IS_LEADER_ENABLED - value: "false" volumeMounts: - name: configmap-volume mountPath: /etc/config/configmap diff --git a/charts/dell/csi-powermax/values.yaml b/charts/dell/csi-powermax/values.yaml index 117dc70c90..4194785190 100644 --- a/charts/dell/csi-powermax/values.yaml +++ b/charts/dell/csi-powermax/values.yaml 
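Review bot: Dropping `X_CSI_REVPROXY_IS_LEADER_ENABLED` leaves the reverse proxy's leader-election behaviour to whatever the csipowermax-reverseproxy v2.9.0 image defaults to, and the chart no longer pins it either way. If that default is now "enabled", the controller ServiceAccount presumably needs rights on coordination.k8s.io leases, which nothing in this hunk grants; if the intent is to keep leader election off, keeping the env var explicitly set to `"false"` is the safer form. A short comment on the container, such as `# leader election for the reverseproxy follows the image default as of v2.9.0`, would record the decision for the next upgrade. The enclosing container spec starts and ends outside the hunk.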
@@ -48,24 +48,24 @@ global: # Current version of the driver # Don't modify this value as this value will be used by the install script -version: "v2.9.1" +version: "v2.10.0" # "images" defines every container images used for the driver and its sidecars. # To use your own images, or a private registry, change the values here. images: # "driver" defines the container image, used for the driver container. - driver: dellemc/csi-powermax:v2.9.1 - csireverseproxy: dellemc/csipowermax-reverseproxy:v2.8.1 + driver: dellemc/csi-powermax:v2.10.0 + csireverseproxy: dellemc/csipowermax-reverseproxy:v2.9.0 # CSI sidecars - attacher: registry.k8s.io/sig-storage/csi-attacher:v4.4.2 - provisioner: registry.k8s.io/sig-storage/csi-provisioner:v3.6.2 - snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.2 - resizer: registry.k8s.io/sig-storage/csi-resizer:v1.9.2 - registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.1 - healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.10.0 + attacher: registry.k8s.io/sig-storage/csi-attacher:v4.5.0 + provisioner: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 + snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v7.0.1 + resizer: registry.k8s.io/sig-storage/csi-resizer:v1.10.0 + registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 + healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.11.0 # CSM sidecars - replication: dellemc/dell-csi-replicator:v1.7.1 - authorization: dellemc/csm-authorization-sidecar:v1.9.1 + replication: dellemc/dell-csi-replicator:v1.8.0 + authorization: dellemc/csm-authorization-sidecar:v1.10.0 migration: dellemc/dell-csi-migrator:v1.3.0 # Node rescan sidecar does a rescan on nodes for identifying new paths # Default value: dellemc/dell-csi-node-rescanner:v1.0.1 
@@ -104,7 +104,7 @@ imagePullPolicy: IfNotPresent # Specify kubelet config dir path. # Ensure that the config.yaml file is present at this path. -# Default value: None +# Default value: /var/lib/kubelet kubeletConfigDir: /var/lib/kubelet # fsGroupPolicy: Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. diff --git a/charts/dell/csi-powerstore/Chart.yaml b/charts/dell/csi-powerstore/Chart.yaml index 59e29cbf00..cea1b5bbc8 100644 --- a/charts/dell/csi-powerstore/Chart.yaml +++ b/charts/dell/csi-powerstore/Chart.yaml @@ -1,10 +1,10 @@ annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dell CSI PowerStore - catalog.cattle.io/kube-version: '>= 1.24.0 < 1.29.0' + catalog.cattle.io/kube-version: '>= 1.24.0 < 1.30.0' catalog.cattle.io/release-name: powerstore apiVersion: v2 -appVersion: 2.9.1 +appVersion: 2.10.0 description: 'PowerStore CSI (Container Storage Interface) driver Kubernetes integration. This chart includes everything required to provision via CSI as well as a PowerStore StorageClass. ' @@ -13,11 +13,11 @@ icon: https://partner-charts.rancher.io/assets/logos/dell.png keywords: - csi - storage -kubeVersion: '>= 1.24.0 < 1.29.0' +kubeVersion: '>= 1.24.0 < 1.30.0' maintainers: - name: DellEMC name: csi-powerstore sources: - https://github.com/dell/csi-powerstore type: application -version: 2.9.1 +version: 2.10.0 diff --git a/charts/dell/csi-powerstore/values.yaml b/charts/dell/csi-powerstore/values.yaml index 500e3333d1..0254241b18 100644 --- a/charts/dell/csi-powerstore/values.yaml +++ b/charts/dell/csi-powerstore/values.yaml 
@@ -23,30 +23,30 @@ driverName: "csi-powerstore.dellemc.com" # "version" is used to verify the values file matches driver version # Not recommend to change -version: v2.9.1 +version: v2.10.0 # "images" defines every container images used for the driver and its sidecars. # To use your own images, or a private registry, change the values here. images: # "driver" defines the container image, used for the driver container. - driver: dellemc/csi-powerstore:v2.9.1 + driver: dellemc/csi-powerstore:v2.10.0 # CSI sidecars - attacher: registry.k8s.io/sig-storage/csi-attacher:v4.4.2 - provisioner: registry.k8s.io/sig-storage/csi-provisioner:v3.6.2 - snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.2 - resizer: registry.k8s.io/sig-storage/csi-resizer:v1.9.2 - registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.1 - healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.10.0 + attacher: registry.k8s.io/sig-storage/csi-attacher:v4.5.0 + provisioner: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 + snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v7.0.1 + resizer: registry.k8s.io/sig-storage/csi-resizer:v1.10.0 + registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 + healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.11.0 # CSM sidecars - replication: dellemc/dell-csi-replicator:v1.7.1 - vgsnapshotter: dellemc/csi-volumegroup-snapshotter:v1.4.0 - podmon: dellemc/podmon:v1.8.1 - metadataretriever: dellemc/csi-metadata-retriever:v1.6.1 + replication: dellemc/dell-csi-replicator:v1.8.0 + vgsnapshotter: dellemc/csi-volumegroup-snapshotter:v1.5.0 + podmon: dellemc/podmon:v1.9.0 + metadataretriever: dellemc/csi-metadata-retriever:v1.7.2 # Specify kubelet config dir path. # Ensure that the config.yaml file is present at this path. 
-# Default value: None +# Default value: /var/lib/kubelet kubeletConfigDir: /var/lib/kubelet # nodeFCPortsFilterFile: It is the name of the environment variable which store path to the file which diff --git a/charts/dell/csi-unity/Chart.yaml b/charts/dell/csi-unity/Chart.yaml index b9b63b1b3c..f3604f266e 100644 --- a/charts/dell/csi-unity/Chart.yaml +++ b/charts/dell/csi-unity/Chart.yaml @@ -1,10 +1,10 @@ annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dell CSI Unity - catalog.cattle.io/kube-version: '>= 1.24.0 < 1.29.0' + catalog.cattle.io/kube-version: '>= 1.24.0 < 1.30.0' catalog.cattle.io/release-name: unity apiVersion: v2 -appVersion: 2.9.1 +appVersion: 2.10.0 description: 'Unity XT CSI (Container Storage Interface) driver Kubernetes integration. This chart includes everything required to provision via CSI as well as a Unity XT StorageClass. ' @@ -12,11 +12,11 @@ icon: https://partner-charts.rancher.io/assets/logos/dell.png keywords: - csi - storage -kubeVersion: '>= 1.24.0 < 1.29.0' +kubeVersion: '>= 1.24.0 < 1.30.0' maintainers: - name: DellEMC name: csi-unity sources: - https://github.com/dell/csi-unity type: application -version: 2.9.1 +version: 2.10.0 diff --git a/charts/dell/csi-unity/values.yaml b/charts/dell/csi-unity/values.yaml index f5da260153..6b27512ea8 100644 --- a/charts/dell/csi-unity/values.yaml +++ b/charts/dell/csi-unity/values.yaml 
@@ -3,22 +3,22 @@ # version: version of this values file # Note: Do not change this value -# Examples : "v2.9.1" , "nightly" -version: "v2.9.1" +# Examples : "v2.9.0" , "nightly" +version: "v2.10.0" images: # "driver" defines the container image, used for the driver container. - driver: dellemc/csi-unity:v2.9.1 + driver: dellemc/csi-unity:v2.10.0 # CSI sidecars - attacher: registry.k8s.io/sig-storage/csi-attacher:v4.4.2 - provisioner: registry.k8s.io/sig-storage/csi-provisioner:v3.6.2 - snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.2 - resizer: registry.k8s.io/sig-storage/csi-resizer:v1.9.2 - registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.1 - healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.10.0 + attacher: registry.k8s.io/sig-storage/csi-attacher:v4.5.0 + provisioner: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 + snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v7.0.1 + resizer: registry.k8s.io/sig-storage/csi-resizer:v1.10.0 + registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 + healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.11.0 # CSM sidecars - podmon: dellemc/podmon:v1.8.1 + podmon: dellemc/podmon:v1.9.0 # LogLevel is used to set the logging level of the driver. # Allowed values: "error", "warn"/"warning", "info", "debug" @@ -41,7 +41,7 @@ imagePullPolicy: Always # Specify kubelet config dir path. # Ensure that the config.yaml file is present at this path. -# Default value: None +# Default value: /var/lib/kubelet kubeletConfigDir: /var/lib/kubelet # fsGroupPolicy: Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. diff --git a/charts/dell/csi-vxflexos/Chart.yaml b/charts/dell/csi-vxflexos/Chart.yaml index 8a87d74cdf..6dff463863 100644 --- a/charts/dell/csi-vxflexos/Chart.yaml +++ b/charts/dell/csi-vxflexos/Chart.yaml 
@@ -1,11 +1,11 @@ annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dell CSI PowerFlex - catalog.cattle.io/kube-version: '>= 1.21.0 < 1.29.0' + catalog.cattle.io/kube-version: '>= 1.21.0 < 1.30.0' catalog.cattle.io/namespace: vxflexos catalog.cattle.io/release-name: vxflexos apiVersion: v2 -appVersion: 2.9.2 +appVersion: 2.10.0 description: 'VxFlex OS CSI (Container Storage Interface) driver Kubernetes integration. This chart includes everything required to provision via CSI as well as a VxFlex OS StorageClass. ' @@ -13,10 +13,10 @@ icon: https://partner-charts.rancher.io/assets/logos/dell.png keywords: - csi - storage -kubeVersion: '>= 1.21.0 < 1.29.0' +kubeVersion: '>= 1.21.0 < 1.30.0' maintainers: - name: DellEMC name: csi-vxflexos sources: - https://github.com/dell/csi-vxflexos -version: 2.9.2 +version: 2.10.0 diff --git a/charts/dell/csi-vxflexos/templates/node.yaml b/charts/dell/csi-vxflexos/templates/node.yaml index a45a6c8432..85446bc2a0 100644 --- a/charts/dell/csi-vxflexos/templates/node.yaml +++ b/charts/dell/csi-vxflexos/templates/node.yaml @@ -219,6 +219,11 @@ spec: value: "{{ .Values.node.renameSDC.prefix }}" {{- end }} {{- end }} + - name: X_CSI_POWERFLEX_KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName volumeMounts: - name: driver-path mountPath: {{ .Values.kubeletConfigDir }}/plugins/vxflexos.emc.dell.com @@ -325,6 +330,8 @@ spec: mountPath: /dev - name: os-release mountPath: /host-os-release + - name: host-opt-emc-path + mountPath: /host_opt_emc_path - name: sdc-storage mountPath: /storage - name: host-opt-emc-path diff --git a/charts/dell/csi-vxflexos/values.yaml b/charts/dell/csi-vxflexos/values.yaml index 0e3847534b..64fd16c2c1 100644 --- a/charts/dell/csi-vxflexos/values.yaml +++ b/charts/dell/csi-vxflexos/values.yaml 
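Review bot: The added mount of `host-opt-emc-path` at `/host_opt_emc_path` in the second hunk sits two entries above an existing `- name: host-opt-emc-path` mount whose mountPath is outside the hunk, so the same volume (presumably a hostPath, judging by its name) is now mounted twice into the node container. Mounting one volume at two paths is accepted only while the mountPaths differ; if the existing entry already uses `/host_opt_emc_path` the DaemonSet pods are rejected for a duplicate mountPath, and if it uses another path the driver ends up with two views of the same host directory. Either consolidate to one mount or add a one-line comment beside the new entry stating why both paths are needed. The enclosing container spec starts and ends outside the hunk; the first hunk, which adds `X_CSI_POWERFLEX_KUBE_NODE_NAME` from `spec.nodeName`, needs no change.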
@@ -3,28 +3,28 @@ # "version" is used to verify the values file matches driver version # Not recommend to change -version: v2.9.2 +version: v2.10.0 # "images" defines every container images used for the driver and its sidecars. # To use your own images, or a private registry, change the values here. images: # "driver" defines the container image, used for the driver container. - driver: dellemc/csi-vxflexos:v2.9.2 + driver: dellemc/csi-vxflexos:v2.10.0 # "powerflexSdc" defines the SDC image for init container. - powerflexSdc: dellemc/sdc:4.5 + powerflexSdc: dellemc/sdc:4.5.1 # CSI sidecars - attacher: registry.k8s.io/sig-storage/csi-attacher:v4.4.2 - provisioner: registry.k8s.io/sig-storage/csi-provisioner:v3.6.2 - snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.2 - resizer: registry.k8s.io/sig-storage/csi-resizer:v1.9.2 - registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.1 - healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.10.0 + attacher: registry.k8s.io/sig-storage/csi-attacher:v4.5.0 + provisioner: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 + snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v7.0.1 + resizer: registry.k8s.io/sig-storage/csi-resizer:v1.10.0 + registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 + healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.11.0 # CSM sidecars - replication: dellemc/dell-csi-replicator:v1.7.1 - vgsnapshotter: dellemc/csi-volumegroup-snapshotter:v1.4.0 - podmon: dellemc/podmon:v1.8.1 - authorization: dellemc/csm-authorization-sidecar:v1.9.1 + replication: dellemc/dell-csi-replicator:v1.8.0 + vgsnapshotter: dellemc/csi-volumegroup-snapshotter:v1.5.0 + podmon: dellemc/podmon:v1.9.0 + authorization: dellemc/csm-authorization-sidecar:v1.10.0 # Represents number of certificate secrets, which user is going to create for ssl authentication. 
(vxflexos-cert-0..vxflexos-cert-n) # If user does not use certificate, set to 0 @@ -42,7 +42,7 @@ logFormat: "TEXT" # Specify kubelet config dir path. # Ensure that the config.yaml file is present at this path. -# Default value: None +# Default value: /var/lib/kubelet kubeletConfigDir: /var/lib/kubelet # "defaultFsType" is used to set the default FS type which will be used diff --git a/charts/f5/f5-bigip-ctlr/Chart.yaml b/charts/f5/f5-bigip-ctlr/Chart.yaml index b652af4cc6..428f7ecd0b 100644 --- a/charts/f5/f5-bigip-ctlr/Chart.yaml +++ b/charts/f5/f5-bigip-ctlr/Chart.yaml @@ -22,4 +22,4 @@ name: f5-bigip-ctlr sources: - https://github.com/F5Networks/k8s-bigip-ctlr - https://github.com/F5Networks/charts -version: 0.0.2801 +version: 0.0.2901 diff --git a/charts/f5/f5-bigip-ctlr/crds/f5-bigip-ctlr-customresourcedefinitions.yml b/charts/f5/f5-bigip-ctlr/crds/f5-bigip-ctlr-customresourcedefinitions.yml index dcd85c9493..8cad89b784 100644 --- a/charts/f5/f5-bigip-ctlr/crds/f5-bigip-ctlr-customresourcedefinitions.yml +++ b/charts/f5/f5-bigip-ctlr/crds/f5-bigip-ctlr-customresourcedefinitions.yml @@ -33,9 +33,17 @@ spec: host: type: string pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + hostAliases: + type: array + items: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' hostGroup: type: string pattern: '^[a-zA-Z]+[-A-z0-9_.:]*[A-z0-9]*$' + hostGroupVirtualServerName: + type: string + pattern: '^[a-zA-Z]+([A-z0-9-_+])*([A-z0-9])$' httpTraffic: type: string enum: [allow, none, redirect] 
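Review bot: The new `hostGroupVirtualServerName` pattern `^[a-zA-Z]+([A-z0-9-_+])*([A-z0-9])$` uses the range `A-z`, which also spans the ASCII characters between `Z` and `a`, so `[`, `\`, `]`, `^` and the backtick pass admission in a value that presumably becomes a BIG-IP object name. The tighter form is `^[a-zA-Z]+([A-Za-z0-9-_+])*([A-Za-z0-9])$`. The same `A-z` range is introduced by the new `sslProfile` patterns in the hunks at `@@ -178`, `@@ -269` and `@@ -293` and by `defaultPool.serviceNamespace` at `@@ -1011`; the pre-existing `hostGroup` pattern in this hunk's context has the same flaw but is not part of the change.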
@@ -54,6 +62,39 @@ spec: persistenceProfile: type: string pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + hostPersistence: + type: object + properties: + method: + type: string + enum: [ sourceAddress, destinationAddress, cookieInsert, cookieRewrite, cookiePassive, cookieHash, universal, hash, carp, none ] + metaData: + type: object + properties: + name: + type: string + key: + type: string + netmask: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$' + timeout: + type: integer + minimum: 1 + maximum: 65535 + offset: + type: integer + minimum: 1 + maximum: 65535 + length: + type: integer + minimum: 1 + maximum: 65535 + expiry: + type: string + pattern: '^((?:(?:[0-9]+d))|(?:(?:[0-9]+d)?((?:[01]?[0-9]|2[0-3]):[0-5][0-9](?::[0-5][0-9])?)))$' + required: + - method htmlProfile: type: string pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' @@ -178,6 +219,9 @@ spec: type: string recv: type: string + sslProfile: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' reference: type: string enum: [ bigip, service ] @@ -269,6 +313,9 @@ spec: reference: type: string enum: [bigip] + sslProfile: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' monitors: type: array items: 
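Review bot: The `hostPersistence.metaData.netmask` pattern is anchored as `^<ipv4>|(<ipv6 alternatives>)$`, and since alternation binds loosest the `^` applies only to the IPv4 branch and the `$` only to the IPv6 group, so any value that merely starts with dotted-quad digits or ends with something hex-and-colon shaped is accepted. Wrapping the whole body fixes it: `^(<ipv4>|(<ipv6 alternatives>))$`, i.e. insert `(` directly after `^` and `)` directly before `$`, leaving the two sub-patterns as they are. This CRD pattern is presumably the only admission-time check the value gets before the controller passes it on, so the looseness is better closed here than downstream.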
@@ -293,6 +340,9 @@ spec: reference: type: string enum: [bigip] + sslProfile: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' minimumMonitors: x-kubernetes-int-or-string: true anyOf: @@ -311,12 +361,12 @@ spec: properties: clusterName: type: string - serviceName: + service: type: string pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' namespace: type: string - port: + servicePort: x-kubernetes-int-or-string: true anyOf: - type: integer @@ -450,19 +500,25 @@ spec: pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' reference: type: string - enum: [bigip, secret] + enum: [bigip, secret, hybrid] clientSSLParams: type: object properties: renegotiationEnabled: type: boolean default: true + profileReference: + type: string + enum: [ bigip, secret ] serverSSLParams: type: object properties: renegotiationEnabled: type: boolean default: true + profileReference: + type: string + enum: [ bigip, secret ] required: - termination @@ -665,12 +721,12 @@ spec: properties: clusterName: type: string - serviceName: + service: type: string pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' namespace: type: string - port: + servicePort: x-kubernetes-int-or-string: true anyOf: - type: integer 
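Review bot: Renaming `serviceName` to `service` and `port` to `servicePort` in the hunk at `@@ -311,12 +361,12` changes the structural schema in place, and assuming this is an apiextensions.k8s.io/v1 CRD with pruning on, objects already stored with the old field names have those fields pruned rather than rejected, so existing pool-member entries silently lose their service and port after the upgrade. Unless a conversion or a new served version ships elsewhere in the chart (not visible here), keeping the old names in the schema for one release, or at least documenting the manual migration in the chart's upgrade notes, avoids a silent outage. The same rename is repeated in the hunk at `@@ -665,12 +721,12`.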
@@ -1011,6 +1067,67 @@ spec: items: type: string pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + defaultPool: + type: object + properties: + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + serviceNamespace: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + loadBalancingMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + nodeMemberLabel: + type: string + pattern: '^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$' + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: [ tcp, udp, http, https ] + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [ bigip ] + send: + type: string + recv: + type: string + sslProfile: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + reference: + type: string + enum: [ bigip, service ] + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + required: + - reference profiles: type: object properties: diff --git a/charts/gluu/gluu/Chart.yaml b/charts/gluu/gluu/Chart.yaml index 5d577ceeaa..092f6f3a5a 100644 --- a/charts/gluu/gluu/Chart.yaml +++ b/charts/gluu/gluu/Chart.yaml 
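Review bot: The new `defaultPool.service` pattern `[a-z]([-a-z0-9]*[a-z0-9])?` has no `^`/`$` anchors, so it accepts any value that contains a single lowercase letter anywhere, including names with spaces or uppercase characters. Anchoring it as `^[a-z]([-a-z0-9]*[a-z0-9])?$` gives the DNS-label check the pattern was evidently meant to be; the unanchored form is copied from the existing `service` fields in the earlier hunks, so the same fix applies there. Separately, `defaultPool` requires only `reference` while `name`, `service` and `servicePort` stay optional, so a `reference: service` pool with no service passes admission; if the controller validates that combination at runtime, a one-line comment beside `required:` saying so would save the next reader from checking.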
@@ -2,27 +2,27 @@ annotations: artifacthub.io/containsSecurityUpdates: "true" artifacthub.io/images: | - name: auth-server - image: ghcr.io/janssenproject/jans/auth-server:1.0.22-1 + image: ghcr.io/janssenproject/jans/auth-server:1.1.0-1 - name: auth-server-key-rotation - image: ghcr.io/janssenproject/jans/certmanager:1.0.22-1 + image: ghcr.io/janssenproject/jans/certmanager:1.1.0-1 - name: configuration-manager - image: ghcr.io/janssenproject/jans/configurator:1.0.22-1 + image: ghcr.io/janssenproject/jans/configurator:1.1.0-1 - name: config-api - image: ghcr.io/janssenproject/jans/config-api:1.0.22-1 + image: ghcr.io/janssenproject/jans/config-api:1.1.0-1 - name: fido2 - image: ghcr.io/janssenproject/jans/fido2:1.0.22-1 + image: ghcr.io/janssenproject/jans/fido2:1.1.0-1 - name: persistence - image: ghcr.io/janssenproject/jans/persistence-loader:1.0.22-1 + image: ghcr.io/janssenproject/jans/persistence-loader:1.1.0-1 - name: scim - image: ghcr.io/janssenproject/jans/scim:1.0.22-1 + image: ghcr.io/janssenproject/jans/scim:1.1.0-1 - name: casa - image: ghcr.io/janssenproject/jans/casa:1.0.22-1 + image: ghcr.io/janssenproject/jans/casa:1.1.0-1 - name: admin-ui - image: ghcr.io/gluufederation/flex/admin-ui:1.0.22-1 + image: ghcr.io/gluufederation/flex/admin-ui:5.1.0-1 - name: link - image: ghcr.io/janssenproject/jans/link:1.0.22-1 + image: ghcr.io/janssenproject/jans/link:1.1.0-1 - name: saml - image: ghcr.io/janssenproject/jans/saml:1.0.22-1 + image: ghcr.io/janssenproject/jans/saml:1.1.0-1 artifacthub.io/license: Apache-2.0 catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Gluu Cloud Identity and Access Management 
@@ -30,64 +30,64 @@ annotations: catalog.cattle.io/kube-version: '>=v1.21.0-0' catalog.cattle.io/release-name: gluu apiVersion: v2 -appVersion: 5.0.22 +appVersion: 5.1.0 dependencies: - condition: global.config.enabled name: config repository: file://./charts/config - version: 5.0.25 + version: 1.1.0 - condition: global.config-api.enabled name: config-api repository: file://./charts/config-api - version: 5.0.25 + version: 1.1.0 - condition: global.opendj.enabled name: opendj repository: file://./charts/opendj - version: 5.0.25 + version: 5.1.0 - condition: global.auth-server.enabled name: auth-server repository: file://./charts/auth-server - version: 5.0.25 + version: 1.1.0 - condition: global.admin-ui.enabled name: admin-ui repository: file://./charts/admin-ui - version: 5.0.25 + version: 5.1.0 - condition: global.fido2.enabled name: fido2 repository: file://./charts/fido2 - version: 5.0.25 + version: 1.1.0 - condition: global.scim.enabled name: scim repository: file://./charts/scim - version: 5.0.25 + version: 1.1.0 - condition: global.nginx-ingress.enabled name: nginx-ingress repository: file://./charts/nginx-ingress - version: 5.0.25 + version: 5.1.0 - condition: global.casa.enabled name: casa repository: file://./charts/casa - version: 5.0.25 + version: 1.1.0 - condition: global.auth-server-key-rotation.enabled name: auth-server-key-rotation repository: file://./charts/auth-server-key-rotation - version: 5.0.25 + version: 1.1.0 - condition: global.persistence.enabled name: persistence repository: file://./charts/persistence - version: 5.0.25 + version: 1.1.0 - condition: global.istio.ingress name: cn-istio-ingress repository: file://./charts/cn-istio-ingress - version: 5.0.25 + version: 5.1.0 - condition: global.link.enabled name: link repository: file://./charts/link - version: 5.0.25 + version: 1.1.0 - condition: global.saml.enabled name: saml repository: file://./charts/saml - version: 5.0.25 + version: 1.1.0 description: Gluu Access and Identity Management 
home: https://www.gluu.org icon: https://gluu.org/docs/gluu-server/favicon.ico @@ -98,4 +98,4 @@ maintainers: name: gluu sources: - https://docs.gluu.org -version: 5.0.25 +version: 5.1.0 diff --git a/charts/gluu/gluu/README.md b/charts/gluu/gluu/README.md index e97f64360a..53447b2768 100644 --- a/charts/gluu/gluu/README.md +++ b/charts/gluu/gluu/README.md @@ -1,6 +1,6 @@ # gluu -![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) +![Version: 5.1.0](https://img.shields.io/badge/Version-5.1.0-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) Gluu Access and Identity Management 
@@ -22,26 +22,26 @@ Kubernetes: `>=v1.21.0-0` | Repository | Name | Version | |------------|------|---------| -| | admin-ui | 5.0.25 | -| | auth-server | 5.0.25 | -| | auth-server-key-rotation | 5.0.25 | -| | casa | 5.0.25 | -| | cn-istio-ingress | 5.0.25 | -| | config | 5.0.25 | -| | config-api | 5.0.25 | -| | fido2 | 5.0.25 | -| | link | 5.0.25 | -| | nginx-ingress | 5.0.25 | -| | opendj | 5.0.25 | -| | persistence | 5.0.25 | -| | saml | 5.0.25 | -| | scim | 5.0.25 | +| | admin-ui | 5.1.0 | +| | auth-server | 1.1.0 | +| | auth-server-key-rotation | 1.1.0 | +| | casa | 1.1.0 | +| | cn-istio-ingress | 5.1.0 | +| | config | 1.1.0 | +| | config-api | 1.1.0 | +| | fido2 | 1.1.0 | +| | link | 1.1.0 | +| | nginx-ingress | 5.1.0 | +| | opendj | 5.1.0 | +| | persistence | 1.1.0 | +| | saml | 1.1.0 | +| | scim | 1.1.0 | ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| -| admin-ui | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/gluufederation/flex/admin-ui","tag":"1.0.22_dev"},"lifecycle":{},"livenessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Admin GUI for configuration of the auth-server | +| admin-ui | object | 
`{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/gluufederation/flex/admin-ui","tag":"5.1.0-1"},"lifecycle":{},"livenessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Admin GUI for configuration of the auth-server | | admin-ui.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | | admin-ui.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | | admin-ui.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | 
@@ -53,7 +53,7 @@ Kubernetes: `>=v1.21.0-0` | admin-ui.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | admin-ui.image.pullSecrets | list | `[]` | Image Pull Secrets | | admin-ui.image.repository | string | `"ghcr.io/gluufederation/flex/admin-ui"` | Image to use for deploying. | -| admin-ui.image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| admin-ui.image.tag | string | `"5.1.0-1"` | Image tag to use for deploying. | | admin-ui.livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | | admin-ui.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | | admin-ui.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | 
@@ -69,8 +69,8 @@ Kubernetes: `>=v1.21.0-0` | admin-ui.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | admin-ui.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | admin-ui.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| auth-server | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/auth-server","tag":"1.0.22_dev"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. 
| -| auth-server-key-rotation | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/certmanager","tag":"1.0.22_dev"},"keysLife":48,"keysPushDelay":0,"keysPushStrategy":"NEWER","keysStrategy":"NEWER","lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for regenerating auth-keys per x hours | +| auth-server | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/auth-server","tag":"1.1.0-1"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. 
| +| auth-server-key-rotation | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/certmanager","tag":"1.1.0-1"},"keysLife":48,"keysPushDelay":0,"keysPushStrategy":"NEWER","keysStrategy":"NEWER","lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for regenerating auth-keys per x hours | | auth-server-key-rotation.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | | auth-server-key-rotation.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | | auth-server-key-rotation.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | 
@@ -79,7 +79,7 @@ Kubernetes: `>=v1.21.0-0` | auth-server-key-rotation.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | auth-server-key-rotation.image.pullSecrets | list | `[]` | Image Pull Secrets | | auth-server-key-rotation.image.repository | string | `"ghcr.io/janssenproject/jans/certmanager"` | Image to use for deploying. | -| auth-server-key-rotation.image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| auth-server-key-rotation.image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | | auth-server-key-rotation.keysLife | int | `48` | Auth server key rotation keys life in hours | | auth-server-key-rotation.keysPushDelay | int | `0` | Delay (in seconds) before pushing private keys to Auth server | | auth-server-key-rotation.keysPushStrategy | string | `"NEWER"` | Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0) | 
@@ -105,7 +105,7 @@ Kubernetes: `>=v1.21.0-0` | auth-server.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | auth-server.image.pullSecrets | list | `[]` | Image Pull Secrets | | auth-server.image.repository | string | `"ghcr.io/janssenproject/jans/auth-server"` | Image to use for deploying. | -| auth-server.image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| auth-server.image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | | auth-server.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | | auth-server.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | | auth-server.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | 
@@ -122,7 +122,7 @@ Kubernetes: `>=v1.21.0-0` | auth-server.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | auth-server.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | auth-server.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| casa | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/casa","tag":"1.0.22_dev"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Janssen Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Janssen Auth Server. 
| +| casa | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/casa","tag":"1.1.0-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Janssen Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Janssen Auth Server. | | casa.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | | casa.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | | casa.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | 
@@ -134,7 +134,7 @@ Kubernetes: `>=v1.21.0-0` | casa.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | casa.image.pullSecrets | list | `[]` | Image Pull Secrets | | casa.image.repository | string | `"ghcr.io/janssenproject/jans/casa"` | Image to use for deploying. | -| casa.image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| casa.image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | | casa.livenessProbe | object | `{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | | casa.livenessProbe.httpGet.path | string | `"/jans-casa/health-check"` | http liveness probe endpoint | | casa.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | 
@@ -152,8 +152,8 @@ Kubernetes: `>=v1.21.0-0` | casa.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | casa.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | casa.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| config | object | `{"additionalAnnotations":{},"additionalLabels":{},"adminPassword":"Test1234#","city":"Austin","configmap":{"cnAwsAccessKeyId":"","cnAwsDefaultRegion":"us-west-1","cnAwsProfile":"gluu","cnAwsSecretAccessKey":"","cnAwsSecretsEndpointUrl":"","cnAwsSecretsNamePrefix":"gluu","cnAwsSecretsReplicaRegions":[],"cnCacheType":"NATIVE_PERSISTENCE","cnConfigKubernetesConfigMap":"cn","cnCouchbaseBucketPrefix":"jans","cnCouchbaseCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnCouchbaseIndexNumReplica":0,"cnCouchbasePassword":"P@ssw0rd","cnCouchbaseSuperUser":"admin","cnCouchbaseSuperUserPassword":"Test1234#","cnCouchbaseUrl":"cbgluu.default.svc.cluster.local","cnCouchbaseUser":"gluu","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSecretNamePrefix":"gluu","cnGoogleSecretVersionId":"latest","cnGoogleSpannerDatabaseId":"","cnGoogleSpannerInstanceId":"","cnJettyRequestHeaderSize":8192,"cnLdapCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnLdapKey":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnLdapUrl":"opendj:1636","cnMaxRamPercent":"75.0","cnMessageType":"DISABLED","cnOpaUrl":"http://opa.opa.svc.cluster.cluster.local:8181/v1","cnPersistenceHybridMapping":"{}","cnRedisSentinelGroup":"","cnRedisSslTruststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnScimProtectionMode":"OAUTH","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSql
DbName":"gluu","cnSqlDbPort":3306,"cnSqlDbSchema":"","cnSqlDbTimezone":"UTC","cnSqlDbUser":"gluu","cnSqldbUserPassword":"Test1234#","kcDbPassword":"Test1234#","kcDbSchema":"keycloak","kcDbUrlDatabase":"keycloak","kcDbUrlHost":"mysql.kc.svc.cluster.local","kcDbUrlPort":3306,"kcDbUrlProperties":"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4","kcDbUsername":"keycloak","kcDbVendor":"mysql","kcLogLevel":"INFO","kcProxy":"edge","lbAddr":"","quarkusTransactionEnableRecovery":true},"countryCode":"US","customScripts":[],"dnsConfig":{},"dnsPolicy":"","email":"team@gluu.org","image":{"pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/configurator","tag":"1.0.22_dev"},"ldapPassword":"P@ssw0rds","ldapTruststorePassword":"changeit","lifecycle":{},"migration":{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"},"orgName":"Gluu","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"salt":"","state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. 
| -| config-api | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/config-api","tag":"1.0.22_dev"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). 
| +| config | object | `{"additionalAnnotations":{},"additionalLabels":{},"adminPassword":"Test1234#","city":"Austin","configmap":{"cnAwsAccessKeyId":"","cnAwsDefaultRegion":"us-west-1","cnAwsProfile":"gluu","cnAwsSecretAccessKey":"","cnAwsSecretsEndpointUrl":"","cnAwsSecretsNamePrefix":"gluu","cnAwsSecretsReplicaRegions":[],"cnCacheType":"NATIVE_PERSISTENCE","cnConfigKubernetesConfigMap":"cn","cnCouchbaseBucketPrefix":"jans","cnCouchbaseCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnCouchbaseIndexNumReplica":0,"cnCouchbasePassword":"P@ssw0rd","cnCouchbaseSuperUser":"admin","cnCouchbaseSuperUserPassword":"Test1234#","cnCouchbaseUrl":"cbgluu.default.svc.cluster.local","cnCouchbaseUser":"gluu","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSecretNamePrefix":"gluu","cnGoogleSecretVersionId":"latest","cnGoogleSpannerDatabaseId":"","cnGoogleSpannerInstanceId":"","cnJettyRequestHeaderSize":8192,"cnLdapCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnLdapKey":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnLdapUrl":"opendj:1636","cnMaxRamPercent":"75.0","cnMessageType":"DISABLED","cnOpaUrl":"http://opa.opa.svc.cluster.cluster.local:8181/v1","cnPersistenceHybridMapping":"{}","cnRedisSentinelGroup":"","cnRedisSslTruststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnScimProtectionMode":"OAUTH","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"gluu","cnSqlDbPort":3306,"cnSqlDbSchema":"","cnSqlDbTimezone":"UTC","cnSqlDbUser":"gluu","cnSqldbUserPassword":"Test1234#","cnVaultAddr":"http://localhost:8200","cnVaultAppRolePath":"approle","cnVaultKvPath":"secret","cnVaultNamespace":"","cnVaultPrefix":"jans","cnVaultRoleId":"","cnVaultRoleIdFile":"/etc/certs/vault_role_id","cnVaultSecretId":"","cnVau
ltSecretIdFile":"/etc/certs/vault_secret_id","cnVaultVerify":false,"kcDbPassword":"Test1234#","kcDbSchema":"keycloak","kcDbUrlDatabase":"keycloak","kcDbUrlHost":"mysql.kc.svc.cluster.local","kcDbUrlPort":3306,"kcDbUrlProperties":"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4","kcDbUsername":"keycloak","kcDbVendor":"mysql","kcLogLevel":"INFO","kcProxy":"edge","lbAddr":"","quarkusTransactionEnableRecovery":true},"countryCode":"US","customScripts":[],"dnsConfig":{},"dnsPolicy":"","email":"team@gluu.org","image":{"pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/configurator","tag":"1.1.0-1"},"ldapPassword":"P@ssw0rds","ldapTruststorePassword":"changeit","lifecycle":{},"migration":{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"},"orgName":"Gluu","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"salt":"","state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. 
| +| config-api | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/config-api","tag":"1.1.0-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). | | config-api.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | | config-api.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | | config-api.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | 
@@ -165,7 +165,7 @@ Kubernetes: `>=v1.21.0-0` | config-api.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | config-api.image.pullSecrets | list | `[]` | Image Pull Secrets | | config-api.image.repository | string | `"ghcr.io/janssenproject/jans/config-api"` | Image to use for deploying. | -| config-api.image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| config-api.image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | | config-api.livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | | config-api.livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | http liveness probe endpoint | | config-api.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | 
@@ -225,6 +225,16 @@ Kubernetes: `>=v1.21.0-0` | config.configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | | config.configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | | config.configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected the secrets . | +| config.configmap.cnVaultAddr | string | `"http://localhost:8200"` | Base URL of Vault. | +| config.configmap.cnVaultAppRolePath | string | `"approle"` | Path to Vault AppRole. | +| config.configmap.cnVaultKvPath | string | `"secret"` | Path to Vault KV secrets engine. | +| config.configmap.cnVaultNamespace | string | `""` | Vault namespace used to access the secrets. | +| config.configmap.cnVaultPrefix | string | `"jans"` | Base prefix name used to access secrets. | +| config.configmap.cnVaultRoleId | string | `""` | Vault AppRole RoleID. | +| config.configmap.cnVaultRoleIdFile | string | `"/etc/certs/vault_role_id"` | Path to file contains Vault AppRole role ID. | +| config.configmap.cnVaultSecretId | string | `""` | Vault AppRole SecretID. | +| config.configmap.cnVaultSecretIdFile | string | `"/etc/certs/vault_secret_id"` | Path to file contains Vault AppRole secret ID. | +| config.configmap.cnVaultVerify | bool | `false` | Verify connection to Vault. | | config.configmap.kcDbPassword | string | `"Test1234#"` | Password for Keycloak database access | | config.configmap.kcDbSchema | string | `"keycloak"` | Keycloak database schema name (note that PostgreSQL may be using "public" schema). | | config.configmap.kcDbUrlDatabase | string | `"keycloak"` | Keycloak database name. | 
@@ -244,7 +254,7 @@ Kubernetes: `>=v1.21.0-0` | config.email | string | `"team@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | | config.image.pullSecrets | list | `[]` | Image Pull Secrets | | config.image.repository | string | `"ghcr.io/janssenproject/jans/configurator"` | Image to use for deploying. | -| config.image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| config.image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | | config.ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpenDJ is used for persistence. | | config.ldapTruststorePassword | string | `"changeit"` | LDAP truststore password if OpenDJ is used for persistence | | config.migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | 
@@ -265,7 +275,7 @@ Kubernetes: `>=v1.21.0-0` | config.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | | config.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | config.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| fido2 | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/fido2","tag":"1.0.22_dev"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"service":{"name":"http-fido2","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. 
| +| fido2 | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/fido2","tag":"1.1.0-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"service":{"name":"http-fido2","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. | | fido2.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | | fido2.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | | fido2.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | 
@@ -277,7 +287,7 @@ Kubernetes: `>=v1.21.0-0` | fido2.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | fido2.image.pullSecrets | list | `[]` | Image Pull Secrets | | fido2.image.repository | string | `"ghcr.io/janssenproject/jans/fido2"` | Image to use for deploying. | -| fido2.image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| fido2.image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | | fido2.livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | | fido2.livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | | fido2.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | 
@@ -296,12 +306,13 @@ Kubernetes: `>=v1.21.0-0` | fido2.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | fido2.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | fido2.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| global | object | `{"admin-ui":{"adminUiServiceName":"admin-ui","enabled":true,"ingress":{"adminUiEnabled":false}},"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 RSA-OAEP","authServerServiceName":"auth-server","authSigKeys":"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 
PS512","enabled":true,"ingress":{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true},"lockEnabled":false},"auth-server-key-rotation":{"enabled":true},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","casa":{"appLoggers":{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"},"casaServiceName":"casa","enabled":true,"ingress":{"casaEnabled":false}},"cloud":{"testEnviroment":false},"cnAwsConfigFile":"/etc/jans/conf/aws_config_file","cnAwsSecretsReplicaRegionsFile":"/etc/jans/conf/aws_secrets_replica_regions","cnAwsSharedCredentialsFile":"/etc/jans/conf/aws_shared_credential_file","cnCouchbasePasswordFile":"/etc/jans/conf/couchbase_password","cnCouchbaseSuperuserPasswordFile":"/etc/jans/conf/couchbase_superuser_password","cnDocumentStoreType":"DB","cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnLdapCacertFile":"/etc/certs/opendj.pem","cnLdapCertFile":"/etc/certs/opendj.crt","cnLdapKeyFile":"/etc/certs/opendj.key","cnLdapPasswordFile":"/etc/jans/conf/ldap_password","cnLdapTruststoreFile":"/etc/certs/opendj.pkcs12","cnLdapTruststorePasswordFile":"/etc/jans/conf/ldap_truststore_password","cnObExtSigningAlias":"","cnObExtSigningJwksCrt":"","cnObExtSigningJwksKey":"","cnObExtSigningJwksKeyPassPhrase":"","cnObExtSigningJwksUri":"","cnObStaticSigningKeyKid":"","cnObTransportAlias":"","cnObTransportCrt":"","cnObTransportKey":"","cnObTransportKeyPassPhrase":"","cnObTransportTrustStore":"","cnPersistenceType":"sql","cnPrometheusPort":"","cnSqlPasswordFile":"/etc/jans/conf/sql_password","config":{"enabled":true},"config-api":{"adminUiAppLoggers":{"adminUiAuditLogLevel":"INFO","adminUiAuditLogTarget":"FILE","adminUiLo
gLevel":"INFO","adminUiLogTarget":"FILE","enableStdoutLogPrefix":"true"},"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"configApiServerServiceName":"config-api","enabled":true,"ingress":{"configApiEnabled":true},"plugins":"admin-ui,fido2,scim,user-mgt"},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","distribution":"default","fido2":{"appLoggers":{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"fido2ServiceName":"fido2","ingress":{"fido2ConfigEnabled":false}},"fqdn":"demoexample.gluu.org","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"gateways":[],"ingress":false,"namespace":"istio-system"},"jobTtlSecondsAfterFinished":300,"kcAdminCredentialsFile":"/etc/jans/conf/kc_admin_creds","kcDbPasswordFile":"/etc/jans/conf/kc_db_password","lbIp":"22.22.22.22","licenseSsa":"","link":{"appLoggers":{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","linkLogLevel":"INFO","linkLogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":false,"ingress":{"linkEnabled":true},"linkServiceName":"link"},"nginx-ingress":{"enabled":true},"opendj":{"enabled":false,"ldapServiceName":"opendj"},"persistence":{"enabled":true},"saml":{"enabled":false,"ingress":{"samlEnabled":false},"saml
ServiceName":"saml"},"scim":{"appLoggers":{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"ingress":{"scimConfigEnabled":false,"scimEnabled":false},"scimServiceName":"scim"},"storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. | +| global | object | `{"admin-ui":{"adminUiServiceName":"admin-ui","enabled":true,"ingress":{"adminUiEnabled":false}},"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 RSA-OAEP","authServerServiceName":"auth-server","authSigKeys":"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 
PS512","enabled":true,"ingress":{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true},"lockEnabled":false},"auth-server-key-rotation":{"enabled":true,"initKeysLife":48},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","casa":{"appLoggers":{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"},"casaServiceName":"casa","enabled":true,"ingress":{"casaEnabled":false}},"cloud":{"testEnviroment":false},"cnAwsConfigFile":"/etc/jans/conf/aws_config_file","cnAwsSecretsReplicaRegionsFile":"/etc/jans/conf/aws_secrets_replica_regions","cnAwsSharedCredentialsFile":"/etc/jans/conf/aws_shared_credential_file","cnCouchbasePasswordFile":"/etc/jans/conf/couchbase_password","cnCouchbaseSuperuserPasswordFile":"/etc/jans/conf/couchbase_superuser_password","cnDocumentStoreType":"DB","cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnLdapCacertFile":"/etc/certs/opendj.pem","cnLdapCertFile":"/etc/certs/opendj.crt","cnLdapKeyFile":"/etc/certs/opendj.key","cnLdapPasswordFile":"/etc/jans/conf/ldap_password","cnLdapTruststoreFile":"/etc/certs/opendj.pkcs12","cnLdapTruststorePasswordFile":"/etc/jans/conf/ldap_truststore_password","cnObExtSigningAlias":"","cnObExtSigningJwksCrt":"","cnObExtSigningJwksKey":"","cnObExtSigningJwksKeyPassPhrase":"","cnObExtSigningJwksUri":"","cnObStaticSigningKeyKid":"","cnObTransportAlias":"","cnObTransportCrt":"","cnObTransportKey":"","cnObTransportKeyPassPhrase":"","cnObTransportTrustStore":"","cnPersistenceType":"sql","cnPrometheusPort":"","cnSqlPasswordFile":"/etc/jans/conf/sql_password","config":{"enabled":true},"config-api":{"adminUiAppLoggers":{"adminUiAuditLogLevel":"INFO","adminUiAuditLogTarget"
:"FILE","adminUiLogLevel":"INFO","adminUiLogTarget":"FILE","enableStdoutLogPrefix":"true"},"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"configApiServerServiceName":"config-api","enabled":true,"ingress":{"configApiEnabled":true},"plugins":"admin-ui,fido2,scim,user-mgt"},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","distribution":"default","fido2":{"appLoggers":{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"fido2ServiceName":"fido2","ingress":{"fido2ConfigEnabled":false,"fido2Enabled":false}},"fqdn":"demoexample.gluu.org","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"gateways":[],"ingress":false,"namespace":"istio-system"},"jobTtlSecondsAfterFinished":300,"kcAdminCredentialsFile":"/etc/jans/conf/kc_admin_creds","kcDbPasswordFile":"/etc/jans/conf/kc_db_password","lbIp":"22.22.22.22","licenseSsa":"","link":{"appLoggers":{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","linkLogLevel":"INFO","linkLogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":false,"ingress":{"linkEnabled":true},"linkServiceName":"link"},"nginx-ingress":{"enabled":true},"opendj":{"enabled":false,"ldapServiceName":"opendj"},"persistence":{"enabled":true},"saml":{"enabled":fals
e,"ingress":{"samlEnabled":false},"samlServiceName":"saml"},"scim":{"appLoggers":{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"ingress":{"scimConfigEnabled":false,"scimEnabled":false},"scimServiceName":"scim"},"storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. | | global.admin-ui.adminUiServiceName | string | `"admin-ui"` | Name of the admin-ui service. Please keep it as default. | | global.admin-ui.enabled | bool | `true` | Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. | | global.admin-ui.ingress.adminUiEnabled | bool | `false` | Enable Admin UI endpoints in either istio or nginx ingress depending on users choice | | global.alb.ingress | bool | `false` | Activates ALB ingress | | global.auth-server-key-rotation.enabled | bool | `true` | Boolean flag to enable/disable the auth-server-key rotation cronjob chart. 
| +| global.auth-server-key-rotation.initKeysLife | int | `48` | The initial auth server key rotation keys life in hours | | global.auth-server.appLoggers | object | `{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | | global.auth-server.appLoggers.auditStatsLogLevel | string | `"INFO"` | jans-auth_audit.log level | | global.auth-server.appLoggers.auditStatsLogTarget | string | `"FILE"` | jans-auth_script.log target | 
@@ -395,7 +406,7 @@ Kubernetes: `>=v1.21.0-0` | global.config-api.plugins | string | `"admin-ui,fido2,scim,user-mgt"` | Comma-separated values of enabled plugins (supported plugins are "admin-ui","fido2","scim","user-mgt","jans-link","kc-saml") | | global.config.enabled | bool | `true` | Boolean flag to enable/disable the configuration chart. This normally should never be false | | global.configAdapterName | string | `"kubernetes"` | The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes | -| global.configSecretAdapter | string | `"kubernetes"` | The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes | +| global.configSecretAdapter | string | `"kubernetes"` | The config backend adapter that will hold Gluu secret layer. vault|aws|google|kubernetes | | global.distribution | string | `"default"` | Gluu distributions supported are: default|openbanking. | | global.fido2.appLoggers | object | `{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | | global.fido2.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO | 
@@ -409,8 +420,9 @@ Kubernetes: `>=v1.21.0-0` | global.fido2.appLoggers.scriptLogTarget | string | `"FILE"` | fido2_script.log target | | global.fido2.enabled | bool | `true` | Boolean flag to enable/disable the fido2 chart. | | global.fido2.fido2ServiceName | string | `"fido2"` | Name of the fido2 service. Please keep it as default. | -| global.fido2.ingress | object | `{"fido2ConfigEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.fido2.ingress | object | `{"fido2ConfigEnabled":false,"fido2Enabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | | global.fido2.ingress.fido2ConfigEnabled | bool | `false` | Enable endpoint /.well-known/fido2-configuration | +| global.fido2.ingress.fido2Enabled | bool | `false` | Enable endpoint /jans-fido2 | | global.fqdn | string | `"demoexample.gluu.org"` | Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. | | global.gcePdStorageType | string | `"pd-standard"` | GCE storage kind if using Google disks | | global.isFqdnRegistered | bool | `false` | Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. | 
@@ -470,7 +482,7 @@ Kubernetes: `>=v1.21.0-0` | global.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | | global.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | | installer-settings | object | `{"acceptLicense":"","aws":{"arn":{"arnAcmCert":"","enabled":""},"lbType":"","vpcCidr":"0.0.0.0/0"},"confirmSettings":false,"couchbase":{"backup":{"fullSchedule":"","incrementalSchedule":"","retentionTime":"","storageSize":""},"clusterName":"","commonName":"","customFileOverride":"","install":"","lowResourceInstall":"","namespace":"","subjectAlternativeName":"","totalNumberOfExpectedTransactionsPerSec":"","totalNumberOfExpectedUsers":"","volumeType":""},"currentVersion":"","google":{"useSecretManager":""},"images":{"edit":""},"ldap":{"backup":{"fullSchedule":""}},"namespace":"","nginxIngress":{"namespace":"","releaseName":""},"nodes":{"ips":"","names":"","zones":""},"openbanking":{"cnObTransportTrustStoreP12password":"","hasCnObTransportTrustStore":false},"postgres":{"install":"","namespace":""},"redis":{"install":"","namespace":""},"releaseName":"","sql":{"install":"","namespace":""},"volumeProvisionStrategy":""}` | Only used by the installer. 
These settings do not affect nor are used by the chart | -| link | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/link","tag":"1.0.22_dev"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"1000Mi"},"requests":{"cpu":"500m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Link. | +| link | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/link","tag":"1.1.0-1"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"1000Mi"},"requests":{"cpu":"500m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Link. 
| | link.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | | link.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | | link.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | @@ -482,7 +494,7 @@ Kubernetes: `>=v1.21.0-0` | link.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | link.image.pullSecrets | list | `[]` | Image Pull Secrets | | link.image.repository | string | `"ghcr.io/janssenproject/jans/link"` | Image to use for deploying. | -| link.image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| link.image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | | link.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | | link.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | http liveness probe endpoint | | link.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | 
@@ -499,7 +511,7 @@ Kubernetes: `>=v1.21.0-0` | link.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | link.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | link.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| nginx-ingress | object | `{"certManager":{"certificate":{"enabled":false,"issuerGroup":"cert-manager.io","issuerKind":"ClusterIssuer","issuerName":""}},"ingress":{"additionalAnnotations":{},"additionalLabels":{},"adminUiAdditionalAnnotations":{},"adminUiLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"authServerProtectedRegisterAdditionalAnnotations":{},"authServerProtectedRegisterLabels":{},"authServerProtectedTokenAdditionalAnnotations":{},"authServerProtectedTokenLabels":{},"casaAdditionalAnnotations":{},"casaLabels":{},"configApiAdditionalAnnotations":{},"configApiLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","samlAdditionalAnnotations":{},"samlLabels":{},"scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}}` | Nginx ingress definitions chart | +| nginx-ingress | object | 
`{"certManager":{"certificate":{"enabled":false,"issuerGroup":"cert-manager.io","issuerKind":"ClusterIssuer","issuerName":""}},"ingress":{"additionalAnnotations":{},"additionalLabels":{},"adminUiAdditionalAnnotations":{},"adminUiLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"authServerProtectedRegisterAdditionalAnnotations":{},"authServerProtectedRegisterLabels":{},"authServerProtectedTokenAdditionalAnnotations":{},"authServerProtectedTokenLabels":{},"casaAdditionalAnnotations":{},"casaLabels":{},"configApiAdditionalAnnotations":{},"configApiLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"fido2AdditionalAnnotations":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"fido2Labels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","samlAdditionalAnnotations":{},"samlLabels":{},"scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}}` | Nginx ingress definitions chart | | nginx-ingress.ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify 
if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | | nginx-ingress.ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | | nginx-ingress.ingress.adminUiAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | @@ -516,8 +528,10 @@ Kubernetes: `>=v1.21.0-0` | nginx-ingress.ingress.configApiLabels | object | `{}` | configAPI ingress resource labels. key app is taken | | nginx-ingress.ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | | nginx-ingress.ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| nginx-ingress.ingress.fido2AdditionalAnnotations | object | `{}` | fido2 ingress resource additional annotations. | | nginx-ingress.ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | | nginx-ingress.ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.fido2Labels | object | `{}` | fido2 ingress resource labels. key app is taken | | nginx-ingress.ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | | nginx-ingress.ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | | nginx-ingress.ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | 
@@ -537,7 +551,7 @@ Kubernetes: `>=v1.21.0-0` | nginx-ingress.ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | | nginx-ingress.ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | | nginx-ingress.ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | -| opendj | object | `{"additionalAnnotations":{},"additionalLabels":{},"backup":{"cronJobSchedule":"*/59 * * * *","enabled":true},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/opendj","tag":"5.0.0-1"},"lifecycle":{"preStop":{"exec":{"command":["/bin/sh","-c","python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"]}}},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":1},"persistence":{"size":"5Gi"},"ports":{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OpenDJ is a directory server 
which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. | +| opendj | object | `{"additionalAnnotations":{},"additionalLabels":{},"backup":{"cronJobSchedule":"*/59 * * * *","enabled":true},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/opendj","tag":"5.0.0_dev"},"lifecycle":{"preStop":{"exec":{"command":["/bin/sh","-c","python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"]}}},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":1},"persistence":{"size":"5Gi"},"ports":{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full 
compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. | | opendj.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | | opendj.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | | opendj.backup | object | `{"cronJobSchedule":"*/59 * * * *","enabled":true}` | Configure ldap backup cronjob | @@ -550,7 +564,7 @@ Kubernetes: `>=v1.21.0-0` | opendj.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | opendj.image.pullSecrets | list | `[]` | Image Pull Secrets | | opendj.image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | -| opendj.image.tag | string | `"5.0.0-1"` | Image tag to use for deploying. | +| opendj.image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. | | opendj.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py | | opendj.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | | opendj.pdb | object | `{"enabled":true,"maxUnavailable":1}` | Configure the PodDisruptionBudget | 
@@ -568,7 +582,7 @@ Kubernetes: `>=v1.21.0-0` | opendj.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | opendj.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | opendj.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| persistence | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/persistence-loader","tag":"1.0.22_dev"},"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Job to generate data and initial config for Gluu Server persistence layer. | +| persistence | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/persistence-loader","tag":"1.1.0-1"},"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Job to generate data and initial config for Gluu Server persistence layer. | | persistence.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | | persistence.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | | persistence.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | 
@@ -577,7 +591,7 @@ Kubernetes: `>=v1.21.0-0` | persistence.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | persistence.image.pullSecrets | list | `[]` | Image Pull Secrets | | persistence.image.repository | string | `"ghcr.io/janssenproject/jans/persistence-loader"` | Image to use for deploying. | -| persistence.image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| persistence.image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | | persistence.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | | persistence.resources.limits.cpu | string | `"300m"` | CPU limit | | persistence.resources.limits.memory | string | `"300Mi"` | Memory limit. | 
@@ -588,7 +602,7 @@ Kubernetes: `>=v1.21.0-0` | persistence.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | persistence.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | persistence.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| saml | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/saml","tag":"1.0.22_dev"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"1000Mi"},"requests":{"cpu":"500m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | SAML. 
| +| saml | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/saml","tag":"1.1.0-1"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"1000Mi"},"requests":{"cpu":"500m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | SAML. | | saml.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | | saml.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | | saml.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | 
@@ -600,7 +614,7 @@ Kubernetes: `>=v1.21.0-0` | saml.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | saml.image.pullSecrets | list | `[]` | Image Pull Secrets | | saml.image.repository | string | `"ghcr.io/janssenproject/jans/saml"` | Image to use for deploying. | -| saml.image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| saml.image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | | saml.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | | saml.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | http liveness probe endpoint | | saml.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | 
@@ -617,7 +631,7 @@ Kubernetes: `>=v1.21.0-0` | saml.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | | saml.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | | saml.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | -| scim | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/scim","tag":"1.0.22_dev"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"service":{"name":"http-scim","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | System for Cross-domain Identity Management (SCIM) version 2.0 | +| scim | object | 
`{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/scim","tag":"1.1.0-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"service":{"name":"http-scim","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | System for Cross-domain Identity Management (SCIM) version 2.0 | | scim.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | | scim.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | | scim.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | 
@@ -629,7 +643,7 @@ Kubernetes: `>=v1.21.0-0`
 | scim.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
 | scim.image.pullSecrets | list | `[]` | Image Pull Secrets |
 | scim.image.repository | string | `"ghcr.io/janssenproject/jans/scim"` | Image to use for deploying. |
-| scim.image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. |
+| scim.image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. |
 | scim.livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. |
 | scim.livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint |
 | scim.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget |
@@ -650,4 +664,4 @@ Kubernetes: `>=v1.21.0-0`
 | scim.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)
+Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
diff --git a/charts/gluu/gluu/charts/admin-ui/Chart.yaml b/charts/gluu/gluu/charts/admin-ui/Chart.yaml
index 83e122fbd6..df7736c498 100644
--- a/charts/gluu/gluu/charts/admin-ui/Chart.yaml
+++ b/charts/gluu/gluu/charts/admin-ui/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 5.0.22
+appVersion: 5.1.0
 description: Admin GUI. Requires license.
 home: https://docs.gluu.org
 icon: https://gluu.org/docs/gluu-server/favicon.ico
@@ -17,4 +17,4 @@ sources:
 - https://github.com/GluuFederation/docker-gluu-admin-ui
 - https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/admin-ui
 type: application
-version: 5.0.25
+version: 5.1.0
diff --git a/charts/gluu/gluu/charts/admin-ui/README.md b/charts/gluu/gluu/charts/admin-ui/README.md
index e8d60582bc..be4a003a7c 100644
--- a/charts/gluu/gluu/charts/admin-ui/README.md
+++ b/charts/gluu/gluu/charts/admin-ui/README.md
@@ -1,6 +1,6 @@
 # admin-ui
-![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square)
+![Version: 5.1.0](https://img.shields.io/badge/Version-5.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square)
 Admin GUI. Requires license.
@@ -36,7 +36,7 @@ Kubernetes: `>=v1.21.0-0`
 | image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
 | image.pullSecrets | list | `[]` | Image Pull Secrets |
 | image.repository | string | `"gluufederation/admin-ui"` | Image to use for deploying. |
-| image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. |
+| image.tag | string | `"5.1.0-1"` | Image tag to use for deploying. |
 | lifecycle | object | `{}` | |
 | livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. |
 | readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. |
@@ -57,4 +57,4 @@ Kubernetes: `>=v1.21.0-0`
 | volumes | list | `[]` | |
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)
+Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
diff --git a/charts/gluu/gluu/charts/admin-ui/templates/deployment.yml b/charts/gluu/gluu/charts/admin-ui/templates/deployment.yml
index 0dbaac0667..3d6677d3dd 100644
--- a/charts/gluu/gluu/charts/admin-ui/templates/deployment.yml
+++ b/charts/gluu/gluu/charts/admin-ui/templates/deployment.yml
@@ -102,6 +102,14 @@ spec:
 name: google-sa
 subPath: google-credentials.json
 {{- end }}
+ {{ if eq .Values.global.configSecretAdapter "vault" }}
+ - name: vault
+ mountPath: /etc/certs/vault_role_id
+ subPath: vault_role_id
+ - name: vault
+ mountPath: /etc/certs/vault_secret_id
+ subPath: vault_secret_id
+ {{- end }}
 {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }}
 - name: {{ include "admin-ui.fullname" .}}-updatelbip
 mountPath: "/scripts"
@@ -180,6 +188,16 @@ spec:
 secret:
 secretName: {{ .Release.Name }}-google-sa
 {{- end }}
+ {{ if eq .Values.global.configSecretAdapter "vault" }}
+ - name: vault
+ secret:
+ secretName: {{ .Release.Name }}-vault
+ items:
+ - key: vault_role_id
+ path: vault_role_id
+ - key: vault_secret_id
+ path: vault_secret_id
+ {{- end }}
 {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }}
 {{- if not .Values.global.istio.enabled }}
 - name: cb-crt
diff --git a/charts/gluu/gluu/charts/admin-ui/values.yaml b/charts/gluu/gluu/charts/admin-ui/values.yaml
index 2fbb7400c0..4ecfeac684 100644
--- a/charts/gluu/gluu/charts/admin-ui/values.yaml
+++ b/charts/gluu/gluu/charts/admin-ui/values.yaml
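Review bot: The opening `{{ if eq .Values.global.configSecretAdapter "vault" }}` in both new blocks of deployment.yml lacks the left-trim dash that the neighbouring `{{- end }}` and `{{- if ... }}` guards use, so a non-vault render leaves stray indentation whitespace where the block was; use `{{- if eq .Values.global.configSecretAdapter "vault" }}` in the volumeMounts hunk and the volumes hunk, and the cronjobs.yaml hunk below has the same opener. The two mounts expose the AppRole role_id and secret_id as files under /etc/certs; a Secret-backed volume is mounted read-only by Kubernetes already, but an explicit `readOnly: true` on each mount states that intent where a reader of the template will look for it. The volumes entry assumes a Secret named `{{ .Release.Name }}-vault` carrying the keys `vault_role_id` and `vault_secret_id`; nothing in this commit shows that Secret being created or its keys documented alongside the new `vault` option in `global.configSecretAdapter`, so confirm it is provisioned elsewhere in the chart, otherwise the pod stays in ContainerCreating with a missing-secret mount error.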
@@ -27,7 +27,7 @@ image: # -- Image to use for deploying. repository: gluufederation/admin-ui # -- Image tag to use for deploying. - tag: 1.0.22_dev + tag: 5.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. diff --git a/charts/gluu/gluu/charts/auth-server-key-rotation/Chart.yaml b/charts/gluu/gluu/charts/auth-server-key-rotation/Chart.yaml index 14d306633b..85a8bbdd60 100644 --- a/charts/gluu/gluu/charts/auth-server-key-rotation/Chart.yaml +++ b/charts/gluu/gluu/charts/auth-server-key-rotation/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 5.0.22 +appVersion: 5.1.0 description: Responsible for regenerating auth-keys per x hours home: https://docs.gluu.org icon: https://gluu.org/docs/gluu-server/favicon.ico @@ -15,4 +15,4 @@ sources: - https://github.com/JanssenProject/docker-jans-certmanager - https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/auth-server-key-rotation type: application -version: 5.0.25 +version: 1.1.0 diff --git a/charts/gluu/gluu/charts/auth-server-key-rotation/README.md b/charts/gluu/gluu/charts/auth-server-key-rotation/README.md index 7fb435dc41..ffbd487460 100644 --- a/charts/gluu/gluu/charts/auth-server-key-rotation/README.md +++ b/charts/gluu/gluu/charts/auth-server-key-rotation/README.md @@ -1,6 +1,6 @@ # auth-server-key-rotation -![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) Responsible for regenerating auth-keys per x hours 
@@ -34,7 +34,7 @@ Kubernetes: `>=v1.21.0-0` | image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | image.pullSecrets | list | `[]` | Image Pull Secrets | | image.repository | string | `"janssenproject/certmanager"` | Image to use for deploying. | -| image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | | keysLife | int | `48` | Auth server key rotation keys life in hours | | keysPushDelay | int | `0` | Delay (in seconds) before pushing private keys to Auth server | | keysPushStrategy | string | `"NEWER"` | Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0) | @@ -50,4 +50,4 @@ Kubernetes: `>=v1.21.0-0` | volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/charts/auth-server-key-rotation/templates/cronjobs.yaml b/charts/gluu/gluu/charts/auth-server-key-rotation/templates/cronjobs.yaml index eddf7ec8d8..3f159db5a7 100644 --- a/charts/gluu/gluu/charts/auth-server-key-rotation/templates/cronjobs.yaml +++ b/charts/gluu/gluu/charts/auth-server-key-rotation/templates/cronjobs.yaml @@ -69,6 +69,14 @@ spec: name: google-sa subPath: google-credentials.json {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} {{- with .Values.volumeMounts }} {{- toYaml . | nindent 16 }} {{- end }} 
@@ -141,6 +149,16 @@ spec: secret: secretName: {{ .Release.Name }}-google-sa {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} {{- if not .Values.global.istio.enabled }} - name: cb-crt diff --git a/charts/gluu/gluu/charts/auth-server-key-rotation/values.yaml b/charts/gluu/gluu/charts/auth-server-key-rotation/values.yaml index d83f34c97d..9a31ff4743 100644 --- a/charts/gluu/gluu/charts/auth-server-key-rotation/values.yaml +++ b/charts/gluu/gluu/charts/auth-server-key-rotation/values.yaml @@ -18,7 +18,7 @@ image: # -- Image to use for deploying. repository: janssenproject/certmanager # -- Image tag to use for deploying. - tag: 1.0.22_dev + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Auth server key rotation keys life in hours diff --git a/charts/gluu/gluu/charts/auth-server/Chart.yaml b/charts/gluu/gluu/charts/auth-server/Chart.yaml index 63c8bdd857..1cad3ee829 100644 --- a/charts/gluu/gluu/charts/auth-server/Chart.yaml +++ b/charts/gluu/gluu/charts/auth-server/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 5.0.22 +appVersion: 5.1.0 description: OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. @@ -19,4 +19,4 @@ sources: - https://github.com/JanssenProject/docker-jans-auth-server - https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/auth-server type: application -version: 5.0.25 +version: 1.1.0 
diff --git a/charts/gluu/gluu/charts/auth-server/README.md b/charts/gluu/gluu/charts/auth-server/README.md index 8585988edd..9d30ff7b2b 100644 --- a/charts/gluu/gluu/charts/auth-server/README.md +++ b/charts/gluu/gluu/charts/auth-server/README.md @@ -1,6 +1,6 @@ # auth-server -![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. @@ -37,7 +37,7 @@ Kubernetes: `>=v1.21.0-0` | image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | image.pullSecrets | list | `[]` | Image Pull Secrets | | image.repository | string | `"janssenproject/auth-server"` | Image to use for deploying. | -| image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | | lifecycle | object | `{}` | | | livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | | livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | 
@@ -59,4 +59,4 @@ Kubernetes: `>=v1.21.0-0` | volumes | list | `[]` | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/charts/auth-server/templates/deployment.yml b/charts/gluu/gluu/charts/auth-server/templates/deployment.yml index 10a69dec0e..8437c16250 100644 --- a/charts/gluu/gluu/charts/auth-server/templates/deployment.yml +++ b/charts/gluu/gluu/charts/auth-server/templates/deployment.yml @@ -139,6 +139,14 @@ spec: name: google-sa subPath: google-credentials.json {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} - name: {{ include "auth-server.fullname" .}}-updatelbip mountPath: "/scripts" @@ -267,7 +275,16 @@ spec: secret: secretName: {{ .Release.Name }}-google-sa {{- end }} - + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} {{- if not .Values.global.istio.enabled }} diff --git a/charts/gluu/gluu/charts/auth-server/values.yaml b/charts/gluu/gluu/charts/auth-server/values.yaml index 6a44e8942a..56a516b513 100644 --- a/charts/gluu/gluu/charts/auth-server/values.yaml +++ b/charts/gluu/gluu/charts/auth-server/values.yaml 
@@ -28,7 +28,7 @@ image: # -- Image to use for deploying. repository: janssenproject/auth-server # -- Image tag to use for deploying. - tag: 1.0.22_dev + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. diff --git a/charts/gluu/gluu/charts/casa/Chart.yaml b/charts/gluu/gluu/charts/casa/Chart.yaml index 230dda86fe..17e9958fba 100644 --- a/charts/gluu/gluu/charts/casa/Chart.yaml +++ b/charts/gluu/gluu/charts/casa/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 5.0.22 +appVersion: 5.1.0 description: Jans Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Jans Server. home: https://gluu.org/docs/casa/ @@ -18,4 +18,4 @@ sources: - https://gluu.org/casa/ - https://github.com/JanssenProject/jans/docker-jans-casa type: application -version: 5.0.25 +version: 1.1.0 diff --git a/charts/gluu/gluu/charts/casa/README.md b/charts/gluu/gluu/charts/casa/README.md index 32ce166fc3..e32589eea3 100644 --- a/charts/gluu/gluu/charts/casa/README.md +++ b/charts/gluu/gluu/charts/casa/README.md @@ -1,6 +1,6 @@ # casa -![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) Jans Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Jans Server. 
@@ -37,7 +37,7 @@ Kubernetes: `>=v1.21.0-0` | image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | image.pullSecrets | list | `[]` | Image Pull Secrets | | image.repository | string | `"janssenproject/casa"` | Image to use for deploying. | -| image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | | lifecycle | object | `{}` | | | livenessProbe | object | `{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | | livenessProbe.httpGet.path | string | `"/jans-casa/health-check"` | http liveness probe endpoint | @@ -63,4 +63,4 @@ Kubernetes: `>=v1.21.0-0` | volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/charts/casa/templates/deployment.yaml b/charts/gluu/gluu/charts/casa/templates/deployment.yaml index 55c1e62fdc..0161333c88 100644 --- a/charts/gluu/gluu/charts/casa/templates/deployment.yaml +++ b/charts/gluu/gluu/charts/casa/templates/deployment.yaml 
@@ -109,7 +109,14 @@ spec: name: google-sa subPath: google-credentials.json {{- end }} - + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} - name: {{ include "casa.fullname" .}}-updatelbip mountPath: "/scripts" @@ -178,6 +185,16 @@ spec: secret: secretName: {{ .Release.Name }}-google-sa {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} {{- if not .Values.global.istio.enabled }} diff --git a/charts/gluu/gluu/charts/casa/values.yaml b/charts/gluu/gluu/charts/casa/values.yaml index 25a92c41bb..6c97c2f9ec 100644 --- a/charts/gluu/gluu/charts/casa/values.yaml +++ b/charts/gluu/gluu/charts/casa/values.yaml @@ -27,7 +27,7 @@ image: # -- Image to use for deploying. repository: janssenproject/casa # -- Image tag to use for deploying. - tag: 1.0.22_dev + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. diff --git a/charts/gluu/gluu/charts/cn-istio-ingress/Chart.yaml b/charts/gluu/gluu/charts/cn-istio-ingress/Chart.yaml index bafa0b60d1..abeafee463 100644 --- a/charts/gluu/gluu/charts/cn-istio-ingress/Chart.yaml +++ b/charts/gluu/gluu/charts/cn-istio-ingress/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 5.0.22 +appVersion: 5.1.0 description: Istio Gateway home: https://docs.gluu.org/ icon: https://gluu.org/docs/gluu-server/favicon.ico 
@@ -16,4 +16,4 @@ sources: - https://gluu.org/docs/gluu-server/ - https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/cn-istio-ingress type: application -version: 5.0.25 +version: 5.1.0 diff --git a/charts/gluu/gluu/charts/cn-istio-ingress/README.md b/charts/gluu/gluu/charts/cn-istio-ingress/README.md index 9b9ed5a87b..87dc3f6591 100644 --- a/charts/gluu/gluu/charts/cn-istio-ingress/README.md +++ b/charts/gluu/gluu/charts/cn-istio-ingress/README.md @@ -1,6 +1,6 @@ # cn-istio-ingress -![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) +![Version: 5.1.0](https://img.shields.io/badge/Version-5.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) Istio Gateway @@ -22,4 +22,4 @@ Istio Gateway Kubernetes: `>=v1.21.0-0` ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/charts/config-api/Chart.yaml b/charts/gluu/gluu/charts/config-api/Chart.yaml index a32bce5f6c..e71e87cd63 100644 --- a/charts/gluu/gluu/charts/config-api/Chart.yaml +++ b/charts/gluu/gluu/charts/config-api/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 5.0.22 +appVersion: 5.1.0 description: Jans Config Api endpoints can be used to configure jans-auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS) 
@@ -19,4 +19,4 @@ sources: - https://github.com/JanssenProject/jans/docker-jans-config-api - https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/config-api type: application -version: 5.0.25 +version: 1.1.0 diff --git a/charts/gluu/gluu/charts/config-api/README.md b/charts/gluu/gluu/charts/config-api/README.md index 345cb68f25..712ee707d8 100644 --- a/charts/gluu/gluu/charts/config-api/README.md +++ b/charts/gluu/gluu/charts/config-api/README.md @@ -1,6 +1,6 @@ # config-api -![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) Jans Config Api endpoints can be used to configure jans-auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS) 
@@ -39,7 +39,7 @@ Kubernetes: `>=v1.21.0-0` | image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | image.pullSecrets | list | `[]` | Image Pull Secrets | | image.repository | string | `"janssenproject/config-api"` | Image to use for deploying. | -| image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | | lifecycle | object | `{}` | | | livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | | livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | Executes the python3 healthcheck. | @@ -63,4 +63,4 @@ Kubernetes: `>=v1.21.0-0` | volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/charts/config-api/templates/deployment.yaml b/charts/gluu/gluu/charts/config-api/templates/deployment.yaml index 350dc909f9..e9754eff7a 100644 --- a/charts/gluu/gluu/charts/config-api/templates/deployment.yaml +++ b/charts/gluu/gluu/charts/config-api/templates/deployment.yaml 
@@ -100,7 +100,14 @@ spec: name: google-sa subPath: google-credentials.json {{- end }} - + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} {{- if not .Values.global.istio.enabled }} - name: cb-crt @@ -165,7 +172,16 @@ spec: secret: secretName: {{ .Release.Name }}-google-sa {{- end }} - + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} {{- if not .Values.global.istio.enabled }} diff --git a/charts/gluu/gluu/charts/config-api/values.yaml b/charts/gluu/gluu/charts/config-api/values.yaml index ece4dbbaa2..d752530b76 100644 --- a/charts/gluu/gluu/charts/config-api/values.yaml +++ b/charts/gluu/gluu/charts/config-api/values.yaml @@ -31,7 +31,7 @@ image: # -- Image to use for deploying. repository: janssenproject/config-api # -- Image tag to use for deploying. - tag: 1.0.22_dev + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. diff --git a/charts/gluu/gluu/charts/config/Chart.yaml b/charts/gluu/gluu/charts/config/Chart.yaml index 6b5713daa0..3bdb3ce63f 100644 --- a/charts/gluu/gluu/charts/config/Chart.yaml +++ b/charts/gluu/gluu/charts/config/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 5.0.22 +appVersion: 5.1.0 description: Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. home: https://docs.gluu.org 
@@ -18,4 +18,4 @@ sources: - https://github.com/JanssenProject/jans/docker-jans-configurator - https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/config type: application -version: 5.0.25 +version: 1.1.0 diff --git a/charts/gluu/gluu/charts/config/README.md b/charts/gluu/gluu/charts/config/README.md index 88d20b5fac..f4a8a37234 100644 --- a/charts/gluu/gluu/charts/config/README.md +++ b/charts/gluu/gluu/charts/config/README.md @@ -1,6 +1,6 @@ # config -![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. 
@@ -74,6 +74,16 @@ Kubernetes: `>=v1.21.0-0` | configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | | configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | | configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected in the secrets. | +| configmap.cnVaultAddr | string | `"http://localhost:8200"` | Base URL of Vault. | +| configmap.cnVaultAppRolePath | string | `"approle"` | Path to Vault AppRole. | +| configmap.cnVaultKvPath | string | `"secret"` | Path to Vault KV secrets engine. | +| configmap.cnVaultNamespace | string | `""` | Vault namespace used to access the secrets. | +| configmap.cnVaultPrefix | string | `"jans"` | Base prefix name used to access secrets. | +| configmap.cnVaultRoleId | string | `""` | Vault AppRole RoleID. | +| configmap.cnVaultRoleIdFile | string | `"/etc/certs/vault_role_id"` | Path to file contains Vault AppRole role ID. | +| configmap.cnVaultSecretId | string | `""` | Vault AppRole SecretID. | +| configmap.cnVaultSecretIdFile | string | `"/etc/certs/vault_secret_id"` | Path to file contains Vault AppRole secret ID. | +| configmap.cnVaultVerify | bool | `false` | Verify connection to Vault. | | configmap.containerMetadataName | string | `"kubernetes"` | | | configmap.kcDbPassword | string | `"Test1234#"` | Password for Keycloak database access | | configmap.kcDbSchema | string | `"keycloak"` | Keycloak database schema name (note that PostgreSQL may using "public" schema). | 
@@ -95,7 +105,7 @@ Kubernetes: `>=v1.21.0-0` | fullNameOverride | string | `""` | | | image.pullSecrets | list | `[]` | Image Pull Secrets | | image.repository | string | `"janssenproject/configurator"` | Image to use for deploying. | -| image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | | ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpennDJ is used for persistence. | | ldapTruststorePassword | string | `"changeit"` | LDAP truststore password if OpenDJ is used for persistence | | lifecycle | object | `{}` | | @@ -120,4 +130,4 @@ Kubernetes: `>=v1.21.0-0` | volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/charts/config/templates/configmaps.yaml b/charts/gluu/gluu/charts/config/templates/configmaps.yaml index 2e2d0c9533..9265387494 100644 --- a/charts/gluu/gluu/charts/config/templates/configmaps.yaml +++ b/charts/gluu/gluu/charts/config/templates/configmaps.yaml 
@@ -56,6 +56,18 @@ data: #AWS_PROFILE # [aws_envs] END {{- end }} + # [vault_envs] Envs related to Hashicorp vault + {{ if eq .Values.global.configSecretAdapter "vault" }} + CN_SECRET_VAULT_ADDR: {{ .Values.configmap.cnVaultAddr | quote }} + CN_SECRET_VAULT_VERIFY: {{ .Values.configmap.cnVaultVerify | quote }} + CN_SECRET_VAULT_ROLE_ID_FILE: {{ .Values.configmap.cnVaultRoleIdFile | quote }} + CN_SECRET_VAULT_SECRET_ID_FILE: {{ .Values.configmap.cnVaultSecretIdFile | quote }} + CN_SECRET_VAULT_NAMESPACE: {{ .Values.configmap.cnVaultNamespace | quote }} + CN_SECRET_VAULT_KV_PATH: {{ .Values.configmap.cnVaultKvPath | quote }} + CN_SECRET_VAULT_PREFIX: {{ .Values.configmap.cnVaultPrefix | quote }} + CN_SECRET_VAULT_APPROLE_PATH: {{ .Values.configmap.cnVaultAppRolePath | quote }} + # [vault_envs] END + {{- end }} CN_SQL_DB_SCHEMA: {{ .Values.configmap.cnSqlDbSchema | quote }} CN_SQL_DB_DIALECT: {{ .Values.configmap.cnSqlDbDialect }} CN_SQL_DB_HOST: {{ .Values.configmap.cnSqlDbHost }} diff --git a/charts/gluu/gluu/charts/config/templates/load-init-config.yml b/charts/gluu/gluu/charts/config/templates/load-init-config.yml index 64c48a7e3c..9988d9ceb9 100644 --- a/charts/gluu/gluu/charts/config/templates/load-init-config.yml +++ b/charts/gluu/gluu/charts/config/templates/load-init-config.yml @@ -66,6 +66,16 @@ spec: secret: secretName: {{ .Release.Name }}-google-sa {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} - name: cb-pass secret: 
@@ -125,6 +135,14 @@ spec: name: google-sa subPath: google-credentials.json {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} - name: cb-pass mountPath: {{ .Values.global.cnCouchbasePasswordFile }} diff --git a/charts/gluu/gluu/charts/config/templates/secrets.yaml b/charts/gluu/gluu/charts/config/templates/secrets.yaml index 0167197d43..31fa0e439e 100644 --- a/charts/gluu/gluu/charts/config/templates/secrets.yaml +++ b/charts/gluu/gluu/charts/config/templates/secrets.yaml @@ -36,7 +36,8 @@ stringData: "auth_sig_keys": {{ index .Values "global" "auth-server" "authSigKeys" | quote }}, "auth_enc_keys": {{ index .Values "global" "auth-server" "authEncKeys" | quote }}, "optional_scopes": {{ list (include "config.optionalScopes" . | fromJsonArray | join ",") }}, - "salt": {{ .Values.salt | quote }} + "salt": {{ .Values.salt | quote }}, + "init_keys_exp": {{ index .Values "global" "auth-server-key-rotation" "initKeysLife" }} } {{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} 
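Review bot: `"init_keys_exp": {{ index .Values "global" "auth-server-key-rotation" "initKeysLife" }}` is emitted unquoted and unguarded, so if `initKeysLife` is absent from the parent values (not visible here) the template renders `"init_keys_exp": ` and the stringData payload is no longer valid JSON, which only surfaces when the configurator parses it. Failing at render time is cheaper: `"init_keys_exp": {{ required "global.auth-server-key-rotation.initKeysLife must be set" (index .Values "global" "auth-server-key-rotation" "initKeysLife") }}`. If the value is meant to be numeric, piping it through `| int` in the same pipeline normalises a quoted override to a bare number so the JSON type stays stable.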
@@ -109,6 +110,27 @@ data: google-credentials.json: {{ .Values.configmap.cnGoogleSecretManagerServiceAccount }} {{- end}} +{{ if eq .Values.global.configSecretAdapter "vault" }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-vault + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + vault_role_id: {{ .Values.configmap.cnVaultRoleId | b64enc }} + vault_secret_id: {{ .Values.configmap.cnVaultSecretId | b64enc }} +{{- end}} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} --- # Consider removing secret after moving ldapPass to global. This is only used by the cronJob ldap backup. diff --git a/charts/gluu/gluu/charts/config/values.yaml b/charts/gluu/gluu/charts/config/values.yaml index fdfae08480..afe841a897 100644 --- a/charts/gluu/gluu/charts/config/values.yaml +++ b/charts/gluu/gluu/charts/config/values.yaml 
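Review bot: The new Secret's `vault_role_id`/`vault_secret_id` take `.Values.configmap.cnVaultRoleId` and `cnVaultSecretId`, whose defaults are empty strings, so selecting `configSecretAdapter: vault` without setting them renders a Secret holding two empty files and the failure only appears when a pod tries to authenticate to Vault; `vault_role_id: {{ required "configmap.cnVaultRoleId must be set when global.configSecretAdapter is vault" .Values.configmap.cnVaultRoleId | b64enc }}` (and the same for the SecretID) fails the install instead. The AppRole SecretID is a long-lived credential, and passing it through values means it is also persisted in the Helm release record, so a follow-up offering a reference to a pre-created Secret (an `existingSecret`-style value, name to be chosen) would let operators keep it out of values entirely. This Secret is referenced as `{{ .Release.Name }}-vault` from the admin-ui, auth-server, casa, config-api, fido2 and key-rotation templates in this commit, so those charts depend on the config chart being rendered in the same release; a comment above `kind: Secret` such as `# Consumed by sibling charts via {{ .Release.Name }}-vault; keep the name and item keys in sync with their volume definitions.` would make that coupling visible.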
@@ -88,6 +88,28 @@ configmap: cnAwsSecretsReplicaRegions: [] # [aws_secret_manager_envs] END # [aws_envs] END + # [vault_envs] Envs related to Hashicorp vault + # -- Vault AppRole RoleID. + cnVaultRoleId: "" + # -- Vault AppRole SecretID. + cnVaultSecretId: "" + # -- Base URL of Vault. + cnVaultAddr: http://localhost:8200 + # -- Verify connection to Vault. + cnVaultVerify: false + # -- Path to file contains Vault AppRole role ID. + cnVaultRoleIdFile: /etc/certs/vault_role_id + # -- Path to file contains Vault AppRole secret ID. + cnVaultSecretIdFile: /etc/certs/vault_secret_id + # -- Vault namespace used to access the secrets. + cnVaultNamespace: "" + # -- Path to Vault KV secrets engine. + cnVaultKvPath: secret + # -- Base prefix name used to access secrets. + cnVaultPrefix: jans + # -- Path to Vault AppRole. + cnVaultAppRolePath: approle + # [vault_envs] END # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. cnLdapUrl: "opendj:1636" # -- Value passed to Java option -XX:MaxRAMPercentage @@ -154,7 +176,7 @@ image: # -- Image to use for deploying. repository: janssenproject/configurator # -- Image tag to use for deploying. - tag: 1.0.22_dev + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- LDAP admin password if OpennDJ is used for persistence. diff --git a/charts/gluu/gluu/charts/fido2/Chart.yaml b/charts/gluu/gluu/charts/fido2/Chart.yaml index 3dd2798df7..5e53d2dc53 100644 --- a/charts/gluu/gluu/charts/fido2/Chart.yaml +++ b/charts/gluu/gluu/charts/fido2/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 5.0.22 +appVersion: 5.1.0 description: FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. home: https://docs.gluu.org/ 
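Review bot: `cnVaultVerify: false` is the shipped default, so the `CN_SECRET_VAULT_VERIFY` value the configmap derives from it disables connection verification for every deployment that does not opt in, while this is the component presenting the AppRole SecretID to Vault; `cnVaultVerify: true` is the safer default, with the loopback `cnVaultAddr` being the case where an operator would turn it off deliberately. The doc comment `# -- Verify connection to Vault.` does not say what is verified; if, as the name suggests, it controls TLS certificate verification of the Vault endpoint, `# -- Verify the Vault server's TLS certificate. Keep true for any non-loopback cnVaultAddr.` makes the trade-off explicit (confirm against the consumer of this env, which is not in view). The file-path comments also read awkwardly: `# -- Path to the file that contains the Vault AppRole RoleID.` and the SecretID counterpart.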
@@ -19,4 +19,4 @@ sources: - https://github.com/JanssenProject/jans/docker-jans-fido2 - https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/fido2 type: application -version: 5.0.25 +version: 1.1.0 diff --git a/charts/gluu/gluu/charts/fido2/README.md b/charts/gluu/gluu/charts/fido2/README.md index 1382db8781..f14edfea4d 100644 --- a/charts/gluu/gluu/charts/fido2/README.md +++ b/charts/gluu/gluu/charts/fido2/README.md @@ -1,6 +1,6 @@ # fido2 -![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. 
@@ -38,7 +38,7 @@ Kubernetes: `>=v1.21.0-0` | image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | image.pullSecrets | list | `[]` | Image Pull Secrets | | image.repository | string | `"janssenproject/fido2"` | Image to use for deploying. | -| image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | | lifecycle | object | `{}` | | | livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | | livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | @@ -60,4 +60,4 @@ Kubernetes: `>=v1.21.0-0` | volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/charts/fido2/templates/deployment.yml b/charts/gluu/gluu/charts/fido2/templates/deployment.yml index c3d0ded19f..84615d338c 100644 --- a/charts/gluu/gluu/charts/fido2/templates/deployment.yml +++ b/charts/gluu/gluu/charts/fido2/templates/deployment.yml 
@@ -104,7 +104,14 @@ spec: name: google-sa subPath: google-credentials.json {{- end }} - + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} - name: {{ include "fido2.fullname" .}}-updatelbip mountPath: "/scripts" @@ -180,7 +187,16 @@ spec: secret: secretName: {{ .Release.Name }}-google-sa {{- end }} - + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} {{- if not .Values.global.istio.enabled }} diff --git a/charts/gluu/gluu/charts/fido2/templates/fido2-virtual-services.yaml b/charts/gluu/gluu/charts/fido2/templates/fido2-virtual-services.yaml index 88a91a994b..fe906fa682 100644 --- a/charts/gluu/gluu/charts/fido2/templates/fido2-virtual-services.yaml +++ b/charts/gluu/gluu/charts/fido2/templates/fido2-virtual-services.yaml @@ -1,4 +1,4 @@ -{{- if and (.Values.global.istio.ingress) (.Values.global.fido2.ingress.fido2ConfigEnabled) }} +{{- if .Values.global.istio.ingress }} apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: 
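Review bot: The new `vault` volume mounts the AppRole SecretID with `subPath`, and Kubernetes does not refresh subPath mounts when the backing Secret changes, so a rotated `{{ .Release.Name }}-vault` Secret is only picked up after the pod is restarted; the AppRole SecretID is exactly the kind of credential operators rotate. Either mount the secret as a directory (e.g. at `/etc/certs/vault/`, which would also require changing the `cnVaultRoleIdFile`/`cnVaultSecretIdFile` defaults outside this hunk) or record the limitation next to the mount: `# NOTE: subPath mounts are not updated on Secret rotation; roll the deployment after rotating the AppRole SecretID.`. As a point of style, the block opens with `{{ if` while every neighbouring guard uses `{{- if`, which leaves a whitespace-only line in the rendered manifest; `{{- if eq .Values.global.configSecretAdapter "vault" }}` keeps it consistent. The same mount/volume pair is repeated in the link, saml, scim and persistence charts in this change, so whatever is decided here applies there too.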
@@ -25,16 +25,30 @@ spec: - {{ .Release.Name }}-global-gtw {{- end }} http: + {{- if .Values.global.fido2.ingress.fido2ConfigEnabled }} - name: {{ .Release.Name }}-istio-fido2-configuration match: - uri: prefix: /.well-known/fido2-configuration rewrite: uri: /jans-fido2/restv1/fido2/configuration + route: + - destination: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{- if .Values.global.fido2.ingress.fido2Enabled }} + - name: {{ .Release.Name }}-istio-fido2 + match: + - uri: + prefix: "/jans-fido2" route: - destination: host: {{ .Values.global.fido2.fido2ServiceName }}.{{.Release.Namespace}}.svc.cluster.local port: number: 8080 weight: 100 + {{- end }} {{- end }} diff --git a/charts/gluu/gluu/charts/fido2/values.yaml b/charts/gluu/gluu/charts/fido2/values.yaml index 9c90202f77..048c9db22e 100644 --- a/charts/gluu/gluu/charts/fido2/values.yaml +++ b/charts/gluu/gluu/charts/fido2/values.yaml @@ -29,7 +29,7 @@ image: # -- Image to use for deploying. repository: janssenproject/fido2 # -- Image tag to use for deploying. - tag: 1.0.22_dev + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. diff --git a/charts/gluu/gluu/charts/link/Chart.yaml b/charts/gluu/gluu/charts/link/Chart.yaml index 08eeaf76f9..307126631f 100644 --- a/charts/gluu/gluu/charts/link/Chart.yaml +++ b/charts/gluu/gluu/charts/link/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 5.0.22 +appVersion: 5.1.0 description: Jans Link home: https://jans.io icon: https://github.com/JanssenProject/jans/raw/main/docs/assets/logo/janssen_project_favicon_transparent_50px_50px.png @@ -15,4 +15,4 @@ sources: - https://github.com/JanssenProject/jans/jans-link - https://github.com/JanssenProject/jans/docker-jans-link type: application -version: 5.0.25 +version: 1.1.0 
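Review bot: With both route blocks now individually guarded and the outer condition in this file's first hunk relaxed to just `.Values.global.istio.ingress`, a deployment that leaves `fido2ConfigEnabled` and `fido2Enabled` at false renders a VirtualService whose `http:` key has no entries, which I believe Istio's admission validation rejects (a VirtualService needs at least one http, tcp or tls route). The outer guard should require at least one of the two toggles, e.g. `{{- if and .Values.global.istio.ingress (or .Values.global.fido2.ingress.fido2ConfigEnabled .Values.global.fido2.ingress.fido2Enabled) }}`, which lives in the `@@ -1,4 +1,4 @@` hunk rather than this one. Also note that the new `prefix: "/jans-fido2"` route exposes the whole FIDO2 context, including the `/jans-fido2/sys/health-check` path the liveness probe uses per the README, which may be fine but deserves a comment such as `# exposes every path under /jans-fido2, not only the WebAuthn endpoints`.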
diff --git a/charts/gluu/gluu/charts/link/README.md b/charts/gluu/gluu/charts/link/README.md index 23d80eb5fd..5f1d1925cc 100644 --- a/charts/gluu/gluu/charts/link/README.md +++ b/charts/gluu/gluu/charts/link/README.md @@ -1,6 +1,6 @@ # link -![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) Jans Link @@ -38,7 +38,7 @@ Kubernetes: `>=v1.22.0-0` | image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | image.pullSecrets | list | `[]` | Image Pull Secrets | | image.repository | string | `"ghcr.io/janssenproject/jans/link"` | Image to use for deploying. | -| image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | | lifecycle | object | `{}` | | | livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the link if needed. | | livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | 
@@ -62,4 +62,4 @@ Kubernetes: `>=v1.22.0-0` | volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/charts/link/templates/deployment.yaml b/charts/gluu/gluu/charts/link/templates/deployment.yaml index c9c439c59f..dca074b28c 100644 --- a/charts/gluu/gluu/charts/link/templates/deployment.yaml +++ b/charts/gluu/gluu/charts/link/templates/deployment.yaml @@ -99,7 +99,14 @@ spec: name: google-sa subPath: google-credentials.json {{- end }} - + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} {{- if not .Values.global.istio.enabled }} - name: cb-crt @@ -164,7 +171,16 @@ spec: secret: secretName: {{ .Release.Name }}-google-sa {{- end }} - + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} {{- if not .Values.global.istio.enabled }} diff --git a/charts/gluu/gluu/charts/link/values.yaml b/charts/gluu/gluu/charts/link/values.yaml index 840a781a57..8291d38c64 100644 --- a/charts/gluu/gluu/charts/link/values.yaml +++ b/charts/gluu/gluu/charts/link/values.yaml 
@@ -31,7 +31,7 @@ image: # -- Image to use for deploying. repository: ghcr.io/janssenproject/jans/link # -- Image tag to use for deploying. - tag: 1.0.22_dev + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. diff --git a/charts/gluu/gluu/charts/nginx-ingress/Chart.yaml b/charts/gluu/gluu/charts/nginx-ingress/Chart.yaml index fabe0fae5b..d0195b4536 100644 --- a/charts/gluu/gluu/charts/nginx-ingress/Chart.yaml +++ b/charts/gluu/gluu/charts/nginx-ingress/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 5.0.22 +appVersion: 5.1.0 description: Nginx ingress definitions chart home: https://docs.gluu.org icon: https://gluu.org/docs/gluu-server/favicon.ico @@ -17,4 +17,4 @@ sources: - https://kubernetes.io/docs/concepts/services-networking/ingress/ - https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/nginx-ingress type: application -version: 5.0.25 +version: 5.1.0 diff --git a/charts/gluu/gluu/charts/nginx-ingress/README.md b/charts/gluu/gluu/charts/nginx-ingress/README.md index e66cff04a6..1a258970c1 100644 --- a/charts/gluu/gluu/charts/nginx-ingress/README.md +++ b/charts/gluu/gluu/charts/nginx-ingress/README.md @@ -1,6 +1,6 @@ # nginx-ingress -![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) +![Version: 5.1.0](https://img.shields.io/badge/Version-5.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) Nginx ingress definitions chart 
@@ -27,7 +27,7 @@ Kubernetes: `>=v1.21.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | fullnameOverride | string | `""` | | -| ingress | object | `{"additionalAnnotations":{},"additionalLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"casaAdditionalAnnotations":{},"casaLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"enabled":true,"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"fido2Enabled":false,"fido2Labels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","legacy":false,"openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","samlAdditionalAnnotations":{},"samlLabels":{},"scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}` | Nginx ingress definitions chart | +| ingress | object | 
`{"additionalAnnotations":{},"additionalLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"casaAdditionalAnnotations":{},"casaLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"enabled":true,"fido2AdditionalAnnotations":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"fido2Enabled":false,"fido2Labels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","legacy":false,"openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","samlAdditionalAnnotations":{},"samlLabels":{},"scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}` | Nginx ingress definitions chart | | ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. 
key app is taken Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | | ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | | ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | @@ -36,6 +36,7 @@ Kubernetes: `>=v1.21.0-0` | ingress.casaLabels | object | `{}` | Casa ingress resource labels. key app is taken | | ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | | ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| ingress.fido2AdditionalAnnotations | object | `{}` | fido2 ingress resource additional annotations. | | ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | | ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | | ingress.fido2Enabled | bool | `false` | Enable all fido2 endpoints | @@ -62,4 +63,4 @@ Kubernetes: `>=v1.21.0-0` | nameOverride | string | `""` | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) 
diff --git a/charts/gluu/gluu/charts/nginx-ingress/templates/ingress.yaml b/charts/gluu/gluu/charts/nginx-ingress/templates/ingress.yaml index 94e244e656..8069c0038b 100644 --- a/charts/gluu/gluu/charts/nginx-ingress/templates/ingress.yaml +++ b/charts/gluu/gluu/charts/nginx-ingress/templates/ingress.yaml 
@@ -616,6 +616,62 @@ spec: --- +{{ if .Values.global.fido2.ingress.fido2Enabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-fido2 + labels: + app: {{ $fullName }}-fido2 +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.fido2Labels }} +{{ toYaml .Values.ingress.fido2Labels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "fido2" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.fido2AdditionalAnnotations }} +{{ toYaml .Values.ingress.fido2AdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-fido2 + pathType: Exact + backend: + service: + name: {{ .Values.global.fido2.fido2ServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + {{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} {{ $fullName := include "nginx-ingress.fullname" . -}} {{- $ingressPath := .Values.ingress.path -}} diff --git a/charts/gluu/gluu/charts/nginx-ingress/values.yaml b/charts/gluu/gluu/charts/nginx-ingress/values.yaml index 02ce71b132..901a6ca1a7 100644 --- a/charts/gluu/gluu/charts/nginx-ingress/values.yaml +++ b/charts/gluu/gluu/charts/nginx-ingress/values.yaml 
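Review bot: The new fido2 Ingress uses `pathType: Exact` with `path: /jans-fido2`, which matches only that bare path and none of the REST endpoints beneath it (the Istio hunk in this same change rewrites `/.well-known/fido2-configuration` to `/jans-fido2/restv1/fido2/configuration` and routes `prefix: "/jans-fido2"`), so enabling `fido2Enabled` on nginx does not deliver the "Enable all fido2 endpoints" the README promises. The fix is `pathType: Prefix`, matching the Istio counterpart. Two smaller points: `nginx.org/ssl-services: "fido2"` hard-codes a service name while the backend is `.Values.global.fido2.fido2ServiceName`, and it is an NGINX Inc controller annotation alongside `nginx.ingress.kubernetes.io/*` ones, which looks copied from a sibling resource; and `$ingressPath` is assigned but never used in this resource.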
@@ -49,6 +49,8 @@ ingress: fido2Enabled: false # -- fido2 ingress resource labels. key app is taken fido2Labels: { } + # -- fido2 ingress resource additional annotations. + fido2AdditionalAnnotations: { } # -- Auth server config ingress resource labels. key app is taken authServerLabels: { } # -- Auth server ingress resource additional annotations. diff --git a/charts/gluu/gluu/charts/opendj/Chart.yaml b/charts/gluu/gluu/charts/opendj/Chart.yaml index 4cab677326..8575735dc7 100644 --- a/charts/gluu/gluu/charts/opendj/Chart.yaml +++ b/charts/gluu/gluu/charts/opendj/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 5.0.22 +appVersion: 5.1.0 description: OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in @@ -19,4 +19,4 @@ sources: - https://github.com/GluuFederation/docker-opendj - https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/opendj type: application -version: 5.0.25 +version: 5.1.0 diff --git a/charts/gluu/gluu/charts/opendj/README.md b/charts/gluu/gluu/charts/opendj/README.md index a13db320a6..dd612c324d 100644 --- a/charts/gluu/gluu/charts/opendj/README.md +++ b/charts/gluu/gluu/charts/opendj/README.md 
@@ -1,6 +1,6 @@ # opendj -![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) +![Version: 5.1.0](https://img.shields.io/badge/Version-5.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. @@ -37,7 +37,7 @@ Kubernetes: `>=v1.21.0-0` | image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | image.pullSecrets | list | `[]` | Image Pull Secrets | | image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | -| image.tag | string | `"5.0.0-15"` | Image tag to use for deploying. | +| image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. | | lifecycle.preStop.exec.command[0] | string | `"/bin/sh"` | | | lifecycle.preStop.exec.command[1] | string | `"-c"` | | | lifecycle.preStop.exec.command[2] | string | `"python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"` | | 
@@ -72,4 +72,4 @@ Kubernetes: `>=v1.21.0-0` | volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/charts/opendj/templates/cronjobs.yaml b/charts/gluu/gluu/charts/opendj/templates/cronjobs.yaml index 7483be66ca..0227258a46 100644 --- a/charts/gluu/gluu/charts/opendj/templates/cronjobs.yaml +++ b/charts/gluu/gluu/charts/opendj/templates/cronjobs.yaml @@ -1,4 +1,4 @@ -{{- if .Values.backup.enabled }} +{{- if and ( .Values.backup.enabled ) (or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid")) }} kind: CronJob apiVersion: batch/v1 metadata: diff --git a/charts/gluu/gluu/charts/opendj/values.yaml b/charts/gluu/gluu/charts/opendj/values.yaml index 2ee772cb9a..d397c37385 100644 --- a/charts/gluu/gluu/charts/opendj/values.yaml +++ b/charts/gluu/gluu/charts/opendj/values.yaml @@ -28,7 +28,7 @@ image: # -- Image to use for deploying. repository: gluufederation/opendj # -- Image tag to use for deploying. - tag: 5.0.0-15 + tag: 5.0.0_dev # -- Image Pull Secrets pullSecrets: [ ] persistence: diff --git a/charts/gluu/gluu/charts/persistence/Chart.yaml b/charts/gluu/gluu/charts/persistence/Chart.yaml index 2bf88dcf6f..afb793acb0 100644 --- a/charts/gluu/gluu/charts/persistence/Chart.yaml +++ b/charts/gluu/gluu/charts/persistence/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 5.0.22 +appVersion: 5.1.0 description: Job to generate data and initial config for Gluu Server persistence layer. home: https://docs.gluu.org icon: https://gluu.org/docs/gluu-server/favicon.ico 
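Review bot: The opendj `image.tag` moves from the pinned build `5.0.0-15` to the floating tag `5.0.0_dev`, the opposite direction from every other chart in this change, which pins `1.1.0-1`. A mutable dev tag means the image a cluster runs can change without any chart change, and with the `IfNotPresent` pull policy shown in the README different nodes can end up on different images, which undermines reproducible and auditable deployments of the directory that holds user credentials. If this is deliberate for a development snapshot it should be called out, e.g. `# -- Image tag to use for deploying. NOTE: 5.0.0_dev is a moving tag; pin a release build or a digest for production.`; otherwise the tag should stay pinned.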
@@ -15,4 +15,4 @@ sources: - https://github.com/JanssenProject/jans/docker-jans-persistence-loader - https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/persistence type: application -version: 5.0.25 +version: 1.1.0 diff --git a/charts/gluu/gluu/charts/persistence/README.md b/charts/gluu/gluu/charts/persistence/README.md index fc2306faf0..d9afcbf435 100644 --- a/charts/gluu/gluu/charts/persistence/README.md +++ b/charts/gluu/gluu/charts/persistence/README.md @@ -1,6 +1,6 @@ # persistence -![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) Job to generate data and initial config for Gluu Server persistence layer. @@ -34,7 +34,7 @@ Kubernetes: `>=v1.21.0-0` | image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | image.pullSecrets | list | `[]` | Image Pull Secrets | | image.repository | string | `"janssenproject/persistence"` | Image to use for deploying. | -| image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | | imagePullSecrets | list | `[]` | | | lifecycle | object | `{}` | | | nameOverride | string | `""` | | 
@@ -50,4 +50,4 @@ Kubernetes: `>=v1.21.0-0` | volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/charts/persistence/templates/jobs.yml b/charts/gluu/gluu/charts/persistence/templates/jobs.yml index 80f8b592f7..efcf04028e 100644 --- a/charts/gluu/gluu/charts/persistence/templates/jobs.yml +++ b/charts/gluu/gluu/charts/persistence/templates/jobs.yml @@ -90,6 +90,14 @@ spec: name: google-sa subPath: google-credentials.json {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} - name: cb-crt mountPath: "/etc/certs/couchbase.crt" @@ -142,6 +150,16 @@ spec: secret: secretName: {{ .Release.Name }}-google-sa {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} - name: cb-crt secret: diff --git a/charts/gluu/gluu/charts/persistence/values.yaml b/charts/gluu/gluu/charts/persistence/values.yaml index ad955bfa74..7517100340 100644 --- a/charts/gluu/gluu/charts/persistence/values.yaml +++ b/charts/gluu/gluu/charts/persistence/values.yaml 
@@ -18,7 +18,7 @@ image: # -- Image to use for deploying. repository: janssenproject/persistence # -- Image tag to use for deploying. - tag: 1.0.22_dev + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Resource specs. diff --git a/charts/gluu/gluu/charts/saml/Chart.yaml b/charts/gluu/gluu/charts/saml/Chart.yaml index a107137cf1..3ffa22c573 100644 --- a/charts/gluu/gluu/charts/saml/Chart.yaml +++ b/charts/gluu/gluu/charts/saml/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 5.0.22 +appVersion: 5.1.0 description: Jans SAML home: https://jans.io icon: https://github.com/JanssenProject/jans/raw/main/docs/assets/logo/janssen_project_favicon_transparent_50px_50px.png @@ -15,4 +15,4 @@ name: saml sources: - https://github.com/JanssenProject/jans/docker-jans-saml type: application -version: 5.0.25 +version: 1.1.0 diff --git a/charts/gluu/gluu/charts/saml/README.md b/charts/gluu/gluu/charts/saml/README.md index 2a5b650481..d92826108f 100644 --- a/charts/gluu/gluu/charts/saml/README.md +++ b/charts/gluu/gluu/charts/saml/README.md @@ -1,6 +1,6 @@ # saml -![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) Jans SAML 
@@ -36,7 +36,7 @@ Kubernetes: `>=v1.21.0-0` | image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | image.pullSecrets | list | `[]` | Image Pull Secrets | | image.repository | string | `"janssenproject/saml"` | Image to use for deploying. | -| image.tag | string | `"1.0.22-1"` | Image tag to use for deploying. | +| image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | | lifecycle | object | `{}` | | | livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for saml if needed. | | livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | @@ -61,4 +61,4 @@ Kubernetes: `>=v1.21.0-0` | volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/charts/saml/templates/deployment.yaml b/charts/gluu/gluu/charts/saml/templates/deployment.yaml index 5992ca2315..b1045fde84 100644 --- a/charts/gluu/gluu/charts/saml/templates/deployment.yaml +++ b/charts/gluu/gluu/charts/saml/templates/deployment.yaml 
@@ -112,7 +112,14 @@ spec: name: google-sa subPath: google-credentials.json {{- end }} - + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} - name: {{ include "saml.fullname" .}}-updatelbip mountPath: "/scripts" @@ -184,6 +191,16 @@ spec: secret: secretName: {{ .Release.Name }}-google-sa {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} {{- if not .Values.global.istio.enabled }} diff --git a/charts/gluu/gluu/charts/saml/values.yaml b/charts/gluu/gluu/charts/saml/values.yaml index c4dbf735ee..ef911217f1 100644 --- a/charts/gluu/gluu/charts/saml/values.yaml +++ b/charts/gluu/gluu/charts/saml/values.yaml @@ -27,7 +27,7 @@ image: # -- Image to use for deploying. repository: janssenproject/saml # -- Image tag to use for deploying. - tag: 1.0.22-1 + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. diff --git a/charts/gluu/gluu/charts/scim/Chart.yaml b/charts/gluu/gluu/charts/scim/Chart.yaml index c796939e6e..814b7ef079 100644 --- a/charts/gluu/gluu/charts/scim/Chart.yaml +++ b/charts/gluu/gluu/charts/scim/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 5.0.22 +appVersion: 5.1.0 description: System for Cross-domain Identity Management (SCIM) version 2.0 home: https://docs.gluu.org icon: https://gluu.org/docs/gluu-server/favicon.ico 
@@ -17,4 +17,4 @@ sources: - https://github.com/JanssenProject/jans/docker-jans-scim - https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/scim type: application -version: 5.0.25 +version: 1.1.0 diff --git a/charts/gluu/gluu/charts/scim/README.md b/charts/gluu/gluu/charts/scim/README.md index f47ce1dab6..62d134ad39 100644 --- a/charts/gluu/gluu/charts/scim/README.md +++ b/charts/gluu/gluu/charts/scim/README.md @@ -1,6 +1,6 @@ # scim -![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) System for Cross-domain Identity Management (SCIM) version 2.0 @@ -37,7 +37,7 @@ Kubernetes: `>=v1.21.0-0` | image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | | image.pullSecrets | list | `[]` | Image Pull Secrets | | image.repository | string | `"janssenproject/scim"` | Image to use for deploying. | -| image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | | lifecycle | object | `{}` | | | livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | | livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | 
@@ -59,4 +59,4 @@ Kubernetes: `>=v1.21.0-0` | volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/charts/scim/templates/deployment.yml b/charts/gluu/gluu/charts/scim/templates/deployment.yml index 8bb3605eb9..ad172ffa9f 100644 --- a/charts/gluu/gluu/charts/scim/templates/deployment.yml +++ b/charts/gluu/gluu/charts/scim/templates/deployment.yml @@ -112,6 +112,14 @@ spec: name: google-sa subPath: google-credentials.json {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} - name: {{ include "scim.fullname" .}}-updatelbip mountPath: "/scripts" @@ -178,7 +186,16 @@ spec: secret: secretName: {{ .Release.Name }}-google-sa {{- end }} - + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} {{- if not .Values.global.istio.enabled }} diff --git a/charts/gluu/gluu/charts/scim/values.yaml b/charts/gluu/gluu/charts/scim/values.yaml index b6806f2d62..84bfb61caa 100644 --- a/charts/gluu/gluu/charts/scim/values.yaml +++ b/charts/gluu/gluu/charts/scim/values.yaml 
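Review bot: In the scim deployment's second hunk the `vault` secret volume carries the AppRole `vault_secret_id` with the default 0644 file mode, readable by any process in the container; set `defaultMode: 0400` under `secret:` (next to `secretName: {{ .Release.Name }}-vault`) so only the service user can read it. The Secret itself is not created anywhere visible in this diff, so its origin should be documented or the creating template included.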
@@ -28,7 +28,7 @@ image: # -- Image to use for deploying. repository: janssenproject/scim # -- Image tag to use for deploying. - tag: 1.0.22_dev + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. diff --git a/charts/gluu/gluu/openbanking-values.yaml b/charts/gluu/gluu/openbanking-values.yaml index 562c7c4bb2..5544c91790 100644 --- a/charts/gluu/gluu/openbanking-values.yaml +++ b/charts/gluu/gluu/openbanking-values.yaml @@ -28,7 +28,7 @@ auth-server: # -- Image to use for deploying. repository: janssenproject/auth-server # -- Image tag to use for deploying. - tag: 1.0.20-1 + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. @@ -167,7 +167,7 @@ config: # -- Image to use for deploying. repository: janssenproject/configurator # -- Image tag to use for deploying. - tag: 1.0.20-1 + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Organization name. Used for certificate creation. @@ -231,7 +231,7 @@ config-api: # -- Image to use for deploying. repository: janssenproject/config-api # -- Image tag to use for deploying. - tag: 1.0.20-1 + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. @@ -664,7 +664,7 @@ persistence: # -- Image to use for deploying. repository: janssenproject/persistence-loader # -- Image tag to use for deploying. - tag: 1.0.20-1 + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Resource specs. diff --git a/charts/gluu/gluu/values.schema.json b/charts/gluu/gluu/values.schema.json index f07c7855ce..ad1eb07856 100644 --- a/charts/gluu/gluu/values.schema.json +++ b/charts/gluu/gluu/values.schema.json 
@@ -616,7 +616,7 @@ "configSecretAdapter":{ "description":"The config backend adapter that will hold Gluu secret layer. google|kubernetes|aws", "type":"string", - "pattern":"^(kubernetes|google|aws)$" + "pattern":"^(kubernetes|google|aws|vault)$" }, "cnGoogleApplicationCredentials":{ "description":"Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner.", diff --git a/charts/gluu/gluu/values.yaml b/charts/gluu/gluu/values.yaml index 1b07668221..d5ea1f1015 100644 --- a/charts/gluu/gluu/values.yaml +++ b/charts/gluu/gluu/values.yaml @@ -106,7 +106,7 @@ admin-ui: # -- Image to use for deploying. repository: ghcr.io/gluufederation/flex/admin-ui # -- Image tag to use for deploying. - tag: 1.0.22_dev + tag: 5.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. @@ -207,7 +207,7 @@ auth-server: # -- Image to use for deploying. repository: ghcr.io/janssenproject/jans/auth-server # -- Image tag to use for deploying. - tag: 1.0.22_dev + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. @@ -284,7 +284,7 @@ auth-server-key-rotation: # -- Image to use for deploying. repository: ghcr.io/janssenproject/jans/certmanager # -- Image tag to use for deploying. - tag: 1.0.22_dev + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Auth server key rotation keys life in hours 
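Review bot: The `configSecretAdapter` pattern now admits `vault`, but the `description` on the same property still reads `google|kubernetes|aws`, so schema-driven docs will not advertise the new adapter; change it to `"description":"The config backend adapter that will hold Gluu secret layer. vault|google|kubernetes|aws"` to match the comment updated in values.yaml. Since the configuration-layer adapter (`configAdapterName`, still documented as `aws|google|kubernetes` in this change) is not extended, a clause stating that vault applies to the secret layer only would prevent operators from assuming both layers move to Vault.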
@@ -418,6 +418,28 @@ config: cnAwsSecretsReplicaRegions: [] # [aws_secret_manager_envs] END # [aws_envs] END + # [vault_envs] Envs related to Hashicorp vault + # -- Vault AppRole RoleID. + cnVaultRoleId: "" + # -- Vault AppRole SecretID. + cnVaultSecretId: "" + # -- Base URL of Vault. + cnVaultAddr: http://localhost:8200 + # -- Verify connection to Vault. + cnVaultVerify: false + # -- Path to file contains Vault AppRole role ID. + cnVaultRoleIdFile: /etc/certs/vault_role_id + # -- Path to file contains Vault AppRole secret ID. + cnVaultSecretIdFile: /etc/certs/vault_secret_id + # -- Vault namespace used to access the secrets. + cnVaultNamespace: "" + # -- Path to Vault KV secrets engine. + cnVaultKvPath: secret + # -- Base prefix name used to access secrets. + cnVaultPrefix: jans + # -- Path to Vault AppRole. + cnVaultAppRolePath: approle + # [vault_envs] END # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. cnLdapUrl: "opendj:1636" # -- Value passed to Java option -XX:MaxRAMPercentage @@ -486,7 +508,7 @@ config: # -- Image to use for deploying. repository: ghcr.io/janssenproject/jans/configurator # -- Image tag to use for deploying. - tag: 1.0.22_dev + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- LDAP admin password if OpenDJ is used for persistence. @@ -593,7 +615,7 @@ config-api: # -- Image to use for deploying. repository: ghcr.io/janssenproject/jans/config-api # -- Image tag to use for deploying. - tag: 1.0.22_dev + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. @@ -696,7 +718,7 @@ fido2: # -- Image to use for deploying. repository: ghcr.io/janssenproject/jans/fido2 # -- Image tag to use for deploying. - tag: 1.0.22_dev + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. 
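Review bot: `cnVaultVerify: false` ships as the default beside `cnVaultAddr: http://localhost:8200`; if this flag governs TLS certificate verification (the consumer is not in this diff, but the name suggests it), an operator who only switches the address to an `https://` Vault will connect without verifying the server certificate, undermining the point of moving secrets to Vault. Either default it to `true` or make the comment explicit: `# -- Verify the Vault server TLS certificate. Keep true for any non-local https endpoint; false is only acceptable for a local plaintext dev Vault.` The `cnVaultRoleId`/`cnVaultSecretId` values are also persisted with the Helm release like any other value, so the comments should point production users to the file-based `cnVaultRoleIdFile`/`cnVaultSecretIdFile` path instead of inlining the AppRole credentials.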
@@ -804,7 +826,7 @@ casa: # -- Image to use for deploying. repository: ghcr.io/janssenproject/jans/casa # -- Image tag to use for deploying. - tag: 1.0.22_dev + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. @@ -953,6 +975,8 @@ global: auth-server-key-rotation: # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. enabled: true + # -- The initial auth server key rotation keys life in hours + initKeysLife: 48 # -- Volume storage type if using AWS volumes. awsStorageType: io1 # -- Volume storage type if using Azure disks. @@ -1018,7 +1042,7 @@ global: jobTtlSecondsAfterFinished: 300 # -- The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes configAdapterName: kubernetes - # -- The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes + # -- The config backend adapter that will hold Gluu secret layer. vault|aws|google|kubernetes configSecretAdapter: kubernetes # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json @@ -1105,6 +1129,8 @@ global: ingress: # -- Enable endpoint /.well-known/fido2-configuration fido2ConfigEnabled: false + # -- Enable endpoint /jans-fido2 + fido2Enabled: false # -- GCE storage kind if using Google disks gcePdStorageType: pd-standard # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. 
@@ -1313,6 +1339,10 @@ nginx-ingress: fido2ConfigLabels: { } # -- fido2 config ingress resource additional annotations. fido2ConfigAdditionalAnnotations: { } + # -- fido2 ingress resource labels. key app is taken + fido2Labels: { } + # -- fido2 ingress resource additional annotations. + fido2AdditionalAnnotations: { } # -- Auth server ingress resource labels. key app is taken authServerLabels: { } # -- Auth server ingress resource additional annotations. @@ -1409,7 +1439,7 @@ opendj: # -- Image to use for deploying. repository: gluufederation/opendj # -- Image tag to use for deploying. - tag: 5.0.0-1 + tag: 5.0.0_dev # -- Image Pull Secrets pullSecrets: [ ] @@ -1519,7 +1549,7 @@ persistence: # -- Image to use for deploying. repository: ghcr.io/janssenproject/jans/persistence-loader # -- Image tag to use for deploying. - tag: 1.0.22_dev + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Resource specs. @@ -1603,7 +1633,7 @@ scim: # -- Image to use for deploying. repository: ghcr.io/janssenproject/jans/scim # -- Image tag to use for deploying. - tag: 1.0.22_dev + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. @@ -1711,7 +1741,7 @@ link: # -- Image to use for deploying. repository: ghcr.io/janssenproject/jans/link # -- Image tag to use for deploying. - tag: 1.0.22_dev + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. @@ -1818,7 +1848,7 @@ saml: # -- Image to use for deploying. repository: ghcr.io/janssenproject/jans/saml # -- Image tag to use for deploying. - tag: 1.0.22_dev + tag: 1.1.0-1 # -- Image Pull Secrets pullSecrets: [ ] # -- Service replica number. diff --git a/charts/haproxy/haproxy/Chart.yaml b/charts/haproxy/haproxy/Chart.yaml index e93debc555..7867e6d185 100644 --- a/charts/haproxy/haproxy/Chart.yaml +++ b/charts/haproxy/haproxy/Chart.yaml 
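Review bot: The `opendj` image tag moves from the release tag `5.0.0-1` to the floating `5.0.0_dev`, the opposite direction from every other image in this change, which are pinned to `1.1.0-1`/`5.1.0-1` release tags. A mutable `_dev` tag in a released chart means the directory server image can change underneath an installed release on the next pull and is not reproducible from the chart version. If this is deliberate for the 5.1.0 line, pin it to a release tag or digest and say why (`tag: 5.0.0-1` plus a comment); otherwise it reads as an accidental regression.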
@@ -1,12 +1,12 @@ annotations: artifacthub.io/changes: | - - Use Ingress Controller 1.11.0 version for base image + - Use Ingress Controller 1.11.2 version for base image catalog.cattle.io/certified: partner catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller catalog.cattle.io/kube-version: '>=1.22.0-0' catalog.cattle.io/release-name: haproxy apiVersion: v2 -appVersion: 1.11.0 +appVersion: 1.11.2 description: A Helm chart for HAProxy Kubernetes Ingress Controller home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png @@ -21,4 +21,4 @@ name: haproxy sources: - https://github.com/haproxytech/kubernetes-ingress type: application -version: 1.38.2 +version: 1.38.5 diff --git a/charts/haproxy/haproxy/templates/NOTES.txt b/charts/haproxy/haproxy/templates/NOTES.txt index 6927cf8902..0c37a87d1b 100644 --- a/charts/haproxy/haproxy/templates/NOTES.txt +++ b/charts/haproxy/haproxy/templates/NOTES.txt @@ -23,9 +23,11 @@ Service ports mapped are: containerPort: {{ $value }} protocol: TCP {{- end }} +{{- if semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version }} - name: quic containerPort: {{ .Values.controller.containerPort.https }} protocol: UDP +{{- end }} {{- range .Values.controller.service.tcpPorts }} - name: {{ .name }}-tcp containerPort: {{ .targetPort }} @@ -47,6 +49,7 @@ Service ports mapped are: hostIP: {{ $hostIP }} {{- end }} {{- end }} +{{- if semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version }} - name: quic containerPort: {{ .Values.controller.containerPort.https }} protocol: UDP @@ -56,6 +59,7 @@ Service ports mapped are: {{- if $hostIP }} hostIP: {{ $hostIP }} {{- end }} +{{- end }} {{- range .Values.controller.service.tcpPorts }} - name: {{ .name }}-tcp containerPort: {{ .port }} 
diff --git a/charts/haproxy/haproxy/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/templates/controller-daemonset.yaml index 1c8594c5e6..2495248996 100644 --- a/charts/haproxy/haproxy/templates/controller-daemonset.yaml +++ b/charts/haproxy/haproxy/templates/controller-daemonset.yaml @@ -101,8 +101,10 @@ spec: - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} - --http-bind-port={{ .Values.controller.containerPort.http }} - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version }} - --quic-bind-port={{ .Values.controller.containerPort.https }} - --quic-announce-port={{ .Values.controller.service.ports.https }} +{{- end }} {{- if .Values.controller.ingressClass }} - --ingress.class={{ .Values.controller.ingressClass }} {{- end }} @@ -149,6 +151,7 @@ spec: hostIP: {{ $hostIP }} {{- end }} {{- end }} + {{- if semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version }} - name: quic containerPort: {{ .Values.controller.containerPort.https }} protocol: UDP @@ -158,6 +161,7 @@ spec: {{- if $hostIP }} hostIP: {{ $hostIP }} {{- end }} + {{- end }} {{- range .Values.controller.service.tcpPorts }} - name: {{ .name }}-tcp containerPort: {{ .port }} diff --git a/charts/haproxy/haproxy/templates/controller-deployment.yaml b/charts/haproxy/haproxy/templates/controller-deployment.yaml index 990f70c147..12b7242f45 100644 --- a/charts/haproxy/haproxy/templates/controller-deployment.yaml +++ b/charts/haproxy/haproxy/templates/controller-deployment.yaml 
@@ -101,8 +101,10 @@ spec: - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} - --http-bind-port={{ .Values.controller.containerPort.http }} - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version }} - --quic-bind-port={{ .Values.controller.containerPort.https }} - --quic-announce-port={{ .Values.controller.service.ports.https }} +{{- end }} {{- if .Values.controller.ingressClass }} - --ingress.class={{ .Values.controller.ingressClass }} {{- end }} @@ -143,9 +145,11 @@ spec: containerPort: {{ $value }} protocol: TCP {{- end }} + {{- if semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version }} - name: quic containerPort: {{ .Values.controller.containerPort.https }} protocol: UDP + {{- end }} {{- range .Values.controller.service.tcpPorts }} - name: {{ .name }}-tcp containerPort: {{ .targetPort }} diff --git a/charts/haproxy/haproxy/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/templates/controller-service-metrics.yaml index 2c0f52a07d..7c97ceae81 100644 --- a/charts/haproxy/haproxy/templates/controller-service-metrics.yaml +++ b/charts/haproxy/haproxy/templates/controller-service-metrics.yaml @@ -40,11 +40,11 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: {{ .Chart.AppVersion }} -{{- if .Values.controller.service.labels }} -{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- if .Values.controller.service.metrics.labels }} +{{ toYaml .Values.controller.service.metrics.labels | indent 4 }} {{- end }} annotations: -{{- range $key, $value := .Values.controller.service.annotations }} +{{- range $key, $value := .Values.controller.service.metrics.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} spec: 
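Review bot: The metrics Service now takes labels and annotations from `controller.service.metrics.*` instead of `controller.service.*`, so users who put e.g. Prometheus scrape annotations on `controller.service.annotations` silently lose them on the metrics Service at upgrade. The `artifacthub.io/changes` entry for this chart version mentions only the base image and the new `metrics:` block in values.yaml does not say the keys moved; add a note there such as `## Note: the metrics Service no longer inherits controller.service.labels/annotations; set them here.` and a matching changes entry.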
diff --git a/charts/haproxy/haproxy/templates/controller-service.yaml b/charts/haproxy/haproxy/templates/controller-service.yaml index d6b4b71d15..efb20692ef 100644 --- a/charts/haproxy/haproxy/templates/controller-service.yaml +++ b/charts/haproxy/haproxy/templates/controller-service.yaml @@ -67,7 +67,7 @@ spec: nodePort: {{ .Values.controller.service.nodePorts.https }} {{- end }} {{- end }} - {{- if .Values.controller.service.enablePorts.quic }} + {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} - name: quic port: {{ .Values.controller.service.ports.https }} protocol: UDP diff --git a/charts/haproxy/haproxy/values.yaml b/charts/haproxy/haproxy/values.yaml index b3bdb0181a..3cd4ffd452 100644 --- a/charts/haproxy/haproxy/values.yaml +++ b/charts/haproxy/haproxy/values.yaml @@ -460,6 +460,17 @@ controller: ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ # sessionAffinity: "" + ## Controller Metrics Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + metrics: + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + ## Controller DaemonSet configuration ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ daemonset: diff --git a/charts/harbor/harbor/Chart.yaml b/charts/harbor/harbor/Chart.yaml index c2acd24b28..e077f02120 100644 --- a/charts/harbor/harbor/Chart.yaml +++ b/charts/harbor/harbor/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.20-0' catalog.cattle.io/release-name: harbor apiVersion: v1 -appVersion: 2.10.0 +appVersion: 2.10.1 description: An open source trusted cloud native registry that stores, signs, and scans content home: https://goharbor.io 
@@ -24,4 +24,4 @@ name: harbor sources: - https://github.com/goharbor/harbor - https://github.com/goharbor/harbor-helm -version: 1.14.0 +version: 1.14.1 diff --git a/charts/harbor/harbor/README.md b/charts/harbor/harbor/README.md index c69f54c035..472324a3ff 100644 --- a/charts/harbor/harbor/README.md +++ b/charts/harbor/harbor/README.md @@ -235,6 +235,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `core.priorityClassName` | The priority class to run the pod as | | | `core.artifactPullAsyncFlushDuration` | The time duration for async update artifact pull_time and repository pull_count | | | `core.gdpr.deleteUser` | Enable GDPR compliant user delete | `false` | +| `core.gdpr.auditLogsCompliant` | Enable GDPR compliant for audit logs by changing username to its CRC32 value if that user was deleted from the system | `false` | | **Jobservice** | | | | `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` | | `jobservice.image.tag` | Tag for jobservice image | `dev` | @@ -296,6 +297,7 @@ The following table lists the configurable parameters of the Harbor chart and th | `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` | | `trivy.insecure` | The flag to skip verifying registry certificate | `false` | | `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` | +| `trivy.skipJavaDBUpdate` | If the flag is enabled you have to manually download the `trivy-java.db` file [Trivy Java DB][trivy-java-db] and mount it in the `/home/scanner/.cache/trivy/java-db/trivy-java.db` path | `false` | | `trivy.offlineScan` | The flag prevents Trivy from sending API requests to identify dependencies. | `false` | | `trivy.securityCheck` | Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. | `vuln` | | `trivy.timeout` | The duration to wait for scan completion | `5m0s` | 
@@ -405,4 +407,5 @@ The following table lists the configurable parameters of the Harbor chart and th [resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ [trivy]: https://github.com/aquasecurity/trivy [trivy-db]: https://github.com/aquasecurity/trivy-db +[trivy-java-db]: https://github.com/aquasecurity/trivy-java-db [trivy-rate-limiting]: https://github.com/aquasecurity/trivy#github-rate-limiting diff --git a/charts/harbor/harbor/templates/_helpers.tpl b/charts/harbor/harbor/templates/_helpers.tpl index 8fce623dbc..b3430a1f36 100644 --- a/charts/harbor/harbor/templates/_helpers.tpl +++ b/charts/harbor/harbor/templates/_helpers.tpl @@ -98,7 +98,7 @@ app: "{{ template "harbor.name" . }}" {{- if eq .Values.database.type "internal" -}} {{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.database" .) -}} {{- if and (not (empty $existingSecret)) (hasKey $existingSecret.data "POSTGRES_PASSWORD") -}} - {{- .Values.database.internal.password | default (index $existingSecret.data "POSTGRES_PASSWORD") | b64dec -}} + {{- .Values.database.internal.password | default (index $existingSecret.data "POSTGRES_PASSWORD" | b64dec) -}} {{- else -}} {{- .Values.database.internal.password -}} {{- end -}} diff --git a/charts/harbor/harbor/templates/core/core-cm.yaml b/charts/harbor/harbor/templates/core/core-cm.yaml index 65237eb00a..93cab01b4c 100644 --- a/charts/harbor/harbor/templates/core/core-cm.yaml +++ b/charts/harbor/harbor/templates/core/core-cm.yaml @@ -75,6 +75,9 @@ data: {{- if .Values.core.gdpr.deleteUser}} GDPR_DELETE_USER: "true" {{- end }} + {{- if .Values.core.gdpr.auditLogsCompliant}} + GDPR_AUDIT_LOGS: "true" + {{- end }} {{- end }} {{- if .Values.cache.enabled }} diff --git a/charts/harbor/harbor/templates/trivy/trivy-sts.yaml b/charts/harbor/harbor/templates/trivy/trivy-sts.yaml index aba23c9e8a..7ee4e1068f 100644 --- a/charts/harbor/harbor/templates/trivy/trivy-sts.yaml 
+++ b/charts/harbor/harbor/templates/trivy/trivy-sts.yaml @@ -93,6 +93,8 @@ spec: value: {{ .Values.trivy.ignoreUnfixed | default false | quote }} - name: "SCANNER_TRIVY_SKIP_UPDATE" value: {{ .Values.trivy.skipUpdate | default false | quote }} + - name: "SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE" + value: {{ .Values.trivy.skipJavaDBUpdate | default false | quote }} - name: "SCANNER_TRIVY_OFFLINE_SCAN" value: {{ .Values.trivy.offlineScan | default false | quote }} - name: "SCANNER_TRIVY_SECURITY_CHECKS" diff --git a/charts/harbor/harbor/values.yaml b/charts/harbor/harbor/values.yaml index 4edd63fa8c..49e9d458d6 100644 --- a/charts/harbor/harbor/values.yaml +++ b/charts/harbor/harbor/values.yaml @@ -385,7 +385,7 @@ enableMigrateHelmHook: false nginx: image: repository: goharbor/nginx-photon - tag: v2.10.0 + tag: v2.10.1 # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token @@ -416,7 +416,7 @@ nginx: portal: image: repository: goharbor/harbor-portal - tag: v2.10.0 + tag: v2.10.1 # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token @@ -449,7 +449,7 @@ portal: core: image: repository: goharbor/harbor-core - tag: v2.10.0 + tag: v2.10.1 # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token @@ -524,11 +524,12 @@ core: artifactPullAsyncFlushDuration: gdpr: deleteUser: false + auditLogsCompliant: false jobservice: image: repository: goharbor/harbor-jobservice - tag: v2.10.0 + tag: v2.10.1 replicas: 1 revisionHistoryLimit: 10 # set the service account to be used, default if left empty @@ -589,7 +590,7 @@ registry: registry: image: repository: goharbor/registry-photon - tag: v2.10.0 + tag: v2.10.1 # resources: # requests: # memory: 256Mi @@ -598,7 +599,7 @@ registry: controller: image: repository: goharbor/harbor-registryctl - tag: v2.10.0 + tag: v2.10.1 # resources: # requests: 
@@ -669,7 +670,7 @@ trivy: # repository the repository for Trivy adapter image repository: goharbor/trivy-adapter-photon # tag the tag for Trivy adapter image - tag: v2.10.0 + tag: v2.10.1 # set the service account to be used, default if left empty serviceAccountName: "" # mount the service account token @@ -708,6 +709,10 @@ trivy: # If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the # `/home/scanner/.cache/trivy/db/trivy.db` path. skipUpdate: false + # skipJavaDBUpdate If the flag is enabled you have to manually download the `trivy-java.db` file and mount it in the + # `/home/scanner/.cache/trivy/java-db/trivy-java.db` path + # + skipJavaDBUpdate: false # The offlineScan option prevents Trivy from sending API requests to identify dependencies. # # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it. @@ -755,7 +760,7 @@ database: automountServiceAccountToken: false image: repository: goharbor/harbor-db - tag: v2.10.0 + tag: v2.10.1 # The initial superuser password for internal database password: "changeit" # The size limit for Shared memory, pgSQL use it for shared_buffer @@ -828,7 +833,7 @@ redis: automountServiceAccountToken: false image: repository: goharbor/redis-photon - tag: v2.10.0 + tag: v2.10.1 # resources: # requests: # memory: 256Mi @@ -892,7 +897,7 @@ exporter: automountServiceAccountToken: false image: repository: goharbor/harbor-exporter - tag: v2.10.0 + tag: v2.10.1 nodeSelector: {} tolerations: [] affinity: {} diff --git a/charts/jenkins/jenkins/CHANGELOG.md b/charts/jenkins/jenkins/CHANGELOG.md index 81f9159293..aae9635280 100644 --- a/charts/jenkins/jenkins/CHANGELOG.md +++ b/charts/jenkins/jenkins/CHANGELOG.md 
@@ -12,6 +12,22 @@ Use the following links to reference issues, PRs, and commits prior to v2.6.0. The changelog until v1.5.7 was auto-generated based on git commits. Those entries include a reference to the git commit to be able to get more details. +## 5.1.4 + +Update `docker.io/bats/bats` to version `1.11.0` + +## 5.1.3 + +Update `jenkins/jenkins` to version `2.440.2-jdk17` + +## 5.1.2 + +Update `kubernetes` to version `4203.v1dd44f5b_1cf9` + +## 5.1.1 + +Update `kubernetes` to version `4199.va_1647c280eb_2` + ## 5.1.0 Add `agent.restrictedPssSecurityContext` to automatically inject in the jnlp container a securityContext that is suitable for the use of the restricted Pod Security Standard diff --git a/charts/jenkins/jenkins/Chart.yaml b/charts/jenkins/jenkins/Chart.yaml index 1502d6c9ab..e27a284cc8 100644 --- a/charts/jenkins/jenkins/Chart.yaml +++ b/charts/jenkins/jenkins/Chart.yaml @@ -1,10 +1,10 @@ annotations: artifacthub.io/category: integration-delivery artifacthub.io/changes: | - - Add `agent.restrictedPssSecurityContext` to automatically inject in the jnlp container a securityContext that is suitable for the use of the restricted Pod Security Standard + - Update `docker.io/bats/bats` to version `1.11.0` artifacthub.io/images: | - name: jenkins - image: docker.io/jenkins/jenkins:2.440.1-jdk17 + image: docker.io/jenkins/jenkins:2.440.2-jdk17 - name: k8s-sidecar image: docker.io/kiwigrid/k8s-sidecar:1.26.1 - name: inbound-agent @@ -22,7 +22,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.14-0' catalog.cattle.io/release-name: jenkins apiVersion: v2 -appVersion: 2.440.1 +appVersion: 2.440.2 description: 'Jenkins - Build great things at any scale! As the leading open source automation server, Jenkins provides over 1800 plugins to support building, deploying and automating any project. ' 
@@ -50,4 +50,4 @@ sources: - https://github.com/maorfr/kube-tasks - https://github.com/jenkinsci/configuration-as-code-plugin type: application -version: 5.1.0 +version: 5.1.4 diff --git a/charts/jenkins/jenkins/VALUES.md b/charts/jenkins/jenkins/VALUES.md index a3282295fa..a9a4f47381 100644 --- a/charts/jenkins/jenkins/VALUES.md +++ b/charts/jenkins/jenkins/VALUES.md @@ -155,7 +155,7 @@ The following tables list the configurable parameters of the Jenkins chart and t | [controller.initializeOnce](./values.yaml#L414) | bool | Initialize only on first installation. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true` | `false` | | [controller.installLatestPlugins](./values.yaml#L403) | bool | Download the minimum required version or latest version of all dependencies | `true` | | [controller.installLatestSpecifiedPlugins](./values.yaml#L406) | bool | Set to true to download the latest version of any plugin that is requested to have the latest version | `false` | -| [controller.installPlugins](./values.yaml#L395) | list | List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` | `["kubernetes:4193.vded98e56cc25","workflow-aggregator:596.v8c21c963d92d","git:5.2.1","configuration-as-code:1775.v810dc950b_514"]` | +| [controller.installPlugins](./values.yaml#L395) | list | List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` | `["kubernetes:4203.v1dd44f5b_1cf9","workflow-aggregator:596.v8c21c963d92d","git:5.2.1","configuration-as-code:1775.v810dc950b_514"]` | | [controller.javaOpts](./values.yaml#L156) | string | Append to `JAVA_OPTS` env var | `nil` | | [controller.jenkinsAdminEmail](./values.yaml#L96) | string | Email address for the administrator of the Jenkins instance | `nil` | | [controller.jenkinsHome](./values.yaml#L101) | string | Custom Jenkins home path | `"/var/jenkins_home"` | 
@@ -266,7 +266,7 @@ The following tables list the configurable parameters of the Jenkins chart and t | [fullnameOverride](./values.yaml#L13) | string | Override the full resource names | `jenkins-(release-name)` or `jenkins` if the release-name is `jenkins` | | [helmtest.bats.image.registry](./values.yaml#L1302) | string | Registry of the image used to test the framework | `"docker.io"` | | [helmtest.bats.image.repository](./values.yaml#L1304) | string | Repository of the image used to test the framework | `"bats/bats"` | -| [helmtest.bats.image.tag](./values.yaml#L1306) | string | Tag of the image to test the framework | `"v1.10.0"` | +| [helmtest.bats.image.tag](./values.yaml#L1306) | string | Tag of the image to test the framework | `"1.11.0"` | | [kubernetesURL](./values.yaml#L24) | string | The URL of the Kubernetes API server | `"https://kubernetes.default"` | | [nameOverride](./values.yaml#L10) | string | Override the resource name prefix | `Chart.Name` | | [namespaceOverride](./values.yaml#L16) | string | Override the deployment namespace | `Release.Namespace` | diff --git a/charts/jenkins/jenkins/values.yaml b/charts/jenkins/jenkins/values.yaml index 424028ae89..3f096e6f7e 100644 --- a/charts/jenkins/jenkins/values.yaml +++ b/charts/jenkins/jenkins/values.yaml @@ -393,7 +393,7 @@ controller: # Plugins will be installed during Jenkins controller start # -- List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` installPlugins: - - kubernetes:4193.vded98e56cc25 + - kubernetes:4203.v1dd44f5b_1cf9 - workflow-aggregator:596.v8c21c963d92d - git:5.2.1 - configuration-as-code:1775.v810dc950b_514 @@ -1303,4 +1303,4 @@ helmtest: # -- Repository of the image used to test the framework repository: "bats/bats" # -- Tag of the image to test the framework - tag: "v1.10.0" + tag: "1.11.0" diff --git a/charts/kasten/k10/Chart.lock b/charts/kasten/k10/Chart.lock index ba278885db..f099112688 100644 --- a/charts/kasten/k10/Chart.lock 
+++ b/charts/kasten/k10/Chart.lock @@ -6,4 +6,4 @@ dependencies: repository: "" version: 25.12.0 digest: sha256:f3e6926f6a711f61ab0e6598105cbee8806113bb02992529f05c3645fe99161c -generated: "2024-02-23T17:36:20.968673984Z" +generated: "2024-03-25T18:11:54.998934672Z" diff --git a/charts/kasten/k10/Chart.yaml b/charts/kasten/k10/Chart.yaml index ce732ff6c0..d332e28a76 100644 --- a/charts/kasten/k10/Chart.yaml +++ b/charts/kasten/k10/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.17.0-0' catalog.cattle.io/release-name: k10 apiVersion: v2 -appVersion: 6.5.5 +appVersion: 6.5.9 dependencies: - condition: grafana.enabled name: grafana @@ -21,4 +21,4 @@ maintainers: - email: contact@kasten.io name: kastenIO name: k10 -version: 6.5.501 +version: 6.5.901 diff --git a/charts/kasten/k10/templates/NOTES.txt b/charts/kasten/k10/templates/NOTES.txt index 4f8db38bd8..7d8d2522b0 100644 --- a/charts/kasten/k10/templates/NOTES.txt +++ b/charts/kasten/k10/templates/NOTES.txt @@ -57,12 +57,6 @@ for more information. {{ end }} -{{- if .Values.auth.dex.enabled }} --------------------- -Deprecation warning: The `auth.dex` block of values will be deprecated in favor of `auth.openshift` and `auth.ldap` in version 6.5. --------------------- -{{- end }} - {{- if .Values.restore }} {{- if or (empty .Values.restore.copyImagePullSecrets) (.Values.restore.copyImagePullSecrets) }} -------------------- diff --git a/charts/kasten/k10/templates/_definitions.tpl b/charts/kasten/k10/templates/_definitions.tpl index 24261beb1a..1236a138d0 100644 --- a/charts/kasten/k10/templates/_definitions.tpl +++ b/charts/kasten/k10/templates/_definitions.tpl @@ -29,9 +29,9 @@ vbrintegrationapi: {{- end -}} {{- define "k10.colocatedServiceLookup" -}} crypto: +- repositories - bloblifecyclemanager - garbagecollector -- repositories dashboardbff: - vbrintegrationapi state: 
@@ -212,7 +212,7 @@ state-svc: {{- define "k10.aggAuditPolicyFile" -}}agg-audit-policy.yaml{{- end -}} {{- define "k10.siemAuditLogFilePath" -}}-{{- end -}} {{- define "k10.siemAuditLogFileSize" -}}100{{- end -}} -{{- define "k10.kanisterToolsImageTag" -}}0.105.0{{- end -}} +{{- define "k10.kanisterToolsImageTag" -}}0.106.0{{- end -}} {{- define "k10.disabledServicesEnvVar" -}}K10_DISABLED_SERVICES{{- end -}} {{- define "k10.openShiftClientSecretEnvVar" -}}K10_OPENSHIFT_CLIENT_SECRET{{- end -}} {{- define "k10.defaultK10DefaultPriorityClassName" -}}{{- end -}} diff --git a/charts/kasten/k10/templates/_helpers.tpl b/charts/kasten/k10/templates/_helpers.tpl index 8f18ae2b52..4cbd4b755e 100644 --- a/charts/kasten/k10/templates/_helpers.tpl +++ b/charts/kasten/k10/templates/_helpers.tpl @@ -193,6 +193,13 @@ kubernetes.io/ingress.class: {{ .Values.ingress.class | quote }} {{- end -}} {{- end -}} +{{/* Return ingress class name in spec */}} +{{- define "specIngressClassName" -}} +{{- if and .Values.ingress.class (semverCompare ">= 1.27-0" .Capabilities.KubeVersion.Version) -}} +ingressClassName: {{ .Values.ingress.class }} +{{- end -}} +{{- end -}} + {{/* Helm required labels */}} {{- define "helm.labels" -}} heritage: {{ .Release.Service }} @@ -1141,3 +1148,9 @@ running in the same cluster. {{- end -}} {{- end -}} {{- end -}} + +{{/* Returns a generated name for the OpenShift Service Account secret */}} +{{- define "get.openshiftServiceAccountSecretName" -}} + {{- $serviceAccount := required "auth.openshift.serviceAccount field is required" .Values.auth.openshift.serviceAccount -}} + {{ printf "%s-k10-secret" $serviceAccount | quote }} +{{- end -}} diff --git a/charts/kasten/k10/templates/_k10_container.tpl b/charts/kasten/k10/templates/_k10_container.tpl index 48c2690da7..3042d9b59c 100644 --- a/charts/kasten/k10/templates/_k10_container.tpl +++ b/charts/kasten/k10/templates/_k10_container.tpl 
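Review bot: The `semverCompare ">= 1.27-0"` gate in the new `specIngressClassName` helper carries no comment explaining why 1.27 is the cut-off; `spec.ingressClassName` has been part of `networking.k8s.io/v1` since Kubernetes 1.19, so a reader will likely take the threshold for a mistake. If it was chosen for a product-specific reason, record it in the helper's header, e.g. `{{/* Return ingress class name in spec; only emitted on >= 1.27 because <reason> */}}`. It is also worth confirming that an Ingress never ends up with both this field and the deprecated `kubernetes.io/ingress.class` annotation (the annotation path is visible in the hunk's leading context), since some ingress controllers treat the pair as conflicting.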
@@ -65,6 +65,11 @@ stating that types are not same for the equality check - containerPort: 24225 protocol: TCP {{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + capabilities: + drop: ["ALL"] livenessProbe: {{- if eq $service "aggregatedapis" }} tcpSocket: @@ -671,6 +676,25 @@ stating that types are not same for the equality check value: {{ .Values.global.persistence.diskSpaceAlertPercent | quote }} {{- end -}} {{- end -}} +{{- if eq $service "controllermanager" }} + {{- if .Values.multicluster.primary.create }} + {{- if not .Values.multicluster.enabled }} + {{- fail "Cannot setup cluster as primary without enabling feature with multicluster.enabled=true" -}} + {{- end }} + {{- if not .Values.multicluster.primary.name }} + {{- fail "Cannot setup cluster as primary without setting cluster name with multicluster.primary.name" -}} + {{- end }} + {{- if not .Values.multicluster.primary.ingressURL }} + {{- fail "Cannot setup cluster as primary without providing an ingress with multicluster.primary.ingressURL" -}} + {{- end }} + - name: K10_MC_CREATE_PRIMARY + value: "true" + - name: K10_MC_PRIMARY_NAME + value: {{ .Values.multicluster.primary.name | quote }} + - name: K10_MC_PRIMARY_INGRESS_URL + value: {{ .Values.multicluster.primary.ingressURL | quote }} + {{- end }} +{{- end -}} {{- if or $.stateful (or (eq (include "check.googlecreds" .) "true") (eq $service "auth" "logging")) }} volumeMounts: {{- else if or (or (eq (include "basicauth.check" .) "true") (or .Values.auth.oidcAuth.enabled (eq (include "check.dexAuth" .) "true"))) .Values.features }} 
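Review bot: The new container `securityContext` sets `readOnlyRootFilesystem: false` explicitly for every service rendered by this template, without saying which service actually writes to its root filesystem. If only some containers need it, set `readOnlyRootFilesystem: true` here and give those containers an `emptyDir` mount for the paths they write; if all of them need it, a one-line comment naming the reason will stop the next reviewer from flipping it. The block also carries no `runAsNonRoot` or `seccompProfile`; the commit adds those only as pod-level values in values.yaml, so this container block depends on the pod spec applying them, which is worth confirming in the template that renders the pod. The enclosing container definition starts and ends outside the hunk.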
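Review bot: The three `fail` guards added for `multicluster.primary` only test that `name` and `ingressURL` are non-empty, and `ingressURL` is then passed straight through to `K10_MC_PRIMARY_INGRESS_URL`. The schema added in this commit documents the expected form as `https://cluster-name.domain/k10`, so if an HTTPS endpoint is a requirement for the primary, a guard such as `{{- if not (hasPrefix "https://" .Values.multicluster.primary.ingressURL) }}` followed by a matching `fail` would reject a schemeless or plaintext URL at install time rather than at first use. The enclosing container definition starts and ends outside the hunk.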
@@ -762,7 +786,7 @@ stating that types are not same for the equality check readOnly: true {{- end }} {{- end }} {{/* and (eq $service "catalog") $.stateful */}} -{{- if and ( eq $service "auth" ) ( or .Values.auth.dex.enabled (eq (include "check.dexAuth" .) "true")) }} +{{- if and ( eq $service "auth" ) ( eq (include "check.dexAuth" .) "true" ) }} - name: dex image: {{ include "get.dexImage" . }} {{- if .Values.auth.ldap.enabled }} @@ -775,7 +799,12 @@ stating that types are not same for the equality check command: ["/usr/local/bin/docker-entrypoint", "dex", "serve", "/etc/dex/cfg/config.yaml"] env: - name: {{ include "k10.openShiftClientSecretEnvVar" . }} -{{- if .Values.auth.openshift.clientSecretName }} +{{- if and (not .Values.auth.openshift.clientSecretName) (not .Values.auth.openshift.clientSecret) }} + valueFrom: + secretKeyRef: + name: {{ include "get.openshiftServiceAccountSecretName" . }} + key: token +{{- else if .Values.auth.openshift.clientSecretName }} valueFrom: secretKeyRef: name: {{ .Values.auth.openshift.clientSecretName }} @@ -783,8 +812,6 @@ stating that types are not same for the equality check {{- else }} value: {{ .Values.auth.openshift.clientSecret }} {{- end }} -{{- else }} - command: ["/usr/local/bin/dex", "serve", "/etc/dex/cfg/config.yaml"] {{- end }} ports: - name: http diff --git a/charts/kasten/k10/templates/_k10_image_tag.tpl b/charts/kasten/k10/templates/_k10_image_tag.tpl index ffb9d596fc..56d3c4e42f 100644 --- a/charts/kasten/k10/templates/_k10_image_tag.tpl +++ b/charts/kasten/k10/templates/_k10_image_tag.tpl @@ -1 +1 @@ -{{- define "k10.imageTag" -}}6.5.5{{- end -}} \ No newline at end of file +{{- define "k10.imageTag" -}}6.5.9{{- end -}} \ No newline at end of file diff --git a/charts/kasten/k10/templates/_k10_template.tpl b/charts/kasten/k10/templates/_k10_template.tpl index 5d22e97172..a9f3769667 100644 --- a/charts/kasten/k10/templates/_k10_template.tpl +++ b/charts/kasten/k10/templates/_k10_template.tpl 
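Review bot: In the new first branch of the `K10_OPENSHIFT_CLIENT_SECRET` env block (second hunk), the token is read from the Secret named by `get.openshiftServiceAccountSecretName`, but the condition that creates that Secret in secrets.yaml in this same commit additionally requires `.Values.auth.openshift.enabled`, whereas this branch is reached whenever the dex container renders (`check.dexAuth` true) and neither `clientSecretName` nor `clientSecret` is set. If `check.dexAuth` can be true with OpenShift auth disabled — the `{{- if .Values.auth.ldap.enabled }}` context line suggests an LDAP-only path exists — the container would reference a Secret that is never created and the pod would sit in CreateContainerConfigError. Aligning the two conditions, e.g. `{{- if and .Values.auth.openshift.enabled (not .Values.auth.openshift.clientSecretName) (not .Values.auth.openshift.clientSecret) }}`, keeps the template and the Secret in step; `check.dexAuth` is defined outside the hunk, so this is inferred from the visible conditions.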
@@ -107,7 +107,7 @@ spec: {{- $needsVolumesHeader = true }} {{- else if eq (include "check.cacertconfigmap" $main_context) "true" }} {{- $needsVolumesHeader = true }} - {{- else if and ( eq $service "auth" ) ( or $main_context.Values.auth.dex.enabled (eq (include "check.dexAuth" $main_context) "true")) }} + {{- else if and ( eq $service "auth" ) ( eq (include "check.dexAuth" $main_context) "true" ) }} {{- $needsVolumesHeader = true }} {{- else if eq $service "frontend" }} {{- $needsVolumesHeader = true }} @@ -201,7 +201,7 @@ spec: secret: secretName: controllermanager-certs {{- end }} -{{- if and ( has "auth" $containersInThisPod) (or .Values.auth.dex.enabled (eq (include "check.dexAuth" .) "true")) }} +{{- if and ( has "auth" $containersInThisPod) ( eq (include "check.dexAuth" .) "true" ) }} - name: config configMap: name: k10-dex diff --git a/charts/kasten/k10/templates/ingress.yaml b/charts/kasten/k10/templates/ingress.yaml index 9cc2e7d776..e80f8817e1 100644 --- a/charts/kasten/k10/templates/ingress.yaml +++ b/charts/kasten/k10/templates/ingress.yaml @@ -19,6 +19,7 @@ metadata: {{ toYaml .Values.ingress.annotations | indent 4 }} {{- end }} spec: +{{ include "specIngressClassName" . | indent 2 }} {{- if .Values.ingress.tls.enabled }} tls: - hosts: diff --git a/charts/kasten/k10/templates/k10-config.yaml b/charts/kasten/k10/templates/k10-config.yaml index a6688d67d3..0dc1d8dcc5 100644 --- a/charts/kasten/k10/templates/k10-config.yaml +++ b/charts/kasten/k10/templates/k10-config.yaml 
@@ -104,49 +104,6 @@ metadata: data: {{ include "k10.features" . | indent 2}} {{ end }} -{{ if .Values.auth.dex.enabled }} ---- -kind: ConfigMap -apiVersion: v1 -metadata: - labels: -{{ include "helm.labels" . | indent 4 }} - name: k10-dex - namespace: {{ .Release.Namespace }} -data: - config.yaml: | - issuer: {{ .Values.auth.oidcAuth.providerURL }} - storage: - type: memory - web: - http: 0.0.0.0:8080 - logger: - level: info - format: text - connectors: - - type: oidc - id: google - name: Google - config: - issuer: {{ .Values.auth.dex.providerURL }} - clientID: {{ .Values.auth.oidcAuth.clientID }} - clientSecret: {{ .Values.auth.oidcAuth.clientSecret }} - redirectURI: {{ .Values.auth.dex.redirectURL }} - scopes: - - openid - - profile - - email - oauth2: - skipApprovalScreen: true - staticClients: - - name: 'K10' - id: {{ .Values.auth.oidcAuth.clientID }} - secret: {{ .Values.auth.oidcAuth.clientSecret }} - redirectURIs: - - {{ printf "%s/k10/auth-svc/v0/oidc/redirect" .Values.auth.oidcAuth.redirectURL }} - enablePasswordDB: true - staticPasswords: -{{ end }} {{ if .Values.auth.openshift.enabled }} --- kind: ConfigMap diff --git a/charts/kasten/k10/templates/k10-scc.yaml b/charts/kasten/k10/templates/k10-scc.yaml index cc58aa0077..221f8e965c 100644 --- a/charts/kasten/k10/templates/k10-scc.yaml +++ b/charts/kasten/k10/templates/k10-scc.yaml @@ -16,22 +16,24 @@ allowedCapabilities: - CHOWN - FOWNER - DAC_OVERRIDE -defaultAddCapabilities: null +defaultAddCapabilities: + - CHOWN + - FOWNER + - DAC_OVERRIDE fsGroup: type: RunAsAny -priority: 0 +priority: 15 readOnlyRootFilesystem: false requiredDropCapabilities: - - KILL - - MKNOD - - SETUID - - SETGID + - ALL runAsUser: type: RunAsAny seLinuxContext: type: RunAsAny supplementalGroups: type: RunAsAny +seccompProfiles: + - runtime/default users: - system:serviceaccount:{{.Release.Namespace}}:{{ template "serviceAccountName" . }} volumes: 
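Review bot: `defaultAddCapabilities` now lists CHOWN, FOWNER and DAC_OVERRIDE, which SCC admission adds to every container admitted under this SCC, including the containers that this commit gives `capabilities: drop: ["ALL"]` in `_k10_container.tpl` (as far as I can tell the literal `ALL` in a container's drop list does not suppress individually named default adds); because `add` is applied after `drop`, the effective set for those containers becomes exactly these three, with DAC_OVERRIDE bypassing file permission checks. The same three are already in `allowedCapabilities`, so keeping `defaultAddCapabilities: null` and having only the containers that need them request them explicitly preserves the intent of `requiredDropCapabilities: - ALL`. `priority: 15` also ranks this SCC ahead of the cluster defaults for the listed service account, so every pod under that account receives this grant rather than a more restrictive one; if that is intended, a comment saying so would help later audits.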
diff --git a/charts/kasten/k10/templates/networkpolicy.yaml b/charts/kasten/k10/templates/networkpolicy.yaml index 1467c54b8d..6ad570b1d9 100644 --- a/charts/kasten/k10/templates/networkpolicy.yaml +++ b/charts/kasten/k10/templates/networkpolicy.yaml @@ -203,7 +203,7 @@ spec: - protocol: TCP port: {{ $mutating_webhook_port }} {{- end -}} -{{- if or .Values.auth.dex.enabled (eq (include "check.dexAuth" .) "true") }} +{{- if eq (include "check.dexAuth" .) "true" }} --- kind: NetworkPolicy apiVersion: networking.k8s.io/v1 diff --git a/charts/kasten/k10/templates/secrets.yaml b/charts/kasten/k10/templates/secrets.yaml index ba095c4c39..97a05def84 100644 --- a/charts/kasten/k10/templates/secrets.yaml +++ b/charts/kasten/k10/templates/secrets.yaml @@ -146,7 +146,17 @@ stringData: logout-url: {{ default "" .Values.auth.oidcAuth.logoutURL | b64enc | quote }} type: Opaque {{- end }} -{{- if and .Values.auth.openshift.enabled }} +{{- if and (.Values.auth.openshift.enabled) (and (not .Values.auth.openshift.clientSecretName) (not .Values.auth.openshift.clientSecret)) }} +--- +apiVersion: v1 +kind: Secret +type: kubernetes.io/service-account-token +metadata: + name: {{ include "get.openshiftServiceAccountSecretName" . }} + annotations: + kubernetes.io/service-account.name: {{ .Values.auth.openshift.serviceAccount | quote }} +{{- end }} +{{- if and (.Values.auth.openshift.enabled) (not .Values.auth.openshift.secretName) }} --- apiVersion: v1 kind: Secret diff --git a/charts/kasten/k10/templates/v0services.yaml b/charts/kasten/k10/templates/v0services.yaml index 5135e58f22..be5a13c7cd 100644 --- a/charts/kasten/k10/templates/v0services.yaml +++ b/charts/kasten/k10/templates/v0services.yaml @@ -160,7 +160,7 @@ spec: run: {{ . }}-svc --- {{ end -}} -{{- if or .Values.auth.dex.enabled (eq (include "check.dexAuth" .) "true") }} +{{- if eq (include "check.dexAuth" .) "true" }} apiVersion: v1 kind: Service metadata: 
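Review bot: The new `kubernetes.io/service-account-token` Secret in secrets.yaml is a manually created, non-expiring token for `auth.openshift.serviceAccount`, the kind Kubernetes has steered away from in favour of short-lived projected tokens since 1.24, and it now persists in etcd and in the dex container's environment for the life of the release. Because this is the default path whenever neither `clientSecretName` nor `clientSecret` is set, the values.yaml comment on `auth.openshift.serviceAccount` should state that behaviour and the alternative, e.g. `# if clientSecretName and clientSecret are both empty, the chart creates a long-lived service-account token Secret named <serviceAccount>-k10-secret; set clientSecretName to supply your own`. Documenting the `-k10-secret` name also helps anyone auditing Secrets in the namespace to recognise it.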
diff --git a/charts/kasten/k10/values.schema.json b/charts/kasten/k10/values.schema.json index da54ca1ced..0e20cdfbbd 100644 --- a/charts/kasten/k10/values.schema.json +++ b/charts/kasten/k10/values.schema.json @@ -707,6 +707,31 @@ "default": true, "title": "Enable the multi-cluster system", "description": "Choose whether to enable the multi-cluster system components and capabilities" + }, + "primary": { + "type": "object", + "title": "Multi-cluster primary configuration", + "description": "Configure multi-cluster primary", + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "Setup cluster as a multi-cluster primary", + "description": "Choose whether to setup cluster as a multi-cluster primary" + }, + "name": { + "type": "string", + "default": "", + "title": "Primary cluster name", + "description": "Choose the cluster name for multi-cluster primary" + }, + "ingressURL": { + "type": "string", + "default": "", + "title": "Primary cluster dashboard URL", + "description": "Choose the dashboard URL for the multi-cluster primary; e.g. https://cluster-name.domain/k10" + } + } } } }, @@ -1324,31 +1349,6 @@ } } }, - "dex": { - "type": "object", - "title": "Dex based authentication", - "description": "Configure Dex based authentication to access K10 dashboard", - "properties": { - "enabled": { - "type": "boolean", - "default": false, - "title": "Enable Dex based authentication", - "description": "Enable Dex based authentication to access K10 dashboard" - }, - "providerURL": { - "type": "string", - "default": "", - "title": "Dex provider URL", - "description": "Set Dex provider URL" - }, - "redirectURL": { - "type": "string", - "default": "", - "title": "K10 gateway service URL", - "description": "URL to the K10 gateway service" - } - } - }, "openshift": { "type": "object", "title": "OpenShift OAuth server based authentication", 
@@ -2049,6 +2049,25 @@ "default": 1000, "title": "FSGroup ID", "description": "FSGroup that owns K10 service container volumes" + }, + "runAsNonRoot": { + "type": "boolean", + "default": true, + "title": "RunAsNonRoot", + "description": "Indicates that K10 service containers should run as non-root user." + }, + "seccompProfile": { + "type": "object", + "title": "Seccomp Profile object", + "description": "Sets the Seccomp profile for K10 service containers", + "properties": { + "type": { + "type": "string", + "default": "RuntimeDefault", + "title": "Seccomp profile type", + "description": "Sets the Seccomp profile type for K10 service containers" + } + } } } }, diff --git a/charts/kasten/k10/values.yaml b/charts/kasten/k10/values.yaml index 2c327e3e7c..5e47ccf043 100644 --- a/charts/kasten/k10/values.yaml +++ b/charts/kasten/k10/values.yaml @@ -152,6 +152,10 @@ cluster: multicluster: enabled: true + primary: + create: false + name: "" + ingressURL: "" prometheus: rbac: @@ -266,10 +270,6 @@ auth: secretName: "" sessionDuration: "1h" #Maximum OIDC session duration. Default value is 1 hour refreshTokenSupport: false #Enable Refresh Token support. Disabled by default - dex: - enabled: false - providerURL: "" - redirectURL: "" openshift: enabled: false serviceAccount: "" #service account used as the OAuth client @@ -390,8 +390,11 @@ services: dashboardbff: hostNetwork: false securityContext: - runAsUser: 1000 + runAsUser: 1000 # Will override any USER instruction that a container image set for running the entrypoint and command. fsGroup: 1000 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault aggregatedapis: hostNetwork: false diff --git a/charts/linkerd/linkerd-control-plane/Chart.yaml b/charts/linkerd/linkerd-control-plane/Chart.yaml index 854c8730a0..c50601fc6c 100644 --- a/charts/linkerd/linkerd-control-plane/Chart.yaml +++ b/charts/linkerd/linkerd-control-plane/Chart.yaml 
@@ -6,7 +6,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.22.0-0' catalog.cattle.io/release-name: linkerd-control-plane apiVersion: v2 -appVersion: edge-24.3.3 +appVersion: edge-24.3.4 dependencies: - name: partials repository: file://./charts/partials @@ -26,4 +26,4 @@ name: linkerd-control-plane sources: - https://github.com/linkerd/linkerd2/ type: application -version: 2024.3.3 +version: 2024.3.4 diff --git a/charts/linkerd/linkerd-control-plane/README.md b/charts/linkerd/linkerd-control-plane/README.md index 64bebbbe0c..80069744b8 100644 --- a/charts/linkerd/linkerd-control-plane/README.md +++ b/charts/linkerd/linkerd-control-plane/README.md @@ -3,7 +3,7 @@ Linkerd gives you observability, reliability, and security for your microservices — with no code change required. -![Version: 2024.3.3](https://img.shields.io/badge/Version-2024.3.3-informational?style=flat-square) +![Version: 2024.3.4](https://img.shields.io/badge/Version-2024.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square) 
@@ -141,7 +141,7 @@ Kubernetes: `>=1.22.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| | clusterDomain | string | `"cluster.local"` | Kubernetes DNS Domain name to use | -| clusterNetworks | string | `"10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"` | The cluster networks for which service discovery is performed. This should include the pod and service networks, but need not include the node network. By default, all private networks are specified so that resolution works in typical Kubernetes environments. | +| clusterNetworks | string | `"10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"` | The cluster networks for which service discovery is performed. This should include the pod and service networks, but need not include the node network. By default, all IPv4 private networks and all accepted IPv6 ULAs are specified so that resolution works in typical Kubernetes environments. | | cniEnabled | bool | `false` | enabling this omits the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed | | commonLabels | object | `{}` | Labels to apply to all resources | | controlPlaneTracing | bool | `false` | enables control plane tracing | 
@@ -203,7 +203,7 @@ Kubernetes: `>=1.22.0-0` | policyController.image.pullPolicy | string | imagePullPolicy | Pull policy for the policy controller container image | | policyController.image.version | string | linkerdVersion | Tag for the policy controller container image | | policyController.logLevel | string | `"info"` | Log level for the policy controller | -| policyController.probeNetworks | list | `["0.0.0.0/0"]` | The networks from which probes are performed. By default, all networks are allowed so that all probes are authorized. | +| policyController.probeNetworks | list | `["0.0.0.0/0","::/0"]` | The networks from which probes are performed. By default, all networks are allowed so that all probes are authorized. | | policyController.resources | object | destinationResources | policy controller resource requests & limits | | policyController.resources.cpu.limit | string | `""` | Maximum amount of CPU units that the policy controller can use | | policyController.resources.cpu.request | string | `""` | Amount of CPU units that the policy controller requests | diff --git a/charts/linkerd/linkerd-control-plane/templates/destination.yaml b/charts/linkerd/linkerd-control-plane/templates/destination.yaml index c0d2418cda..f0840e5848 100644 --- a/charts/linkerd/linkerd-control-plane/templates/destination.yaml +++ b/charts/linkerd/linkerd-control-plane/templates/destination.yaml @@ -302,10 +302,10 @@ spec: name: sp-tls readOnly: true - args: - - --admin-addr=0.0.0.0:9990 + - --admin-addr=[::]:9990 - --control-plane-namespace={{.Release.Namespace}} - - --grpc-addr=0.0.0.0:8090 - - --server-addr=0.0.0.0:9443 + - --grpc-addr=[::]:8090 + - --server-addr=[::]:9443 - --server-tls-key=/var/run/linkerd/tls/tls.key - --server-tls-certs=/var/run/linkerd/tls/tls.crt - --cluster-networks={{.Values.clusterNetworks}} diff --git a/charts/linkerd/linkerd-control-plane/values.yaml b/charts/linkerd/linkerd-control-plane/values.yaml index fb129e6111..ca522a31c4 100644 
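Review bot: The policy container's `--admin-addr`, `--grpc-addr` and `--server-addr` now bind `[::]` instead of `0.0.0.0`. Whether such a listener also accepts IPv4 connections depends on the socket being opened dual-stack, and on nodes where IPv6 is disabled in the kernel the bind fails outright, so the change is not behaviour-neutral for IPv4-only clusters. I cannot tell from the chart how the controller opens its sockets, so this is worth confirming against the controller; a values-level toggle for the bind address, or at least a comment stating that the controller listens dual-stack, would make the assumption visible to operators.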
--- a/charts/linkerd/linkerd-control-plane/values.yaml +++ b/charts/linkerd/linkerd-control-plane/values.yaml @@ -8,9 +8,9 @@ clusterDomain: cluster.local # -- The cluster networks for which service discovery is performed. This should # include the pod and service networks, but need not include the node network. # -# By default, all private networks are specified so that resolution works in -# typical Kubernetes environments. -clusterNetworks: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16" +# By default, all IPv4 private networks and all accepted IPv6 ULAs are +# specified so that resolution works in typical Kubernetes environments. +clusterNetworks: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8" # -- Docker image pull policy imagePullPolicy: IfNotPresent # -- Log level for the control plane components @@ -22,7 +22,7 @@ controlPlaneTracing: false # -- namespace to send control plane traces to controlPlaneTracingNamespace: linkerd-jaeger # -- control plane version. See Proxy section for proxy version -linkerdVersion: edge-24.3.3 +linkerdVersion: edge-24.3.4 # -- default kubernetes deployment strategy deploymentStrategy: rollingUpdate: @@ -92,6 +92,7 @@ policyController: # By default, all networks are allowed so that all probes are authorized. probeNetworks: - 0.0.0.0/0 + - "::/0" # -- policy controller resource requests & limits # @default -- destinationResources diff --git a/charts/linkerd/linkerd-crds/Chart.yaml b/charts/linkerd/linkerd-crds/Chart.yaml index fe7af45db2..a4d2f4245e 100644 --- a/charts/linkerd/linkerd-crds/Chart.yaml +++ b/charts/linkerd/linkerd-crds/Chart.yaml @@ -23,4 +23,4 @@ name: linkerd-crds sources: - https://github.com/linkerd/linkerd2/ type: application -version: 2024.3.3 +version: 2024.3.4 diff --git a/charts/linkerd/linkerd-crds/README.md b/charts/linkerd/linkerd-crds/README.md index a21c459dda..1bfa538454 100644 --- a/charts/linkerd/linkerd-crds/README.md +++ b/charts/linkerd/linkerd-crds/README.md 
@@ -3,7 +3,7 @@ Linkerd gives you observability, reliability, and security for your microservices — with no code change required. -![Version: 2024.3.3](https://img.shields.io/badge/Version-2024.3.3-informational?style=flat-square) +![Version: 2024.3.4](https://img.shields.io/badge/Version-2024.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) **Homepage:** diff --git a/charts/loft/loft/Chart.yaml b/charts/loft/loft/Chart.yaml index ad48b787ea..6305c128a0 100644 --- a/charts/loft/loft/Chart.yaml +++ b/charts/loft/loft/Chart.yaml @@ -28,4 +28,4 @@ name: loft sources: - https://github.com/loft-sh/loft type: application -version: 3.4.1 +version: 3.4.2 diff --git a/charts/minio/minio-operator/Chart.yaml b/charts/minio/minio-operator/Chart.yaml index 1b3e2c2aab..60aef022ad 100644 --- a/charts/minio/minio-operator/Chart.yaml +++ b/charts/minio/minio-operator/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.19-0' catalog.cattle.io/release-name: minio-operator apiVersion: v2 -appVersion: v5.0.13 +appVersion: v5.0.14 description: A Helm chart for MinIO Operator home: https://min.io icon: https://min.io/resources/img/logo/MINIO_wordmark.png @@ -19,4 +19,4 @@ name: minio-operator sources: - https://github.com/minio/operator type: application -version: 5.0.13 +version: 5.0.14 diff --git a/charts/minio/minio-operator/Chart.yaml-e b/charts/minio/minio-operator/Chart.yaml-e deleted file mode 100644 index be0963e356..0000000000 --- a/charts/minio/minio-operator/Chart.yaml-e +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v2 -description: A Helm chart for MinIO Operator -name: operator -version: 5.0.13 -appVersion: v5.0.13 -keywords: - - storage - - object-storage - - S3 -home: https://min.io -icon: https://min.io/resources/img/logo/MINIO_wordmark.png -sources: - - https://github.com/minio/operator -maintainers: - - name: MinIO, Inc - email: dev@minio.io -type: application 
diff --git a/charts/minio/minio-operator/templates/job.min.io_jobs.yaml b/charts/minio/minio-operator/templates/job.min.io_jobs.yaml index 37df0e4cd5..806f496731 100644 --- a/charts/minio/minio-operator/templates/job.min.io_jobs.yaml +++ b/charts/minio/minio-operator/templates/job.min.io_jobs.yaml @@ -66,6 +66,9 @@ spec: - continueOnFailure - stopOnFailure type: string + mcImage: + default: minio/mc:latest + type: string serviceAccountName: type: string tenant: @@ -98,11 +101,10 @@ spec: - result type: object type: array + message: + type: string phase: type: string - required: - - commands - - phase type: object type: object served: true diff --git a/charts/minio/minio-operator/templates/minio.min.io_tenants.yaml b/charts/minio/minio-operator/templates/minio.min.io_tenants.yaml index e3bf49be81..12c0db12c8 100644 --- a/charts/minio/minio-operator/templates/minio.min.io_tenants.yaml +++ b/charts/minio/minio-operator/templates/minio.min.io_tenants.yaml @@ -2048,6 +2048,67 @@ spec: required: - name type: object + containerSecurityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object env: items: properties: 
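Review bot: The new `mcImage` field defaults to `minio/mc:latest`, a floating tag, so every MinIOJob that omits the field runs whatever `mc` image is current at pull time; that is not reproducible and cannot be pinned by digest-based admission policy. A versioned tag or digest as the CRD default, e.g. `default: minio/mc:<pinned release>`, with `latest` left to users who set it deliberately, keeps the job toolchain under the chart's control.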
diff --git a/charts/minio/minio-operator/templates/operator-clusterrole.yaml b/charts/minio/minio-operator/templates/operator-clusterrole.yaml index 318760e830..0e551ffae4 100644 --- a/charts/minio/minio-operator/templates/operator-clusterrole.yaml +++ b/charts/minio/minio-operator/templates/operator-clusterrole.yaml @@ -3,16 +3,6 @@ kind: ClusterRole metadata: name: minio-operator-role rules: - - apiGroups: - - "job.min.io" - resources: - - miniojobs - verbs: - - list - - get - - update - - delete - - watch - apiGroups: - "apiextensions.k8s.io" resources: @@ -151,6 +141,7 @@ rules: - apiGroups: - minio.min.io - sts.min.io + - job.min.io resources: - "*" verbs: diff --git a/charts/minio/minio-operator/values.yaml b/charts/minio/minio-operator/values.yaml index fd13287bba..cdbeb19121 100644 --- a/charts/minio/minio-operator/values.yaml +++ b/charts/minio/minio-operator/values.yaml @@ -32,14 +32,14 @@ operator: ### # Specify the Operator container image to use for the deployment. # ``image.tag`` - # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.13 tag. + # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.14 tag. # The container pulls the image if not already present: # # .. code-block:: yaml # # image: # repository: quay.io/minio/operator - # tag: v5.0.13 + # tag: v5.0.14 # pullPolicy: IfNotPresent # # The chart also supports specifying an image based on digest value: @@ -53,7 +53,7 @@ operator: # image: repository: quay.io/minio/operator - tag: v5.0.13 + tag: v5.0.14 pullPolicy: IfNotPresent ### # 
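Review bot: The explicit `job.min.io` / `miniojobs` rule with an enumerated verb list is removed in the first hunk and replaced in the second by adding `job.min.io` to the rule that grants `resources: - "*"` (its `verbs` list lies outside the hunk), so the operator's access to the job API group is no longer limited to the resource and verbs it previously needed. If the wider grant is for new subresources, listing them keeps the role at least privilege, e.g. `resources: - miniojobs - miniojobs/status` if the CRD enables a status subresource; otherwise a comment on why `*` is required would help anyone auditing this ClusterRole.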
@@ -171,14 +171,14 @@ console: ### # Specify the Operator Console container image to use for the deployment. # ``image.tag`` - # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.13 tag. + # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.14 tag. # The container pulls the image if not already present: # # .. code-block:: yaml # # image: # repository: quay.io/minio/operator - # tag: v5.0.13 + # tag: v5.0.14 # pullPolicy: IfNotPresent # # The chart also supports specifying an image based on digest value: @@ -193,7 +193,7 @@ console: # The specified values should match that of ``operator.image`` to ensure predictable operations. image: repository: quay.io/minio/operator - tag: v5.0.13 + tag: v5.0.14 pullPolicy: IfNotPresent ### # An array of environment variables to pass to the Operator Console deployment. diff --git a/charts/minio/minio-operator/values.yaml-e b/charts/minio/minio-operator/values.yaml-e deleted file mode 100644 index fd13287bba..0000000000 --- a/charts/minio/minio-operator/values.yaml-e +++ /dev/null 
@@ -1,314 +0,0 @@ -### -# Root key for Operator Helm Chart -operator: - ### - # An array of environment variables to pass to the Operator deployment. - # Pass an empty array to start Operator with defaults. - # - # For example: - # - # .. code-block:: yaml - # - # env: - # - name: MINIO_OPERATOR_DEPLOYMENT_NAME - # valueFrom: - # fieldRef: - # fieldPath: metadata.labels['app.kubernetes.io/name'] - # - name: MINIO_CONSOLE_TLS_ENABLE - # value: "off" - # - name: CLUSTER_DOMAIN - # value: "cluster.domain" - # - name: WATCHED_NAMESPACE - # value: "" - # - name: MINIO_OPERATOR_RUNTIME - # value: "OpenShift" - # - # See `Operator environment variables `__ for a list of all supported values. - env: - - name: OPERATOR_STS_ENABLED - value: "on" - # An array of additional annotations to be applied to the operator service account - serviceAccountAnnotations: [] - ### - # Specify the Operator container image to use for the deployment. - # ``image.tag`` - # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.13 tag. - # The container pulls the image if not already present: - # - # .. code-block:: yaml - # - # image: - # repository: quay.io/minio/operator - # tag: v5.0.13 - # pullPolicy: IfNotPresent - # - # The chart also supports specifying an image based on digest value: - # - # .. code-block:: yaml - # - # image: - # repository: quay.io/minio/operator@sha256 - # digest: 28c80b379c75242c6fe793dfbf212f43c602140a0de5ebe3d9c2a3a7b9f9f983 - # pullPolicy: IfNotPresent - # - image: - repository: quay.io/minio/operator - tag: v5.0.13 - pullPolicy: IfNotPresent - ### - # - # An array of Kubernetes secrets to use for pulling images from a private ``image.repository``. - # Only one array element is supported at this time. - imagePullSecrets: [ ] - ### - # - # The name of a custom `Container Runtime `__ to use for the Operator pods. - runtimeClassName: ~ - ### - # An array of `initContainers `__ to start up before the Operator pods. 
- # Exercise care as ``initContainer`` failures prevent Operator pods from starting. - # Pass an empty array to start the Operator normally. - initContainers: [ ] - ### - # The number of Operator pods to deploy. - # Higher values increase availability in the event of worker node failures. - # - # The cluster must have sufficient number of available worker nodes to fulfill the request. - # Operator pods deploy with pod anti-affinity by default, preventing Kubernetes from scheduling multiple pods onto a single Worker node. - replicaCount: 2 - ### - # The Kubernetes `SecurityContext `__ to use for deploying Operator resources. - # - # You may need to modify these values to meet your cluster's security and access settings. - securityContext: - runAsUser: 1000 - runAsGroup: 1000 - runAsNonRoot: true - fsGroup: 1000 - ### - # The Kubernetes `SecurityContext `__ to use for deploying Operator containers. - # You may need to modify these values to meet your cluster's security and access settings. - containerSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - runAsNonRoot: true - ### - # An array of `Volumes `__ which the Operator can mount to pods. - # - # The volumes must exist *and* be accessible to the Operator pods. - volumes: [ ] - ### - # An array of volume mount points associated to each Operator container. - # - # Specify each item in the array as follows: - # - # .. code-block:: yaml - # - # volumeMounts: - # - name: volumename - # mountPath: /path/to/mount - # - # The ``name`` field must correspond to an entry in the ``volumes`` array. - volumeMounts: [ ] - ### - # Any `Node Selectors `__ to apply to Operator pods. - # - # The Kubernetes scheduler uses these selectors to determine which worker nodes onto which it can deploy Operator pods. - # - # If no worker nodes match the specified selectors, the Operator deployment will fail. - nodeSelector: { } - ### - # - # The `Pod Priority `__ to assign to Operator pods. 
- priorityClassName: "" - ### - # - # The `affinity `__ or anti-affinity settings to apply to Operator pods. - # - # These settings determine the distribution of pods across worker nodes and can help prevent or allow colocating pods onto the same worker nodes. - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: name - operator: In - values: - - minio-operator - topologyKey: kubernetes.io/hostname - ### - # - # An array of `Toleration labels `__ to associate to Operator pods. - # - # These settings determine the distribution of pods across worker nodes. - tolerations: [ ] - ### - # - # An array of `Topology Spread Constraints `__ to associate to Operator pods. - # - # These settings determine the distribution of pods across worker nodes. - topologySpreadConstraints: [ ] - ### - # - # The `Requests or Limits `__ for resources to associate to Operator pods. - # - # These settings can control the minimum and maximum resources requested for each pod. - # If no worker nodes can meet the specified requests, the Operator may fail to deploy. - resources: - requests: - cpu: 200m - memory: 256Mi - ephemeral-storage: 500Mi - -### -# Root key for Operator Console -console: - ### - # Specify ``false`` to disable the Operator Console. - # - # If the Operator Console is disabled, all management of Operator Tenants must be done through the Kubernetes API. - enabled: true - ### - # Specify the Operator Console container image to use for the deployment. - # ``image.tag`` - # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.13 tag. - # The container pulls the image if not already present: - # - # .. code-block:: yaml - # - # image: - # repository: quay.io/minio/operator - # tag: v5.0.13 - # pullPolicy: IfNotPresent - # - # The chart also supports specifying an image based on digest value: - # - # .. 
code-block:: yaml - # - # image: - # repository: quay.io/minio/operator@sha256 - # digest: 28c80b379c75242c6fe793dfbf212f43c602140a0de5ebe3d9c2a3a7b9f9f983 - # pullPolicy: IfNotPresent - # - # The specified values should match that of ``operator.image`` to ensure predictable operations. - image: - repository: quay.io/minio/operator - tag: v5.0.13 - pullPolicy: IfNotPresent - ### - # An array of environment variables to pass to the Operator Console deployment. - # Pass an empty array to start Operator Console with defaults. - env: [ ] - ### - # - # An array of Kubernetes secrets to use for pulling images from a private ``image.repository``. - imagePullSecrets: [ ] - ### - # - # The name of a custom `Container Runtime `__ to use for the Operator Console pods. - runtimeClassName: ~ - ### - # An array of `initContainers `__ to start up before the Operator Console pods. - # Exercise care as ``initContainer`` failures prevent Console pods from starting. - # Pass an empty array to start the Console normally. - initContainers: [ ] - ### - # The number of Operator Console pods to deploy. - # Higher values increase availability in the event of worker node failures. - # - # The cluster must have sufficient number of available worker nodes to fulfill the request. - # Console pods deploy with pod anti-affinity by default, preventing Kubernetes from scheduling multiple pods onto a single Worker node. - replicaCount: 1 - ### - # Any `Node Selectors `__ to apply to Operator Console pods. - # - # The Kubernetes scheduler uses these selectors to determine which worker nodes onto which it can deploy Console pods. - # - # If no worker nodes match the specified selectors, the Console deployment will fail. - nodeSelector: { } - ### - # - # The `affinity `__ or anti-affinity settings to apply to Operator Console pods. - # - # These settings determine the distribution of pods across worker nodes and can help prevent or allow colocating pods onto the same worker nodes. 
- affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: name - operator: In - values: - - minio-operator - topologyKey: kubernetes.io/hostname - ### - # - # An array of `Toleration labels `__ to associate to Operator Console pods. - # - # These settings determine the distribution of pods across worker nodes. - tolerations: [ ] - ### - # - # An array of `Topology Spread Constraints `__ to associate to Operator Console pods. - # - # These settings determine the distribution of pods across worker nodes. - topologySpreadConstraints: [ ] - ### - # - # The `Requests or Limits `__ for resources to associate to Operator Console pods. - # - # These settings can control the minimum and maximum resources requested for each pod. - # If no worker nodes can meet the specified requests, the Console may fail to deploy. - resources: - requests: - cpu: 0.25 - memory: 512Mi - ### - # The Kubernetes `SecurityContext `__ to use for deploying Operator Console resources. - # - # You may need to modify these values to meet your cluster's security and access settings. - securityContext: - runAsUser: 1000 - runAsNonRoot: true - ### - # The Kubernetes `SecurityContext `__ to use for deploying Operator Console containers. - # You may need to modify these values to meet your cluster's security and access settings. - containerSecurityContext: - runAsUser: 1000 - runAsNonRoot: true - ### - # Configures `Ingress `__ for the Operator Console. - # - # Set the keys to conform to the Ingress controller and configuration of your choice. - ingress: - enabled: false - ingressClassName: "" - labels: { } - annotations: { } - tls: [ ] - host: console.local - path: / - pathType: Prefix - ### - # An array of `Volumes `__ which the Operator Console can mount to pods. - # - # The volumes must exist *and* be accessible to the Console pods. 
- volumes: - - name: tmp - emptyDir: {} - ### - # An array of volume mount points associated to each Operator Console container. - # - # Specify each item in the array as follows: - # - # .. code-block:: yaml - # - # volumeMounts: - # - name: volumename - # mountPath: /path/to/mount - # - # The ``name`` field must correspond to an entry in the ``volumes`` array. - volumeMounts: - - name: tmp - readOnly: false - mountPath: /tmp/certs/CAs diff --git a/charts/ngrok/kubernetes-ingress-controller/Chart.lock b/charts/ngrok/kubernetes-ingress-controller/Chart.lock index 3d386e3340..e59e892385 100644 --- a/charts/ngrok/kubernetes-ingress-controller/Chart.lock +++ b/charts/ngrok/kubernetes-ingress-controller/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: https://charts.bitnami.com/bitnami - version: 2.16.1 -digest: sha256:3c125c13875dbcbcfb32c9452f42151d76831466fcc92bb8ff22ba1ed587b536 -generated: "2024-02-27T12:05:25.026947838-05:00" + version: 2.19.0 +digest: sha256:9d633ce0386ef6e5855933e3b4144996795219b3dcbc920b5eda03565c91b1f6 +generated: "2024-03-15T11:15:37.790716635-05:00" diff --git a/charts/ngrok/kubernetes-ingress-controller/Chart.yaml b/charts/ngrok/kubernetes-ingress-controller/Chart.yaml index 2231d5285b..40d3b18abb 100644 --- a/charts/ngrok/kubernetes-ingress-controller/Chart.yaml +++ b/charts/ngrok/kubernetes-ingress-controller/Chart.yaml @@ -3,7 +3,7 @@ annotations: catalog.cattle.io/display-name: ngrok Ingress Controller catalog.cattle.io/release-name: kubernetes-ingress-controller apiVersion: v2 -appVersion: 0.10.2 +appVersion: 0.10.3 dependencies: - name: common repository: file://./charts/common @@ -22,4 +22,4 @@ keywords: name: kubernetes-ingress-controller sources: - https://github.com/ngrok/kubernetes-ingress-controller -version: 0.12.2 +version: 0.12.3 
diff --git a/charts/ngrok/kubernetes-ingress-controller/charts/common/Chart.yaml b/charts/ngrok/kubernetes-ingress-controller/charts/common/Chart.yaml
index 33799499ec..f86ccd23a4 100644
--- a/charts/ngrok/kubernetes-ingress-controller/charts/common/Chart.yaml
+++ b/charts/ngrok/kubernetes-ingress-controller/charts/common/Chart.yaml
@@ -2,7 +2,7 @@ annotations:
 category: Infrastructure
 licenses: Apache-2.0
 apiVersion: v2
-appVersion: 2.16.1
+appVersion: 2.19.0
 description: A Library Helm Chart for grouping common logic between bitnami charts.
 This chart is not deployable by itself.
 home: https://bitnami.com
@@ -20,4 +20,4 @@ name: common
 sources:
 - https://github.com/bitnami/charts
 type: library
-version: 2.16.1
+version: 2.19.0
diff --git a/charts/ngrok/kubernetes-ingress-controller/charts/common/templates/_compatibility.tpl b/charts/ngrok/kubernetes-ingress-controller/charts/common/templates/_compatibility.tpl
new file mode 100644
index 0000000000..17665d567f
--- /dev/null
+++ b/charts/ngrok/kubernetes-ingress-controller/charts/common/templates/_compatibility.tpl
@@ -0,0 +1,39 @@
+{{/*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Return true if the detected platform is Openshift
+Usage:
+{{- include "common.compatibility.isOpenshift" . -}}
+*/}}
+{{- define "common.compatibility.isOpenshift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
+Usage:
+{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
+*/}}
+{{- define "common.compatibility.renderSecurityContext" -}}
+{{- $adaptedContext := .secContext -}}
+{{- if .context.Values.global.compatibility -}}
+ {{- if .context.Values.global.compatibility.openshift -}}
+ {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
+ {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
+ {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+ {{- if not .secContext.seLinuxOptions -}}
+ {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
+ {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
diff --git a/charts/ngrok/kubernetes-ingress-controller/templates/controller-deployment.yaml b/charts/ngrok/kubernetes-ingress-controller/templates/controller-deployment.yaml
index 30002bc954..d1f7642a9c 100644
--- a/charts/ngrok/kubernetes-ingress-controller/templates/controller-deployment.yaml
+++ b/charts/ngrok/kubernetes-ingress-controller/templates/controller-deployment.yaml
@@ -75,6 +75,9 @@ spec:
 {{- if .Values.watchNamespace }}
 - --watch-namespace={{ .Values.watchNamespace}}
 {{- end }}
+ {{- if .Values.useExperimentalGatewayApi }}
+ - --use-experimental-gateway-api={{ .Values.useExperimentalGatewayApi }}
+ {{- end }}
 - --zap-log-level={{ .Values.log.level }}
 - --zap-stacktrace-level={{ .Values.log.stacktraceLevel }}
 - --zap-encoder={{ .Values.log.format }}
diff --git a/charts/ngrok/kubernetes-ingress-controller/templates/rbac/role.yaml b/charts/ngrok/kubernetes-ingress-controller/templates/rbac/role.yaml
index 0590bcab93..55d5c617ce 100644
--- a/charts/ngrok/kubernetes-ingress-controller/templates/rbac/role.yaml
+++ b/charts/ngrok/kubernetes-ingress-controller/templates/rbac/role.yaml
@@ -23,6 +23,15 @@ rules:
 verbs:
 - create
 - patch
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - update
+ - watch
 - apiGroups:
 - ""
 resources:
@@ -39,6 +48,60 @@ rules:
 - get
 - list
 - watch
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - gatewayclasses
+ verbs:
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - gatewayclasses/status
+ verbs:
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - gateways
+ verbs:
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - gateways/status
+ verbs:
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - httproutes
+ verbs:
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - httproutes/status
+ verbs:
+ - get
+ - list
+ - update
+ - watch
 - apiGroups:
 - ingress.k8s.ngrok.com
 resources:
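Review bot: The `--use-experimental-gateway-api` flag is only emitted when `.Values.useExperimentalGatewayApi` is truthy, but the `gateway.networking.k8s.io` rules added to `rbac/role.yaml` in this same commit are unconditional, so every install carries `update` rights on Gateway API resources even when the feature is off. Wrapping those rules in the same `{{- if .Values.useExperimentalGatewayApi }}` / `{{- end }}` guard keeps the grant tied to the feature that needs it. I also do not see a default or description for `useExperimentalGatewayApi` in this diff; if the chart's values.yaml is not updated elsewhere in the commit, a documented `useExperimentalGatewayApi: false` entry is needed so the option is discoverable and the template does not depend on an undeclared value. The container `args` list and its enclosing spec start and end outside the hunk.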
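Review bot: The new core-group rule (`@@ -23`) grants `update` on `namespaces`, which lets the controller rewrite labels, annotations and finalizers on any namespace it can see; nothing in the hunk says why Gateway API support needs more than `get`/`list`/`watch` here. If the controller only reads namespaces (for example to evaluate route namespace selectors), dropping `update` is the least-privilege choice; if it does write to them, a comment above the rule naming the write, e.g. `# update: <reason the controller mutates namespaces>`, lets reviewers verify it. The same question applies to `update` on the non-status `gatewayclasses`, `gateways` and `httproutes` resources in the `@@ -39` hunk, where status is already covered by the separate `/status` rules. The `kind` of this object is outside the hunk; since `namespaces` is cluster-scoped, the rule presumably lands in a ClusterRole and is therefore cluster-wide.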
@@ -203,34 +266,6 @@ rules:
 - get
 - patch
 - update
-- apiGroups:
- - networking.k8s.io
- resources:
- - gatewayclasses
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - networking.k8s.io
- resources:
- - gatewayclasses/status
- verbs:
- - get
-- apiGroups:
- - networking.k8s.io
- resources:
- - gateways
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - networking.k8s.io
- resources:
- - gateways/status
- verbs:
- - get
 - apiGroups:
 - networking.k8s.io
 resources:
diff --git a/charts/percona/psmdb-operator/Chart.yaml b/charts/percona/psmdb-operator/Chart.yaml
index 1853d521b2..65eb4f1aac 100644
--- a/charts/percona/psmdb-operator/Chart.yaml
+++ b/charts/percona/psmdb-operator/Chart.yaml
@@ -16,4 +16,4 @@ maintainers:
 - email: sergey.pronin@percona.com
 name: spron-in
 name: psmdb-operator
-version: 1.15.3
+version: 1.15.4
diff --git a/charts/percona/psmdb-operator/README.md b/charts/percona/psmdb-operator/README.md
index 04a7ec42f3..e7f4ae4e7d 100644
--- a/charts/percona/psmdb-operator/README.md
+++ b/charts/percona/psmdb-operator/README.md
@@ -34,6 +34,8 @@ The chart can be customized using the following configurable parameters:
 | `tolerations` | List of node taints to tolerate | `[]` |
 | `annotations` | PSMDB Operator Deployment annotations | `{}` |
 | `podAnnotations` | PSMDB Operator Pod annotations | `{}` |
+| `labels` | PSMDB Operator Deployment labels | `{}` |
+| `podLabels` | PSMDB Operator Pod labels | `{}` |
 | `resources` | Resource requests and limits | `{}` |
 | `nodeSelector` | Labels for Pod assignment | `{}` |
 | `podAnnotations` | Annotations for pod | `{}` |
diff --git a/charts/percona/psmdb-operator/templates/deployment.yaml b/charts/percona/psmdb-operator/templates/deployment.yaml
index 5ab469894d..c70f73205b 100644
--- a/charts/percona/psmdb-operator/templates/deployment.yaml
+++ b/charts/percona/psmdb-operator/templates/deployment.yaml
@@ -5,6 +5,9 @@ metadata:
 namespace: {{ .Release.Namespace }}
 labels:
 {{- include "psmdb-operator.labels" . | nindent 4 }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 {{- with .Values.annotations }}
 annotations:
 {{- toYaml . | nindent 4 }}
@@ -24,6 +27,9 @@ spec:
 labels:
 app.kubernetes.io/name: {{ include "psmdb-operator.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 spec:
 serviceAccountName: {{ include "psmdb-operator.fullname" . }}
 securityContext:
diff --git a/charts/percona/psmdb-operator/values.yaml b/charts/percona/psmdb-operator/values.yaml
index 3e3a047cad..d41e8df911 100644
--- a/charts/percona/psmdb-operator/values.yaml
+++ b/charts/percona/psmdb-operator/values.yaml
@@ -40,11 +40,17 @@ serviceAccount:
 # annotations to add to the operator deployment
 annotations: {}
+# labels to add to the operator deployment
+labels: {}
+
 # annotations to add to the operator pod
 podAnnotations: {}
 # prometheus.io/scrape: "true"
 # prometheus.io/port: "8080"
+# labels to the operator pod
+podLabels: {}
+
 podSecurityContext: {}
 # runAsNonRoot: true
 # runAsUser: 2
diff --git a/charts/percona/pxc-db/Chart.yaml b/charts/percona/pxc-db/Chart.yaml
index 2eb6ab1b33..dd87fc56a4 100644
--- a/charts/percona/pxc-db/Chart.yaml
+++ b/charts/percona/pxc-db/Chart.yaml
@@ -17,4 +17,4 @@ maintainers:
 - email: natalia.marukovich@percona.com
 name: nmarukovich
 name: pxc-db
-version: 1.14.0
+version: 1.14.1
diff --git a/charts/percona/pxc-db/README.md b/charts/percona/pxc-db/README.md
index 70337d499a..4108943878 100644
--- a/charts/percona/pxc-db/README.md
+++ b/charts/percona/pxc-db/README.md
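Review bot: `{{- toYaml . | nindent 8 }}` appends the user-supplied `.Values.podLabels` after the fixed `app.kubernetes.io/name` and `app.kubernetes.io/instance` keys in the pod template (second hunk), and the first hunk does the same with `.Values.labels` after whatever `psmdb-operator.labels` emits, so a user value that reuses one of those keys yields a duplicate key in the rendered manifest — rejected as invalid YAML at best, or silently overriding a label the Deployment selector depends on. For the pod template the fix is a one-liner, `{{- toYaml (omit . "app.kubernetes.io/name" "app.kubernetes.io/instance") | nindent 8 }}`; for the Deployment labels the managed key set comes from a helper outside this hunk, so the same `omit` needs the keys that helper emits, or values.yaml should state that `labels`/`podLabels` must not reuse `app.kubernetes.io/*` keys. The values.yaml hunk's comment `# labels to the operator pod` also reads as `# labels to add to the operator pod`, matching the sibling comments. The `spec.selector` that must stay consistent with these labels is outside the hunk.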
@@ -52,7 +52,7 @@ The chart can be customized using the following configurable parameters:
 | `pxc.size` | PXC Cluster target member (pod) quantity. Can't even if `allowUnsafeConfigurations` is `true` | `3` |
 | `pxc.clusterSecretName` | Specify if you want to use custom or Operator generated users secret (if the one specified doesn't exist) | `` |
 | `pxc.image.repository` | PXC Container image repository | `percona/percona-xtradb-cluster` |
-| `pxc.image.tag` | PXC Container image tag | `8.0.32-24.2` |
+| `pxc.image.tag` | PXC Container image tag | `8.0.35-27.1` |
 | `pxc.imagePullPolicy` | The policy used to update images | `` |
 | `pxc.autoRecovery` | Enable full cluster crash auto recovery | `true` |
 | `pxc.expose.enabled` | Enable or disable exposing `Percona XtraDB Cluster` nodes with dedicated IP addresses | `true` |
diff --git a/charts/percona/pxc-db/values.yaml b/charts/percona/pxc-db/values.yaml
index 55b65c80f8..356a5eb6b3 100644
--- a/charts/percona/pxc-db/values.yaml
+++ b/charts/percona/pxc-db/values.yaml
@@ -55,7 +55,7 @@ pxc:
 size: 3
 image:
 repository: percona/percona-xtradb-cluster
- tag: 8.0.32-24.2
+ tag: 8.0.35-27.1
 # imagePullPolicy: Always
 autoRecovery: true
 # expose:
diff --git a/charts/redpanda/redpanda/.helmignore b/charts/redpanda/redpanda/.helmignore
index d7883b5fc8..d5bb5e6ba6 100644
--- a/charts/redpanda/redpanda/.helmignore
+++ b/charts/redpanda/redpanda/.helmignore
@@ -24,3 +24,5 @@ README.md.gotmpl
 .vscode/
 *.go
+testdata/
+ci/
diff --git a/charts/redpanda/redpanda/Chart.lock b/charts/redpanda/redpanda/Chart.lock
index edf6b52b77..d4e101c5d4 100644
--- a/charts/redpanda/redpanda/Chart.lock
+++ b/charts/redpanda/redpanda/Chart.lock
@@ -6,4 +6,4 @@ dependencies:
 repository: https://charts.redpanda.com
 version: 0.1.10
 digest: sha256:9705ddcac0c386a44d8fa28cff078e52e0277f81e70db1c5c772303dcfb2ce69
-generated: "2024-03-13T15:41:09.286245943Z"
+generated: "2024-03-22T16:33:22.867183926Z"
diff --git a/charts/redpanda/redpanda/Chart.yaml b/charts/redpanda/redpanda/Chart.yaml
index 0972c364e6..656a529dce 100644
--- a/charts/redpanda/redpanda/Chart.yaml
+++ b/charts/redpanda/redpanda/Chart.yaml
@@ -1,7 +1,7 @@
 annotations:
 artifacthub.io/images: |
 - name: redpanda
- image: docker.redpanda.com/redpandadata/redpanda:v23.3.7
+ image: docker.redpanda.com/redpandadata/redpanda:v23.3.9
 - name: busybox
 image: busybox:latest
 - name: mintel/docker-alpine-bash-curl-jq
@@ -17,7 +17,7 @@ annotations:
 catalog.cattle.io/kube-version: '>=1.21-0'
 catalog.cattle.io/release-name: redpanda
 apiVersion: v2
-appVersion: v23.3.7
+appVersion: v23.3.9
 dependencies:
 - condition: console.enabled
 name: console
@@ -37,4 +37,4 @@ name: redpanda
 sources:
 - https://github.com/redpanda-data/helm-charts
 type: application
-version: 5.7.34
+version: 5.7.35
diff --git a/charts/redpanda/redpanda/charts/connectors/ci/01-default-values.yaml b/charts/redpanda/redpanda/charts/connectors/ci/01-default-values.yaml
deleted file mode 100644
index d0dbb71c23..0000000000
--- a/charts/redpanda/redpanda/charts/connectors/ci/01-default-values.yaml
+++ /dev/null
@@ -1,34 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. ---- -connectors: - bootstrapServers: "redpanda-0.redpanda.redpanda.svc.cluster.local.:9093,redpanda-1.redpanda.redpanda.svc.cluster.local.:9093,redpanda-2.redpanda.redpanda.svc.cluster.local.:9093" - brokerTLS: - enabled: true - ca: - secretRef: redpanda-default-cert - -logging: - level: trace - -deployment: - annotations: - test: test - test2: test2 - -service: - annotations: - test: test - test2: test2 diff --git a/charts/redpanda/redpanda/charts/connectors/ci/02-broker-tls-values.yaml b/charts/redpanda/redpanda/charts/connectors/ci/02-broker-tls-values.yaml deleted file mode 100644 index 42f0ebc173..0000000000 --- a/charts/redpanda/redpanda/charts/connectors/ci/02-broker-tls-values.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. ---- -connectors: - bootstrapServers: "redpanda-0.redpanda.redpanda.svc.cluster.local.:9093,redpanda-1.redpanda.redpanda.svc.cluster.local.:9093,redpanda-2.redpanda.redpanda.svc.cluster.local.:9093" - brokerTLS: - enabled: true - ca: - secretRef: redpanda-default-cert - cert: - secretRef: redpanda-default-cert - key: - secretRef: redpanda-default-cert - -logging: - level: trace diff --git a/charts/redpanda/redpanda/ci/01-default-values.yaml b/charts/redpanda/redpanda/ci/01-default-values.yaml deleted file mode 100644 index f99648d1ab..0000000000 --- a/charts/redpanda/redpanda/ci/01-default-values.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. ---- -# This is left empty to test the default values diff --git a/charts/redpanda/redpanda/ci/02-one-node-cluster-no-tls-no-sasl-values.yaml b/charts/redpanda/redpanda/ci/02-one-node-cluster-no-tls-no-sasl-values.yaml deleted file mode 100644 index 716368be9f..0000000000 --- a/charts/redpanda/redpanda/ci/02-one-node-cluster-no-tls-no-sasl-values.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. ---- -commonLabels: - testlabel: "exercise_common_labels_template" -statefulset: - replicas: 1 -tls: - enabled: false -auth: - sasl: - enabled: false -storage: - persistentVolume: - size: 3Gi -# Removed until tests are working reliably -# connectors: -# enabled: true -# logging: -# level: debug - -# tests to ensure this large int isn't converted to scientific notation for the rpk commands -# in post-upgrade job. -config: - cluster: - retention_local_target_ms_default: 21600000 diff --git a/charts/redpanda/redpanda/ci/03-one-node-cluster-tls-no-sasl-values.yaml b/charts/redpanda/redpanda/ci/03-one-node-cluster-tls-no-sasl-values.yaml deleted file mode 100644 index d36ef92fbc..0000000000 --- a/charts/redpanda/redpanda/ci/03-one-node-cluster-tls-no-sasl-values.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. ---- -statefulset: - replicas: 1 -tls: - enabled: true -auth: - sasl: - enabled: false -storage: - persistentVolume: - size: 3Gi -# Removed until tests are working reliably -# connectors: -# enabled: true -# logging: -# level: debug diff --git a/charts/redpanda/redpanda/ci/04-one-node-cluster-no-tls-sasl-values.yaml b/charts/redpanda/redpanda/ci/04-one-node-cluster-no-tls-sasl-values.yaml deleted file mode 100644 index 0f04c7578d..0000000000 --- a/charts/redpanda/redpanda/ci/04-one-node-cluster-no-tls-sasl-values.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. ---- -statefulset: - replicas: 1 -tls: - enabled: false -auth: - sasl: - enabled: true - secretRef: "redpanda-users" - users: - - name: admin - password: hunter2 - mechanism: SCRAM-SHA-256 - -storage: - persistentVolume: - size: 3Gi -# Removed until tests are working reliably -# connectors: -# enabled: true -# logging: -# level: debug diff --git a/charts/redpanda/redpanda/ci/05-one-node-cluster-tls-sasl-values.yaml b/charts/redpanda/redpanda/ci/05-one-node-cluster-tls-sasl-values.yaml deleted file mode 100644 index 47e87512e9..0000000000 --- a/charts/redpanda/redpanda/ci/05-one-node-cluster-tls-sasl-values.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. ---- -statefulset: - replicas: 1 - -tls: - enabled: true - -auth: - sasl: - enabled: true - secretRef: "redpanda-users" - users: - - name: admins - password: change-me - mechanism: SCRAM-SHA-256 - -config: - cluster: - default_topic_replications: 3 - kafka_nodelete_topics: ['audit', 'consumer_offsets', '_schemas', 'my_sample_topic'] - -storage: - persistentVolume: - size: 3Gi -# Removed until tests are working reliably -# connectors: -# enabled: true -# logging: -# level: debug diff --git a/charts/redpanda/redpanda/ci/06-rack-awareness-values.yaml b/charts/redpanda/redpanda/ci/06-rack-awareness-values.yaml deleted file mode 100644 index 07abfb5ace..0000000000 --- a/charts/redpanda/redpanda/ci/06-rack-awareness-values.yaml +++ /dev/null 
@@ -1,21 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
----
-rackAwareness:
- enabled: true
-rbac:
- enabled: true
-serviceAccount:
- create: true
diff --git a/charts/redpanda/redpanda/ci/07-multiple-listeners-values.yaml b/charts/redpanda/redpanda/ci/07-multiple-listeners-values.yaml
deleted file mode 100644
index 0608b6a5e9..0000000000
--- a/charts/redpanda/redpanda/ci/07-multiple-listeners-values.yaml
+++ /dev/null
@@ -1,74 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
----
-tls:
- certs:
- cert2:
- caEnabled: false
-listeners:
- kafka:
- tls:
- enabled: false
- external:
- ext2:
- port: 19094
- advertisedPorts:
- - 31292
- tls:
- enabled: true
- ext3:
- port: 29094
- advertisedPorts:
- - 31392
- tls:
- enabled: true
- cert: cert2
- requireClientAuth: true
- schemaRegistry:
- tls:
- enabled: false
- external:
- ext2:
- port: 18081
- advertisedPorts:
- - 30181
- tls:
- enabled: true
- ext3:
- port: 28081
- advertisedPorts:
- - 30281
- tls:
- enabled: true
- cert: cert2
- requireClientAuth: true
- http:
- tls:
- enabled: false
- external:
- ext2:
- port: 18083
- advertisedPorts:
- - 30183
- tls:
- enabled: true
- ext3:
- port: 28083
- advertisedPorts:
- - 30283
- tls:
- enabled: true
- cert: cert2
- requireClientAuth: true
diff --git a/charts/redpanda/redpanda/ci/08-custom-podantiaffinity-values.yaml b/charts/redpanda/redpanda/ci/08-custom-podantiaffinity-values.yaml
deleted file mode 100644
index 4b76c14862..0000000000
--- a/charts/redpanda/redpanda/ci/08-custom-podantiaffinity-values.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
----
-statefulset:
- replicas: 3
- podAntiAffinity:
- type: custom
- custom:
- requiredDuringSchedulingIgnoredDuringExecution:
- - topologyKey: kubernetes.io/hostname
- labelSelector:
- matchLabels:
- app.kubernetes.io/name: redpanda
- app.kubernetes.io/instance: "redpanda"
diff --git a/charts/redpanda/redpanda/ci/09-initcontainers-resources-values.yaml b/charts/redpanda/redpanda/ci/09-initcontainers-resources-values.yaml
deleted file mode 100644
index e96bcb3c90..0000000000
--- a/charts/redpanda/redpanda/ci/09-initcontainers-resources-values.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
----
-statefulset:
- sideCars:
- configWatcher:
- extraVolumeMounts: |-
- - name: test-extra-volume
- mountPath: /fake/lifecycle
- initContainers:
- configurator:
- resources:
- requests:
- memory: "20Mi"
- cpu: "100m"
- limits:
- memory: "60Mi"
- cpu: "200m"
- extraVolumeMounts: |-
- - name: test-extra-volume
- mountPath: /fake/lifecycle
- tuning:
- extraVolumeMounts: |-
- - name: test-extra-volume
- mountPath: /fake/lifecycle
- setDataDirOwnership:
- extraVolumeMounts: |-
- - name: test-extra-volume
- mountPath: /fake/lifecycle
- setTieredStorageCacheDirOwnership:
- extraVolumeMounts: |-
- - name: test-extra-volume
- mountPath: /fake/lifecycle
- extraInitContainers: |-
- - name: "test-init-container"
- image: "mintel/docker-alpine-bash-curl-jq:latest"
- command: [ "/bin/bash", "-c" ]
- args:
- - |
- set -xe
- echo "Hello World!"
- extraVolumes: |-
- - name: test-extra-volume
- secret:
- secretName: {{ (include "redpanda.fullname" . | trunc 50 ) }}-sts-lifecycle
- defaultMode: 0774
- extraVolumeMounts: |-
- - name: test-extra-volume
- mountPath: /fake/lifecycle
diff --git a/charts/redpanda/redpanda/ci/10-external-addresses-values.yaml b/charts/redpanda/redpanda/ci/10-external-addresses-values.yaml
deleted file mode 100644
index 77302a9daf..0000000000
--- a/charts/redpanda/redpanda/ci/10-external-addresses-values.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
----
-# the number of replicas should match the length of the addresses
-statefulset:
- replicas: 3
-
-external:
- enabled: true
- # was LoadBalancer, here we are concerned with external addresses working so this is ok
- type: NodePort
- domain: my-domain
- addresses:
- - redpanda-1
- - 127.0.0.1
- - 192.168.0.1
diff --git a/charts/redpanda/redpanda/ci/11-update-sasl-users-values.yaml b/charts/redpanda/redpanda/ci/11-update-sasl-users-values.yaml
deleted file mode 100644
index ba51829977..0000000000
--- a/charts/redpanda/redpanda/ci/11-update-sasl-users-values.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
----
-# This relies on .github/create-sasl-secret.sh and moving those files into the redpanda template directory
-auth:
- sasl:
- enabled: true
- secretRef: "some-users"
- users:
- - name: admin
- password: badpassword
- mechanism: SCRAM-SHA-256
- - name: user1
- password: pass1word
- mechanism: SCRAM-SHA-512
- - name: someuser
- password: ABC123r
- mechanism: SCRAM-SHA-512
- - name: anotherme
- password: blah2784a
- mechanism: SCRAM-SHA-512
diff --git a/charts/redpanda/redpanda/ci/12-external-cert-secrets-values.yaml b/charts/redpanda/redpanda/ci/12-external-cert-secrets-values.yaml
deleted file mode 100644
index 6743eac7dd..0000000000
--- a/charts/redpanda/redpanda/ci/12-external-cert-secrets-values.yaml
+++ /dev/null
@@ -1,92 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
----
-tls:
- enabled: true
- certs:
- # in the future we want to also add the
- default:
- caEnabled: true
- external:
- secretRef:
- name: external-tls-secret
- caEnabled: true
-
-external:
- enabled: true
- type: NodePort
- domain: random-domain
-
-listeners:
- # NOT including admin-api listeners because it only has one and it is using internal
- # tls certs by default.
- # -- Kafka API listeners.
- kafka:
- # -- The port for internal client connections.
- port: 9093
- tls:
- # Optional flag to override the global TLS enabled flag.
- # enabled: true
- cert: default
- requireClientAuth: false
- external:
- default:
- # enabled: true
- # -- The port used for external client connections.
- port: 9094
- # -- If undefined, `listeners.kafka.external.default.port` is used.
- advertisedPorts:
- - 30090
- tls:
- # enabled: true
- cert: external
- # -- Schema registry listeners.
- schemaRegistry:
- enabled: true
- port: 8081
- kafkaEndpoint: default
- tls:
- # Optional flag to override the global TLS enabled flag.
- # enabled: true
- cert: default
- requireClientAuth: false
- external:
- default:
- # enabled: true
- port: 8084
- advertisedPorts:
- - 30080
- tls:
- # enabled: true
- cert: external
- # -- HTTP API listeners (aka PandaProxy).
- http:
- enabled: true
- port: 8082
- kafkaEndpoint: default
- tls:
- # Optional flag to override the global TLS enabled flag.
- # enabled: true
- cert: default
- requireClientAuth: false
- external:
- default:
- # enabled: true
- port: 8083
- advertisedPorts:
- - 30070
- tls:
- # enabled: true
- cert: external
diff --git a/charts/redpanda/redpanda/ci/13-loadbalancer-tls-values.yaml b/charts/redpanda/redpanda/ci/13-loadbalancer-tls-values.yaml
deleted file mode 100644
index 255976b1ef..0000000000
--- a/charts/redpanda/redpanda/ci/13-loadbalancer-tls-values.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
----
-external:
- enabled: true
- type: LoadBalancer
- # If specified, then it will be appended to the `external.addresses` values as each broker's advertised address
- domain: random-domain
-
-tls:
- enabled: true
- certs:
- default:
- caEnabled: true
- external:
- secretRef:
- name: external-tls-secret
- caEnabled: true
diff --git a/charts/redpanda/redpanda/ci/14-prometheus-no-tls-values.yaml b/charts/redpanda/redpanda/ci/14-prometheus-no-tls-values.yaml
deleted file mode 100644
index 8d64ea1662..0000000000
--- a/charts/redpanda/redpanda/ci/14-prometheus-no-tls-values.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
----
-tls:
- enabled: false
-
-monitoring:
- enabled: true
diff --git a/charts/redpanda/redpanda/ci/15-prometheus-tls-values.yaml b/charts/redpanda/redpanda/ci/15-prometheus-tls-values.yaml
deleted file mode 100644
index 1d8ba49a0c..0000000000
--- a/charts/redpanda/redpanda/ci/15-prometheus-tls-values.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
----
-tls:
- enabled: true
-
-monitoring:
- enabled: true
diff --git a/charts/redpanda/redpanda/ci/16-controller-sidecar-values.yaml b/charts/redpanda/redpanda/ci/16-controller-sidecar-values.yaml
deleted file mode 100644
index ab157923bd..0000000000
--- a/charts/redpanda/redpanda/ci/16-controller-sidecar-values.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
----
-rbac:
- enabled: true
-
-statefulset:
- sideCars:
- controllers:
- enabled: true
diff --git a/charts/redpanda/redpanda/ci/17-resources-without-unit-values.yaml b/charts/redpanda/redpanda/ci/17-resources-without-unit-values.yaml
deleted file mode 100644
index 04e29c36cc..0000000000
--- a/charts/redpanda/redpanda/ci/17-resources-without-unit-values.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
----
-resources:
- cpu:
- cores: "1"
- memory:
- container:
- max: 2500Mi
- min: 2500Mi
- redpanda:
- memory: "2097152000"
- reserveMemory: "0"
diff --git a/charts/redpanda/redpanda/ci/18-single-external-address-values.yaml b/charts/redpanda/redpanda/ci/18-single-external-address-values.yaml
deleted file mode 100644
index b710777bb7..0000000000
--- a/charts/redpanda/redpanda/ci/18-single-external-address-values.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
----
-# the number of replicas should match the length of the addresses
-statefulset:
- replicas: 3
-
-external:
- enabled: true
- domain: my-domain
- addresses:
- - $PREFIX_TEMPLATE
- prefixTemplate: $POD_ORDINAL-XYZ-$(echo -n $HOST_IP_ADDRESS | sha256sum - | head -c 7)
diff --git a/charts/redpanda/redpanda/ci/21-eks-tiered-storage-with-creds-values.yaml.tpl b/charts/redpanda/redpanda/ci/21-eks-tiered-storage-with-creds-values.yaml.tpl
deleted file mode 100644
index dc7e8e5536..0000000000
--- a/charts/redpanda/redpanda/ci/21-eks-tiered-storage-with-creds-values.yaml.tpl
+++ /dev/null
@@ -1,35 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
----
-storage:
- tiered:
- config:
- cloud_storage_enabled: true
- cloud_storage_credentials_source: config_file
- cloud_storage_access_key: "${AWS_ACCESS_KEY_ID}"
- cloud_storage_secret_key: "${AWS_SECRET_ACCESS_KEY}"
- cloud_storage_region: "${AWS_REGION}"
- cloud_storage_bucket: "${TEST_BUCKET}"
- cloud_storage_segment_max_upload_interval_sec: 1
-enterprise:
- license: "${REDPANDA_SAMPLE_LICENSE}"
-
-console:
- # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console
- # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version.
- image:
- registry: redpandadata
- repository: console-unstable
- tag: master-8a51854
diff --git a/charts/redpanda/redpanda/ci/22-gke-tiered-storage-with-creds-values.yaml.tpl b/charts/redpanda/redpanda/ci/22-gke-tiered-storage-with-creds-values.yaml.tpl
deleted file mode 100644
index 2b9aa4aeac..0000000000
--- a/charts/redpanda/redpanda/ci/22-gke-tiered-storage-with-creds-values.yaml.tpl
+++ /dev/null
@@ -1,47 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
----
-storage:
- tiered:
- config:
- cloud_storage_enabled: true
- cloud_storage_api_endpoint: storage.googleapis.com
- cloud_storage_credentials_source: config_file
- cloud_storage_region: "US-WEST1"
- cloud_storage_bucket: "${TEST_BUCKET}"
- cloud_storage_segment_max_upload_interval_sec: 1
- cloud_storage_access_key: "${GCP_ACCESS_KEY_ID}"
- cloud_storage_secret_key: "${GCP_SECRET_ACCESS_KEY}"
-enterprise:
- license: "${REDPANDA_SAMPLE_LICENSE}"
-
-
-resources:
- cpu:
- cores: 400m
- memory:
- container:
- max: 2.0Gi
- redpanda:
- memory: 1Gi
- reserveMemory: 100Mi
-
-console:
- # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console
- # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version.
- image:
- registry: redpandadata
- repository: console-unstable
- tag: master-8a51854
diff --git a/charts/redpanda/redpanda/ci/23-aks-tiered-storage-with-creds-values.yaml.tpl b/charts/redpanda/redpanda/ci/23-aks-tiered-storage-with-creds-values.yaml.tpl
deleted file mode 100644
index 241ffb7537..0000000000
--- a/charts/redpanda/redpanda/ci/23-aks-tiered-storage-with-creds-values.yaml.tpl
+++ /dev/null
@@ -1,48 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
----
-storage:
- persistentVolume:
- storageClass: managed-csi
- tiered:
- persistentVolume:
- storageClass: managed-csi
- config:
- cloud_storage_enabled: true
- cloud_storage_credentials_source: config_file
- cloud_storage_segment_max_upload_interval_sec: 1
- cloud_storage_azure_storage_account: ${TEST_STORAGE_ACCOUNT}
- cloud_storage_azure_container: ${TEST_STORAGE_CONTAINER}
- cloud_storage_azure_shared_key: ${TEST_AZURE_SHARED_KEY}
-enterprise:
- license: "${REDPANDA_SAMPLE_LICENSE}"
-
-resources:
- cpu:
- cores: 400m
- memory:
- container:
- max: 2.0Gi
- redpanda:
- memory: 1Gi
- reserveMemory: 100Mi
-
-console:
- # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console
- # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version.
- image:
- registry: redpandadata
- repository: console-unstable
- tag: master-8a51854
diff --git a/charts/redpanda/redpanda/ci/24-eks-tiered-storage-persistent-with-creds-values.yaml.tpl b/charts/redpanda/redpanda/ci/24-eks-tiered-storage-persistent-with-creds-values.yaml.tpl
deleted file mode 100644
index 1e11a83333..0000000000
--- a/charts/redpanda/redpanda/ci/24-eks-tiered-storage-persistent-with-creds-values.yaml.tpl
+++ /dev/null
@@ -1,36 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
----
-storage:
- tiered:
- mountType: persistentVolume
- config:
- cloud_storage_enabled: true
- cloud_storage_credentials_source: config_file
- cloud_storage_access_key: "${AWS_ACCESS_KEY_ID}"
- cloud_storage_secret_key: "${AWS_SECRET_ACCESS_KEY}"
- cloud_storage_region: "${AWS_REGION}"
- cloud_storage_bucket: "${TEST_BUCKET}"
- cloud_storage_segment_max_upload_interval_sec: 1
-enterprise:
- license: "${REDPANDA_SAMPLE_LICENSE}"
-
-console:
- # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console
- # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version.
- image:
- registry: redpandadata
- repository: console-unstable
- tag: master-8a51854
diff --git a/charts/redpanda/redpanda/ci/25-gke-tiered-storage-persistent-with-creds-values.yaml.tpl b/charts/redpanda/redpanda/ci/25-gke-tiered-storage-persistent-with-creds-values.yaml.tpl
deleted file mode 100644
index 60f6eed3eb..0000000000
--- a/charts/redpanda/redpanda/ci/25-gke-tiered-storage-persistent-with-creds-values.yaml.tpl
+++ /dev/null
@@ -1,48 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
----
-storage:
- tiered:
- mountType: persistentVolume
- config:
- cloud_storage_enabled: true
- cloud_storage_api_endpoint: storage.googleapis.com
- cloud_storage_credentials_source: config_file
- cloud_storage_region: "US-WEST1"
- cloud_storage_bucket: "${TEST_BUCKET}"
- cloud_storage_segment_max_upload_interval_sec: 1
- cloud_storage_access_key: "${GCP_ACCESS_KEY_ID}"
- cloud_storage_secret_key: "${GCP_SECRET_ACCESS_KEY}"
-enterprise:
- license: "${REDPANDA_SAMPLE_LICENSE}"
-
-
-resources:
- cpu:
- cores: 400m
- memory:
- container:
- max: 2.0Gi
- redpanda:
- memory: 1Gi
- reserveMemory: 100Mi
-
-console:
- # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console
- # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version.
- image:
- registry: redpandadata
- repository: console-unstable
- tag: master-8a51854
diff --git a/charts/redpanda/redpanda/ci/26-aks-tiered-storage-persistent-with-creds-values.yaml.tpl b/charts/redpanda/redpanda/ci/26-aks-tiered-storage-persistent-with-creds-values.yaml.tpl
deleted file mode 100644
index b82f9b85df..0000000000
--- a/charts/redpanda/redpanda/ci/26-aks-tiered-storage-persistent-with-creds-values.yaml.tpl
+++ /dev/null
@@ -1,49 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
----
-storage:
- persistentVolume:
- storageClass: managed-csi
- tiered:
- mountType: persistentVolume
- persistentVolume:
- storageClass: managed-csi
- config:
- cloud_storage_enabled: true
- cloud_storage_credentials_source: config_file
- cloud_storage_segment_max_upload_interval_sec: 1
- cloud_storage_azure_storage_account: ${TEST_STORAGE_ACCOUNT}
- cloud_storage_azure_container: ${TEST_STORAGE_CONTAINER}
- cloud_storage_azure_shared_key: ${TEST_AZURE_SHARED_KEY}
-enterprise:
- license: "${REDPANDA_SAMPLE_LICENSE}"
-
-resources:
- cpu:
- cores: 400m
- memory:
- container:
- max: 2.0Gi
- redpanda:
- memory: 1Gi
- reserveMemory: 100Mi
-
-console:
- # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console
- # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version.
- image:
- registry: redpandadata
- repository: console-unstable
- tag: master-8a51854
diff --git a/charts/redpanda/redpanda/ci/27-eks-tiered-storage-persistent-nameoverwrite-with-creds-values.yaml.tpl b/charts/redpanda/redpanda/ci/27-eks-tiered-storage-persistent-nameoverwrite-with-creds-values.yaml.tpl
deleted file mode 100644
index f92ec7a9ca..0000000000
--- a/charts/redpanda/redpanda/ci/27-eks-tiered-storage-persistent-nameoverwrite-with-creds-values.yaml.tpl
+++ /dev/null
@@ -1,38 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
----
-storage:
- persistentVolume:
- nameOverwrite: shadow-index-cache
- tiered:
- mountType: persistentVolume
- config:
- cloud_storage_enabled: true
- cloud_storage_credentials_source: config_file
- cloud_storage_access_key: "${AWS_ACCESS_KEY_ID}"
- cloud_storage_secret_key: "${AWS_SECRET_ACCESS_KEY}"
- cloud_storage_region: "${AWS_REGION}"
- cloud_storage_bucket: "${TEST_BUCKET}"
- cloud_storage_segment_max_upload_interval_sec: 1
-enterprise:
- license: "${REDPANDA_SAMPLE_LICENSE}"
-
-console:
- # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console
- # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version.
- image:
- registry: redpandadata
- repository: console-unstable
- tag: master-8a51854
diff --git a/charts/redpanda/redpanda/ci/28-gke-tiered-storage-persistent-nameoverwrite-with-creds-values.yaml.tpl b/charts/redpanda/redpanda/ci/28-gke-tiered-storage-persistent-nameoverwrite-with-creds-values.yaml.tpl
deleted file mode 100644
index ebc096f912..0000000000
--- a/charts/redpanda/redpanda/ci/28-gke-tiered-storage-persistent-nameoverwrite-with-creds-values.yaml.tpl
+++ /dev/null
@@ -1,50 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. ---- -storage: - persistentVolume: - nameOverwrite: shadow-index-cache - tiered: - mountType: persistentVolume - config: - cloud_storage_enabled: true - cloud_storage_api_endpoint: storage.googleapis.com - cloud_storage_credentials_source: config_file - cloud_storage_region: "US-WEST1" - cloud_storage_bucket: "${TEST_BUCKET}" - cloud_storage_segment_max_upload_interval_sec: 1 - cloud_storage_access_key: "${GCP_ACCESS_KEY_ID}" - cloud_storage_secret_key: "${GCP_SECRET_ACCESS_KEY}" -enterprise: - license: "${REDPANDA_SAMPLE_LICENSE}" - - -resources: - cpu: - cores: 400m - memory: - container: - max: 2.0Gi - redpanda: - memory: 1Gi - reserveMemory: 100Mi - -console: - # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console - # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version. - image: - registry: redpandadata - repository: console-unstable - tag: master-8a51854 
diff --git a/charts/redpanda/redpanda/ci/29-aks-tiered-storage-persistent-nameoverwrite-with-creds-values.yaml.tpl b/charts/redpanda/redpanda/ci/29-aks-tiered-storage-persistent-nameoverwrite-with-creds-values.yaml.tpl deleted file mode 100644 index bf5a1eafe0..0000000000 --- a/charts/redpanda/redpanda/ci/29-aks-tiered-storage-persistent-nameoverwrite-with-creds-values.yaml.tpl +++ /dev/null 
@@ -1,50 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. ---- -storage: - persistentVolume: - storageClass: managed-csi - nameOverwrite: shadow-index-cache - tiered: - mountType: persistentVolume - persistentVolume: - storageClass: managed-csi - config: - cloud_storage_enabled: true - cloud_storage_credentials_source: config_file - cloud_storage_segment_max_upload_interval_sec: 1 - cloud_storage_azure_storage_account: ${TEST_STORAGE_ACCOUNT} - cloud_storage_azure_container: ${TEST_STORAGE_CONTAINER} - cloud_storage_azure_shared_key: ${TEST_AZURE_SHARED_KEY} -enterprise: - license: "${REDPANDA_SAMPLE_LICENSE}" - -resources: - cpu: - cores: 400m - memory: - container: - max: 2.0Gi - redpanda: - memory: 1Gi - reserveMemory: 100Mi - -console: - # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console - # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version. - image: - registry: redpandadata - repository: console-unstable - tag: master-8a51854 diff --git a/charts/redpanda/redpanda/ci/96-audit-logging-values.yaml.tpl b/charts/redpanda/redpanda/ci/96-audit-logging-values.yaml.tpl deleted file mode 100644 index c2dbef2ce2..0000000000 
--- a/charts/redpanda/redpanda/ci/96-audit-logging-values.yaml.tpl +++ /dev/null @@ -1,37 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. ---- -enterprise: - license: "${REDPANDA_LICENSE}" - -auth: - sasl: - enabled: true - users: - - name: admin - password: change-me - mechanism: SCRAM-SHA-512 - -auditLogging: - enabled: true - listeners: default - -console: - # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console - # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version. - image: - registry: redpandadata - repository: console-unstable - tag: master-8a51854 diff --git a/charts/redpanda/redpanda/ci/97-license-key-values.yaml.tpl b/charts/redpanda/redpanda/ci/97-license-key-values.yaml.tpl deleted file mode 100644 index b1abb8be43..0000000000 --- a/charts/redpanda/redpanda/ci/97-license-key-values.yaml.tpl +++ /dev/null 
@@ -1,25 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. ---- -enterprise: - license: "${REDPANDA_LICENSE}" - -console: - # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console - # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version. - image: - registry: redpandadata - repository: console-unstable - tag: master-8a51854 diff --git a/charts/redpanda/redpanda/ci/98-license-secret-values.yaml b/charts/redpanda/redpanda/ci/98-license-secret-values.yaml deleted file mode 100644 index f66a39ccc5..0000000000 --- a/charts/redpanda/redpanda/ci/98-license-secret-values.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. ---- -enterprise: - licenseSecretRef: - name: redpanda-license - key: license-key - -console: - # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console - # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version. - image: - registry: redpandadata - repository: console-unstable - tag: master-8a51854 diff --git a/charts/redpanda/redpanda/ci/99-none-existent-config-options-with-empty-values.yaml b/charts/redpanda/redpanda/ci/99-none-existent-config-options-with-empty-values.yaml deleted file mode 100644 index 637cd0f68e..0000000000 --- a/charts/redpanda/redpanda/ci/99-none-existent-config-options-with-empty-values.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. ---- -enterprise: - licenseSecretRef: - name: redpanda-license - key: license-key - -storage: - tiered: - config: - cloud_storage_enabled: true - cloud_storage_cache_size: 11G - cloud_storage_secret_key: test - cloud_storage_access_key: test - cloud_storage_region: test - cloud_storage_bucket: test - storage_zero_value: 0 - storage_null_value: null - storage_empty_array_value: [] - storage_empty_map_value: {} - storage_empty_string_value: "" - -config: - cluster: - enable_idempotence: false - cluster_zero_value: 0 - cluster_null_value: null - cluster_empty_array_value: [] - cluster_empty_map_value: {} - cluster_empty_string_value: "" - tunable: - tunable_zero_value: 0 - tunable_null_value: null - tunable_empty_array_value: [] - tunable_empty_map_value: {} - tunable_empty_string_value: "" - node: - node_zero_value: 0 - node_null_value: null - node_empty_array_value: [] - node_empty_map_value: {} - node_empty_string_value: "" - -console: - extraEnv: - - name: TEST - value: test - extraVolumeMounts: - - name: redpanda-license - mountPath: /mnt/test - readOnly: true - extraVolumes: - - name: redpanda-license - secret: - defaultMode: 0420 - secretName: redpanda-license - # Until 
https://github.com/redpanda-data/console-enterprise/pull/256 is released the console
- # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version.
- image:
- registry: redpandadata
- repository: console-unstable
- tag: master-8a51854
diff --git a/charts/redpanda/redpanda/templates/_configmap.tpl b/charts/redpanda/redpanda/templates/_configmap.tpl
index 988a133f33..c43a387561 100644
--- a/charts/redpanda/redpanda/templates/_configmap.tpl
+++ b/charts/redpanda/redpanda/templates/_configmap.tpl
@@ -663,7 +663,7 @@ rpk:
 {{- define "rpk-config-external" -}}
 {{- $brokers := list -}}
 {{- $admin := list -}}
- {{- $profile := keys .Values.listeners.kafka.external | first -}}
+ {{- $profile := keys .Values.listeners.kafka.external | sortAlpha | first -}}
 {{- $kafkaListener := get .Values.listeners.kafka.external $profile -}}
 {{- $adminListener := dict -}}
 {{- if .Values.listeners.admin.external -}}
diff --git a/charts/redpanda/redpanda/templates/_helpers.tpl b/charts/redpanda/redpanda/templates/_helpers.tpl
index 453d189113..2cb0745da2 100644
--- a/charts/redpanda/redpanda/templates/_helpers.tpl
+++ b/charts/redpanda/redpanda/templates/_helpers.tpl
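Review bot: The `sortAlpha` on the `$profile` line makes the rendered rpk profile stable, but the line still silently picks one listener out of a map and says nothing about why that one, so the next reader will assume it is "the" external listener rather than an arbitrary-but-deterministic pick. Add a comment above it such as `{{- /* listeners.kafka.external is a map; take the alphabetically first key so the rendered rpk profile does not change between renders. Only this listener is exposed to rpk. */ -}}`. The `rpk-config-external` define continues past the end of the hunk.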
@@ -477,6 +477,12 @@ fsGroupChangePolicy: {{ dig "securityContext" "fsGroupChangePolicy" "OnRootMisma
 {{- define "container-security-context" -}}
 runAsUser: {{ dig "podSecurityContext" "runAsUser" .Values.statefulset.securityContext.runAsUser .Values.statefulset }}
 runAsGroup: {{ dig "podSecurityContext" "fsGroup" .Values.statefulset.securityContext.fsGroup .Values.statefulset }}
+{{- if hasKey .Values.statefulset.securityContext "allowPrivilegeEscalation" }}
+allowPrivilegeEscalation: {{ dig "podSecurityContext" "allowPrivilegeEscalation" .Values.statefulset.securityContext.allowPrivilegeEscalation .Values.statefulset }}
+{{- end -}}
+{{- if hasKey .Values.statefulset.securityContext "runAsNonRoot" }}
+runAsNonRoot: {{ dig "podSecurityContext" "runAsNonRoot" .Values.statefulset.securityContext.runAsNonRoot .Values.statefulset }}
+{{- end -}}
 {{- end -}}
 {{- define "admin-tls-curl-flags" -}}
diff --git a/charts/redpanda/redpanda/templates/post-install-upgrade-job.yaml b/charts/redpanda/redpanda/templates/post-install-upgrade-job.yaml
index 25071ebfb2..2b4dcc758a 100644
--- a/charts/redpanda/redpanda/templates/post-install-upgrade-job.yaml
+++ b/charts/redpanda/redpanda/templates/post-install-upgrade-job.yaml
@@ -135,7 +135,9 @@ spec:
 resources: {{- toYaml . | nindent 10 }}
 {{- end }}
- securityContext: {{ include "container-security-context" . | nindent 10 }}
+ securityContext: {{- $defaultContext := include "container-security-context" . | fromYaml -}}
+ {{- $customContext := .Values.post_install_job.securityContext -}}
+ {{- merge $defaultContext $customContext | toYaml | nindent 10 }}
 volumeMounts: {{- include "default-mounts" . | nindent 10 }}
 volumes: {{ include "default-volumes" . | nindent 8 }}
 serviceAccountName: {{ include "redpanda.serviceAccountName" . }}
diff --git a/charts/redpanda/redpanda/templates/post-upgrade.yaml b/charts/redpanda/redpanda/templates/post-upgrade.yaml
index 548048abe5..8572db614a 100644
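Review bot: Both new fields in `container-security-context` are rendered only when the key already exists in `statefulset.securityContext`, so unless the chart's default values set them (not visible in this diff) every container keeps the Kubernetes defaults of privilege escalation allowed and no `runAsNonRoot` enforcement, which is presumably the opposite of what adding these knobs is for. Rather than making the template unconditional, ship hardened defaults next to the existing `runAsUser`/`fsGroup` values, i.e. `allowPrivilegeEscalation: false` and `runAsNonRoot: true` under `statefulset.securityContext` in values.yaml, so the `hasKey` guards render them by default and a user can still opt out explicitly. Also worth a comment on the `allowPrivilegeEscalation` line: `PodSecurityContext` has no such field, so the `dig "podSecurityContext" "allowPrivilegeEscalation"` lookup is a chart-only override path, not something Kubernetes would accept on the pod-level context.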
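Review bot: `merge $defaultContext $customContext` gives precedence to its first argument (sprig `merge` keeps keys already present in the destination), so a user-supplied `post_install_job.securityContext.runAsUser` or `runAsGroup` can never override the values the helper always emits; only keys the helper leaves out get through. If the user's override is meant to win, the third added line should be `{{- mergeOverwrite $defaultContext $customContext | toYaml | nindent 10 }}` (or the operands swapped), and a one-line comment stating which side wins would prevent the same confusion later. It is also worth confirming what `merge` does when `post_install_job.securityContext` is unset, since `$customContext` is then nil rather than an empty map; `{{- $customContext := .Values.post_install_job.securityContext | default (dict) -}}` makes that case explicit.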
--- a/charts/redpanda/redpanda/templates/post-upgrade.yaml
+++ b/charts/redpanda/redpanda/templates/post-upgrade.yaml
@@ -113,7 +113,9 @@ spec:
 resources: {{- toYaml . | nindent 10 }}
 {{- end }}
- securityContext: {{ include "container-security-context" . | nindent 10 }}
+ securityContext:{{- $defaultContext := include "container-security-context" . | fromYaml -}}
+ {{- $customContext := .Values.post_upgrade_job.securityContext -}}
+ {{- merge $defaultContext $customContext | toYaml | nindent 10 }}
 {{- if .Values.post_upgrade_job.extraEnv }}
 env: {{- include "common.tplvalues.render" (dict "value" .Values.post_upgrade_job.extraEnv "context" $) | nindent 10 }}
diff --git a/charts/redpanda/redpanda/templates/values.yaml b/charts/redpanda/redpanda/templates/values.yaml
new file mode 100644
index 0000000000..a4e5752a45
--- /dev/null
+++ b/charts/redpanda/redpanda/templates/values.yaml
@@ -0,0 +1,2 @@
+{{- /* Generated from "values.go" */ -}}
+
diff --git a/charts/redpanda/redpanda/values.schema.json b/charts/redpanda/redpanda/values.schema.json
index 28ff1041b4..8e79fd2542 100644
--- a/charts/redpanda/redpanda/values.schema.json
+++ b/charts/redpanda/redpanda/values.schema.json
@@ -1,27 +1,7 @@
 {
 "$schema": "http://json-schema.org/schema#",
- "type": "object",
- "required": [
- "image"
- ],
 "properties": {
- "nameOverride": {
- "type": "string"
- },
- "fullnameOverride": {
- "type": "string"
- },
- "clusterDomain": {
- "type": "string"
- },
- "commonLabels": {
- "type": "object"
- },
- "nodeSelector": {
- "type": "object"
- },
 "affinity": {
- "type": "object",
 "properties": {
 "nodeAffinity": {
 "type": "object"
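Review bot: As in the post-install job, `merge $defaultContext $customContext` lets the helper's `runAsUser`/`runAsGroup` win over anything set in `post_upgrade_job.securityContext`, so the new override hook only works for keys the helper does not already emit. Use `{{- mergeOverwrite $defaultContext $customContext | toYaml | nindent 10 }}` if the user value is meant to take precedence, and keep the two job templates on the same semantics either way. The missing space in `securityContext:{{-` is harmless because `{{-` trims whitespace, but matching the post-install template's spelling avoids a spurious diff later.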
@@ -32,116 +12,68 @@ "podAntiAffinity": { "type": "object" } - } - }, - "tolerations": { - "type": "array" + }, + "type": "object" }, - "image": { - "description": "Values used to define the container image to be used for Redpanda", - "type": "object", - "required": [ - "repository", - "pullPolicy" - ], + "auditLogging": { "properties": { - "repository": { - "description": "container image repository", - "default": "docker.redpanda.com/redpandadata/redpanda", - "type": "string", - "pattern": "^[a-z0-9-_/.]+$" + "clientMaxBufferSize": { + "type": "integer" }, - "tag": { - "description": "The container image tag. Use the Redpanda release version. Must be a valid semver prefixed with a 'v'.", - "default": "Chart.appVersion", - "type": "string", - "pattern": "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$|^$" + "enabled": { + "type": "boolean" }, - "pullPolicy": { - "description": "The Kubernetes Pod image pull policy.", - "type": "string", - "pattern": "^(Always|Never|IfNotPresent)$" - } - } - }, - "service": { - "type": "object", - "properties": { - "name": { - "type": "string" + "enabledEventTypes": { + "items": { + "type": "string" + }, + "type": [ + "array", + "null" + ] }, - "internal": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - } - } - } - } - }, - "license_key": { - "type": "string", - "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\\.(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$|^$", - "deprecated": true - }, - "license_secret_ref": { - "type": "object", - "deprecated": true, - "properties": { - "secret_name": { - "type": "string" + "excludedPrincipals": { + "items": { + "type": "string" + }, + "type": [ + "array", + "null" + ] }, - "secret_key": { - "type": "string" - } - } - }, - "enterprise": { - "type": "object", - "properties": { 
- "license": { + "excludedTopics": { + "items": { + "type": "string" + }, + "type": [ + "array", + "null" + ] + }, + "listener": { "type": "string" }, - "licenseSecretRef": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "key": { - "type": "string" - } - } - } - } - }, - "rackAwareness": { - "type": "object", - "required": [ - "enabled", - "nodeAnnotation" - ], - "properties": { - "enabled": { - "type": "boolean" + "partitions": { + "type": "integer" }, - "nodeAnnotation": { - "type": "string" + "queueDrainIntervalMs": { + "type": "integer" + }, + "queueMaxBufferSizePerShard": { + "type": "integer" + }, + "replicationFactor": { + "type": [ + "integer", + "null" + ] } - } + }, + "type": "object" }, "auth": { - "type": "object", - "required": [ - "sasl" - ], "properties": { "sasl": { - "type": "object", - "required": [ - "enabled" - ], "properties": { "enabled": { "type": "boolean" 
@@ -153,887 +85,958 @@ "type": "string" }, "users": { - "type": "array", - "minItems": 0, "items": { "properties": { + "mechanism": { + "pattern": "^(SCRAM-SHA-512|SCRAM-SHA-256)$", + "type": "string" + }, "name": { "type": "string" }, "password": { "type": "string" - }, - "mechanism": { - "type": "string", - "pattern": "^(SCRAM-SHA-512|SCRAM-SHA-256)$" - } - } - } - } - } - } - } - }, - "tls": { - "type": "object", - "required": [ - "enabled" - ], - "properties": { - "enabled": { - "type": "boolean" - }, - "certs": { - "type": "object", - "minProperties": 1, - "patternProperties": { - "^[A-Za-z_][A-Za-z0-9_]*$": { - "type": "object", - "required": [ - "caEnabled" - ], - "properties": { - "issuerRef": { - "type": "object", - "additionalProperties": false, - "properties": { - "kind": { - "type": "string", - "enum": ["ClusterIssuer", "Issuer"] - }, - "name": { - "type": "string" - } - } - }, - "secretRef": { - "type": "object", - "properties": { - "name": { - "type": "string" - } } }, - "caEnabled": { - "type": "boolean" - }, - "duration": { - "type": "string", - "pattern": ".*[smh]$" - } - } - } - } - } - } - }, - "external": { - "type": "object", - "required": [ - "enabled" - ], - "properties": { - "enabled": { - "type": "boolean" - }, - "service": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" + "type": "object" + }, + "type": "array" } - } - }, - "type": { - "type": "string", - "pattern": "^(LoadBalancer|NodePort)$" - }, - "domain": { - "type": "string", - "format": "idn-hostname" - }, - "addresses": { - "type": "array" - }, - "sourceRanges": { - "type": "array" - }, - "prefixTemplate": { - "type": "string" - }, - "annotations": { - "type": "object" - }, - "externalDns": { - "type": "object", + }, "required": [ "enabled" ], - "properties": { - "enabled": { - "type": "boolean" - } - } + "type": "object" } - } - }, - "logging": { - "type": "object", + }, "required": [ - "logLevel", - "usageStats" + "sasl" ], - "parameters": { - 
"logLevel": { - "type": "string", - "pattern": "^(error|warn|info|debug|trace)$" - }, - "usageStats": { - "type": "object", - "required": [ - "enabled" - ], - "properties": { - "enabled": { - "type": "boolean" - } - } - } - } + "type": "object" }, - "monitoring": { - "type": "object", - "required": [ - "enabled", - "scrapeInterval" - ], + "clusterDomain": { + "type": "string" + }, + "commonLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "config": { "properties": { - "enabled": { - "type": "boolean" - }, - "scrapeInterval": { - "type": "string", - "pattern": ".*[smh]$" - }, - "labels": { + "cluster": { "type": "object" }, - "tlsConfig": { + "node": { "type": "object" - } - } - }, - "resources": { - "type": "object", - "required": [ - "cpu", - "memory" - ], - "properties": { - "cpu": { - "type": "object", - "required": [ - "cores" - ], + }, + "pandaproxy_client": { "properties": { - "cores": { - "type": ["integer", "string"] + "consumer_heartbeat_interval_ms": { + "type": "integer" }, - "overprovisioned": { - "type": "boolean" + "consumer_rebalance_timeout_ms": { + "type": "integer" + }, + "consumer_request_max_bytes": { + "type": "integer" + }, + "consumer_request_timeout_ms": { + "type": "integer" + }, + "consumer_session_timeout_ms": { + "type": "integer" + }, + "produce_batch_delay_ms": { + "type": "integer" + }, + "produce_batch_record_count": { + "type": "integer" + }, + "produce_batch_size_bytes": { + "type": "integer" + }, + "retries": { + "type": "integer" + }, + "retry_base_backoff_ms": { + "type": "integer" } - } + }, + "type": "object" }, - "memory": { - "type": "object", + "rpk": { + "type": "object" + }, + "schema_registry_client": { + "properties": { + "consumer_heartbeat_interval_ms": { + "type": "integer" + }, + "consumer_rebalance_timeout_ms": { + "type": "integer" + }, + "consumer_request_max_bytes": { + "type": "integer" + }, + "consumer_request_timeout_ms": { + "type": "integer" + }, + 
"consumer_session_timeout_ms": { + "type": "integer" + }, + "produce_batch_delay_ms": { + "type": "integer" + }, + "produce_batch_record_count": { + "type": "integer" + }, + "produce_batch_size_bytes": { + "type": "integer" + }, + "retries": { + "type": "integer" + }, + "retry_base_backoff_ms": { + "type": "integer" + } + }, + "type": "object" + }, + "tunable": { + "additionalProperties": true, + "properties": { + "group_initial_rebalance_delay": { + "type": "integer" + }, + "log_retention_ms": { + "type": "integer" + } + }, + "type": "object" + } + }, + "required": [ + "cluster", + "node", + "tunable" + ], + "type": "object" + }, + "enterprise": { + "properties": { + "license": { + "type": "string" + }, + "licenseSecretRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "external": { + "properties": { + "addresses": { + "items": { + "type": "string" + }, + "type": "array" + }, + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "domain": { + "format": "idn-hostname", + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "externalDns": { + "properties": { + "enabled": { + "type": "boolean" + } + }, "required": [ - "container" + "enabled" ], + "type": "object" + }, + "prefixTemplate": { + "type": "string" + }, + "service": { "properties": { - "enable_memory_locking": { + "enabled": { "type": "boolean" - }, - "container": { - "type": "object", - "required": [ - "max" - ], - "properties": { - "min": { - "type": "string", - "pattern": "^[0-9]+(\\.[0-9]){0,1}(k|M|G|Ki|Mi|Gi)$" - }, - "max": { - "type": "string", - "pattern": "^[0-9]+(\\.[0-9]){0,1}(k|M|G|Ki|Mi|Gi)$" - } - } } - } + }, + "type": "object" + }, + "sourceRanges": { + "items": { + "type": "string" + }, + "type": "array" + }, + "type": { + "pattern": "^(LoadBalancer|NodePort)$", + "type": "string" } - } + }, + "required": [ + "enabled" + ], + "type": 
"object" }, - "storage": { - "type": "object", + "fullnameOverride": { + "type": "string" + }, + "image": { + "description": "Values used to define the container image to be used for Redpanda", + "properties": { + "pullPolicy": { + "description": "The Kubernetes Pod image pull policy.", + "pattern": "^(Always|Never|IfNotPresent)$", + "type": "string" + }, + "repository": { + "default": "docker.redpanda.com/redpandadata/redpanda", + "description": "container image repository", + "pattern": "^[a-z0-9-_/.]+$", + "type": "string" + }, + "tag": { + "default": "Chart.appVersion", + "description": "The container image tag. Use the Redpanda release version. Must be a valid semver prefixed with a 'v'.", + "pattern": "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$|^$", + "type": "string" + } + }, "required": [ - "hostPath", - "persistentVolume", - "tiered" + "repository", + "pullPolicy" ], + "type": "object" + }, + "license_key": { + "deprecated": true, + "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\\.(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$|^$", + "type": "string" + }, + "license_secret_ref": { + "deprecated": true, "properties": { - "hostPath": { + "secret_key": { "type": "string" }, - "tiered": { - "type": "object", - "required": [ - "mountType" - ], + "secret_name": { + "type": "string" + } + }, + "type": "object" + }, + "listeners": { + "properties": { + "admin": { "properties": { - "mountType": { - "type": "string", - "pattern": "^(none|hostPath|emptyDir|persistentVolume)$" + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "enabled": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" 
}, - "hostPath": { - "type": "string" + "port": { + "type": "integer" }, - "persistentVolume": { - "type": "object", - "required": [ - "storageClass", - "labels", - "annotations" - ], + "tls": { "properties": { - "storageClass": { + "cert": { "type": "string" }, - "labels": { - "type": "object" - }, - "annotations": { - "type": "object" - }, "enabled": { "type": "boolean" }, - "size": { - "type": "string" - }, - "nameOverwrite": { - "type": "string" + "requireClientAuth": { + "type": "boolean" } - } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "port", + "tls" + ], + "type": "object" + }, + "http": { + "properties": { + "authenticationMethod": { + "pattern": "http_basic|none", + "type": [ + "string", + "null" + ] }, - "credentialsSecretRef": { - "type": "object", - "properties": { - "accessKey": { - "type": "object", - "configurationKey": { - "type": "string" - }, - "name": { - "type": "string" - }, - "key": { - "type": "string" - } - }, - "secretKey": { - "type": "object", - "configurationKey": { - "type": "string" - }, - "name": { - "type": "string" + "enabled": { + "type": "boolean" + }, + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "authenticationMethod": { + "pattern": "http_basic|none", + "type": [ + "string", + "null" + ] + }, + "enabled": { + "type": "boolean" + }, + "port": { + "type": "integer" + }, + "prefixTemplate": { + "type": "string" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + } + }, + "required": [], + "type": "object" + } }, - "key": { - "type": "string" - } - }, - "configurationKey": { - "type": "string", - "deprecated": true - }, - "name": { - "type": "string", - "deprecated": true - }, - "key": { - "type": 
"string", - "deprecated": true + "required": [ + "port" + ], + "type": "object" } - } + }, + "type": "object" }, - "config":{ - "type": "object", - "required": [ - "cloud_storage_enabled", - "cloud_storage_region", - "cloud_storage_bucket" - ], + "kafkaEndpoint": { + "pattern": "^[A-Za-z_-][A-Za-z0-9_-]*$", + "type": "string" + }, + "port": { + "type": "integer" + }, + "tls": { "properties": { - "cloud_storage_enable_remote_write": { - "type": "boolean" - }, - "cloud_storage_enable_remote_read": { - "type": "boolean" - }, - "cloud_storage_credentials_source": { - "type": "string", - "pattern": "^(config_file|aws_instance_metadata|sts|gcp_instance_metadata)$" - }, - "cloud_storage_region": { - "type": "string" - }, - "cloud_storage_bucket": { - "type": "string" - }, - "cloud_storage_api_endpoint": { - "type": "string" - }, - "cloud_storage_cache_size": { - "type": ["integer", "string"] - }, - "cloud_storage_cache_directory": { - "type": "string" - }, - "cloud_storage_cache_check_interval": { - "type": "integer" - }, - "cloud_storage_initial_backoff_ms": { - "type": "integer" - }, - "cloud_storage_max_connections": { - "type": "integer" - }, - "cloud_storage_segment_upload_timeout_ms": { - "type": "integer" - }, - "cloud_storage_manifest_upload_timeout_ms": { - "type": "integer" - }, - "cloud_storage_max_connection_idle_time_ms": { - "type": "integer" - }, - "cloud_storage_segment_max_upload_interval_sec": { - "type": "integer" - }, - "cloud_storage_trust_file": { + "cert": { "type": "string" }, - "cloud_storage_upload_ctrl_update_interval_ms": { - "type": "integer" - }, - "cloud_storage_upload_ctrl_p_coeff": { - "type": "integer" - }, - "cloud_storage_upload_ctrl_d_coeff": { - "type": "integer" - }, - "cloud_storage_upload_ctrl_min_shares": { - "type": "integer" - }, - "cloud_storage_upload_ctrl_max_shares": { - "type": "integer" - }, - "cloud_storage_reconciliation_interval_ms": { - "type": "integer" - }, - "cloud_storage_disable_tls": { + "enabled": { "type": 
"boolean" }, - "cloud_storage_api_endpoint_port": { - "type": "integer" - }, - "cloud_storage_azure_adls_endpoint": { - "type": "string" - }, - "cloud_storage_azure_adls_port": { - "type": "integer" + "requireClientAuth": { + "type": "boolean" } - } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" } - } - }, - "tieredStorageHostPath": { - "deprecated": true, - "type": "string" - }, - "persistentVolume": { - "deprecated": true, - "type": "object", + }, "required": [ "enabled", - "size", - "storageClass", - "labels", - "annotations" + "tls", + "kafkaEndpoint", + "port" ], + "type": "object" + }, + "kafka": { "properties": { - "enabled": { - "type": "boolean" - }, - "size": { - "type": "string", - "pattern": "^[0-9]+(\\.[0-9]){0,1}(k|M|G|Ki|Mi|Gi)$" - }, - "storageClass": { - "type": "string" + "authenticationMethod": { + "pattern": "sasl|none|mtls_identity", + "type": [ + "string", + "null" + ] }, - "labels": { + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "authenticationMethod": { + "pattern": "sasl|none|mtls_identity", + "type": [ + "string", + "null" + ] + }, + "enabled": { + "type": "boolean" + }, + "port": { + "type": "integer" + }, + "prefixTemplate": { + "type": "string" + } + }, + "required": [ + "port" + ], + "type": "object" + } + }, "type": "object" }, - "annotations": { + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], "type": "object" } - } - }, - "tieredStoragePersistentVolume": { - "deprecated": true, - "type": "object", + }, "required": [ - "enabled", - "storageClass", - "labels", - "annotations" + "tls", + "port" ], + "type": "object" + }, + "rpc": { 
"properties": { - "enabled": { - "type": "boolean" - }, - "storageClass": { - "type": "string" - }, - "labels": { - "type": "object" + "port": { + "type": "integer" }, - "annotations": { + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], "type": "object" } - } + }, + "required": [ + "port", + "tls" + ], + "type": "object" }, - "tieredConfig":{ - "deprecated": true, - "type": "object", + "schemaRegistry": { "properties": { - "cloud_storage_enable_remote_write": { - "type": "boolean" + "authenticationMethod": { + "pattern": "http_basic|none", + "type": [ + "string", + "null" + ] }, - "cloud_storage_enable_remote_read": { + "enabled": { "type": "boolean" }, - "cloud_storage_credentials_source": { - "type": "string", - "pattern": "^(config_file|aws_instance_metadata|sts|gcp_instance_metadata)$" - }, - "cloud_storage_region": { - "type": "string" - }, - "cloud_storage_bucket": { - "type": "string" - }, - "cloud_storage_api_endpoint": { - "type": "string" - }, - "cloud_storage_cache_size": { - "type": "integer" - }, - "cloud_storage_cache_directory": { - "type": "string" - }, - "cloud_storage_cache_check_interval": { - "type": "integer" - }, - "cloud_storage_initial_backoff_ms": { - "type": "integer" - }, - "cloud_storage_max_connections": { - "type": "integer" - }, - "cloud_storage_segment_upload_timeout_ms": { - "type": "integer" - }, - "cloud_storage_manifest_upload_timeout_ms": { - "type": "integer" - }, - "cloud_storage_max_connection_idle_time_ms": { - "type": "integer" - }, - "cloud_storage_segment_max_upload_interval_sec": { - "type": "integer" - }, - "cloud_storage_trust_file": { - "type": "string" - }, - "cloud_storage_upload_ctrl_update_interval_ms": { - "type": "integer" - }, - "cloud_storage_upload_ctrl_p_coeff": { - "type": "integer" - }, - "cloud_storage_upload_ctrl_d_coeff": { - "type": "integer" 
- }, - "cloud_storage_upload_ctrl_min_shares": { - "type": "integer" + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "authenticationMethod": { + "pattern": "http_basic|none", + "type": [ + "string", + "null" + ] + }, + "enabled": { + "type": "boolean" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + } + }, + "required": [], + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" }, - "cloud_storage_upload_ctrl_max_shares": { - "type": "integer" + "kafkaEndpoint": { + "pattern": "^[A-Za-z_-][A-Za-z0-9_-]*$", + "type": "string" }, - "cloud_storage_reconciliation_interval_ms": { + "port": { "type": "integer" }, - "cloud_storage_disable_tls": { + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "enabled", + "kafkaEndpoint", + "port", + "tls" + ], + "type": "object" + } + }, + "required": [ + "admin", + "http", + "kafka", + "schemaRegistry", + "rpc" + ], + "type": "object" + }, + "logging": { + "properties": { + "logLevel": { + "pattern": "^(error|warn|info|debug|trace)$", + "type": "string" + }, + "usageStats": { + "properties": { + "enabled": { "type": "boolean" - }, - "cloud_storage_api_endpoint_port": { - "type": "integer" - }, - "cloud_storage_azure_adls_endpoint": { - "type": "string" - }, - "cloud_storage_azure_adls_port": { - "type": "integer" } - } + }, + "required": [ + "enabled" + ], + "type": "object" + } + }, + "required": [ + "logLevel", + "usageStats" + ], + "type": "object" + }, + "monitoring": { + "properties": { + 
"enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "scrapeInterval": { + "pattern": ".*[smh]$", + "type": "string" + }, + "tlsConfig": { + "type": "object" } - } + }, + "required": [ + "enabled", + "scrapeInterval" + ], + "type": "object" + }, + "nameOverride": { + "type": "string" + }, + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "type": "object" }, "post_install_job": { - "type": "object", "properties": { + "affinity": { + "type": "object" + }, "resources": { - "type": "object", "properties": { - "requests": { - "type": "object", + "limits": { "properties": { "cpu": { - "type": ["integer", "string"] + "type": [ + "integer", + "string" + ] }, "memory": { - "type": "string", - "pattern": "^[0-9]+(\\.[0-9]){0,1}(k|M|G|Ki|Mi|Gi)$" + "pattern": "^[0-9]+(\\.[0-9]){0,1}(k|M|G|Ki|Mi|Gi)$", + "type": "string" } - } + }, + "type": "object" }, - "limits": { - "type": "object", + "requests": { "properties": { "cpu": { - "type": ["integer", "string"] + "type": [ + "integer", + "string" + ] }, "memory": { - "type": "string", - "pattern": "^[0-9]+(\\.[0-9]){0,1}(k|M|G|Ki|Mi|Gi)$" + "pattern": "^[0-9]+(\\.[0-9]){0,1}(k|M|G|Ki|Mi|Gi)$", + "type": "string" } - } + }, + "type": "object" } - } - }, - "affinity": { + }, "type": "object" } - } + }, + "type": "object" }, "post_upgrade_job": { - "type": "object", "properties": { + "affinity": { + "type": "object" + }, + "extraEnv": { + "type": [ + "array", + "string" + ] + }, + "extraEnvFrom": { + "type": [ + "array", + "string" + ] + }, "resources": { - "type": "object", "properties": { - "requests": { - "type": "object", + "limits": { "properties": { "cpu": { - "type": ["integer", "string"] + "type": [ + "integer", + "string" + ] }, "memory": { - "type": "string", - "pattern": "^[0-9]+(\\.[0-9]){0,1}(k|M|G|Ki|Mi|Gi)$" + "pattern": "^[0-9]+(\\.[0-9]){0,1}(k|M|G|Ki|Mi|Gi)$", + "type": "string" } - } + }, + "type": "object" }, - 
"limits": { - "type": "object", + "requests": { "properties": { "cpu": { - "type": ["integer", "string"] + "type": [ + "integer", + "string" + ] }, "memory": { - "type": "string", - "pattern": "^[0-9]+(\\.[0-9]){0,1}(k|M|G|Ki|Mi|Gi)$" + "pattern": "^[0-9]+(\\.[0-9]){0,1}(k|M|G|Ki|Mi|Gi)$", + "type": "string" } - } + }, + "type": "object" } - } - }, - "extraEnv": { - "type": ["array", "string"] - }, - "extraEnvFrom": { - "type": ["array", "string"] - }, - "affinity": { + }, "type": "object" } - } + }, + "type": "object" }, - "statefulset": { - "type": "object", + "rackAwareness": { + "properties": { + "enabled": { + "type": "boolean" + }, + "nodeAnnotation": { + "type": "string" + } + }, "required": [ - "replicas", - "updateStrategy", - "budget", - "annotations", - "startupProbe", - "livenessProbe", - "readinessProbe", - "podAffinity", - "podAntiAffinity", - "nodeSelector", - "priorityClassName", - "tolerations", - "topologySpreadConstraints", - "securityContext", - "sideCars" + "enabled", + "nodeAnnotation" ], + "type": "object" + }, + "rbac": { "properties": { - "replicas": { - "type": "integer" - }, - "updateStrategy": { - "type": "object", - "required": [ - "type" - ], - "properties": { - "type": { - "type": "string", - "pattern": "^(RollingUpdate|OnDelete)$" - } - } - }, - "budget": { - "type": "object", - "required": [ - "maxUnavailable" - ], - "properties": { - "maxUnavailable": { - "type": "integer" - } - } - }, "annotations": { + "additionalProperties": { + "type": "string" + }, "type": "object" }, - "startupProbe": { - "type": "object", - "required": [ - "initialDelaySeconds", - "failureThreshold", - "periodSeconds" - ], + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled", + "annotations" + ], + "type": "object" + }, + "resources": { + "properties": { + "cpu": { "properties": { - "initialDelaySeconds": { - "type": "integer" - }, - "failureThreshold": { - "type": "integer" + "cores": { + "type": [ + "integer", + "string" + ] }, - 
"periodSeconds": { - "type": "integer" + "overprovisioned": { + "type": "boolean" } - } - }, - "livenessProbe": { - "type": "object", + }, "required": [ - "initialDelaySeconds", - "failureThreshold", - "periodSeconds" + "cores" ], - "properties": { - "initialDelaySeconds": { - "type": "integer" - }, - "failureThreshold": { - "type": "integer" - }, - "periodSeconds": { - "type": "integer" - } - } + "type": "object" }, - "readinessProbe": { - "type": "object", - "required": [ - "initialDelaySeconds", - "failureThreshold", - "periodSeconds" - ], + "memory": { "properties": { - "initialDelaySeconds": { - "type": "integer" - }, - "failureThreshold": { - "type": "integer" + "container": { + "properties": { + "max": { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(k|M|G|Ki|Mi|Gi)$", + "type": "string" + }, + "min": { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(k|M|G|Ki|Mi|Gi)$", + "type": "string" + } + }, + "required": [ + "max" + ], + "type": "object" }, - "periodSeconds": { - "type": "integer" + "enable_memory_locking": { + "type": "boolean" } - } - }, - "nodeAffinity": { - "type": "object" - }, - "podAffinity": { - "type": "object" - }, - "podAntiAffinity": { - "type": "object", + }, "required": [ - "topologyKey", - "type", - "weight" + "container" ], + "type": "object" + } + }, + "required": [ + "cpu", + "memory" + ], + "type": "object" + }, + "service": { + "properties": { + "internal": { "properties": { - "topologyKey": { - "type": "string" - }, - "type": { - "type": "string", - "pattern": "^(hard|soft|custom)$" - }, - "weight": { - "type": "integer" - }, - "custom": { + "annotations": { + "additionalProperties": { + "type": "string" + }, "type": "object" } - } - }, - "nodeSelector": { + }, "type": "object" }, - "priorityClassName": { + "name": { "type": "string" + } + }, + "type": "object" + }, + "serviceAccount": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" }, - "tolerations": { - "type": "array" + "create": { + 
"type": "boolean" }, - "topologySpreadConstraints": { - "type": "array", - "minItems": 1, + "name": { + "type": "string" + } + }, + "required": [ + "create", + "name", + "annotations" + ], + "type": "object" + }, + "statefulset": { + "properties": { + "additionalRedpandaCmdFlags": { "items": { - "properties": { - "maxSkew": { - "type": "integer" - }, - "topologyKey": { - "type": "string" - }, - "whenUnsatisfiable": { - "type": "string", - "pattern": "^(ScheduleAnyway|DoNotSchedule)$" - } - } - } + "type": "string" + }, + "type": "array" }, - "securityContext": { - "type": "object", - "required": [ - "fsGroup", - "runAsUser" - ], + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "budget": { "properties": { - "fsGroup": { - "type": "integer" - }, - "runAsUser": { + "maxUnavailable": { "type": "integer" - }, - "fsGroupChangePolicy": { - "type": "string", - "pattern": "^(OnRootMismatch|Always)$" } - } + }, + "required": [ + "maxUnavailable" + ], + "type": "object" }, - "sideCars": { - "type": "object", + "extraVolumeMounts": { + "type": "string" + }, + "extraVolumes": { + "type": "string" + }, + "initContainers": { "properties": { - "configWatcher": { - "type": "object", + "configurator": { "properties": { - "enabled": { - "type": "boolean" + "extraVolumeMounts": { + "type": "string" }, "resources": { "type": "object" - }, - "securityContext": { - "type": "object" - }, - "extraVolumeMounts": { - "type": "string" } }, - "controllers": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "resources": { - "type": "object" - }, - "securityContext": { - "type": "object" - }, - "run": { - "type": "array" - }, - "healthProbeAddress": { - "type": "string" - }, - "metricsAddress": { - "type": "string" - }, - "image": { - "description": "Values used to define the container image to be used for Redpanda", - "type": "object", - "required": [ - "repository", - "tag" - ], - "properties": { - "repository": { 
- "description": "container image repository", - "default": "docker.redpanda.com/redpandadata/redpanda-operator", - "type": "string", - "pattern": "^[a-z0-9-_/.]+$" - }, - "tag": { - "description": "The container image tag. Use the Redpanda release version. Must be a valid semver prefixed with a 'v'.", - "default": "Chart.appVersion", - "type": "string", - "pattern": "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$|^$" - } - } - } - } - } - } - } - }, - "initContainers": { - "type": "object", - "properties": { + "type": "object" + }, + "extraInitContainers": { + "type": "string" + }, "fsValidator": { - "type": "object", "properties": { "enabled": { "type": "boolean" 
@@ -1041,615 +1044,728 @@ "expectedFS": { "type": "string" }, - "resources": { - "type": "object" - }, "extraVolumeMounts": { "type": "string" - } - } - }, - "tuning": { - "type": "object", - "properties": { + }, "resources": { "type": "object" - }, - "extraVolumeMounts": { - "type": "string" } - } + }, + "type": "object" }, "setDataDirOwnership": { - "type": "object", "properties": { - "resources": { - "type": "object" - }, "enabled": { "type": "boolean" }, "extraVolumeMounts": { "type": "string" + }, + "resources": { + "type": "object" } - } + }, + "type": "object" }, "setTieredStorageCacheDirOwnership": { - "type": "object", "properties": { - "resources": { - "type": "object" - }, "extraVolumeMounts": { "type": "string" + }, + "resources": { + "type": "object" } - } + }, + "type": "object" }, - "configurator": { - "type": "object", + "tuning": { "properties": { - "resources": { - "type": "object" - }, "extraVolumeMounts": { "type": "string" + }, + "resources": { + "type": "object" } - } - }, - "extraInitContainers": { - "type": "string" + }, + "type": "object" } - } - }, - "additionalRedpandaCmdFlags": { - "type": "array" - }, - "terminationGracePeriodSeconds": { - "type": "integer" - }, - "extraVolumes": { - "type": "string" - }, - "extraVolumeMounts": { - "type": "string" - } - } - }, - "serviceAccount": { - "type": "object", - "required": [ - "create", - "annotations", - "name" - ], - "properties": { - "create": { - "type": "boolean" - }, - "annotations": { + }, "type": "object" }, - "name": { - "type": "string" - } - } - }, - "rbac": { - "type": "object", - "required": [ - "enabled", - "annotations" - ], - "properties": { - "enabled": { - "type": "boolean" - }, - "annotations": { + "livenessProbe": { + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + } + }, + "required": [ + "initialDelaySeconds", + "failureThreshold", + "periodSeconds" + ], "type": 
"object" - } - } - }, - "tuning": { - "type": "object", - "properties": { - "tune_aio_events": { - "type": "boolean" }, - "tune_clocksource": { - "type": "boolean" + "nodeAffinity": { + "type": "object" }, - "tune_ballast_file": { - "type": "boolean" + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "type": "object" }, - "ballast_file_path": { - "type": "string" + "podAffinity": { + "type": "object" }, - "ballast_file_size": { - "type": "string" + "podAntiAffinity": { + "properties": { + "custom": { + "type": "object" + }, + "topologyKey": { + "type": "string" + }, + "type": { + "pattern": "^(hard|soft|custom)$", + "type": "string" + }, + "weight": { + "type": "integer" + } + }, + "required": [ + "topologyKey", + "type", + "weight" + ], + "type": "object" }, - "well_known_io": { + "priorityClassName": { "type": "string" - } - } - }, - "listeners": { - "type": "object", - "required": [ - "admin", - "kafka", - "http", - "rpc", - "schemaRegistry" - ], - "properties": { - "admin": { - "type": "object", + }, + "readinessProbe": { + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + } + }, "required": [ - "port", - "tls" + "initialDelaySeconds", + "failureThreshold", + "periodSeconds" ], + "type": "object" + }, + "replicas": { + "type": "integer" + }, + "securityContext": { "properties": { - "port": { + "fsGroup": { "type": "integer" }, - "external": { - "type": "object", - "minProperties": 1, - "patternProperties": { - "^[A-Za-z_][A-Za-z0-9_]*$": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "advertisedPorts": { - "type": "array", - "minItems": 1, - "items": { - "type": "integer" - } - } - } - } - } + "fsGroupChangePolicy": { + "pattern": "^(OnRootMismatch|Always)$", + "type": "string" }, - "tls": { - "type": "object", - "required": [ - "cert", - "requireClientAuth" - ], + "runAsUser": { + "type": 
"integer" + } + }, + "required": [ + "fsGroup", + "runAsUser" + ], + "type": "object" + }, + "sideCars": { + "properties": { + "configWatcher": { "properties": { "enabled": { "type": "boolean" }, - "cert": { + "extraVolumeMounts": { "type": "string" }, - "requireClientAuth": { - "type": "boolean" - } - } - } - } - }, - "kafka": { - "type": "object", - "required": [ - "port", - "tls" - ], - "properties": { - "port": { - "type": "integer" - }, - "external": { - "type": "object", - "minProperties": 1, - "patternProperties": { - "^[A-Za-z_][A-Za-z0-9_]*$": { - "type": "object", - "required": [ - "port" - ], - "properties": { - "prefixTemplate": { - "type": "string" - }, - "enabled": { - "type": "boolean" - }, - "port": { - "type": "integer" - }, - "advertisedPorts": { - "type": "array", - "minItems": 1, - "items": { - "type": "integer" - } - }, - "authenticationMethod": { - "type": ["string", "null"], - "pattern": "sasl|none|mtls_identity" - } - } + "resources": { + "type": "object" + }, + "securityContext": { + "type": "object" } - } + }, + "type": "object" }, - "tls": { - "type": "object", - "required": [ - "cert", - "requireClientAuth" - ], + "controllers": { "properties": { "enabled": { "type": "boolean" }, - "cert": { - "type": "string" + "image": { + "properties": { + "repository": { + "default": "docker.redpanda.com/redpandadata/redpanda-operator", + "pattern": "^[a-z0-9-_/.]+$", + "type": "string" + }, + "tag": { + "default": "Chart.appVersion", + "pattern": "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$|^$", + "type": "string" + } + }, + "required": [ + "tag", + "repository" + ], + "type": "object" }, - "requireClientAuth": { - "type": "boolean" - } - } + "resources": true, + "securityContext": true + }, + "type": "object" + } + }, + "type": "object" + }, + "startupProbe": { + "properties": { + "failureThreshold": { 
+ "type": "integer" }, - "authenticationMethod": { - "type": ["string", "null"], - "pattern": "sasl|none|mtls_identity" + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" } - } + }, + "required": [ + "initialDelaySeconds", + "failureThreshold", + "periodSeconds" + ], + "type": "object" }, - "http": { - "type": "object", + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "tolerations": { + "items": true, + "type": "array" + }, + "topologySpreadConstraints": { + "items": { + "properties": { + "maxSkew": { + "type": "integer" + }, + "topologyKey": { + "type": "string" + }, + "whenUnsatisfiable": { + "pattern": "^(ScheduleAnyway|DoNotSchedule)$", + "type": "string" + } + }, + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "updateStrategy": { + "properties": { + "type": { + "pattern": "^(RollingUpdate|OnDelete)$", + "type": "string" + } + }, "required": [ - "enabled", - "port", - "kafkaEndpoint", - "tls" + "type" ], + "type": "object" + } + }, + "required": [ + "replicas", + "updateStrategy", + "annotations", + "budget", + "startupProbe", + "livenessProbe", + "readinessProbe", + "podAffinity", + "podAntiAffinity", + "nodeSelector", + "priorityClassName", + "topologySpreadConstraints", + "tolerations", + "securityContext", + "sideCars" + ], + "type": "object" + }, + "storage": { + "properties": { + "hostPath": { + "type": "string" + }, + "persistentVolume": { + "deprecated": true, "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, "enabled": { "type": "boolean" }, - "port": { - "type": "integer" - }, - "kafkaEndpoint": { - "type": "string", - "pattern": "^[A-Za-z_-][A-Za-z0-9_-]*$" - }, - "authenticationMethod": { - "type": ["string", "null"], - "pattern": "http_basic|none" + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" }, - "external": { - "type": "object", - "minProperties": 1, - "patternProperties": { 
- "^[A-Za-z_][A-Za-z0-9_]*$": { - "type": "object", - "required": [ - "port" - ], - "properties": { - "prefixTemplate": { - "type": "string" - }, - "enabled": { - "type": "boolean" - }, - "port": { - "type": "integer" - }, - "advertisedPorts": { - "type": "array", - "minItems": 1, - "items": { - "type": "integer" - } - }, - "authenticationMethod": { - "type": ["string", "null"], - "pattern": "http_basic|none" - }, - "tls": { - "type": "object", - "required": [], - "properties": { - "enabled": { - "type": "boolean" - }, - "cert": { - "type": "string" - }, - "requireClientAuth": { - "type": "boolean" - } - } - } - } - } - } + "size": { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(k|M|G|Ki|Mi|Gi)$", + "type": "string" }, - "tls": { - "type": "object", - "required": [ - "cert", - "requireClientAuth" - ], - "properties": { - "enabled": { - "type": "boolean" - }, - "cert": { - "type": "string" - }, - "requireClientAuth": { - "type": "boolean" - } - } + "storageClass": { + "type": "string" } - } - }, - "rpc": { - "type": "object", + }, "required": [ - "port", - "tls" + "annotations", + "enabled", + "labels", + "size", + "storageClass" ], + "type": "object" + }, + "tiered": { "properties": { - "port": { - "type": "integer" - }, - "tls": { - "type": "object", - "required": [ - "cert", - "requireClientAuth" - ], + "config": { "properties": { - "enabled": { - "type": "boolean" + "cloud_storage_api_endpoint": { + "type": "string" }, - "cert": { + "cloud_storage_api_endpoint_port": { + "type": "integer" + }, + "cloud_storage_azure_adls_endpoint": { "type": "string" }, - "requireClientAuth": { + "cloud_storage_azure_adls_port": { + "type": "integer" + }, + "cloud_storage_bucket": { + "type": "string" + }, + "cloud_storage_cache_check_interval": { + "type": "integer" + }, + "cloud_storage_cache_directory": { + "type": "string" + }, + "cloud_storage_cache_size": { + "type": [ + "integer", + "string" + ] + }, + "cloud_storage_credentials_source": { + "pattern": 
"^(config_file|aws_instance_metadata|sts|gcp_instance_metadata)$", + "type": "string" + }, + "cloud_storage_disable_tls": { + "type": "boolean" + }, + "cloud_storage_enable_remote_read": { + "type": "boolean" + }, + "cloud_storage_enable_remote_write": { "type": "boolean" + }, + "cloud_storage_initial_backoff_ms": { + "type": "integer" + }, + "cloud_storage_manifest_upload_timeout_ms": { + "type": "integer" + }, + "cloud_storage_max_connection_idle_time_ms": { + "type": "integer" + }, + "cloud_storage_max_connections": { + "type": "integer" + }, + "cloud_storage_reconciliation_interval_ms": { + "type": "integer" + }, + "cloud_storage_region": { + "type": "string" + }, + "cloud_storage_segment_max_upload_interval_sec": { + "type": "integer" + }, + "cloud_storage_segment_upload_timeout_ms": { + "type": "integer" + }, + "cloud_storage_trust_file": { + "type": "string" + }, + "cloud_storage_upload_ctrl_d_coeff": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_max_shares": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_min_shares": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_p_coeff": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_update_interval_ms": { + "type": "integer" } - } - } - } - }, - "schemaRegistry": { - "type": "object", - "required": [ - "enabled", - "port", - "kafkaEndpoint", - "tls" - ], - "properties": { - "enabled": { - "type": "boolean" - }, - "port": { - "type": "integer" - }, - "kafkaEndpoint": { - "type": "string", - "pattern": "^[A-Za-z_-][A-Za-z0-9_-]*$" - }, - "authenticationMethod": { - "type": ["string", "null"], - "pattern": "http_basic|none" + }, + "required": [ + "cloud_storage_enabled", + "cloud_storage_bucket", + "cloud_storage_region" + ], + "type": "object" }, - "external": { - "type": "object", - "minProperties": 1, - "patternProperties": { - "^[A-Za-z_][A-Za-z0-9_]*$": { - "type": "object", + "credentialsSecretRef": { + "properties": { + "accessKey": { "properties": { - "enabled": { - "type": 
"boolean" + "configurationKey": { + "type": "string" }, - "port": { - "type": "integer" + "key": { + "type": "string" }, - "advertisedPorts": { - "type": "array", - "minItems": 1, - "items": { - "type": "integer" - } + "name": { + "type": "string" + } + }, + "type": "object" + }, + "configurationKey": { + "deprecated": true, + "type": "string" + }, + "key": { + "deprecated": true, + "type": "string" + }, + "name": { + "deprecated": true, + "type": "string" + }, + "secretKey": { + "properties": { + "configurationKey": { + "type": "string" }, - "authenticationMethod": { - "type": ["string", "null"], - "pattern": "http_basic|none" + "key": { + "type": "string" }, - "tls": { - "type": "object", - "required": [], - "properties": { - "enabled": { - "type": "boolean" - }, - "cert": { - "type": "string" - }, - "requireClientAuth": { - "type": "boolean" - } - } + "name": { + "type": "string" } - } + }, + "type": "object" } - } + }, + "type": "object" + }, + "hostPath": { + "type": "string" }, - "tls": { - "type": "object", - "required": [ - "cert", - "requireClientAuth" - ], + "mountType": { + "pattern": "^(none|hostPath|emptyDir|persistentVolume)$", + "type": "string" + }, + "persistentVolume": { "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, "enabled": { "type": "boolean" }, - "cert": { + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "nameOverwrite": { "type": "string" }, - "requireClientAuth": { - "type": "boolean" + "size": { + "type": "string" + }, + "storageClass": { + "type": "string" } - } - } - } - } - } - }, - "config": { - "type": "object", - "required": [ - "cluster", - "tunable", - "node" - ], - "properties": { - "cluster": { - "type": "object" - }, - "tunable": { - "type": "object", - "additionalProperties": true, - "properties": { - "log_retention_ms": {"type": "integer"}, - "group_initial_rebalance_delay": {"type": "integer"} + }, + "required": [ + 
"annotations", + "labels", + "storageClass" + ], + "type": "object" } - }, - "node": { - "type": "object" - }, - "rpk": { + }, + "required": [ + "mountType" + ], "type": "object" }, - "schema_registry_client": { - "type": "object", + "tieredConfig": { + "deprecated": true, "properties": { - "retries": { - "type": "integer" + "cloud_storage_api_endpoint": { + "type": "string" }, - "retry_base_backoff_ms": { + "cloud_storage_api_endpoint_port": { "type": "integer" }, - "produce_batch_record_count": { - "type": "integer" + "cloud_storage_azure_adls_endpoint": { + "type": "string" }, - "produce_batch_size_bytes": { + "cloud_storage_azure_adls_port": { "type": "integer" }, - "produce_batch_delay_ms": { - "type": "integer" + "cloud_storage_bucket": { + "type": "string" }, - "consumer_request_timeout_ms": { + "cloud_storage_cache_check_interval": { "type": "integer" }, - "consumer_request_max_bytes": { - "type": "integer" + "cloud_storage_cache_directory": { + "type": "string" }, - "consumer_session_timeout_ms": { + "cloud_storage_cache_size": { "type": "integer" }, - "consumer_rebalance_timeout_ms": { + "cloud_storage_credentials_source": { + "pattern": "^(config_file|aws_instance_metadata|sts|gcp_instance_metadata)$", + "type": "string" + }, + "cloud_storage_disable_tls": { + "type": "boolean" + }, + "cloud_storage_enable_remote_read": { + "type": "boolean" + }, + "cloud_storage_enable_remote_write": { + "type": "boolean" + }, + "cloud_storage_initial_backoff_ms": { "type": "integer" }, - "consumer_heartbeat_interval_ms": { + "cloud_storage_manifest_upload_timeout_ms": { "type": "integer" - } - } - }, - "pandaproxy_client": { - "type": "object", - "properties": { - "retries": { + }, + "cloud_storage_max_connection_idle_time_ms": { "type": "integer" }, - "retry_base_backoff_ms": { + "cloud_storage_max_connections": { "type": "integer" }, - "produce_batch_record_count": { + "cloud_storage_reconciliation_interval_ms": { "type": "integer" }, - "produce_batch_size_bytes": { 
+ "cloud_storage_region": { + "type": "string" + }, + "cloud_storage_segment_max_upload_interval_sec": { "type": "integer" }, - "produce_batch_delay_ms": { + "cloud_storage_segment_upload_timeout_ms": { "type": "integer" }, - "consumer_request_timeout_ms": { + "cloud_storage_trust_file": { + "type": "string" + }, + "cloud_storage_upload_ctrl_d_coeff": { "type": "integer" }, - "consumer_request_max_bytes": { + "cloud_storage_upload_ctrl_max_shares": { "type": "integer" }, - "consumer_session_timeout_ms": { + "cloud_storage_upload_ctrl_min_shares": { "type": "integer" }, - "consumer_rebalance_timeout_ms": { + "cloud_storage_upload_ctrl_p_coeff": { "type": "integer" }, - "consumer_heartbeat_interval_ms": { + "cloud_storage_upload_ctrl_update_interval_ms": { "type": "integer" } - } + }, + "type": "object" + }, + "tieredStorageHostPath": { + "deprecated": true, + "type": "string" + }, + "tieredStoragePersistentVolume": { + "deprecated": true, + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "storageClass": { + "type": "string" + } + }, + "required": [ + "annotations", + "enabled", + "labels", + "storageClass" + ], + "type": "object" } - } + }, + "required": [ + "hostPath", + "tiered", + "persistentVolume" + ], + "type": "object" }, - "auditLogging": { - "type": "object", + "tests": { "properties": { "enabled": { "type": "boolean" + } + }, + "type": "object" + }, + "tls": { + "properties": { + "certs": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "caEnabled": { + "type": "boolean" + }, + "duration": { + "pattern": ".*[smh]$", + "type": "string" + }, + "issuerRef": { + "properties": { + "kind": { + "enum": [ + "ClusterIssuer", + "Issuer" + ], + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" 
+ }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "caEnabled" + ], + "type": "object" + } + }, + "type": "object" }, - "listener": { + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ], + "type": "object" + }, + "tolerations": { + "items": { + "type": "object" + }, + "type": "array" + }, + "tuning": { + "properties": { + "ballast_file_path": { "type": "string" }, - "partitions": { - "type": "integer" - }, - "enabledEventTypes": { - "type": ["array", "null"] - }, - "excludedTopics": { - "type": ["array", "null"] - }, - "excludedPrincipals": { - "type": ["array", "null"] - }, - "clientMaxBufferSize": { - "type": "integer" + "ballast_file_size": { + "type": "string" }, - "queueDrainIntervalMs": { - "type": "integer" + "tune_aio_events": { + "type": "boolean" }, - "queueMaxBufferSizePerShard": { - "type": "integer" + "tune_ballast_file": { + "type": "boolean" }, - "replicationFactor": { - "type": ["integer", "null"] - } - } - }, - "tests": { - "type": "object", - "properties": { - "enabled": { + "tune_clocksource": { "type": "boolean" + }, + "well_known_io": { + "type": "string" } - } + }, + "type": "object" } - } + }, + "required": [ + "image" + ], + "type": "object" } diff --git a/charts/redpanda/redpanda/values.yaml b/charts/redpanda/redpanda/values.yaml index 7c1cdeb87c..fa467605f1 100644 --- a/charts/redpanda/redpanda/values.yaml +++ b/charts/redpanda/redpanda/values.yaml @@ -577,6 +577,10 @@ post_install_job: # memory: 1024Mi # labels: {} # annotations: {} + # You can set the security context as nessesary for the post-install job as follows + # securityContext: + # allowPrivilegeEscalation: false + # runAsNonRoot: true affinity: {} post_upgrade_job: 
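Review bot: `sideCars.controllers.resources` and `sideCars.controllers.securityContext` are now declared as `true`, which accepts any JSON value, while every other `resources`/`securityContext` entry in this hunk (for example the `configWatcher` sidecar directly above) keeps `"type": "object"`; a scalar or list under the controllers sidecar would now pass schema validation and could only be caught later, if at all. The same loosening appears in `statefulset.tolerations`, whose `items` is `true`, whereas the top-level `tolerations` added near the end of the hunk uses `"items": {"type": "object"}`. Unless the controllers sidecar intentionally accepts non-object values, restore `"resources": {"type": "object"}, "securityContext": {"type": "object"}` and align the two `tolerations` definitions. Separately, `storage.tiered.config.required` still lists `cloud_storage_enabled`, which has no entry under that object's `properties` (carried over from the previous layout), so the schema requires a key it never describes.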
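Review bot: `securityContext` is documented here as a supported `post_install_job` key, but the `post_install_job` entry in the `values.schema.json` hunks of this same commit lists only `affinity` and `resources` under `properties`, so the key the comment advertises is not described by the schema; either add a `securityContext` object property there or the documentation and schema disagree. The first added line also misspells "necessary": `# You can set the security context as necessary for the post-install job as follows`. The same comment, with the same typo, is added to `post_upgrade_job` in the next hunk, and the schema's `post_upgrade_job` entry likewise has no `securityContext` property. Whether the job templates actually read `.Values.post_install_job.securityContext` is not visible in this diff, so the comment should only stay if they do; if the example is meant to model a hardened job, `capabilities: {drop: [ALL]}` and `seccompProfile: {type: RuntimeDefault}` are the usual companions of `runAsNonRoot` and `allowPrivilegeEscalation: false`.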
@@ -602,6 +606,10 @@ post_upgrade_job: # extraEnvFrom: # - secretRef: # name: redpanda-aws-secrets + # You can set the security context as nessesary for the post-upgrade job as follows + # securityContext: + # allowPrivilegeEscalation: false + # runAsNonRoot: true affinity: {} # When helm upgrade is performed the post-upgrade job is scheduled before Statefulset successfully finish # its rollout. User can extend Job default backoff limit of `6`. diff --git a/charts/speedscale/speedscale-operator/Chart.yaml b/charts/speedscale/speedscale-operator/Chart.yaml index bd444f34f3..7d73fcf38a 100644 --- a/charts/speedscale/speedscale-operator/Chart.yaml +++ b/charts/speedscale/speedscale-operator/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.17.0-0' catalog.cattle.io/release-name: speedscale-operator apiVersion: v1 -appVersion: 2.1.92 +appVersion: 2.1.136 description: Stress test your APIs with real world scenarios. Collect and replay traffic without scripting. home: https://speedscale.com @@ -24,4 +24,4 @@ maintainers: - email: support@speedscale.com name: Speedscale Support name: speedscale-operator -version: 2.1.8 +version: 2.1.12 diff --git a/charts/speedscale/speedscale-operator/README.md b/charts/speedscale/speedscale-operator/README.md index fc52c23030..bcbf750f04 100644 --- a/charts/speedscale/speedscale-operator/README.md +++ b/charts/speedscale/speedscale-operator/README.md 
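Review bot: In the post-upgrade-job hunk the new comment `# You can set the security context as nessesary ...` misspells `necessary`, and, like the matching post-install example, it leaves unstated whether `securityContext` is rendered at pod or container level — `allowPrivilegeEscalation` is only a container-level field, so copying this map into a pod-level `securityContext` would produce an invalid Job (the consuming template is outside this diff). Suggest `# securityContext (applied to the post-upgrade job's container) — set as necessary, e.g.:` and, to match the restricted Pod Security Standard, also listing `#   seccompProfile: {type: RuntimeDefault}` and `#   capabilities: {drop: [ALL]}`.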
@@ -101,10 +101,10 @@ _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documen A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an incompatible breaking change needing manual actions. -### Upgrade to 2.1.8 +### Upgrade to 2.1.12 ```bash -kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/2.1.8/templates/crds/trafficreplays.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/2.1.12/templates/crds/trafficreplays.yaml ``` ### Upgrade to 1.1.0 diff --git a/charts/speedscale/speedscale-operator/app-readme.md b/charts/speedscale/speedscale-operator/app-readme.md index fc52c23030..bcbf750f04 100644 --- a/charts/speedscale/speedscale-operator/app-readme.md +++ b/charts/speedscale/speedscale-operator/app-readme.md @@ -101,10 +101,10 @@ _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documen A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an incompatible breaking change needing manual actions. -### Upgrade to 2.1.8 +### Upgrade to 2.1.12 ```bash -kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/2.1.8/templates/crds/trafficreplays.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/2.1.12/templates/crds/trafficreplays.yaml ``` ### Upgrade to 1.1.0 diff --git a/charts/speedscale/speedscale-operator/templates/tls.yaml b/charts/speedscale/speedscale-operator/templates/tls.yaml index aecc76bebd..495bc0586e 100644 --- a/charts/speedscale/speedscale-operator/templates/tls.yaml +++ b/charts/speedscale/speedscale-operator/templates/tls.yaml 
@@ -45,27 +45,6 @@ spec: containers: - args: - |- - ARCH=$(uname -m) - case $ARCH in - x86_64) - ARCH=amd64 - ;; - arm | arm64 | aarch64) - ARCH=arm64 - ;; - esac - {{- if .Values.http_proxy }} - HTTP_PROXY={{ .Values.http_proxy | quote }} \ - {{- end }} - {{- if .Values.https_proxy }} - HTTPS_PROXY={{ .Values.https_proxy | quote }} \ - {{- end }} - {{- if .Values.no_proxy }} - NO_PROXY={{ .Values.no_proxy | quote }} \ - {{- end }} - curl -Lfs "https://storage.googleapis.com/kubernetes-release/release/v1.20.0/bin/linux/${ARCH}/kubectl" \ - -o /usr/local/bin/kubectl - chmod +x /usr/local/bin/kubectl keytool -importcert -noprompt -cacerts -storepass changeit -alias speedscale -file /etc/ssl/speedscale/tls.crt kubectl -n ${POD_NAMESPACE} delete secret speedscale-jks || true kubectl -n ${POD_NAMESPACE} create secret generic speedscale-jks --from-file=cacerts.jks=${JAVA_HOME}/lib/security/cacerts @@ -89,7 +68,7 @@ spec: - secretRef: name: '{{ ne .Values.apiKeySecret "" | ternary .Values.apiKeySecret "speedscale-apikey" }}' optional: false - image: 'openjdk' + image: '{{ .Values.image.registry }}/amazoncorretto' imagePullPolicy: {{ .Values.image.pullPolicy }} name: create-jks resources: {} diff --git a/charts/speedscale/speedscale-operator/values.yaml b/charts/speedscale/speedscale-operator/values.yaml index 23b5a46e46..4cff9245c6 100644 --- a/charts/speedscale/speedscale-operator/values.yaml +++ b/charts/speedscale/speedscale-operator/values.yaml @@ -20,7 +20,7 @@ clusterName: "my-cluster" # Speedscale components image settings. image: registry: gcr.io/speedscale - tag: v2.1.92 + tag: v2.1.136 pullPolicy: Always # Log level for Speedscale components. diff --git a/index.yaml b/index.yaml index 71f86aed61..02949bc42a 100644 --- a/index.yaml +++ b/index.yaml 
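Review bot: The new `image: '{{ .Values.image.registry }}/amazoncorretto'` still has no tag or digest, so together with `imagePullPolicy: {{ .Values.image.pullPolicy }}` (`Always` in this chart's values.yaml) every run of the `create-jks` job pulls whatever `latest` happens to be in the registry; the old `openjdk` reference had the same defect and this change was the natural point to fix it. Pin the JDK image to an explicit tag driven from values, or better a `@sha256:` digest, so the job that builds the `speedscale-jks` truststore secret is reproducible and cannot be swapped under the operator by a registry push. Note also that the preceding hunk removes the runtime `curl` download of `kubectl` v1.20.0 (a good removal of a network-fetched binary), but the surviving `kubectl -n ${POD_NAMESPACE} delete secret ...` / `create secret ...` lines now depend on `kubectl` shipping inside the mirrored `amazoncorretto` image, which this diff cannot show — a comment such as `# image must provide keytool and kubectl; see speedscale/amazoncorretto build` would record that assumption for the next maintainer.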
@@ -80,6 +80,63 @@ entries: - assets/datawiza/access-broker-0.1.1.tgz version: 0.1.1 airflow: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Airflow + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: airflow + category: WorkFlow + images: | + - name: airflow + image: docker.io/bitnami/airflow:2.8.3-debian-12-r0 + - name: airflow-exporter + image: docker.io/bitnami/airflow-exporter:0.20220314.0-debian-12-r27 + - name: airflow-scheduler + image: docker.io/bitnami/airflow-scheduler:2.8.3-debian-12-r0 + - name: airflow-worker + image: docker.io/bitnami/airflow-worker:2.8.3-debian-12-r0 + - name: git + image: docker.io/bitnami/git:2.44.0-debian-12-r0 + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r16 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 2.8.3 + created: "2024-03-25T14:58:29.197998926-06:00" + dependencies: + - condition: redis.enabled + name: redis + repository: file://./charts/redis + version: 19.x.x + - condition: postgresql.enabled + name: postgresql + repository: file://./charts/postgresql + version: 15.x.x + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Airflow is a tool to express and execute workflows as directed + acyclic graphs (DAGs). It includes utilities to schedule tasks, monitor task + progress and handle task dependencies. + digest: 28d74effb12574491144ff9d3cc1403f4f1c3b05cb00e61a10d7c64c6a9b0cab + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/airflow-1.svg + keywords: + - apache + - airflow + - workflow + - dag + maintainers: + - name: VMware, Inc. 
+ url: https://github.com/bitnami/charts + name: airflow + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/airflow + urls: + - assets/bitnami/airflow-18.0.0.tgz + version: 18.0.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Airflow @@ -2812,7 +2869,7 @@ entries: - annotations: artifacthub.io/changes: | - kind: changed - description: Bump argo-cd to v2.10.3 + description: Bump argo-cd to v2.10.4 artifacthub.io/signKey: | fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 url: https://argoproj.github.io/argo-helm/pgp_keys.asc 
@@ -2822,8 +2879,47 @@ entries: catalog.cattle.io/kube-version: '>=1.23.0-0' catalog.cattle.io/release-name: argo-cd apiVersion: v2 + appVersion: v2.10.4 + created: "2024-03-25T14:58:27.97528249-06:00" + dependencies: + - condition: redis-ha.enabled + name: redis-ha + repository: file://./charts/redis-ha + version: 4.26.1 + description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery + tool for Kubernetes. + digest: f8815a3a3f97258a8a44f77ae335f4ab61ec59ad37552a7d9045ff6f505ac83b + home: https://github.com/argoproj/argo-helm + icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png + keywords: + - argoproj + - argocd + - gitops + kubeVersion: '>=1.23.0-0' + maintainers: + - name: argoproj + url: https://argoproj.github.io/ + name: argo-cd + sources: + - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd + - https://github.com/argoproj/argo-cd + urls: + - assets/argo/argo-cd-6.7.3.tgz + version: 6.7.3 + - annotations: + artifacthub.io/changes: | + - kind: changed + description: Bump argo-cd to v2.10.3 + artifacthub.io/signKey: | + fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 + url: https://argoproj.github.io/argo-helm/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Argo CD + catalog.cattle.io/kube-version: '>=1.23.0-0' + catalog.cattle.io/release-name: argo-cd + apiVersion: v2 appVersion: v2.10.3 - created: "2024-03-15T00:32:07.838872385Z" + created: "2024-03-25T14:58:06.317079479-06:00" dependencies: - condition: redis-ha.enabled name: redis-ha @@ -2831,7 +2927,7 @@ entries: version: 4.26.1 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. - digest: f1c2eadccbf1096791a686f96eff45fd5017a4f6945a381c45cba077eaa019e5 + digest: c1119aa60610e9aa2881f40788fe29bce451b16a457dab9b719c965dd311595c home: https://github.com/argoproj/argo-helm icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png keywords: 
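Review bot: The `@@ -2831,7 +2927,7 @@` hunk rewrites the `digest` of the already-published argo-cd 6.7.2 entry (`f1c2eadc…` → `c1119aa6…`) while leaving `version: 6.7.2` unchanged, which means the released archive was regenerated in place; Helm consumers treat chart versions as immutable, anyone who recorded the old digest (or a provenance file) will now fail verification, and a silently changed digest for a released version is exactly the signal a supply-chain monitor should alert on. If the rebuild was intentional the reason belongs in the commit message, otherwise the original archive and digest should be restored and the correction shipped as a new patch version. The `created` stamps in the preceding hunk also move from UTC (`…Z`) to a `-06:00` offset, which suggests the index was regenerated on a workstation rather than by the release pipeline — worth confirming. The same in-place digest change appears to recur for other existing entries further down this index (gluu 5.0.22, linkerd-control-plane 2024.3.3).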
@@ -12173,6 +12269,48 @@ entries: - assets/asserts/asserts-1.6.0.tgz version: 1.6.0 cassandra: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Cassandra + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: cassandra + category: Database + images: | + - name: cassandra + image: docker.io/bitnami/cassandra:4.1.4-debian-12-r4 + - name: cassandra-exporter + image: docker.io/bitnami/cassandra-exporter:2.3.8-debian-12-r17 + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r16 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 4.1.4 + created: "2024-03-25T14:58:29.291455427-06:00" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Cassandra is an open source distributed database management + system designed to handle large amounts of data across many servers, providing + high availability with no single point of failure. + digest: 26a62f8a9c0f0cd3d528dbfb6f7599e10bce41b17dc5e18cfcbcec001d6f4ece + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/cassandra-4.svg + keywords: + - cassandra + - database + - nosql + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: cassandra + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/cassandra + urls: + - assets/bitnami/cassandra-11.0.0.tgz + version: 11.0.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Cassandra 
@@ -19102,6 +19240,32 @@ entries: - assets/crate/crate-operator-2.16.0.tgz version: 2.16.0 csi-isilon: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Dell CSI PowerScale + catalog.cattle.io/kube-version: '>= 1.21.0 < 1.30.0' + catalog.cattle.io/release-name: isilon + apiVersion: v2 + appVersion: 2.10.0 + created: "2024-03-25T14:58:32.47024598-06:00" + description: 'PowerScale CSI (Container Storage Interface) driver Kubernetes integration. + This chart includes everything required to provision via CSI as well as an Isilon + StorageClass. ' + digest: dbf51aee0b2b6054b1a94194f65a17a6ff6c591e3ae3b98ae93bb2628dd7b59e + icon: https://partner-charts.rancher.io/assets/logos/dell.png + keywords: + - csi + - storage + kubeVersion: '>= 1.21.0 < 1.30.0' + maintainers: + - name: DellEMC + name: csi-isilon + sources: + - https://github.com/dell/csi-isilon + type: application + urls: + - assets/dell/csi-isilon-2.10.0.tgz + version: 2.10.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dell CSI PowerScale 
@@ -19205,6 +19369,38 @@ entries: - assets/dell/csi-isilon-2.6.1.tgz version: 2.6.1 csi-powermax: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Dell CSI PowerMax + catalog.cattle.io/kube-version: '>= 1.23.0 < 1.30.0' + catalog.cattle.io/release-name: csi-powermax + apiVersion: v2 + appVersion: 2.10.0 + created: "2024-03-25T14:58:32.473793418-06:00" + dependencies: + - condition: required + name: csireverseproxy + repository: file://./charts/csireverseproxy + version: 2.9.0 + description: 'PowerMax CSI (Container Storage Interface) driver Kubernetes integration. + This chart includes everything required to provision via CSI as well as a PowerMax + StorageClass. ' + digest: 25441def50a585fa233d8189e9be16d7c14c0261eee7c01a4c8e0f39e6b5f1e7 + home: https://github.com/dell/csi-powermax + icon: https://partner-charts.rancher.io/assets/logos/dell.png + keywords: + - csi + - storage + kubeVersion: '>= 1.23.0 < 1.30.0' + maintainers: + - name: DellEMC + name: csi-powermax + sources: + - https://github.com/dell/csi-powermax + type: application + urls: + - assets/dell/csi-powermax-2.10.0.tgz + version: 2.10.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dell CSI PowerMax 
@@ -19365,6 +19561,33 @@ entries: - assets/dell/csi-powermax-2.6.0.tgz version: 2.6.0 csi-powerstore: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Dell CSI PowerStore + catalog.cattle.io/kube-version: '>= 1.24.0 < 1.30.0' + catalog.cattle.io/release-name: powerstore + apiVersion: v2 + appVersion: 2.10.0 + created: "2024-03-25T14:58:32.479123958-06:00" + description: 'PowerStore CSI (Container Storage Interface) driver Kubernetes integration. + This chart includes everything required to provision via CSI as well as a PowerStore + StorageClass. ' + digest: 3cd34a4c9e1c4ca3b9173b9ec8eef8f1e3b5d8086c8d19ca1f3423e4d453f964 + home: https://github.com/dell/csi-powerstore + icon: https://partner-charts.rancher.io/assets/logos/dell.png + keywords: + - csi + - storage + kubeVersion: '>= 1.24.0 < 1.30.0' + maintainers: + - name: DellEMC + name: csi-powerstore + sources: + - https://github.com/dell/csi-powerstore + type: application + urls: + - assets/dell/csi-powerstore-2.10.0.tgz + version: 2.10.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dell CSI PowerStore 
@@ -19550,6 +19773,32 @@ entries: - assets/dell/csi-powerstore-2.4.0.tgz version: 2.4.0 csi-unity: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Dell CSI Unity + catalog.cattle.io/kube-version: '>= 1.24.0 < 1.30.0' + catalog.cattle.io/release-name: unity + apiVersion: v2 + appVersion: 2.10.0 + created: "2024-03-25T14:58:32.485767037-06:00" + description: 'Unity XT CSI (Container Storage Interface) driver Kubernetes integration. + This chart includes everything required to provision via CSI as well as a Unity + XT StorageClass. ' + digest: 95e8fc5fabe9143dd885d7329c6e4f1c619e1dd4e68a31e963456db53ad3e849 + icon: https://partner-charts.rancher.io/assets/logos/dell.png + keywords: + - csi + - storage + kubeVersion: '>= 1.24.0 < 1.30.0' + maintainers: + - name: DellEMC + name: csi-unity + sources: + - https://github.com/dell/csi-unity + type: application + urls: + - assets/dell/csi-unity-2.10.0.tgz + version: 2.10.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dell CSI Unity 
@@ -19705,6 +19954,32 @@ entries: - assets/dell/csi-unity-2.4.0.tgz version: 2.4.0 csi-vxflexos: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Dell CSI PowerFlex + catalog.cattle.io/kube-version: '>= 1.21.0 < 1.30.0' + catalog.cattle.io/namespace: vxflexos + catalog.cattle.io/release-name: vxflexos + apiVersion: v2 + appVersion: 2.10.0 + created: "2024-03-25T14:58:32.490916286-06:00" + description: 'VxFlex OS CSI (Container Storage Interface) driver Kubernetes integration. + This chart includes everything required to provision via CSI as well as a VxFlex + OS StorageClass. ' + digest: bfdf99fa7a89c6ac19853a3f86ba72a8d8cde558b2b1f19f9c04aec31c21de7c + icon: https://partner-charts.rancher.io/assets/logos/dell.png + keywords: + - csi + - storage + kubeVersion: '>= 1.21.0 < 1.30.0' + maintainers: + - name: DellEMC + name: csi-vxflexos + sources: + - https://github.com/dell/csi-vxflexos + urls: + - assets/dell/csi-vxflexos-2.10.0.tgz + version: 2.10.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dell CSI PowerFlex 
@@ -20405,6 +20680,43 @@ entries: - assets/weka/csi-wekafsplugin-0.6.400.tgz version: 0.6.400 datadog: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Datadog + catalog.cattle.io/kube-version: '>=1.10-0' + catalog.cattle.io/release-name: datadog + apiVersion: v1 + appVersion: "7" + created: "2024-03-25T14:58:32.381368865-06:00" + dependencies: + - condition: clusterAgent.metricsProvider.useDatadogMetrics + name: datadog-crds + repository: https://helm.datadoghq.com + tags: + - install-crds + version: 1.0.1 + - condition: datadog.kubeStateMetricsEnabled + name: kube-state-metrics + repository: https://prometheus-community.github.io/helm-charts + version: 2.13.2 + description: Datadog Agent + digest: cdcf7a2f991c565e3fe426b4ade4b4a7c06d2180316292713c23650d1c860122 + home: https://www.datadoghq.com + icon: https://datadog-live.imgix.net/img/dd_logo_70x75.png + keywords: + - monitoring + - alerting + - metric + maintainers: + - email: support@datadoghq.com + name: Datadog + name: datadog + sources: + - https://app.datadoghq.com/account/settings#agent/kubernetes + - https://github.com/DataDog/datadog-agent + urls: + - assets/datadog/datadog-3.59.2.tgz + version: 3.59.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Datadog 
@@ -23534,6 +23846,39 @@ entries: - assets/datadog/datadog-2.4.200.tgz version: 2.4.200 datadog-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Datadog Operator + catalog.cattle.io/release-name: datadog-operator + apiVersion: v2 + appVersion: 1.4.0 + created: "2024-03-25T14:58:32.468093926-06:00" + dependencies: + - alias: datadogCRDs + condition: installCRDs + name: datadog-crds + repository: file://./charts/datadog-crds + tags: + - install-crds + version: =1.4.0 + description: Datadog Operator + digest: 8846c295100528432b24293f36b1ea65d22372582a7db09e130108e1048026a9 + home: https://www.datadoghq.com + icon: https://datadog-live.imgix.net/img/dd_logo_70x75.png + keywords: + - monitoring + - alerting + - metric + maintainers: + - email: support@datadoghq.com + name: Datadog + name: datadog-operator + sources: + - https://app.datadoghq.com/account/settings#agent/kubernetes + - https://github.com/DataDog/datadog-agent + urls: + - assets/datadog/datadog-operator-1.5.2.tgz + version: 1.5.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Datadog Operator 
@@ -25732,6 +26077,35 @@ entries: - assets/linux-polska/ezd-crd-1.3.1.tgz version: 1.3.1 f5-bigip-ctlr: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: F5 Container Ingress Services for Kubernetes + and OpenShift + catalog.cattle.io/kube-version: '>=1.20-0' + catalog.cattle.io/release-name: f5-bigip-ctlr + apiVersion: v1 + created: "2024-03-25T14:58:32.612914367-06:00" + description: Deploy the F5 Networks BIG-IP Controller for Kubernetes and OpenShift + (k8s-bigip-ctlr). + digest: e1ca3b6715ee8610be992c379173c8aeac2b7585189889003b2a8ef889c3b3e5 + home: https://www.f5.com/products/automation-and-orchestration/container-ingress-services + icon: https://avatars.githubusercontent.com/u/8935905?s=200&v=4 + keywords: + - F5 + - BIG-IP + - Containers + - Kubernetes + - OpenShift + maintainers: + - email: f5_cis_operators@f5.com + name: F5CISSupport + name: f5-bigip-ctlr + sources: + - https://github.com/F5Networks/k8s-bigip-ctlr + - https://github.com/F5Networks/charts + urls: + - assets/f5/f5-bigip-ctlr-0.0.2901.tgz + version: 0.0.2901 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: F5 Container Ingress Services for Kubernetes 
@@ -27245,6 +27619,111 @@ entries: - assets/inaccel/fpga-operator-2.5.201.tgz version: 2.5.201 gluu: + - annotations: + artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/images: | + - name: auth-server + image: ghcr.io/janssenproject/jans/auth-server:1.1.0-1 + - name: auth-server-key-rotation + image: ghcr.io/janssenproject/jans/certmanager:1.1.0-1 + - name: configuration-manager + image: ghcr.io/janssenproject/jans/configurator:1.1.0-1 + - name: config-api + image: ghcr.io/janssenproject/jans/config-api:1.1.0-1 + - name: fido2 + image: ghcr.io/janssenproject/jans/fido2:1.1.0-1 + - name: persistence + image: ghcr.io/janssenproject/jans/persistence-loader:1.1.0-1 + - name: scim + image: ghcr.io/janssenproject/jans/scim:1.1.0-1 + - name: casa + image: ghcr.io/janssenproject/jans/casa:1.1.0-1 + - name: admin-ui + image: ghcr.io/gluufederation/flex/admin-ui:5.1.0-1 + - name: link + image: ghcr.io/janssenproject/jans/link:1.1.0-1 + - name: saml + image: ghcr.io/janssenproject/jans/saml:1.1.0-1 + artifacthub.io/license: Apache-2.0 + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Gluu Cloud Identity and Access Management + catalog.cattle.io/featured: "4" + catalog.cattle.io/kube-version: '>=v1.21.0-0' + catalog.cattle.io/release-name: gluu + apiVersion: v2 + appVersion: 5.1.0 + created: "2024-03-25T14:58:48.172914728-06:00" + dependencies: + - condition: global.config.enabled + name: config + repository: file://./charts/config + version: 1.1.0 + - condition: global.config-api.enabled + name: config-api + repository: file://./charts/config-api + version: 1.1.0 + - condition: global.opendj.enabled + name: opendj + repository: file://./charts/opendj + version: 5.1.0 + - condition: global.auth-server.enabled + name: auth-server + repository: file://./charts/auth-server + version: 1.1.0 + - condition: global.admin-ui.enabled + name: admin-ui + repository: file://./charts/admin-ui + version: 5.1.0 + - condition: global.fido2.enabled + name: 
fido2 + repository: file://./charts/fido2 + version: 1.1.0 + - condition: global.scim.enabled + name: scim + repository: file://./charts/scim + version: 1.1.0 + - condition: global.nginx-ingress.enabled + name: nginx-ingress + repository: file://./charts/nginx-ingress + version: 5.1.0 + - condition: global.casa.enabled + name: casa + repository: file://./charts/casa + version: 1.1.0 + - condition: global.auth-server-key-rotation.enabled + name: auth-server-key-rotation + repository: file://./charts/auth-server-key-rotation + version: 1.1.0 + - condition: global.persistence.enabled + name: persistence + repository: file://./charts/persistence + version: 1.1.0 + - condition: global.istio.ingress + name: cn-istio-ingress + repository: file://./charts/cn-istio-ingress + version: 5.1.0 + - condition: global.link.enabled + name: link + repository: file://./charts/link + version: 1.1.0 + - condition: global.saml.enabled + name: saml + repository: file://./charts/saml + version: 1.1.0 + description: Gluu Access and Identity Management + digest: 54e4dd8c42eda2ecf5b14334d53a94f2255b96f75c4dd3c17d0d76cb4cbacae7 + home: https://www.gluu.org + icon: https://gluu.org/docs/gluu-server/favicon.ico + kubeVersion: '>=v1.21.0-0' + maintainers: + - email: team@gluu.org + name: moabu + name: gluu + sources: + - https://docs.gluu.org + urls: + - assets/gluu/gluu-5.1.0.tgz + version: 5.1.0 - annotations: artifacthub.io/containsSecurityUpdates: "true" artifacthub.io/images: | @@ -27273,12 +27752,11 @@ entries: artifacthub.io/license: Apache-2.0 catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Gluu Cloud Identity and Access Management - catalog.cattle.io/featured: "4" catalog.cattle.io/kube-version: '>=v1.21.0-0' catalog.cattle.io/release-name: gluu apiVersion: v2 appVersion: 5.0.22 - created: "2024-02-21T10:02:42.783088908Z" + created: "2024-03-25T14:58:32.79463795-06:00" dependencies: - condition: global.config.enabled name: config 
@@ -27337,7 +27815,7 @@ entries: repository: file://./charts/saml version: 5.0.25 description: Gluu Access and Identity Management - digest: 356a93210cd461d714860049813562ce98eecaa20ed0b371da4e5fbdf617b51b + digest: 273b15cb756445872bd962acec2d80e06dfc643c4bc7aff39a940f26e1241b3f home: https://www.gluu.org icon: https://gluu.org/docs/gluu-server/favicon.ico kubeVersion: '>=v1.21.0-0' @@ -29002,6 +29480,34 @@ entries: - assets/gopaddle/gopaddle-4.2.5.tgz version: 4.2.5 haproxy: + - annotations: + artifacthub.io/changes: | + - Use Ingress Controller 1.11.2 version for base image + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy + apiVersion: v2 + appVersion: 1.11.2 + created: "2024-03-25T14:58:48.267392467-06:00" + description: A Helm chart for HAProxy Kubernetes Ingress Controller + digest: e96f6daccee97047c71b89f8d3031c0b74508d71c9c485a6a9d1c4b0a622f0c0 + home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png + keywords: + - ingress + - haproxy + kubeVersion: '>=1.22.0-0' + maintainers: + - email: dkorunic@haproxy.com + name: Dinko Korunic + name: haproxy + sources: + - https://github.com/haproxytech/kubernetes-ingress + type: application + urls: + - assets/haproxy/haproxy-1.38.5.tgz + version: 1.38.5 - annotations: artifacthub.io/changes: | - Use Ingress Controller 1.11.0 version for base image 
@@ -30081,6 +30587,37 @@ entries: - assets/haproxy/haproxy-1.4.300.tgz version: 1.4.300 harbor: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Harbor + catalog.cattle.io/kube-version: '>=1.20-0' + catalog.cattle.io/release-name: harbor + apiVersion: v1 + appVersion: 2.10.1 + created: "2024-03-25T14:58:48.30730098-06:00" + description: An open source trusted cloud native registry that stores, signs, + and scans content + digest: 41f03baea13a8dea1580e139ee1c4d84d287ebcf8a428eaee6db03d6c5dc8465 + home: https://goharbor.io + icon: https://raw.githubusercontent.com/goharbor/website/main/static/img/logos/harbor-icon-color.png + keywords: + - docker + - registry + - harbor + maintainers: + - email: yinw@vmware.com + name: Wenkai Yin + - email: hweiwei@vmware.com + name: Weiwei He + - email: yshengwen@vmware.com + name: Shengwen Yu + name: harbor + sources: + - https://github.com/goharbor/harbor + - https://github.com/goharbor/harbor-helm + urls: + - assets/harbor/harbor-1.14.1.tgz + version: 1.14.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Harbor 
@@ -32256,6 +32793,63 @@ entries: - assets/jaeger/jaeger-operator-2.36.0.tgz version: 2.36.0 jenkins: + - annotations: + artifacthub.io/category: integration-delivery + artifacthub.io/changes: | + - Update `docker.io/bats/bats` to version `1.11.0` + artifacthub.io/images: | + - name: jenkins + image: docker.io/jenkins/jenkins:2.440.2-jdk17 + - name: k8s-sidecar + image: docker.io/kiwigrid/k8s-sidecar:1.26.1 + - name: inbound-agent + image: jenkins/inbound-agent:3206.vb_15dcf73f6a_9-3 + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Chart Source + url: https://github.com/jenkinsci/helm-charts/tree/main/charts/jenkins + - name: Jenkins + url: https://www.jenkins.io/ + - name: support + url: https://github.com/jenkinsci/helm-charts/issues + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Jenkins + catalog.cattle.io/kube-version: '>=1.14-0' + catalog.cattle.io/release-name: jenkins + apiVersion: v2 + appVersion: 2.440.2 + created: "2024-03-25T14:58:48.709017905-06:00" + description: 'Jenkins - Build great things at any scale! As the leading open source + automation server, Jenkins provides over 1800 plugins to support building, deploying + and automating any project. 
' + digest: 94e410553a0409e60d9664ae710c0ea8f71b7e3dfcb733f7d646ff95d74808a9 + home: https://www.jenkins.io/ + icon: https://get.jenkins.io/art/jenkins-logo/logo.svg + keywords: + - jenkins + - ci + - devops + maintainers: + - email: maor.friedman@redhat.com + name: maorfr + - email: mail@torstenwalter.de + name: torstenwalter + - email: garridomota@gmail.com + name: mogaal + - email: wmcdona89@gmail.com + name: wmcdona89 + - email: timjacomb1@gmail.com + name: timja + name: jenkins + sources: + - https://github.com/jenkinsci/jenkins + - https://github.com/jenkinsci/docker-inbound-agent + - https://github.com/maorfr/kube-tasks + - https://github.com/jenkinsci/configuration-as-code-plugin + type: application + urls: + - assets/jenkins/jenkins-5.1.4.tgz + version: 5.1.4 - annotations: artifacthub.io/category: integration-delivery artifacthub.io/changes: | @@ -35652,6 +36246,34 @@ entries: - assets/trilio/k8s-triliovault-operator-v2.0.200.tgz version: v2.0.200 k10: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: K10 + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: k10 + apiVersion: v2 + appVersion: 6.5.9 + created: "2024-03-25T14:58:49.950758504-06:00" + dependencies: + - condition: grafana.enabled + name: grafana + repository: file://./charts/grafana + version: 7.3.2 + - condition: prometheus.server.enabled + name: prometheus + repository: file://./charts/prometheus + version: 25.12.0 + description: Kasten’s K10 Data Management Platform + digest: e77e57e1a035ff62e5aef6ed7afcf4a0a420b53b7370654aa4cad28812892bb3 + home: https://kasten.io/ + icon: https://docs.kasten.io/_static/logo-kasten-k10-blue-white.png + maintainers: + - email: contact@kasten.io + name: kastenIO + name: k10 + urls: + - assets/kasten/k10-6.5.901.tgz + version: 6.5.901 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: K10 
@@ -41987,6 +42609,35 @@ entries: - assets/kubemq/kubemq-crds-2.3.7.tgz version: 2.3.7 kubernetes-ingress-controller: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: ngrok Ingress Controller + catalog.cattle.io/release-name: kubernetes-ingress-controller + apiVersion: v2 + appVersion: 0.10.3 + created: "2024-03-25T14:59:07.966919174-06:00" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: A Kubernetes ingress controller built using ngrok. + digest: 3db9f6ac12acc8776b6eb19070ca3d29625b8d93e1353b806f69d72c93cda4dc + home: https://ngrok.com + icon: https://assets-global.website-files.com/63ed4bc7a4b189da942a6b8c/6411ffa0b395a44345ed2b1a_Frame%201.svg + keywords: + - ngrok + - networking + - ingress + - edge + - api gateway + name: kubernetes-ingress-controller + sources: + - https://github.com/ngrok/kubernetes-ingress-controller + urls: + - assets/ngrok/kubernetes-ingress-controller-0.12.3.tgz + version: 0.12.3 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: ngrok Ingress Controller 
@@ -43427,15 +44078,47 @@ entries: catalog.cattle.io/kube-version: '>=1.22.0-0' catalog.cattle.io/release-name: linkerd-control-plane apiVersion: v2 + appVersion: edge-24.3.4 + created: "2024-03-25T14:59:07.296582648-06:00" + dependencies: + - name: partials + repository: file://./charts/partials + version: 0.1.0 + description: 'Linkerd gives you observability, reliability, and security for your + microservices — with no code change required. ' + digest: 15cef9e1f22b15540dfa4aaafef2c315ebfccf236c9f441c1c0179ff78ed429f + home: https://linkerd.io + icon: https://linkerd.io/images/logo-only-200h.png + keywords: + - service-mesh + kubeVersion: '>=1.22.0-0' + maintainers: + - email: cncf-linkerd-dev@lists.cncf.io + name: Linkerd authors + url: https://linkerd.io/ + name: linkerd-control-plane + sources: + - https://github.com/linkerd/linkerd2/ + type: application + urls: + - assets/linkerd/linkerd-control-plane-2024.3.4.tgz + version: 2024.3.4 + - annotations: + catalog.cattle.io/auto-install: linkerd-crds + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Linkerd Control Plane + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: linkerd-control-plane + apiVersion: v2 appVersion: edge-24.3.3 - created: "2024-03-15T00:32:46.910361969Z" + created: "2024-03-25T14:58:50.659885952-06:00" dependencies: - name: partials repository: file://./charts/partials version: 0.1.0 description: 'Linkerd gives you observability, reliability, and security for your microservices — with no code change required. ' - digest: ec36bcf3bbf5c190652ed9117608256832c17703b726a4eb274171d9ee68ffa0 + digest: f5eddbe6dfcdb37ac4f9fd0e676e4aee14a9ea51e1f3d7602ca1959bb315ed02 home: https://linkerd.io icon: https://linkerd.io/images/logo-only-200h.png keywords: 
@@ -43794,6 +44477,36 @@ entries: - assets/linkerd/linkerd-control-plane-1.12.5.tgz version: 1.12.5 linkerd-crds: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Linkerd CRDs + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: linkerd-crds + apiVersion: v2 + created: "2024-03-25T14:59:07.302355939-06:00" + dependencies: + - name: partials + repository: file://./charts/partials + version: 0.1.0 + description: 'Linkerd gives you observability, reliability, and security for your + microservices — with no code change required. ' + digest: 62223f96dbc3bf715fa2247d6303bf2741cd293a8fff3610e84919df64b81772 + home: https://linkerd.io + icon: https://linkerd.io/images/logo-only-200h.png + keywords: + - service-mesh + kubeVersion: '>=1.22.0-0' + maintainers: + - email: cncf-linkerd-dev@lists.cncf.io + name: Linkerd authors + url: https://linkerd.io/ + name: linkerd-crds + sources: + - https://github.com/linkerd/linkerd2/ + type: application + urls: + - assets/linkerd/linkerd-crds-2024.3.4.tgz + version: 2024.3.4 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Linkerd CRDs 
@@ -43825,6 +44538,41 @@ entries: - assets/linkerd/linkerd-crds-2024.3.3.tgz version: 2024.3.3 loft: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Loft + catalog.cattle.io/kube-version: '>=1.22-0' + catalog.cattle.io/release-name: loft + apiVersion: v2 + created: "2024-03-25T14:59:07.327939966-06:00" + description: Secure Cluster Sharing, Self-Service Namespace Provisioning and Virtual + Clusters + digest: c7b5b0733594dba851ef95e93dbb1637ffd906cd473fbe8c65902c56fcdb5d92 + home: https://loft.sh + icon: https://static.loft.sh/loft/logo/loft-logo.svg + keywords: + - developer + - development + - sharing + - share + - multi-tenancy + - tenancy + - cluster + - space + - namespace + - vcluster + - vclusters + maintainers: + - email: info@loft.sh + name: Loft Labs, Inc. + url: https://twitter.com/loft_sh + name: loft + sources: + - https://github.com/loft-sh/loft + type: application + urls: + - assets/loft/loft-3.4.2.tgz + version: 3.4.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Loft 
@@ -44499,6 +45247,50 @@ entries: - assets/elastic/logstash-7.17.3.tgz version: 7.17.3 mariadb: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: MariaDB + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: mariadb + category: Database + images: | + - name: mariadb + image: docker.io/bitnami/mariadb:11.2.3-debian-12-r4 + - name: mysqld-exporter + image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-12-r8 + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r16 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 11.2.3 + created: "2024-03-25T14:58:29.923882689-06:00" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: MariaDB is an open source, community-developed SQL database server + that is widely in use around the world due to its enterprise features, flexibility, + and collaboration with leading tech firms. + digest: 2171b2cbc65a11f1016954a86f446f253f098189b13e8d03de7d18a4357d1c21 + home: https://bitnami.com + icon: https://mariadb.com/wp-content/uploads/2019/11/mariadb-logo-vert_black-transparent.png + keywords: + - mariadb + - mysql + - database + - sql + - prometheus + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: mariadb + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/mariadb + urls: + - assets/bitnami/mariadb-17.0.1.tgz + version: 17.0.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: MariaDB 
@@ -46654,6 +47446,32 @@ entries: - assets/metallb/metallb-0.13.7.tgz version: 0.13.7 minio-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Minio Operator + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: minio-operator + apiVersion: v2 + appVersion: v5.0.14 + created: "2024-03-25T14:59:07.350671108-06:00" + description: A Helm chart for MinIO Operator + digest: 653034cd3fb6e31b6ea80448f11b6e7503bf07d7b45557597fbb095457e22b6c + home: https://min.io + icon: https://min.io/resources/img/logo/MINIO_wordmark.png + keywords: + - storage + - object-storage + - S3 + maintainers: + - email: dev@minio.io + name: MinIO, Inc + name: minio-operator + sources: + - https://github.com/minio/operator + type: application + urls: + - assets/minio/minio-operator-5.0.14.tgz + version: 5.0.14 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Minio Operator 
@@ -47149,6 +47967,50 @@ entries: - assets/minio/minio-operator-4.4.1700.tgz version: 4.4.1700 mysql: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: MySQL + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: mysql + category: Database + images: | + - name: mysql + image: docker.io/bitnami/mysql:8.0.36-debian-12-r8 + - name: mysqld-exporter + image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-12-r8 + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r16 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 8.0.36 + created: "2024-03-25T14:58:29.926872481-06:00" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: MySQL is a fast, reliable, scalable, and easy to use open source + relational database system. Designed to handle mission-critical, heavy-load + production applications. + digest: 9da6a68dd40e2abe8eeae6a940190070e14185e61157c794eb02fb1310487d71 + home: https://bitnami.com + icon: https://www.mysql.com/common/logos/logo-mysql-170x115.png + keywords: + - mysql + - database + - sql + - cluster + - high availability + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: mysql + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/mysql + urls: + - assets/bitnami/mysql-10.1.0.tgz + version: 10.1.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: MySQL 
@@ -55456,6 +56318,51 @@ entries: - assets/portshift-operator/portshift-operator-0.1.000.tgz version: 0.1.000 postgresql: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: PostgreSQL + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: postgresql + category: Database + images: | + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r17 + - name: postgres-exporter + image: docker.io/bitnami/postgres-exporter:0.15.0-debian-12-r14 + - name: postgresql + image: docker.io/bitnami/postgresql:16.2.0-debian-12-r10 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 16.2.0 + created: "2024-03-25T14:58:30.276080719-06:00" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: PostgreSQL (Postgres) is an open source object-relational database + known for reliability and data integrity. ACID-compliant, it supports foreign + keys, joins, views, triggers and stored procedures. + digest: 303965ccff8b9701e923c1c84262e2989cb4a2aa7cc5fde11e0ddb3fa5bfd8b8 + home: https://bitnami.com + icon: https://wiki.postgresql.org/images/a/a4/PostgreSQL_logo.3colors.svg + keywords: + - postgresql + - postgres + - database + - sql + - replication + - cluster + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: postgresql + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/postgresql + urls: + - assets/bitnami/postgresql-15.1.4.tgz + version: 15.1.4 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: PostgreSQL 
@@ -58701,6 +59608,29 @@ entries: - assets/percona/psmdb-db-1.13.0.tgz version: 1.13.0 psmdb-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Percona Operator for MongoDB + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: psmdb-operator + apiVersion: v2 + appVersion: 1.15.0 + created: "2024-03-25T14:59:08.272084872-06:00" + description: A Helm chart for deploying the Percona Operator for MongoDB + digest: 27bebb11bc3c76612aad749963a4d74e6095a42c516010649e460c5328784163 + home: https://docs.percona.com/percona-operator-for-mongodb/ + icon: https://raw.githubusercontent.com/percona/percona-server-mongodb-operator/main/operator.png + maintainers: + - email: tomislav.plavcic@percona.com + name: tplavcic + - email: natalia.marukovich@percona.com + name: nmarukovich + - email: sergey.pronin@percona.com + name: spron-in + name: psmdb-operator + urls: + - assets/percona/psmdb-operator-1.15.4.tgz + version: 1.15.4 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Percona Operator for MongoDB 
@@ -58931,6 +59861,30 @@ entries: - assets/percona/psmdb-operator-1.13.1.tgz version: 1.13.1 pxc-db: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Percona XtraDB Cluster + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: pxc-db + apiVersion: v2 + appVersion: 1.14.0 + created: "2024-03-25T14:59:08.28641792-06:00" + description: A Helm chart for installing Percona XtraDB Cluster Databases using + the PXC Operator. + digest: b79fecfb986d50a91fc5cb9ba140f708fd191245e092f567dec818c5ac982171 + home: https://www.percona.com/doc/kubernetes-operator-for-pxc/kubernetes.html + icon: https://raw.githubusercontent.com/percona/percona-xtradb-cluster-operator/main/operator.png + maintainers: + - email: tomislav.plavcic@percona.com + name: tplavcic + - email: sergey.pronin@percona.com + name: spron-in + - email: natalia.marukovich@percona.com + name: nmarukovich + name: pxc-db + urls: + - assets/percona/pxc-db-1.14.1.tgz + version: 1.14.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Percona XtraDB Cluster 
@@ -59546,6 +60500,52 @@ entries: - assets/quobyte/quobyte-cluster-0.1.5.tgz version: 0.1.5 redis: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redis + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: redis + category: Database + images: | + - name: kubectl + image: docker.io/bitnami/kubectl:1.29.2-debian-12-r3 + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r16 + - name: redis + image: docker.io/bitnami/redis:7.2.4-debian-12-r9 + - name: redis-exporter + image: docker.io/bitnami/redis-exporter:1.58.0-debian-12-r4 + - name: redis-sentinel + image: docker.io/bitnami/redis-sentinel:7.2.4-debian-12-r7 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 7.2.4 + created: "2024-03-25T14:58:30.561048041-06:00" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Redis(R) is an open source, advanced key-value store. It is often + referred to as a data structure server since keys can contain strings, hashes, + lists, sets and sorted sets. + digest: 9c12e3b3c8ddcb14a743afe0acc54841b8760e93514ea76c36bd6e5e98fd04c0 + home: https://bitnami.com + icon: https://redis.com/wp-content/uploads/2021/08/redis-logo.png + keywords: + - redis + - keyvalue + - database + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: redis + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/redis + urls: + - assets/bitnami/redis-19.0.1.tgz + version: 19.0.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Redis 
@@ -62176,6 +63176,50 @@ entries: - assets/bitnami/redis-17.3.7.tgz version: 17.3.7 redpanda: + - annotations: + artifacthub.io/images: | + - name: redpanda + image: docker.redpanda.com/redpandadata/redpanda:v23.3.9 + - name: busybox + image: busybox:latest + - name: mintel/docker-alpine-bash-curl-jq + image: mintel/docker-alpine-bash-curl-jq:latest + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.8.0)" + url: https://helm.sh/docs/intro/install/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redpanda + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: redpanda + apiVersion: v2 + appVersion: v23.3.9 + created: "2024-03-25T14:59:08.702804827-06:00" + dependencies: + - condition: console.enabled + name: console + repository: file://./charts/console + version: '>=0.5 <1.0' + - condition: connectors.enabled + name: connectors + repository: file://./charts/connectors + version: '>=0.1.2 <1.0' + description: Redpanda is the real-time engine for modern apps. + digest: a58334b399a884923c66489f42847f662760c49f44979745a9629c2e07d81988 + icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg + kubeVersion: '>=1.21-0' + maintainers: + - name: redpanda-data + url: https://github.com/orgs/redpanda-data/people + name: redpanda + sources: + - https://github.com/redpanda-data/helm-charts + type: application + urls: + - assets/redpanda/redpanda-5.7.35.tgz + version: 5.7.35 - annotations: artifacthub.io/images: | - name: redpanda 
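Review bot: The new redpanda 5.7.35 entry lists `image: busybox:latest` and `image: mintel/docker-alpine-bash-curl-jq:latest` in its `artifacthub.io/images` annotation — mutable tags from third-party Docker Hub namespaces rather than a pinned version or digest, unlike the `redpanda:v23.3.9` image beside them. Since this index is generated from the upstream chart's annotations, the pin belongs in the chart itself rather than in this file, but it is worth recording as a caveat before certifying the entry, because a retagged `latest` changes what runs in the cluster without altering the chart digest that consumers verify. Whether the chart actually pulls these images by that tag at runtime cannot be confirmed from the index alone.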
@@ -66693,6 +67737,43 @@ entries: - assets/shipa/shipa-1.4.0.tgz version: 1.4.0 spark: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Spark + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: spark + category: Infrastructure + images: | + - name: spark + image: docker.io/bitnami/spark:3.5.1-debian-12-r0 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 3.5.1 + created: "2024-03-25T14:58:30.661463688-06:00" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Spark is a high-performance engine for large-scale computing + tasks, such as data processing, machine learning and real-time data streaming. + It includes APIs for Java, Python, Scala and R. + digest: ad51250f56f3063a5dff2218538478c3076b20bc264bd42b711851f0ee2b12d5 + home: https://bitnami.com + icon: https://www.apache.org/logos/res/spark/default.png + keywords: + - apache + - spark + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: spark + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/spark + urls: + - assets/bitnami/spark-9.0.0.tgz + version: 9.0.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Spark 
@@ -68254,6 +69335,37 @@ entries: - assets/bitnami/spark-6.3.8.tgz version: 6.3.8 speedscale-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Speedscale Operator + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: speedscale-operator + apiVersion: v1 + appVersion: 2.1.136 + created: "2024-03-25T14:59:08.796377739-06:00" + description: Stress test your APIs with real world scenarios. Collect and replay + traffic without scripting. + digest: 60c5f85e2f1ae61994445a0d9493f65c0fcf633aba4f60850f47622aa2f50be7 + home: https://speedscale.com + icon: https://raw.githubusercontent.com/speedscale/assets/main/logo/gold_logo_only.png + keywords: + - speedscale + - test + - testing + - regression + - reliability + - load + - replay + - network + - traffic + kubeVersion: '>= 1.17.0-0' + maintainers: + - email: support@speedscale.com + name: Speedscale Support + name: speedscale-operator + urls: + - assets/speedscale/speedscale-operator-2.1.12.tgz + version: 2.1.12 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Speedscale Operator 
@@ -72813,6 +73925,51 @@ entries: - assets/intel/tcs-issuer-0.1.0.tgz version: 0.1.0 tomcat: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Tomcat + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: tomcat + category: ApplicationServer + images: | + - name: jmx-exporter + image: docker.io/bitnami/jmx-exporter:0.20.0-debian-12-r11 + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r16 + - name: tomcat + image: docker.io/bitnami/tomcat:10.1.19-debian-12-r2 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 10.1.19 + created: "2024-03-25T14:58:30.696914073-06:00" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Tomcat is an open-source web server designed to host and run + Java-based web applications. It is a lightweight server with a good performance + for applications running in production environments. + digest: 23190fb6bb98982c4921694e8710e89aa04c197a2bb101785412a08118fc3615 + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/tomcat.svg + keywords: + - tomcat + - java + - http + - web + - application server + - jsp + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: tomcat + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/tomcat + urls: + - assets/bitnami/tomcat-10.17.1.tgz + version: 10.17.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Tomcat 
@@ -76634,6 +77791,60 @@ entries: - assets/hashicorp/vault-0.22.0.tgz version: 0.22.0 wordpress: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: WordPress + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: wordpress + category: CMS + images: | + - name: apache-exporter + image: docker.io/bitnami/apache-exporter:1.0.7-debian-12-r0 + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r17 + - name: wordpress + image: docker.io/bitnami/wordpress:6.4.3-debian-12-r28 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 6.4.3 + created: "2024-03-25T14:58:31.489966079-06:00" + dependencies: + - condition: memcached.enabled + name: memcached + repository: file://./charts/memcached + version: 7.x.x + - condition: mariadb.enabled + name: mariadb + repository: file://./charts/mariadb + version: 17.x.x + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: WordPress is the world's most popular blogging and content management + platform. Powerful yet simple, everyone from students to global corporations + use it to build beautiful, functional websites. + digest: 5c805ac5e7f9d6894ba8c06e9230467061f091fd1a4b7ae79d487acbc21cba23 + home: https://bitnami.com + icon: https://s.w.org/style/images/about/WordPress-logotype-simplified.png + keywords: + - application + - blog + - cms + - http + - php + - web + - wordpress + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: wordpress + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/wordpress + urls: + - assets/bitnami/wordpress-21.0.6.tgz + version: 21.0.6 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: WordPress 
@@ -83233,6 +84444,43 @@ entries: - assets/netfoundry/ziti-host-1.5.1.tgz version: 1.5.1 zookeeper: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Zookeeper + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: zookeeper + category: Infrastructure + images: | + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r16 + - name: zookeeper + image: docker.io/bitnami/zookeeper:3.9.2-debian-12-r0 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 3.9.2 + created: "2024-03-25T14:58:31.578188996-06:00" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache ZooKeeper provides a reliable, centralized register of configuration + data and services for distributed applications. + digest: 1c9a59d72c7c4eedbdcbdff8b354b6f93c6ae0a9ff5dd17af5d3b4c13499b98b + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/zookeeper.svg + keywords: + - zookeeper + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: zookeeper + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/zookeeper + urls: + - assets/bitnami/zookeeper-13.0.1.tgz + version: 13.0.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Zookeeper