diff --git a/ct.yaml b/.github/configs/ct-install.yaml similarity index 61% rename from ct.yaml rename to .github/configs/ct-install.yaml index 26b0ccf7..67dcbf65 100644 --- a/ct.yaml +++ b/.github/configs/ct-install.yaml @@ -1,7 +1,13 @@ +--- +remote: origin target-branch: main +chart-dirs: + - charts chart-repos: - - bitnami=https://charts.bitnami.com/bitnami - authentik=https://charts.goauthentik.io helm-extra-args: --timeout 180s check-version-increment: false validate-maintainers: false +validate-yaml: true +exclude-deprecated: true +excluded-charts: [] diff --git a/.github/configs/ct-lint.yaml b/.github/configs/ct-lint.yaml new file mode 100644 index 00000000..fafa324d --- /dev/null +++ b/.github/configs/ct-lint.yaml @@ -0,0 +1,11 @@ +--- +remote: origin +target-branch: main +chart-dirs: + - charts +chart-repos: + - authentik=https://charts.goauthentik.io +check-version-increment: false +validate-maintainers: false +exclude-deprecated: true +excluded-charts: [] diff --git a/.github/configs/lintconf.yaml b/.github/configs/lintconf.yaml new file mode 100644 index 00000000..dbefbcc6 --- /dev/null +++ b/.github/configs/lintconf.yaml @@ -0,0 +1,42 @@ +--- +rules: + braces: + min-spaces-inside: 0 + max-spaces-inside: 0 + min-spaces-inside-empty: -1 + max-spaces-inside-empty: -1 + brackets: + min-spaces-inside: 0 + max-spaces-inside: 0 + min-spaces-inside-empty: -1 + max-spaces-inside-empty: -1 + colons: + max-spaces-before: 0 + max-spaces-after: 1 + commas: + max-spaces-before: 0 + min-spaces-after: 1 + max-spaces-after: 1 + comments: + require-starting-space: true + min-spaces-from-content: 1 + document-end: disable + document-start: disable # No --- to start a file + empty-lines: + max: 2 + max-start: 0 + max-end: 0 + hyphens: + max-spaces-after: 1 + indentation: + spaces: consistent + indent-sequences: whatever # - list indentation will handle both indentation and without + check-multi-line-strings: false + key-duplicates: enable + line-length: disable # Lines can be any length + new-line-at-end-of-file: enable + new-lines: + type: unix + trailing-spaces: enable + truthy: + level: warning diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml index 9da23c90..66b6318c 100644 --- a/.github/workflows/lint-test.yaml +++ b/.github/workflows/lint-test.yaml @@ -1,3 +1,4 @@ +--- name: "Lint and Test Chart" on: @@ -7,36 +8,71 @@ on: pull_request: jobs: + linter-artifacthub: + runs-on: ubuntu-latest + container: + image: public.ecr.aws/artifacthub/ah:v1.14.0 + options: --user 1001 + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Run ah lint + working-directory: ./charts + run: ah lint + lint-and-test: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 with: - fetch-depth: "0" + fetch-depth: 0 + - name: Set up Helm - uses: azure/setup-helm@v3.5 - - uses: actions/setup-python@v5 + uses: azure/setup-helm@v3 + + - name: Set up python + uses: actions/setup-python@v5 with: - python-version: 3.9.2 - - name: Set up chart-testing - uses: helm/chart-testing-action@v2.6.1 - - name: Run chart-testing (list-changed) + python-version: "3.9" + + - name: Setup Chart Linting + id: lint + uses: helm/chart-testing-action@v2 + + - name: List changed charts id: list-changed run: | - changed=$(ct list-changed --config ct.yaml) + changed=$(ct --config ./.github/configs/ct-lint.yaml list-changed) + charts=$(echo "$changed" | tr '\n' ' ' | xargs) if [[ -n "$changed" ]]; then echo "changed=true" >> $GITHUB_OUTPUT + echo "changed_charts=$charts" >> $GITHUB_OUTPUT fi + - name: Run chart-testing (lint) - run: ct lint --config ct.yaml + run: ct lint --debug --config ./.github/configs/ct-lint.yaml --lint-conf ./.github/configs/lintconf.yaml + + - name: Run docs-testing (helm-docs) + id: helm-docs + run: | + ./scripts/helm-docs.sh + if [[ $(git diff --stat) != '' ]]; then + echo -e '\033[0;31mDocumentation outdated!\033[0m ❌' + git diff --color + exit 1 + else + echo -e '\033[0;32mDocumentation up to date\033[0m ✔' + fi + - name: Create kind cluster uses: helm/kind-action@v1.9.0 if: steps.list-changed.outputs.changed == 'true' + - name: Run chart-testing (install) - if: steps.list-changed.outputs.changed == 'true' run: | namespace=authentik-$(uuidgen) kubectl create ns $namespace kubectl apply -n $namespace -f charts/authentik/ci/manifests/ - ct install --namespace=$namespace --config ct.yaml + ct install --namespace=$namespace --config ./.github/configs/ct-install.yaml + if: steps.list-changed.outputs.changed == 'true' diff --git a/charts/authentik-remote-cluster/README.md b/charts/authentik-remote-cluster/README.md index c4b927df..5f787856 100644 --- a/charts/authentik-remote-cluster/README.md +++ b/charts/authentik-remote-cluster/README.md @@ -14,25 +14,25 @@ RBAC required for a remote cluster to be connected to authentik. ## Maintainers -| Name | Email | Url | -| -------------- | ---------------------- | ------------------------ | +| Name | Email | Url | +| ---- | ------ | --- | | authentik Team | | | ## Source Code -- -- +* +* ## Values -| Key | Type | Default | Description | -| ---------------------------- | ------ | ------- | ------------------------------------------------------------------------------------------------- | -| annotations | object | `{}` | Annotations to apply to all resources | -| clusterRole.enabled | bool | `true` | Create a clusterole in addition to a namespaced role. | -| fullnameOverride | string | `""` | String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible | -| global.additionalLabels | object | `{}` | Common labels for all resources. | -| global.fullnameOverride | string | `""` | String to fully override `"authentik.fullname"` | -| global.nameOverride | string | `""` | Provide a name in place of `authentik` | -| kubeVersionOverride | string | `""` | Override the Kubernetes version, which is used to evaluate certain manifests | -| nameOverride | string | `""` | Provide a name in place of `authentik`. Prefer using global.nameOverride if possible | -| serviceAccountSecret.enabled | bool | `true` | Create a secret with the service account credentials | +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| annotations | object | `{}` | Annotations to apply to all resources | +| clusterRole.enabled | bool | `true` | Create a clusterole in addition to a namespaced role. | +| fullnameOverride | string | `""` | String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible | +| global.additionalLabels | object | `{}` | Common labels for all resources. | +| global.fullnameOverride | string | `""` | String to fully override `"authentik.fullname"` | +| global.nameOverride | string | `""` | Provide a name in place of `authentik` | +| kubeVersionOverride | string | `""` | Override the Kubernetes version, which is used to evaluate certain manifests | +| nameOverride | string | `""` | Provide a name in place of `authentik`. Prefer using global.nameOverride if possible | +| serviceAccountSecret.enabled | bool | `true` | Create a secret with the service account credentials | diff --git a/charts/authentik/Chart.yaml b/charts/authentik/Chart.yaml index 0a4ad5ee..e43b1ab7 100644 --- a/charts/authentik/Chart.yaml +++ b/charts/authentik/Chart.yaml @@ -1,6 +1,7 @@ +--- apiVersion: v2 -version: 2023.10.7 -appVersion: 2023.10.7 +version: 2024.2.0-rc1 +appVersion: 2024.2.0-rc1 name: authentik description: authentik is an open-source Identity Provider focused on flexibility and versatility type: application @@ -29,22 +30,22 @@ maintainers: url: https://goauthentik.io dependencies: - name: postgresql - version: 10.16.2 - repository: https://charts.goauthentik.io + version: 12.12.10 + repository: oci://registry-1.docker.io/bitnamicharts condition: postgresql.enabled - name: redis - version: 15.7.6 - repository: https://charts.goauthentik.io + version: 18.6.1 + repository: oci://registry-1.docker.io/bitnamicharts condition: redis.enabled - name: authentik-remote-cluster repository: https://charts.goauthentik.io - version: 1.2.2 + version: 2.0.0 condition: serviceAccount.create alias: serviceAccount annotations: artifacthub.io/changes: | - kind: changed - description: upgrade to authentik 2023.10.7 + description: upgrade to authentik 2024.2.0-rc1 artifacthub.io/license: GPL artifacthub.io/links: | - name: GitHub @@ -57,16 +58,16 @@ annotations: url: https://goauthentik.io artifacthub.io/images: | - name: authentik - image: ghcr.io/goauthentik/server:2023.10.7 + image: ghcr.io/goauthentik/server:2024.2.0-rc1 whitelisted: true - name: authentik-outpost-proxy - image: ghcr.io/goauthentik/proxy:2023.10.7 + image: ghcr.io/goauthentik/proxy:2024.2.0-rc1 whitelisted: true - name: authentik-outpost-ldap - image: ghcr.io/goauthentik/ldap:2023.10.7 + image: ghcr.io/goauthentik/ldap:2024.2.0-rc1 whitelisted: true - name: authentik-outpost-radius - image: ghcr.io/goauthentik/radius:2023.10.7 + image: ghcr.io/goauthentik/radius:2024.2.0-rc1 whitelisted: true artifacthub.io/screenshots: | - title: User interface diff --git a/charts/authentik/README.md b/charts/authentik/README.md index 67052af9..a0883a1b 100644 --- a/charts/authentik/README.md +++ b/charts/authentik/README.md @@ -6,8 +6,8 @@ [![Join Discord](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://goauthentik.io/discord) [![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/helm/lint-test.yaml?branch=main&label=ci&style=for-the-badge)](https://github.com/goauthentik/helm/actions/workflows/lint-test.yaml) -![Version: 2023.10.7](https://img.shields.io/badge/Version-2023.10.7-informational?style=for-the-badge) -![AppVersion: 2023.10.7](https://img.shields.io/badge/AppVersion-2023.10.7-informational?style=for-the-badge) +![Version: 2024.2.0-rc1](https://img.shields.io/badge/Version-2024.2.0-rc1-informational?style=for-the-badge) +![AppVersion: 2024.2.0-rc1](https://img.shields.io/badge/AppVersion-2024.2.0-rc1-informational?style=for-the-badge) authentik is an open-source Identity Provider focused on flexibility and versatility @@ -19,27 +19,63 @@ authentik is an open-source Identity Provider focused on flexibility and versati authentik: secret_key: "PleaseGenerateA50CharKey" # This sends anonymous usage-data, stack traces on errors and - # performance data to sentry.beryju.org, and is fully opt-in + # performance data to authentik.error-reporting.a7k.io, and is fully opt-in error_reporting: enabled: true postgresql: password: "ThisIsNotASecurePassword" -ingress: - enabled: true - hosts: - - host: authentik.domain.tld - paths: - - path: "/" - pathType: Prefix +server: + ingress: + enabled: true + hosts: + - authentik.domain.tld postgresql: enabled: true - postgresqlPassword: "ThisIsNotASecurePassword" + auth: + password: "ThisIsNotASecurePassword" + redis: enabled: true ``` +## Advanced values examples + +
+External PostgreSQL and Redis + +```yaml +authentik: + postgresql: + host: postgres.domain.tld + user: file:///postgres-creds/username + password: file:///postgres-creds/password + redis: + host: redis.domain.tld +server: + volumes: + - name: postgres-creds + secret: + secretName: authentik-postgres-credentials + volumeMounts: + - name: postgres-creds + mountPath: /postgres-creds + readOnly: true +worker: + volumes: + - name: postgres-creds + secret: + secretName: authentik-postgres-credentials + volumeMounts: + - name: postgres-creds + mountPath: /postgres-creds + readOnly: true +``` + +The secret `authentik-postgres-credentials` must have `username` and `password` keys. +
+ ## Maintainers | Name | Email | Url | @@ -55,29 +91,28 @@ redis: | Repository | Name | Version | |------------|------|---------| -| https://charts.goauthentik.io | serviceAccount(authentik-remote-cluster) | 1.2.2 | -| https://charts.goauthentik.io | postgresql | 10.16.2 | -| https://charts.goauthentik.io | redis | 15.7.6 | +| https://charts.goauthentik.io | serviceAccount(authentik-remote-cluster) | 2.0.0 | +| oci://registry-1.docker.io/bitnamicharts | postgresql | 12.12.10 | +| oci://registry-1.docker.io/bitnamicharts | redis | 18.6.1 | ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| -| additionalContainers | object | `{}` | Specify any additional containers here as dictionary items. Each additional container should have its own key. Helm templates can be used. | -| affinity | object | `{}` | affinity applied to the deployments | -| annotations | object | `{}` | Annotations to add to the server and worker deployments | +| additionalObjects | list | `[]` | additional resources to deploy. Those objects are templated. | | authentik.email.from | string | `""` | Email from address, can either be in the format "foo@bar.baz" or "authentik " | | authentik.email.host | string | `""` | SMTP Server emails are sent from, fully optional | -| authentik.email.password | string | `""` | SMTP credentials, when left empty, not authentication will be done | -| authentik.email.port | int | `587` | | +| authentik.email.password | string | `""` | SMTP credentials, when left empty, no authentication will be done | +| authentik.email.port | int | `587` | SMTP server port | | authentik.email.timeout | int | `30` | Connection timeout | | authentik.email.use_ssl | bool | `false` | Enable either use_tls or use_ssl, they can't be enabled at the same time. | | authentik.email.use_tls | bool | `false` | Enable either use_tls or use_ssl, they can't be enabled at the same time. | -| authentik.email.username | string | `""` | SMTP credentials, when left empty, not authentication will be done | +| authentik.email.username | string | `""` | SMTP credentials, when left empty, no authentication will be done | | authentik.error_reporting.enabled | bool | `false` | This sends anonymous usage-data, stack traces on errors and performance data to sentry.beryju.org, and is fully opt-in | | authentik.error_reporting.environment | string | `"k8s"` | This is a string that is sent to sentry with your error reports | | authentik.error_reporting.send_pii | bool | `false` | Send PII (Personally identifiable information) data to sentry | -| authentik.geoip | string | `"/geoip/GeoLite2-City.mmdb"` | Path for the geoip database. If the file doesn't exist, GeoIP features are disabled. | +| authentik.events.context_processors.asn | string | `"/geoip/GeoLite2-ASN.mmdb"` | Path for the GeoIP ASN database. If the file doesn't exist, GeoIP features are disabled. | +| authentik.events.context_processors.geoip | string | `"/geoip/GeoLite2-City.mmdb"` | Path for the GeoIP City database. If the file doesn't exist, GeoIP features are disabled. | | authentik.log_level | string | `"info"` | Log level for server and worker | | authentik.outposts.container_image_base | string | `"ghcr.io/goauthentik/%(type)s:%(version)s"` | Template used for managed outposts. The following placeholders can be used %(type)s - the type of the outpost %(version)s - version of your authentik install %(build_hash)s - only for beta versions, the build hash of the image | | authentik.postgresql.host | string | `{{ .Release.Name }}-postgresql` | set the postgresql hostname to talk to if unset and .Values.postgresql.enabled == true, will generate the default | @@ -88,104 +123,232 @@ redis: | authentik.redis.host | string | `{{ .Release.Name }}-redis-master` | set the redis hostname to talk to | | authentik.redis.password | string | `""` | | | authentik.secret_key | string | `""` | Secret key used for cookie singing and unique user IDs, don't change this after the first install | -| autoscaling.server.enabled | bool | `false` | Create a HPA for the server deployment | -| autoscaling.server.maxReplicas | int | `5` | | -| autoscaling.server.minReplicas | int | `1` | | -| autoscaling.server.targetCPUUtilizationPercentage | int | `50` | | -| autoscaling.worker.enabled | bool | `false` | Create a HPA for the worker deployment | -| autoscaling.worker.maxReplicas | int | `5` | | -| autoscaling.worker.minReplicas | int | `1` | | -| autoscaling.worker.targetCPUUtilizationPercentage | int | `80` | | -| blueprints | list | `[]` | List of config maps to mount blueprints from. Only keys in the configmap ending with ".yaml" wil be discovered and applied | -| containerSecurityContext | object | `{}` | server containerSecurityContext | -| env | object | `{}` | see configuration options at https://goauthentik.io/docs/installation/configuration/ | -| envFrom | list | `[]` | | -| envValueFrom | object | `{}` | | +| blueprints.configMaps | list | `[]` | List of config maps to mount blueprints from. Only keys in the configMap ending with `.yaml` will be discovered and applied. | +| blueprints.secrets | list | `[]` | List of secrets to mount blueprints from. Only keys in the secret ending with `.yaml` will be discovered and applied. | +| fullnameOverride | string | `""` | String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible | | geoip.accountId | string | `""` | sign up under https://www.maxmind.com/en/geolite2/signup | -| geoip.containerSecurityContext | object | `{}` | server containerSecurityContext | -| geoip.editionIds | string | `"GeoLite2-City"` | | -| geoip.enabled | bool | `false` | optional GeoIP, deploys a cronjob to download the maxmind database | -| geoip.image | string | `"maxmindinc/geoipupdate:v4.8"` | | +| geoip.containerSecurityContext | object | See [values.yaml] | GeoIP container-level security context | +| geoip.editionIds | string | `"GeoLite2-City GeoLite2-ASN"` | | +| geoip.enabled | bool | `false` | enable GeoIP sidecars for the authentik server and worker pods | +| geoip.env | list | `[]` (See [values.yaml]) | Environment variables to pass to the GeoIP containers | +| geoip.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to the GeoIP containers | +| geoip.existingSecret.accountId | string | `"account_id"` | key in the secret containing the account ID | +| geoip.existingSecret.licenseKey | string | `"license_key"` | key in the secret containing the license key | +| geoip.existingSecret.secretName | string | `""` | name of an existing secret to use instead of values above | +| geoip.image.digest | string | `""` | If defined, an image digest for GeoIP images | +| geoip.image.pullPolicy | string | `"IfNotPresent"` | If defined, an imagePullPolicy for GeoIP images | +| geoip.image.repository | string | `"ghcr.io/maxmind/geoipupdate"` | If defined, a repository for GeoIP images | +| geoip.image.tag | string | `"v6.0.0"` | If defined, a tag for GeoIP images | | geoip.licenseKey | string | `""` | sign up under https://www.maxmind.com/en/geolite2/signup | -| geoip.updateInterval | int | `8` | number of hours between update runs | -| image.digest | string | `""` | optional container image digest | -| image.pullPolicy | string | `"IfNotPresent"` | | -| image.pullSecrets | list | `[]` | | -| image.repository | string | `"ghcr.io/goauthentik/server"` | | -| image.tag | string | `"2023.10.2"` | | -| ingress.annotations | object | `{}` | | -| ingress.enabled | bool | `false` | | -| ingress.hosts[0].host | string | `"authentik.domain.tld"` | | -| ingress.hosts[0].paths[0].path | string | `"/"` | | -| ingress.hosts[0].paths[0].pathType | string | `"Prefix"` | | -| ingress.ingressClassName | string | `""` | | -| ingress.labels | object | `{}` | | -| ingress.tls | list | `[]` | | -| initContainers | object | `{}` | Specify any initContainers here as dictionary items. Each initContainer should have its own key. The dictionary item key will determine the order. Helm templates can be used | -| livenessProbe.enabled | bool | `true` | enables or disables the livenessProbe | -| livenessProbe.httpGet.path | string | `"/-/health/live/"` | liveness probe url path | -| livenessProbe.httpGet.port | string | `"http"` | | -| livenessProbe.initialDelaySeconds | int | `5` | | -| livenessProbe.periodSeconds | int | `10` | | -| nodeSelector | object | `{}` | nodeSelector applied to the deployments | -| pdb.server.annotations | object | `{}` | Annotations to be added to the server pdb | -| pdb.server.enabled | bool | `false` | Deploy a PodDistrubtionBudget for the server | -| pdb.server.labels | object | `{}` | Labels to be added to the server pdb | -| pdb.server.maxUnavailable | string | `""` | Number of pods that are unavailable after eviction as number or percentage (eg.: 50%) # Has higher precedence over `pdb.server.minAvailable` | -| pdb.server.minAvailable | string | `""` (defaults to 0 if not specified) | Number of pods that are available after eviction as number or percentage (eg.: 50%) | -| pdb.worker.annotations | object | `{}` | Annotations to be added to the worker pdb | -| pdb.worker.enabled | bool | `false` | Deploy a PodDistrubtionBudget for the worker | -| pdb.worker.labels | object | `{}` | Labels to be added to the worker pdb | -| pdb.worker.maxUnavailable | string | `""` | Number of pods that are unavailable after eviction as number or percentage (eg.: 50%) # Has higher precedence over `pdb.worker.minAvailable` | -| pdb.worker.minAvailable | string | `""` (defaults to 0 if not specified) | Number of pods that are available after eviction as number or percentage (eg.: 50%) | -| podAnnotations | object | `{}` | Annotations to add to the server and worker pods | -| postgresql.enabled | bool | `false` | enable the bundled bitnami postgresql chart | -| postgresql.image.tag | string | `"15.4.0-debian-11-r0"` | | -| postgresql.postgresqlDatabase | string | `"authentik"` | | -| postgresql.postgresqlMaxConnections | int | `500` | | -| postgresql.postgresqlUsername | string | `"authentik"` | | -| priorityClassName | string | `nil` | Custom priority class for different treatment by the scheduler | -| prometheus.rules.create | bool | `false` | | -| prometheus.rules.labels | object | `{}` | labels additional on PrometheusRule | -| prometheus.serviceMonitor.create | bool | `false` | | -| prometheus.serviceMonitor.interval | string | `"30s"` | | -| prometheus.serviceMonitor.labels | object | `{}` | labels additional on ServiceMonitor | -| prometheus.serviceMonitor.scrapeTimeout | string | `"3s"` | | -| readinessProbe.enabled | bool | `true` | | -| readinessProbe.httpGet.path | string | `"/-/health/ready/"` | | -| readinessProbe.httpGet.port | string | `"http"` | | -| readinessProbe.periodSeconds | int | `10` | | +| geoip.resources | object | `{}` | Resource limits and requests for GeoIP containers | +| geoip.updateInterval | int | `8` | GeoIP update frequency, in hours | +| geoip.volumeMounts | list | `[]` | Additional volumeMounts to the GeoIP containers. Make sure the volumes exists for the server and the worker. | +| global.addPrometheusAnnotations | bool | `false` | Add Prometheus scrape annotations to all metrics services. This can be used as an alternative to the ServiceMonitors. | +| global.additionalLabels | object | `{}` | Common labels for all resources. | +| global.affinity.nodeAffinity.matchExpressions | list | `[]` | Default match expressions for node affinity | +| global.affinity.nodeAffinity.type | string | `"hard"` | Default node affinity rules. Either `none`, `soft` or `hard` | +| global.affinity.podAntiAffinity | string | `"soft"` | Default pod anti-affinity rules. Either: `none`, `soft` or `hard` | +| global.deploymentAnnotations | object | `{}` | Annotations for all deployed Deployments | +| global.deploymentStrategy | object | `{}` | Deployment strategy for all deployed Deployments | +| global.env | list | `[]` (See [values.yaml]) | Environment variables to pass to all deployed Deployments. Does not apply to GeoIP See configuration options at https://goauthentik.io/docs/installation/configuration/ | +| global.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to all deployed Deployments. Does not apply to GeoIP | +| global.fullnameOverride | string | `""` | String to fully override `"authentik.fullname"` | +| global.hostAliases | list | `[]` | Mapping between IP and hostnames that will be injected as entries in the pod's hosts files | +| global.image.digest | string | `""` | If defined, an image digest applied to all authentik deployments | +| global.image.pullPolicy | string | `"IfNotPresent"` | If defined, an imagePullPolicy applied to all authentik deployments | +| global.image.repository | string | `"ghcr.io/goauthentik/server"` | If defined, a repository applied to all authentik deployments | +| global.image.tag | string | `""` | Overrides the global authentik whose default is the chart appVersion | +| global.imagePullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry | +| global.nameOverride | string | `""` | Provide a name in place of `authentik` | +| global.nodeSelector | object | `{}` | Default node selector for all components | +| global.podAnnotations | object | `{}` | Annotations for all deployed pods | +| global.podLabels | object | `{}` | Labels for all deployed pods | +| global.priorityClassName | string | `""` | Default priority class for all components | +| global.revisionHistoryLimit | int | `3` | | +| global.securityContext | object | `{}` (See [values.yaml]) | Toggle and define pod-level security context. | +| global.tolerations | list | `[]` | Default tolerations for all components | +| global.topologySpreadConstraints | list | `[]` | Default [TopologySpreadConstraints] rules for all components # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ | +| global.volumeMounts | list | `[]` (See [values.yaml]) | Additional volumeMounts to all deployed Deployments. Does not apply to GeoIP | +| global.volumes | list | `[]` (See [values.yaml]) | Additional volumes to all deployed Deployments. | +| kubeVersionOverride | string | `""` | Override the Kubernetes version, which is used to evaluate certain manifests | +| nameOverride | string | `""` | Provide a name in place of `authentik`. Prefer using global.nameOverride if possible | +| postgresql.auth.database | string | `"authentik"` | | +| postgresql.auth.username | string | `"authentik"` | | +| postgresql.enabled | bool | `false` | enable the Bitnami PostgreSQL chart. Refer to https://github.com/bitnami/charts/blob/main/bitnami/postgresql/ for possible values. | +| postgresql.primary.extendedConfiguration | string | `"max_connections = 500\n"` | | +| prometheus.rules.annotations | object | `{}` | PrometheusRule annotations | +| prometheus.rules.enabled | bool | `false` | | +| prometheus.rules.labels | object | `{}` | PrometheusRule labels | +| prometheus.rules.namespace | string | `""` | PrometheusRule namespace | +| prometheus.rules.selector | object | `{}` | PrometheusRule selector | | redis.architecture | string | `"standalone"` | | | redis.auth.enabled | bool | `false` | | -| redis.enabled | bool | `false` | enable the bundled bitnami redis chart | -| redis.image.tag | string | `"6.2.10-debian-11-r13"` | | -| replicas | int | `1` | Server replicas | -| resources.server | object | `{}` | | -| resources.worker | object | `{}` | | -| securityContext | object | `{}` | server securityContext | -| service.annotations | object | `{}` | | -| service.enabled | bool | `true` | Service that is created to access authentik | -| service.labels | object | `{}` | | -| service.name | string | `"http"` | | -| service.port | int | `80` | | -| service.protocol | string | `"TCP"` | | -| service.type | string | `"ClusterIP"` | | -| serviceAccount.annotations | object | `{}` | | -| serviceAccount.create | bool | `true` | Service account is needed for managed outposts | +| redis.enabled | bool | `false` | enable the Bitnami Redis chart. Refer to https://github.com/bitnami/charts/blob/main/bitnami/redis/ for possible values. | +| server.affinity | object | `{}` (defaults to the global.affinity preset) | Assign custom [affinity] rules to the deployment | +| server.autoscaling.behavior | object | `{}` | Configures the scaling behavior of the target in both Up and Down directions. | +| server.autoscaling.enabled | bool | `false` | Enable Horizontal Pod Autoscaler ([HPA]) for the authentik server | +| server.autoscaling.maxReplicas | int | `5` | Maximum number of replicas for the authentik server [HPA] | +| server.autoscaling.metrics | list | `[]` | Configures custom HPA metrics for the authentik server Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ | +| server.autoscaling.minReplicas | int | `1` | Minimum number of replicas for the authentik server [HPA] | +| server.autoscaling.targetCPUUtilizationPercentage | int | `50` | Average CPU utilization percentage for the authentik server [HPA] | +| server.autoscaling.targetMemoryUtilizationPercentage | string | `nil` | Average memory utilization percentage for the authentik server [HPA] | +| server.containerPorts.http | int | `9000` | http container port | +| server.containerPorts.https | int | `9443` | https container port | +| server.containerPorts.metrics | int | `9300` | metrics container port | +| server.containerSecurityContext | object | See [values.yaml] | authentik server container-level security context | +| server.deploymentAnnotations | object | `{}` | Annotations to be added to the authentik server Deployment | +| server.deploymentStrategy | object | `{}` (defaults to global.deploymentStrategy) | Deployment strategy to be added to the authentik server Deployment | +| server.dnsConfig | object | `{}` | [DNS configuration] | +| server.dnsPolicy | string | `""` | Alternative DNS policy for authentik server pods | +| server.env | list | `[]` (See [values.yaml]) | Environment variables to pass to the authentik server. Does not apply to GeoIP See configuration options at https://goauthentik.io/docs/installation/configuration/ | +| server.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to the authentik server. Does not apply to GeoIP | +| server.extraContainers | list | `[]` | Additional containers to be added to the authentik server pod # Note: Supports use of custom Helm templates | +| server.hostNetwork | bool | `false` | Host Network for authentik server pods | +| server.image.digest | string | `""` (defaults to global.image.digest) | Digest to use to the authentik server | +| server.image.pullPolicy | string | `""` (defaults to global.image.pullPolicy) | Image pull policy to use to the authentik server | +| server.image.repository | string | `""` (defaults to global.image.repository) | Repository to use to the authentik server | +| server.image.tag | string | `""` (defaults to global.image.tag) | Tag to use to the authentik server | +| server.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry | +| server.ingress.annotations | object | `{}` | additional ingress annotations | +| server.ingress.enabled | bool | `false` | enable an ingress resource for the authentik server | +| server.ingress.extraPaths | list | `[]` | additional ingress paths | +| server.ingress.hosts | list | `[]` | List of ingress hosts | +| server.ingress.https | bool | `false` | uses `server.service.servicePortHttps` instead of `server.service.servicePortHttp` | +| server.ingress.ingressClassName | string | `""` | defines which ingress controller will implement the resource | +| server.ingress.labels | object | `{}` | additional ingress labels | +| server.ingress.pathType | string | `"Prefix"` | Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` | +| server.ingress.paths | list | `["/"]` | List of ingress paths | +| server.ingress.tls | list | `[]` | ingress TLS configuration | +| server.initContainers | list | `[]` | Init containers to add to the authentik server pod # Note: Supports use of custom Helm templates | +| server.lifecycle | object | `{}` | Specify postStart and preStop lifecycle hooks for you authentik server container | +| server.livenessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded | +| server.livenessProbe.httpGet.path | string | `"/-/health/live/"` | | +| server.livenessProbe.httpGet.port | string | `"http"` | | +| server.livenessProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before [probe] is initiated | +| server.livenessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] | +| server.livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed | +| server.livenessProbe.timeoutSeconds | int | `1` | Number of seconds after which the [probe] times out | +| server.metrics.enabled | bool | `false` | deploy metrics service | +| server.metrics.service.annotations | object | `{}` | metrics service annotations | +| server.metrics.service.clusterIP | string | `""` | metrics service clusterIP. `None` makes a "headless service" (no virtual IP) | +| server.metrics.service.labels | object | `{}` | metrics service labels | +| server.metrics.service.portName | string | `"metrics"` | metrics service port name | +| server.metrics.service.servicePort | int | `9300` | metrics service port | +| server.metrics.service.type | string | `"ClusterIP"` | metrics service type | +| server.metrics.serviceMonitor.annotations | object | `{}` | Prometheus ServiceMonitor annotations | +| server.metrics.serviceMonitor.enabled | bool | `false` | enable a prometheus ServiceMonitor | +| server.metrics.serviceMonitor.interval | string | `"30s"` | Prometheus ServiceMonitor interval | +| server.metrics.serviceMonitor.labels | object | `{}` | Prometheus ServiceMonitor labels | +| server.metrics.serviceMonitor.metricRelabelings | list | `[]` | Prometheus [MetricsRelabelConfigs] to apply to samples before ingestion | +| server.metrics.serviceMonitor.namespace | string | `""` | Prometheus ServiceMonitor namespace | +| server.metrics.serviceMonitor.relabelings | list | `[]` | Prometheus [RelabelConfigs] to apply to samples before scraping | +| server.metrics.serviceMonitor.scheme | string | `""` | Prometheus ServiceMonitor scheme | +| server.metrics.serviceMonitor.scrapeTimeout | string | `"3s"` | Prometheus ServiceMonitor scrape timeout | +| server.metrics.serviceMonitor.selector | object | `{}` | Prometheus ServiceMonitor selector | +| server.metrics.serviceMonitor.tlsConfig | object | `{}` | Prometheus ServiceMonitor tlsConfig | +| server.name | string | `"server"` | authentik server name | +| server.nodeSelector | object | `{}` (defaults to global.nodeSelector) | [Node selector] | +| server.pdb.annotations | object | `{}` | Annotations to be added to the authentik server pdb | +| server.pdb.enabled | bool | `false` | Deploy a [PodDistrubtionBudget] for the authentik server | +| server.pdb.labels | object | `{}` | Labels to be added to the authentik server pdb | +| server.pdb.maxUnavailable | string | `""` | Number of pods that are unavailable after eviction as number or percentage (eg.: 50%) # Has higher precedence over `server.pdb.minAvailable` | +| server.pdb.minAvailable | string | `""` (defaults to 0 if not specified) | Number of pods that are available after eviction as number or percentage (eg.: 50%) | +| server.podAnnotations | object | `{}` | Annotations to be added to the authentik server pods | +| server.podLabels | object | `{}` | Labels to be added to the authentik server pods | +| server.priorityClassName | string | `""` (defaults to global.priorityClassName) | Prority class for the authentik server pods | +| server.readinessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded | +| server.readinessProbe.httpGet.path | string | `"/-/health/ready/"` | | +| server.readinessProbe.httpGet.port | string | `"http"` | | +| server.readinessProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before [probe] is initiated | +| server.readinessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] | +| server.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed | +| server.readinessProbe.timeoutSeconds | int | `1` | Number of seconds after which the [probe] times out | +| server.replicas | int | `1` | The number of server pods to run | +| server.resources | object | `{}` | Resource limits and requests for the authentik server | +| server.securityContext | object | `{}` (See [values.yaml]) | authentik server pod-level security context | +| server.service.annotations | object | `{}` | authentik server service annotations | +| server.service.externalIPs | list | `[]` | authentik server service external IPs | +| server.service.externalTrafficPolicy | string | `""` | Denotes if this service desires to route external traffic to node-local or cluster-wide endpoints | +| server.service.labels | object | `{}` | authentik server service labels | +| server.service.loadBalancerIP | string | `""` | LoadBalancer will get created with the IP specified in this field | +| server.service.loadBalancerSourceRanges | list | `[]` | Source IP ranges to allow access to service from | +| server.service.nodePortHttp | int | `30080` | authentik server service http port for NodePort service type (only if `server.service.type` is set to `NodePort`) | +| server.service.nodePortHttps | int | `30443` | authentik server service https port for NodePort service type (only if `server.service.type` is set to `NodePort`) | +| server.service.servicePortHttp | int | `80` | authentik server service http port | +| server.service.servicePortHttpName | string | `"http"` | authentik server service http port name | +| server.service.servicePortHttps | int | `443` | authentik server service https port | +| server.service.servicePortHttpsName | string | `"https"` | authentik server service https port name | +| server.service.sessionAffinity | string | `""` | Used to maintain session affinity. Supports `ClientIP` and `None` | +| server.service.sessionAffinityConfig | object | `{}` | Session affinity configuration | +| server.service.type | string | `"ClusterIP"` | authentik server service type | +| server.startupProbe.failureThreshold | int | `60` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded | +| server.startupProbe.httpGet.path | string | `"/-/health/live/"` | | +| server.startupProbe.httpGet.port | string | `"http"` | | +| server.startupProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before [probe] is initiated | +| server.startupProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] | +| server.startupProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed | +| server.startupProbe.timeoutSeconds | int | `1` | Number of seconds after which the [probe] times out | +| server.terminationGracePeriodSeconds | int | `30` | terminationGracePeriodSeconds for container lifecycle hook | +| server.tolerations | list | `[]` (defaults to global.tolerations) | [Tolerations] for use with node taints | +| server.topologySpreadConstraints | list | `[]` (defaults to global.topologySpreadConstraints) | Assign custom [TopologySpreadConstraints] rules to the authentik server # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ # If labelSelector is left out, it will default to the labelSelector configuration of the deployment | +| server.volumeMounts | list | `[]` | Additional volumeMounts to the authentik server main container | +| server.volumes | list | `[]` | Additional volumes to the authentik server pod | +| serviceAccount.annotations | object | `{}` | additional service account annotations | +| serviceAccount.create | bool | `true` | Create service account. Needed for managed outposts | | serviceAccount.fullnameOverride | string | `"authentik"` | | -| serviceAccount.nameOverride | string | `"authentik"` | | -| serviceAccount.serviceAccountSecret.enabled | bool | `false` | As we use the authentik-remote-cluster chart as subchart, and that chart creates a service account secret by default which we don't need here, disable its creation | -| startupProbe.enabled | bool | `true` | enables or disables the livenessProbe | -| startupProbe.failureThreshold | int | `60` | | -| startupProbe.httpGet.path | string | `"/-/health/live/"` | liveness probe url path | -| startupProbe.httpGet.port | string | `"http"` | | -| startupProbe.periodSeconds | int | `5` | | -| strategy | object | `{}` | server deployment strategy | -| tolerations | list | `[]` | | -| volumeMounts | list | `[]` | | -| volumes | list | `[]` | | -| worker.containerSecurityContext | object | `{}` | worker containerSecurityContext | -| worker.priorityClassName | string | `nil` | Custom priority class for different treatment by the scheduler | -| worker.replicas | int | `1` | worker replicas | -| worker.securityContext | object | `{}` | worker securityContext | -| worker.strategy | object | `{}` | worker strategy | +| serviceAccount.serviceAccountSecret.enabled | bool | `false` | | +| worker.affinity | object | `{}` (defaults to the global.affinity preset) | Assign custom [affinity] rules to the deployment | +| worker.autoscaling.behavior | object | `{}` | Configures the scaling behavior of the target in both Up and Down directions. | +| worker.autoscaling.enabled | bool | `false` | Enable Horizontal Pod Autoscaler ([HPA]) for the authentik worker | +| worker.autoscaling.maxReplicas | int | `5` | Maximum number of replicas for the authentik worker [HPA] | +| worker.autoscaling.metrics | list | `[]` | Configures custom HPA metrics for the authentik worker Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ | +| worker.autoscaling.minReplicas | int | `1` | Minimum number of replicas for the authentik worker [HPA] | +| worker.autoscaling.targetCPUUtilizationPercentage | int | `50` | Average CPU utilization percentage for the authentik worker [HPA] | +| worker.autoscaling.targetMemoryUtilizationPercentage | string | `nil` | Average memory utilization percentage for the authentik worker [HPA] | +| worker.containerSecurityContext | object | See [values.yaml] | authentik worker container-level security context | +| worker.deploymentAnnotations | object | `{}` | Annotations to be added to the authentik worker Deployment | +| worker.deploymentStrategy | object | `{}` (defaults to global.deploymentStrategy) | Deployment strategy to be added to the authentik worker Deployment | +| worker.dnsConfig | object | `{}` | [DNS configuration] | +| worker.dnsPolicy | string | `""` | Alternative DNS policy for authentik worker pods | +| worker.env | list | `[]` (See [values.yaml]) | Environment variables to pass to the authentik worker. Does not apply to GeoIP See configuration options at https://goauthentik.io/docs/installation/configuration/ | +| worker.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to the authentik worker. Does not apply to GeoIP | +| worker.extraContainers | list | `[]` | Additional containers to be added to the authentik worker pod # Note: Supports use of custom Helm templates | +| worker.hostNetwork | bool | `false` | Host Network for authentik worker pods | +| worker.image.digest | string | `""` (defaults to global.image.digest) | Digest to use to the authentik worker | +| worker.image.pullPolicy | string | `""` (defaults to global.image.pullPolicy) | Image pull policy to use to the authentik worker | +| worker.image.repository | string | `""` (defaults to global.image.repository) | Repository to use to the authentik worker | +| worker.image.tag | string | `""` (defaults to global.image.tag) | Tag to use to the authentik worker | +| worker.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry | +| worker.initContainers | list | `[]` | Init containers to add to the authentik worker pod # Note: Supports use of custom Helm templates | +| worker.lifecycle | object | `{}` | Specify postStart and preStop lifecycle hooks for you authentik worker container | +| worker.name | string | `"worker"` | authentik worker name | +| worker.nodeSelector | object | `{}` (defaults to global.nodeSelector) | [Node selector] | +| worker.pdb.annotations | object | `{}` | Annotations to be added to the authentik worker pdb | +| worker.pdb.enabled | bool | `false` | Deploy a [PodDistrubtionBudget] for the authentik worker | +| worker.pdb.labels | object | `{}` | Labels to be added to the authentik worker pdb | +| worker.pdb.maxUnavailable | string | `""` | Number of pods that are unavailable after eviction as number or percentage (eg.: 50%) # Has higher precedence over `worker.pdb.minAvailable` | +| worker.pdb.minAvailable | string | `""` (defaults to 0 if not specified) | Number of pods that are available after eviction as number or percentage (eg.: 50%) | +| worker.podAnnotations | object | `{}` | Annotations to be added to the authentik worker pods | +| worker.podLabels | object | `{}` | Labels to be added to the authentik worker pods | +| worker.priorityClassName | string | `""` (defaults to global.priorityClassName) | Prority class for the authentik worker pods | +| worker.replicas | int | `1` | The number of worker pods to run | +| worker.resources | object | `{}` | Resource limits and requests for the authentik worker | +| worker.securityContext | object | `{}` (See [values.yaml]) | authentik worker pod-level security context | +| worker.terminationGracePeriodSeconds | int | `30` | terminationGracePeriodSeconds for container lifecycle hook | +| worker.tolerations | list | `[]` (defaults to global.tolerations) | [Tolerations] for use with node taints | +| worker.topologySpreadConstraints | list | `[]` (defaults to global.topologySpreadConstraints) | Assign custom [TopologySpreadConstraints] rules to the authentik worker # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ # If labelSelector is left out, it will default to the labelSelector configuration of the deployment | +| worker.volumeMounts | list | `[]` | Additional volumeMounts to the authentik worker main container | +| worker.volumes | list | `[]` | Additional volumes to the authentik worker pod | + +--- +[affinity]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ +[DNS configuration]: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +[HPA]: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ +[MetricRelabelConfigs]: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs +[Node selector]: https://kubernetes.io/docs/user-guide/node-selection/ +[PodDisruptionBudget]: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#pod-disruption-budgets +[probe]: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +[RelabelConfigs]: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config +[Tolerations]: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +[TopologySpreadConstraints]: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +[values.yaml]: values.yaml diff --git a/charts/authentik/README.md.gotmpl b/charts/authentik/README.md.gotmpl index 7f95b66e..9e7a4dce 100644 --- a/charts/authentik/README.md.gotmpl +++ b/charts/authentik/README.md.gotmpl @@ -6,8 +6,8 @@ [![Join Discord](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://goauthentik.io/discord) [![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/helm/lint-test.yaml?branch=main&label=ci&style=for-the-badge)](https://github.com/goauthentik/helm/actions/workflows/lint-test.yaml) -![Version: 2023.10.7](https://img.shields.io/badge/Version-2023.10.7-informational?style=for-the-badge) -![AppVersion: 2023.10.7](https://img.shields.io/badge/AppVersion-2023.10.7-informational?style=for-the-badge) +![Version: 2024.2.0-rc1](https://img.shields.io/badge/Version-2024.2.0-rc1-informational?style=for-the-badge) +![AppVersion: 2024.2.0-rc1](https://img.shields.io/badge/AppVersion-2024.2.0-rc1-informational?style=for-the-badge) {{ template "chart.deprecationWarning" . }} @@ -21,27 +21,63 @@ authentik: secret_key: "PleaseGenerateA50CharKey" # This sends anonymous usage-data, stack traces on errors and - # performance data to sentry.beryju.org, and is fully opt-in + # performance data to authentik.error-reporting.a7k.io, and is fully opt-in error_reporting: enabled: true postgresql: password: "ThisIsNotASecurePassword" -ingress: - enabled: true - hosts: - - host: authentik.domain.tld - paths: - - path: "/" - pathType: Prefix +server: + ingress: + enabled: true + hosts: + - authentik.domain.tld postgresql: enabled: true - postgresqlPassword: "ThisIsNotASecurePassword" + auth: + password: "ThisIsNotASecurePassword" + redis: enabled: true ``` +## Advanced values examples + +
+External PostgreSQL and Redis + +```yaml +authentik: + postgresql: + host: postgres.domain.tld + user: file:///postgres-creds/username + password: file:///postgres-creds/password + redis: + host: redis.domain.tld +server: + volumes: + - name: postgres-creds + secret: + secretName: authentik-postgres-credentials + volumeMounts: + - name: postgres-creds + mountPath: /postgres-creds + readOnly: true +worker: + volumes: + - name: postgres-creds + secret: + secretName: authentik-postgres-credentials + volumeMounts: + - name: postgres-creds + mountPath: /postgres-creds + readOnly: true +``` + +The secret `authentik-postgres-credentials` must have `username` and `password` keys. +
+ {{ template "chart.maintainersSection" . }} {{ template "chart.sourcesSection" . }} @@ -49,3 +85,16 @@ redis: {{ template "chart.requirementsSection" . }} {{ template "chart.valuesSection" . }} + +--- +[affinity]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ +[DNS configuration]: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +[HPA]: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ +[MetricRelabelConfigs]: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs +[Node selector]: https://kubernetes.io/docs/user-guide/node-selection/ +[PodDisruptionBudget]: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#pod-disruption-budgets +[probe]: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +[RelabelConfigs]: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config +[Tolerations]: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +[TopologySpreadConstraints]: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +[values.yaml]: values.yaml diff --git a/charts/authentik/ci/ct-values-blueprints.yaml b/charts/authentik/ci/ct-values-blueprints.yaml new file mode 100644 index 00000000..a1bf1d39 --- /dev/null +++ b/charts/authentik/ci/ct-values-blueprints.yaml @@ -0,0 +1,22 @@ +--- +blueprints: + configMaps: + - authentik-ci-blueprint + +### Required values below + +authentik: + log_level: debug + secret_key: 5up3r53cr37K3y + postgresql: + password: au7h3n71k + +postgresql: + enabled: true + auth: + password: au7h3n71k + persistence: + enabled: false + +redis: + enabled: true diff --git a/charts/authentik/ci/ct-values-geoip.yaml b/charts/authentik/ci/ct-values-geoip.yaml new file mode 100644 index 00000000..cc4ad75c --- /dev/null +++ b/charts/authentik/ci/ct-values-geoip.yaml @@ -0,0 +1,23 @@ +--- +geoip: + enabled: true + accountId: "foo-account-id" + licenseKey: "foo-license-key" + +## Required values below + +authentik: + log_level: debug + secret_key: 5up3r53cr37K3y + postgresql: + password: au7h3n71k + +postgresql: + enabled: true + auth: + password: au7h3n71k + persistence: + enabled: false + +redis: + enabled: true diff --git a/charts/authentik/ci/ct-values-hpa.yaml b/charts/authentik/ci/ct-values-hpa.yaml index d83a8233..978d8531 100644 --- a/charts/authentik/ci/ct-values-hpa.yaml +++ b/charts/authentik/ci/ct-values-hpa.yaml @@ -1,48 +1,27 @@ -autoscaling: - server: +--- +server: + autoscaling: enabled: true minReplicas: 2 - worker: +worker: + autoscaling: enabled: true minReplicas: 2 -image: - repository: ghcr.io/goauthentik/server - tag: 2023.10.7 - pullPolicy: IfNotPresent - -ingress: - enabled: true - hosts: - - host: authentik.domain.tld - paths: - - path: "/" - pathType: Prefix +### Required values below authentik: log_level: debug secret_key: 5up3r53cr37K3y postgresql: password: au7h3n71k - redis: - password: au7h3n71k postgresql: - enabled: false - postgresqlPassword: au7h3n71k + enabled: true + auth: + password: au7h3n71k persistence: enabled: false redis: - enabled: false - auth: - enabled: true - password: au7h3n71k - -blueprints: - - authentik-ci-blueprint - -geoip: enabled: true - accountId: "foo-account-id" - licenseKey: "foo-license-key" diff --git a/charts/authentik/ci/ct-values-min.yaml b/charts/authentik/ci/ct-values-min.yaml deleted file mode 100644 index 1839b714..00000000 --- a/charts/authentik/ci/ct-values-min.yaml +++ /dev/null @@ -1,45 +0,0 @@ -replicas: 1 - -worker: - replicas: 1 - -image: - repository: ghcr.io/goauthentik/server - tag: 2023.10.7 - pullPolicy: IfNotPresent - -ingress: - enabled: true - hosts: - - host: authentik.domain.tld - paths: - - path: "/" - pathType: Prefix - -authentik: - log_level: debug - secret_key: 5up3r53cr37K3y - postgresql: - password: au7h3n71k - redis: - password: au7h3n71k - -postgresql: - enabled: false - postgresqlPassword: au7h3n71k - persistence: - enabled: false - -redis: - enabled: false - auth: - enabled: true - password: au7h3n71k - -blueprints: - - authentik-ci-blueprint - -geoip: - enabled: true - accountId: "foo-account-id" - licenseKey: "foo-license-key" diff --git a/charts/authentik/ci/ct-values-pdb-max.yaml b/charts/authentik/ci/ct-values-pdb-max.yaml index fa60095b..886eafa6 100644 --- a/charts/authentik/ci/ct-values-pdb-max.yaml +++ b/charts/authentik/ci/ct-values-pdb-max.yaml @@ -1,48 +1,27 @@ -pdb: - server: +--- +server: + pdb: enabled: true maxUnavailable: 25% - worker: +worker: + pdb: enabled: true maxUnavailable: 25% -image: - repository: ghcr.io/goauthentik/server - tag: 2023.10.7 - pullPolicy: IfNotPresent - -ingress: - enabled: true - hosts: - - host: authentik.domain.tld - paths: - - path: "/" - pathType: Prefix +### Required values below authentik: log_level: debug secret_key: 5up3r53cr37K3y postgresql: password: au7h3n71k - redis: - password: au7h3n71k postgresql: - enabled: false - postgresqlPassword: au7h3n71k + enabled: true + auth: + password: au7h3n71k persistence: enabled: false redis: - enabled: false - auth: - enabled: true - password: au7h3n71k - -blueprints: - - authentik-ci-blueprint - -geoip: enabled: true - accountId: "foo-account-id" - licenseKey: "foo-license-key" diff --git a/charts/authentik/ci/ct-values-pdb-min.yaml b/charts/authentik/ci/ct-values-pdb-min.yaml index 7d9d59d4..64b96201 100644 --- a/charts/authentik/ci/ct-values-pdb-min.yaml +++ b/charts/authentik/ci/ct-values-pdb-min.yaml @@ -1,48 +1,27 @@ -pdb: - server: +--- +server: + pdb: enabled: true minAvailable: 2 - worker: +worker: + pdb: enabled: true minAvailable: 2 -image: - repository: ghcr.io/goauthentik/server - tag: 2023.10.7 - pullPolicy: IfNotPresent - -ingress: - enabled: true - hosts: - - host: authentik.domain.tld - paths: - - path: "/" - pathType: Prefix +### Required values below authentik: log_level: debug secret_key: 5up3r53cr37K3y postgresql: password: au7h3n71k - redis: - password: au7h3n71k postgresql: - enabled: false - postgresqlPassword: au7h3n71k + enabled: true + auth: + password: au7h3n71k persistence: enabled: false redis: - enabled: false - auth: - enabled: true - password: au7h3n71k - -blueprints: - - authentik-ci-blueprint - -geoip: enabled: true - accountId: "foo-account-id" - licenseKey: "foo-license-key" diff --git a/charts/authentik/ci/ct-values-pr.yaml b/charts/authentik/ci/ct-values-pr.yaml deleted file mode 100644 index 7597ecf5..00000000 --- a/charts/authentik/ci/ct-values-pr.yaml +++ /dev/null @@ -1,40 +0,0 @@ -replicas: 1 - -worker: - replicas: 1 - -image: - repository: ghcr.io/goauthentik/dev-server - tag: gh-stages-authenticator_validate-fix-regression-1687776866-22f27e4 - pullPolicy: IfNotPresent - -ingress: - enabled: true - hosts: - - host: authentik.domain.tld - paths: - - path: "/" - pathType: Prefix - -authentik: - log_level: debug - secret_key: 5up3r53cr37K3y - postgresql: - password: au7h3n71k - redis: - password: au7h3n71k - -postgresql: - enabled: true - postgresqlPassword: au7h3n71k - persistence: - enabled: false - -redis: - enabled: true - auth: - enabled: true - password: au7h3n71k - -blueprints: - - authentik-ci-blueprint diff --git a/charts/authentik/ci/ct-values.yaml b/charts/authentik/ci/ct-values.yaml index 9fc9858c..a0a16208 100644 --- a/charts/authentik/ci/ct-values.yaml +++ b/charts/authentik/ci/ct-values.yaml @@ -1,40 +1,16 @@ -replicas: 1 - -worker: - replicas: 1 - -image: - repository: ghcr.io/goauthentik/server - tag: 2023.10.7 - pullPolicy: IfNotPresent - -ingress: - enabled: true - hosts: - - host: authentik.domain.tld - paths: - - path: "/" - pathType: Prefix - +--- authentik: log_level: debug secret_key: 5up3r53cr37K3y postgresql: password: au7h3n71k - redis: - password: au7h3n71k postgresql: enabled: true - postgresqlPassword: au7h3n71k + auth: + password: au7h3n71k persistence: enabled: false redis: enabled: true - auth: - enabled: true - password: au7h3n71k - -blueprints: - - authentik-ci-blueprint diff --git a/charts/authentik/templates/_common.tpl b/charts/authentik/templates/_common.tpl new file mode 100644 index 00000000..f63e5fc7 --- /dev/null +++ b/charts/authentik/templates/_common.tpl @@ -0,0 +1,81 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Expand the name of the chart +*/}} +{{- define "authentik.name" -}} +{{- $globalNameOverride := "" -}} +{{- if hasKey .Values "global" -}} +{{- $globalNameOverride = (default $globalNameOverride .Values.global.nameOverride) -}} +{{- end -}} +{{- default .Chart.Name (default .Values.nameOverride $globalNameOverride) | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "authentik.fullname" -}} +{{- $name := include "authentik.name" . -}} +{{- $globalFullNameOverride := "" -}} +{{- if hasKey .Values "global" -}} +{{- $globalFullNameOverride = (default $globalFullNameOverride .Values.global.fullnameOverride) -}} +{{- end -}} +{{- if or .Values.fullnameOverride $globalFullNameOverride -}} +{{- $name = default .Values.fullnameOverride $globalFullNameOverride -}} +{{- else -}} +{{- if contains $name .Release.Name -}} +{{- $name = .Release.Name -}} +{{- else -}} +{{- $name = printf "%s-%s" .Release.Name $name -}} +{{- end -}} +{{- end -}} +{{- trunc 63 $name | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label +*/}} +{{- define "authentik.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create Authentik app version +*/}} +{{- define "authentik.defaultTag" -}} +{{- default .Chart.AppVersion .Values.global.image.tag }} +{{- end -}} + +{{/* +Return valid version label +*/}} +{{- define "authentik.versionLabelValue" -}} +{{ regexReplaceAll "[^-A-Za-z0-9_.]" (include "authentik.defaultTag" .) "-" | trunc 63 | trimAll "-" | trimAll "_" | trimAll "." | quote }} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "authentik.labels" -}} +helm.sh/chart: {{ include "authentik.chart" .context | quote }} +{{ include "authentik.selectorLabels" (dict "context" .context "component" .component) }} +app.kubernetes.io/managed-by: {{ .context.Release.Service | quote }} +app.kubernetes.io/part-of: "authentik" +app.kubernetes.io/version: {{ include "authentik.versionLabelValue" .context }} +{{- with .context.Values.global.additionalLabels }} +{{ toYaml . }} +{{- end }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "authentik.selectorLabels" -}} +app.kubernetes.io/name: {{ include "authentik.name" .context | quote }} +app.kubernetes.io/instance: {{ .context.Release.Name | quote }} +{{- if .component }} +app.kubernetes.io/component: {{ .component | quote }} +{{- end }} +{{- end }} diff --git a/charts/authentik/templates/_helpers.tpl b/charts/authentik/templates/_helpers.tpl index fc796af5..28f1c8e7 100644 --- a/charts/authentik/templates/_helpers.tpl +++ b/charts/authentik/templates/_helpers.tpl @@ -1,93 +1,112 @@ -{{/* Allow KubeVersion to be overridden. */}} -{{- define "authentik.capabilities.ingress.kubeVersion" -}} - {{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride -}} -{{- end -}} +{{/* vim: set filetype=mustache: */}} -{{/* Return the appropriate apiVersion for Ingress objects */}} -{{- define "authentik.capabilities.ingress.apiVersion" -}} - {{- print "networking.k8s.io/v1" -}} - {{- if semverCompare "<1.19" (include "authentik.capabilities.ingress.kubeVersion" .) -}} - {{- print "beta1" -}} - {{- end -}} +{{/* +Create authentik server name and version as used by the chart label. +*/}} +{{- define "authentik.server.fullname" -}} +{{- printf "%s-%s" (include "authentik.fullname" .) .Values.server.name | trunc 63 | trimSuffix "-" -}} {{- end -}} -{{/* Check Ingress stability */}} -{{- define "authentik.capabilities.ingress.isStable" -}} - {{- if eq (include "authentik.capabilities.ingress.apiVersion" .) "networking.k8s.io/v1" -}} - {{- true -}} - {{- end -}} +{{/* +Create authentik server worker and version as used by the chart label. +*/}} +{{- define "authentik.worker.fullname" -}} +{{- printf "%s-%s" (include "authentik.fullname" .) .Values.worker.name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Create authentik configuration environment variables. +*/}} {{- define "authentik.env" -}} - {{- range $k, $v := .values -}} - {{- if kindIs "map" $v -}} - {{- range $sk, $sv := $v -}} - {{- include "authentik.env" (dict "root" $.root "values" (dict (printf "%s__%s" (upper $k) (upper $sk)) $sv)) -}} - {{- end -}} - {{- else -}} - {{- $value := $v -}} - {{- if or (kindIs "bool" $v) (kindIs "float64" $v) -}} - {{- $v = $v | toString | b64enc | quote -}} - {{- else -}} - {{- $v = tpl $v $.root | toString | b64enc | quote }} - {{- end -}} - {{- if and ($v) (ne $v "\"\"") }} + {{- range $k, $v := .values -}} + {{- if kindIs "map" $v -}} + {{- range $sk, $sv := $v -}} + {{- include "authentik.env" (dict "root" $.root "values" (dict (printf "%s__%s" (upper $k) (upper $sk)) $sv)) -}} + {{- end -}} + {{- else -}} + {{- $value := $v -}} + {{- if or (kindIs "bool" $v) (kindIs "float64" $v) -}} + {{- $v = $v | toString | b64enc | quote -}} + {{- else -}} + {{- $v = tpl $v $.root | toString | b64enc | quote }} + {{- end -}} + {{- if and ($v) (ne $v "\"\"") }} {{ printf "AUTHENTIK_%s" (upper $k) }}: {{ $v }} - {{- end }} + {{- end }} + {{- end -}} {{- end -}} - {{- end -}} {{- end -}} -{{/* Expand the name of the chart */}} -{{- define "authentik.names.name" -}} - {{- $globalNameOverride := "" -}} - {{- if hasKey .Values "global" -}} - {{- $globalNameOverride = (default $globalNameOverride .Values.global.nameOverride) -}} - {{- end -}} - {{- default .Chart.Name (default .Values.nameOverride $globalNameOverride) | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* Create chart name and version as used by the chart label */}} -{{- define "authentik.names.chart" -}} - {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{/* +Common deployment strategy definition +- Recreate doesn't have additional fields, we need to remove them if added by the mergeOverwrite +*/}} +{{- define "authentik.strategy" -}} +{{- $preset := . -}} +{{- if (eq (toString $preset.type) "Recreate") }} +type: Recreate +{{- else if (eq (toString $preset.type) "RollingUpdate") }} +type: RollingUpdate +{{- with $preset.rollingUpdate }} +rollingUpdate: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} {{- end -}} {{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. +Common affinity definition +Pod affinity + - Soft prefers different nodes + - Hard requires different nodes and prefers different availibility zones +Node affinity + - Soft prefers given user expressions + - Hard requires given user expressions */}} -{{- define "authentik.names.fullname" -}} - {{- $name := include "authentik.names.name" . -}} - {{- $globalFullNameOverride := "" -}} - {{- if hasKey .Values "global" -}} - {{- $globalFullNameOverride = (default $globalFullNameOverride .Values.global.fullnameOverride) -}} - {{- end -}} - {{- if or .Values.fullnameOverride $globalFullNameOverride -}} - {{- $name = default .Values.fullnameOverride $globalFullNameOverride -}} - {{- else -}} - {{- if contains $name .Release.Name -}} - {{- $name = .Release.Name -}} - {{- else -}} - {{- $name = printf "%s-%s" .Release.Name $name -}} - {{- end -}} - {{- end -}} - {{- trunc 63 $name | trimSuffix "-" -}} +{{- define "authentik.affinity" -}} +{{- with .component.affinity -}} + {{- toYaml . -}} +{{- else -}} +{{- $preset := .context.Values.global.affinity -}} +{{- if (eq $preset.podAntiAffinity "soft") }} +podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchLabels: + {{- include "authentik.selectorLabels" (dict "context" .context "component" .component.name) | nindent 12 }} + topologyKey: kubernetes.io/hostname +{{- else if (eq $preset.podAntiAffinity "hard") }} +podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchLabels: + {{- include "authentik.selectorLabels" (dict "context" .context "component" .component.name) | nindent 12 }} + topologyKey: topology.kubernetes.io/zone + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + {{- include "authentik.selectorLabels" (dict "context" .context "component" .component.name) | nindent 10 }} + topologyKey: kubernetes.io/hostname +{{- end }} +{{- with $preset.nodeAffinity.matchExpressions }} +{{- if (eq $preset.nodeAffinity.type "soft") }} +nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + preference: + matchExpressions: + {{- toYaml . | nindent 10 }} +{{- else if (eq $preset.nodeAffinity.type "hard") }} +nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + {{- toYaml . | nindent 8 }} +{{- end }} {{- end -}} - - -{{/* Common labels shared across objects */}} -{{- define "authentik.labels" -}} -helm.sh/chart: {{ include "authentik.names.chart" . }} -{{ include "authentik.labels.selectorLabels" . }} - {{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} - {{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end -}} - -{{/* Selector labels shared across objects */}} -{{- define "authentik.labels.selectorLabels" -}} -app.kubernetes.io/name: {{ include "authentik.names.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} {{- end -}} diff --git a/charts/authentik/templates/_versions.tpl b/charts/authentik/templates/_versions.tpl new file mode 100644 index 00000000..65313d68 --- /dev/null +++ b/charts/authentik/templates/_versions.tpl @@ -0,0 +1,8 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* + Return the target Kubernetes version +*/}} +{{- define "authentik.kubeVersion" -}} + {{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride -}} +{{- end -}} diff --git a/charts/authentik/templates/additional-objects.yaml b/charts/authentik/templates/additional-objects.yaml new file mode 100644 index 00000000..65cb7e2d --- /dev/null +++ b/charts/authentik/templates/additional-objects.yaml @@ -0,0 +1,4 @@ +{{- range .Values.additionalObjects }} +--- +{{- tpl (toYaml . ) . }} +{{- end }} diff --git a/charts/authentik/templates/deprectations.yaml b/charts/authentik/templates/deprectations.yaml new file mode 100644 index 00000000..a8b1acef --- /dev/null +++ b/charts/authentik/templates/deprectations.yaml @@ -0,0 +1,87 @@ +{{ if .Values.image }} +{{ required "`image` is deprecated. See the release notes for a list of changes." .Values.undefined }} +{{ end }} + +{{ if .Values.global.image.pullSecrets }} +{{ required "`global.image.pullSecrets` does not exist. See the release notes for a list of changes." .Values.undefined }} +{{ end }} + +{{ if .Values.annotations }} +{{ required "`annotations` is deprecated. See the release notes for a list of changes." .Values.undefined }} +{{ end }} + +{{ if .Values.podAnnotations }} +{{ required "`podAnnotations` is deprecated. See the release notes for a list of changes." .Values.undefined }} +{{ end }} + +{{ if .Values.nodeSelector }} +{{ required "`nodeSelector` is deprecated. See the release notes for a list of changes." .Values.undefined }} +{{ end }} + +{{ if .Values.tolerations }} +{{ required "`tolerations` is deprecated. See the release notes for a list of changes." .Values.undefined }} +{{ end }} + +{{ if .Values.affinity }} +{{ required "`affinity` is deprecated. See the release notes for a list of changes." .Values.undefined }} +{{ end }} + +{{ if or .Values.env .Values.envValueFrom .Values.envFrom }} +{{ required "`env`, `envValueFrom` and `envFrom` are deprecated. See the release notes for a list of changes." .Values.undefined }} +{{ end }} + +{{ if or .Values.additionalContainers .Values.initContainers }} +{{ required "`additionalContainers` and `initContainers` are deprecated. See the release notes for a list of changes." .Values.undefined }} +{{ end }} + +{{ if or .Values.volumes .Values.volumeMounts }} +{{ required "`volumes` and `volumeMounts` are deprecated. See the release notes for a list of changes." .Values.undefined }} +{{ end }} + +{{ if .Values.replicas }} +{{ required "`replicas` is deprecated. See the release notes for a list of changes." .Values.undefined }} +{{ end }} + +{{ if .Values.strategy }} +{{ required "`strategy` is deprecated. See the release notes for a list of changes." .Values.undefined }} +{{ end }} + +{{ if .Values.priorityClassName }} +{{ required "`priorityClassName` is deprecated. See the release notes for a list of changes." .Values.undefined }} +{{ end }} + +{{ if .Values.containerSecurityContext }} +{{ required "`containerSecurityContext` is deprecated. See the release notes for a list of changes." .Values.undefined }} +{{ end }} + +{{ if or .Values.livenessProbe .Values.readinessProbe .Values.startupProbe }} +{{ required "`livenessProbe`, `readinessProbe` and `startupProbe` are deprecated. See the release notes for a list of changes." .Values.undefined }} +{{ end }} + +{{ if .Values.autoscaling }} +{{ required "`autoscaling` is deprecated. See the release notes for a list of changes." .Values.undefined }} +{{ end }} + +{{ if .Values.pdb }} +{{ required "`pdb` is deprecated. See the release notes for a list of changes." .Values.undefined }} +{{ end }} + +{{ if .Values.resources }} +{{ required "`resources` is deprecated. See the release notes for a list of changes." .Values.undefined }} +{{ end }} + +{{ if .Values.service }} +{{ required "`service` is deprecated. See the release notes for a list of changes." .Values.undefined }} +{{ end }} + +{{ if .Values.prometheus.serviceMonitor }} +{{ required "`prometheus.serviceMonitor` is deprecated. See the release notes for a list of changes." .Values.undefined }} +{{ end }} + +{{ if .Values.prometheus.rules.create }} +{{ required "`prometheus.rules.create` is deprecated. See the release notes for a list of changes." .Values.undefined }} +{{ end }} + +{{ if .Values.ingress }} +{{ required "`ingress` is deprecated. See the release notes for a list of changes." .Values.undefined }} +{{ end }} diff --git a/charts/authentik/templates/ingress.yaml b/charts/authentik/templates/ingress.yaml deleted file mode 100644 index 86f76dfc..00000000 --- a/charts/authentik/templates/ingress.yaml +++ /dev/null @@ -1,46 +0,0 @@ -{{- if .Values.ingress.enabled -}} - {{- $apiIsStable := include "authentik.capabilities.ingress.isStable" . -}} -apiVersion: {{ include "authentik.capabilities.ingress.apiVersion" . }} -kind: Ingress -metadata: - name: {{ include "authentik.names.fullname" . }} - labels: - {{- include "authentik.labels" . | nindent 4 }} - {{- with .Values.ingress.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - {{- if and $apiIsStable .Values.ingress.ingressClassName }} - ingressClassName: {{ $.Values.ingress.ingressClassName }} - {{- end }} - {{- with .Values.ingress.tls }} - tls: - {{- toYaml . | nindent 4 }} - {{- end }} - rules: - {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} - http: - paths: - {{- range .paths }} - - path: {{ .path | quote }} - {{- if $apiIsStable }} - pathType: {{ default "Prefix" .pathType }} - {{- end }} - backend: - {{- if $apiIsStable }} - service: - name: {{ include "authentik.names.fullname" $ }} - port: - name: {{ $.Values.service.name }} - {{- else }} - serviceName: {{ include "authentik.names.fullname" $ }} - servicePort: {{ $.Values.service.port }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} diff --git a/charts/authentik/templates/prom-service-monitor.yaml b/charts/authentik/templates/prom-service-monitor.yaml deleted file mode 100644 index 23ace4ef..00000000 --- a/charts/authentik/templates/prom-service-monitor.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- with .Values.prometheus.serviceMonitor }} -{{- if .create -}} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "authentik.names.fullname" $ }} - labels: - {{- include "authentik.labels" $ | nindent 4 }} - {{- with .labels }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - endpoints: - - port: http-metrics - scrapeTimeout: {{ .scrapeTimeout }} - interval: {{ .interval }} - selector: - matchLabels: - {{- include "authentik.labels.selectorLabels" $ | nindent 6 }} -{{- end }} -{{- end }} diff --git a/charts/authentik/templates/prom-rules.yaml b/charts/authentik/templates/prometheusrule.yaml similarity index 93% rename from charts/authentik/templates/prom-rules.yaml rename to charts/authentik/templates/prometheusrule.yaml index 260a15f1..1059fa6c 100644 --- a/charts/authentik/templates/prom-rules.yaml +++ b/charts/authentik/templates/prometheusrule.yaml @@ -1,14 +1,21 @@ -{{- with .Values.prometheus.rules }} -{{- if .create -}} +{{- if .Values.prometheus.rules.enabled }} apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: - name: {{ include "authentik.names.fullname" $ }} + name: {{ template "authentik.fullname" . }} + namespace: {{ default .Release.Namespace .Values.prometheus.rules.namespace | quote }} labels: - {{- include "authentik.labels" $ | nindent 4 }} - {{- with .labels }} - {{- toYaml . | nindent 4 }} + {{- include "authentik.labels" (dict "context" .) | nindent 4 }} + {{- if .Values.prometheus.rules.selector }} + {{- toYaml .Values.prometheus.rules.selector | nindent 4 }} + {{- end }} + {{- if .Values.prometheus.rules.labels }} + {{- toYaml .Values.prometheus.rules.labels | nindent 4 }} {{- end }} + {{- with .Values.prometheus.rules.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: groups: - name: authentik Aggregate request counters @@ -162,4 +169,3 @@ spec: message: Outpost {{ $labels.outpost }} has at least 1 disconnected instance `}} {{- end }} -{{- end }} diff --git a/charts/authentik/templates/secret.yaml b/charts/authentik/templates/secret.yaml index 0239eb9d..ad8718bf 100644 --- a/charts/authentik/templates/secret.yaml +++ b/charts/authentik/templates/secret.yaml @@ -1,16 +1,17 @@ apiVersion: v1 kind: Secret metadata: - name: {{ include "authentik.names.fullname" $ }} + name: {{ template "authentik.fullname" . }} + namespace: {{ .Release.Namespace | quote }} labels: - {{- include "authentik.labels" $ | nindent 4 }} - {{- if $.Values.annotations }} + {{- include "authentik.labels" (dict "context" .) | nindent 4 }} + {{- if .Values.annotations }} annotations: - {{- toYaml $.Values.annotations | nindent 4 }} + {{- toYaml .Values.annotations | nindent 4 }} {{- end }} data: - {{- include "authentik.env" (dict "root" $ "values" $.Values.authentik) | indent 2 }} - {{- if $.Values.geoip.enabled }} - GEOIPUPDATE_ACCOUNT_ID: {{ required "geoip account id required" $.Values.geoip.accountId | b64enc | quote }} - GEOIPUPDATE_LICENSE_KEY: {{ required "geoip license key required" $.Values.geoip.licenseKey | b64enc | quote }} + {{- include "authentik.env" (dict "root" . "values" .Values.authentik) | indent 2 }} + {{- if and .Values.geoip.enabled (not .Values.geoip.existingSecret.secretName) }} + GEOIPUPDATE_ACCOUNT_ID: {{ required "geoip account id required" .Values.geoip.accountId | b64enc | quote }} + GEOIPUPDATE_LICENSE_KEY: {{ required "geoip license key required" .Values.geoip.licenseKey | b64enc | quote }} {{- end }} diff --git a/charts/authentik/templates/server-deployment.yaml b/charts/authentik/templates/server-deployment.yaml deleted file mode 100644 index ccb5afc4..00000000 --- a/charts/authentik/templates/server-deployment.yaml +++ /dev/null @@ -1,175 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ printf "%s-%s" (include "authentik.names.fullname" $) "server" }} - labels: - {{- include "authentik.labels" $ | nindent 4 }} - app.kubernetes.io/component: "server" - {{- if $.Values.annotations }} - annotations: - {{- toYaml $.Values.annotations | nindent 4 }} - {{- end }} -spec: - {{- if not $.Values.autoscaling.server.enabled }} - replicas: {{ $.Values.replicas }} - {{- end }} - strategy: - {{- toYaml $.Values.strategy | nindent 4 }} - selector: - matchLabels: - {{- include "authentik.labels.selectorLabels" $ | nindent 6 }} - app.kubernetes.io/component: "server" - template: - metadata: - labels: - {{- include "authentik.labels.selectorLabels" $ | nindent 8 }} - app.kubernetes.io/component: "server" - app.kubernetes.io/version: "{{ trunc 63 $.Values.image.tag }}" - annotations: - goauthentik.io/config-checksum: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} - {{- if $.Values.podAnnotations }} - {{- toYaml $.Values.podAnnotations | nindent 8 }} - {{- end }} - spec: - {{- if $.Values.image.pullSecrets }} - imagePullSecrets: - {{- toYaml $.Values.image.pullSecrets | nindent 8 }} - {{- end }} - {{- with $.Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with $.Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with $.Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - enableServiceLinks: true - {{- if $.Values.initContainers }} - initContainers: - {{- $initContainers := list }} - {{- range $index, $key := (keys $.Values.initContainers | uniq | sortAlpha) }} - {{- $container := get $.Values.initContainers $key }} - {{- if not $container.name -}} - {{- $_ := set $container "name" $key }} - {{- end }} - {{- $initContainers = append $initContainers $container }} - {{- end }} - {{- tpl (toYaml $initContainers) $ | nindent 8 }} - {{- end }} - {{- if $.Values.priorityClassName }} - priorityClassName: {{ $.Values.priorityClassName }} - {{- end }} - securityContext: - {{- toYaml $.Values.securityContext | nindent 8 }} - containers: - - name: {{ $.Chart.Name }} - image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}{{- if $.Values.image.digest -}}@{{ $.Values.image.digest }}{{- end -}}" - imagePullPolicy: "{{ $.Values.image.pullPolicy }}" - args: ["server"] - env: - {{- range $k, $v := $.Values.env }} - - name: {{ quote $k }} - value: {{ quote $v }} - {{- end }} - {{- range $name, $val := $.Values.envValueFrom }} - - name: {{ $name }} - valueFrom: - {{- toYaml $val | nindent 16 }} - {{- end }} - envFrom: - - secretRef: - name: {{ include "authentik.names.fullname" $ }} - {{- with $.Values.envFrom }} - {{- toYaml . | nindent 12 }} - {{- end }} - volumeMounts: - {{- if $.Values.geoip.enabled }} - - name: geoip-db - mountPath: /geoip - {{- end }} - {{- with $.Values.volumeMounts }} - {{- toYaml . | nindent 12 }} - {{- end }} - ports: - - name: http - containerPort: 9000 - protocol: TCP - - name: http-metrics - containerPort: 9300 - protocol: TCP - - name: https - containerPort: 9443 - protocol: TCP - {{- if $.Values.livenessProbe.enabled }} - {{- with omit $.Values.livenessProbe "enabled" }} - livenessProbe: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- end }} - {{- if $.Values.startupProbe.enabled }} - {{- with omit $.Values.startupProbe "enabled" }} - startupProbe: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- end }} - {{- if $.Values.readinessProbe.enabled }} - {{- with omit $.Values.readinessProbe "enabled" }} - readinessProbe: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- end }} - {{- with index $.Values.resources.server }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - securityContext: - {{- toYaml $.Values.containerSecurityContext | nindent 12 }} - {{- if $.Values.geoip.enabled }} - - name: geoip-sidecar - image: "{{ $.Values.geoip.image }}" - env: - - name: GEOIPUPDATE_FREQUENCY - value: {{ $.Values.geoip.updateInterval | quote }} - - name: GEOIPUPDATE_PRESERVE_FILE_TIMES - value: "1" - - name: GEOIPUPDATE_ACCOUNT_ID - valueFrom: - secretKeyRef: - name: {{ include "authentik.names.fullname" $ }} - key: GEOIPUPDATE_ACCOUNT_ID - - name: GEOIPUPDATE_LICENSE_KEY - valueFrom: - secretKeyRef: - name: {{ include "authentik.names.fullname" $ }} - key: GEOIPUPDATE_LICENSE_KEY - - name: GEOIPUPDATE_EDITION_IDS - value: {{ required "geoip edition id required" $.Values.geoip.editionIds | quote }} - volumeMounts: - - name: geoip-db - mountPath: /usr/share/GeoIP - securityContext: - {{- toYaml $.Values.geoip.containerSecurityContext | nindent 12 }} - {{- end }} - {{- with $.Values.additionalContainers }} - {{- $additionalContainers := list }} - {{- range $name, $container := . }} - {{- if not $container.name -}} - {{- $_ := set $container "name" $name }} - {{- end }} - {{- $additionalContainers = append $additionalContainers $container }} - {{- end }} - {{- tpl (toYaml $additionalContainers) $ | nindent 8 }} - {{- end }} - volumes: - {{- if $.Values.geoip.enabled }} - - name: geoip-db - emptyDir: {} - {{- end }} - {{- with $.Values.volumes }} - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/charts/authentik/templates/server-hpa.yaml b/charts/authentik/templates/server-hpa.yaml deleted file mode 100644 index f57a4035..00000000 --- a/charts/authentik/templates/server-hpa.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{- with .Values.autoscaling.server }} -{{- if .enabled -}} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{ printf "%s-%s" (include "authentik.names.fullname" $) "server" }} - labels: - {{- include "authentik.labels" $ | nindent 4 }} - app.kubernetes.io/component: "server" - {{- if $.Values.annotations }} - annotations: - {{- toYaml $.Values.annotations | nindent 4 }} - {{- end }} -spec: - minReplicas: {{ .minReplicas }} - maxReplicas: {{ .maxReplicas }} - metrics: - - resource: - name: cpu - target: - averageUtilization: {{ .targetCPUUtilizationPercentage }} - type: Utilization - type: Resource - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ printf "%s-%s" (include "authentik.names.fullname" $) "server" }} -{{- end }} -{{- end }} diff --git a/charts/authentik/templates/server-pdb.yaml b/charts/authentik/templates/server-pdb.yaml deleted file mode 100644 index d9b817e4..00000000 --- a/charts/authentik/templates/server-pdb.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if .Values.pdb.server.enabled }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{ printf "%s-%s" (include "authentik.names.fullname" $) "server" }} - labels: - {{- include "authentik.labels" $ | nindent 4 }} - app.kubernetes.io/component: "server" - {{- with $.Values.pdb.server.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - annotations: - {{- toYaml $.Values.pdb.server.annotations | nindent 4 }} -spec: - {{- with $.Values.pdb.server.maxUnavailable }} - maxUnavailable: {{ . }} - {{- else }} - minAvailable: {{ $.Values.pdb.server.minAvailable | default 0 }} - {{- end }} - selector: - matchLabels: - {{- include "authentik.labels" $ | nindent 6 }} - app.kubernetes.io/component: server -{{- end }} diff --git a/charts/authentik/templates/server/deployment.yaml b/charts/authentik/templates/server/deployment.yaml new file mode 100644 index 00000000..8f416ef5 --- /dev/null +++ b/charts/authentik/templates/server/deployment.yaml @@ -0,0 +1,233 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "authentik.server.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "authentik.labels" (dict "context" . "component" .Values.server.name) | nindent 4 }} + {{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.server.deploymentAnnotations) }} + annotations: + {{- range $key, $value := . }} + {{ $key}}: {{ $value | quote }} + {{- end }} + {{- end }} +spec: + {{- with include "authentik.strategy" (mergeOverwrite (deepCopy .Values.global.deploymentStrategy) .Values.server.deploymentStrategy) }} + strategy: + {{- trim . | nindent 4 }} + {{- end }} + {{- if not .Values.server.autoscaling.enabled }} + replicas: {{ .Values.server.replicas }} + {{- end }} + revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }} + selector: + matchLabels: + {{- include "authentik.selectorLabels" (dict "context" . "component" .Values.server.name) | nindent 6 }} + template: + metadata: + labels: + {{- include "authentik.labels" (dict "context" . "component" .Values.server.name) | nindent 8 }} + {{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.server.podLabels) }} + {{- toYaml . | nindent 8 }} + {{- end }} + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.server.podAnnotations) }} + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + spec: + {{- with .Values.server.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.global.hostAliases }} + hostAliases: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (mergeOverwrite (deepCopy .Values.global.securityContext) .Values.server.securityContext) }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.priorityClassName | default .Values.global.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} + {{- if .Values.server.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} + {{- end }} + {{- with .Values.server.initContainers }} + initContainers: + {{- tpl (toYaml . ) $ | nindent 6 }} + {{- end }} + containers: + - name: {{ .Values.server.name }} + image: {{ default .Values.global.image.repository .Values.server.image.repository }}:{{ default (include "authentik.defaultTag" .) .Values.server.image.tag }}{{- if (default .Values.global.image.digest .Values.server.image.digest) -}}@{{ default .Values.global.image.digest .Values.server.image.digest }}{{- end }} + imagePullPolicy: {{ default .Values.global.image.pullPolicy .Values.server.image.pullPolicy }} + args: + - server + env: + {{- with (concat .Values.global.env .Values.server.env) }} + {{- toYaml . | nindent 10 }} + {{- end }} + - name: AUTHENTIK_LISTEN__HTTP + value: {{ printf "0.0.0.0:%v" .Values.server.containerPorts.http | quote }} + - name: AUTHENTIK_LISTEN__HTTPS + value: {{ printf "0.0.0.0:%v" .Values.server.containerPorts.https | quote }} + - name: AUTHENTIK_LISTEN__METRICS + value: {{ printf "0.0.0.0:%v" .Values.server.containerPorts.metrics | quote }} + envFrom: + - secretRef: + name: {{ template "authentik.fullname" . }} + {{- with (concat .Values.global.envFrom .Values.server.envFrom) }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if or .Values.geoip.enabled .Values.global.volumeMounts .Values.server.volumeMounts }} + volumeMounts: + {{- with .Values.global.volumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.server.volumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.geoip.enabled }} + - name: geoip-db + mountPath: /geoip + {{- end }} + {{- end }} + ports: + - name: http + containerPort: {{ .Values.server.containerPorts.http }} + protocol: TCP + - name: https + containerPort: {{ .Values.server.containerPorts.https }} + protocol: TCP + - name: metrics + containerPort: {{ .Values.server.containerPorts.metrics }} + protocol: TCP + {{- with .Values.server.livenessProbe }} + livenessProbe: + {{ toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.server.readinessProbe }} + readinessProbe: + {{ toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.server.startupProbe }} + startupProbe: + {{ toYaml . | nindent 12 }} + {{- end }} + resources: + {{- toYaml .Values.server.resources | nindent 12 }} + {{- with .Values.server.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.server.lifecycle }} + lifecycle: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.geoip.enabled }} + - name: geoip + image: {{ .Values.geoip.image.repository }}:{{ .Values.geoip.image.tag }}{{- if .Values.geoip.image.digest -}}@{{ .Values.geoip.image.digest }}{{- end -}} + imagePullPolicy: {{ .Values.geoip.image.pullPolicy }} + env: + {{- with .Values.geoip.env }} + {{- toYaml . | nindent 10 }} + {{- end }} + - name: GEOIPUPDATE_FREQUENCY + value: {{ .Values.geoip.updateInterval | quote }} + - name: GEOIPUPDATE_PRESERVE_FILE_TIMES + value: "1" + {{- if not .Values.geoip.existingSecret.secretName }} + - name: GEOIPUPDATE_ACCOUNT_ID + valueFrom: + secretKeyRef: + name: {{ template "authentik.fullname" . }} + key: GEOIPUPDATE_ACCOUNT_ID + - name: GEOIPUPDATE_LICENSE_KEY + valueFrom: + secretKeyRef: + name: {{ template "authentik.fullname" . }} + key: GEOIPUPDATE_LICENSE_KEY + {{- else }} + - name: GEOIPUPDATE_ACCOUNT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.geoip.existingSecret.secretName }} + key: {{ .Values.geoip.existingSecret.accountId }} + - name: GEOIPUPDATE_LICENSE_KEY + valueFrom: + secretKeyRef: + name: {{ .Values.geoip.existingSecret.secretName }} + key: {{ .Values.geoip.existingSecret.licenseKey }} + {{- end }} + - name: GEOIPUPDATE_EDITION_IDS + value: {{ required "geoip edition id required" .Values.geoip.editionIds | quote }} + {{- with .Values.geoip.envFrom }} + envFrom: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + {{- with .Values.geoip.volumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + - name: geoip-db + mountPath: /usr/share/GeoIP + resources: + {{- toYaml .Values.geoip.resources | nindent 10 }} + {{- with .Values.geoip.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- end }} + {{- with .Values.server.extraContainers }} + {{- tpl (toYaml . ) $ | nindent 6 }} + {{- end }} + {{- with include "authentik.affinity" (dict "context" . "component" .Values.server) }} + affinity: + {{- trim . | nindent 8 }} + {{- end }} + {{- with .Values.server.nodeSelector | default .Values.global.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.tolerations | default .Values.global.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }} + topologySpreadConstraints: + {{- range $constraint := . }} + - {{ toYaml $constraint | nindent 8 | trim }} + {{- if not $constraint.labelSelector }} + labelSelector: + matchLabels: + {{- include "authentik.selectorLabels" (dict "context" $ "component" $.Values.server.name) | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} + {{- if or .Values.geoip.enabled .Values.global.volumes .Values.server.volumes }} + volumes: + {{- with .Values.global.volumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.volumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.geoip.enabled }} + - name: geoip-db + emptyDir: {} + {{- end }} + {{- end }} + enableServiceLinks: true + {{- if .Values.server.hostNetwork }} + hostNetwork: {{ .Values.server.hostNetwork }} + {{- end }} + {{- with .Values.server.dnsConfig }} + dnsConfig: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.server.dnsPolicy }} + dnsPolicy: {{ .Values.server.dnsPolicy }} + {{- end }} diff --git a/charts/authentik/templates/server/hpa.yaml b/charts/authentik/templates/server/hpa.yaml new file mode 100644 index 00000000..9a7f4be9 --- /dev/null +++ b/charts/authentik/templates/server/hpa.yaml @@ -0,0 +1,44 @@ +{{- if .Values.server.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "authentik.server.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "authentik.labels" (dict "context" . "component" .Values.server.name) | nindent 4 }} + {{- with .Values.server.autoscaling.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "authentik.server.fullname" . }} + minReplicas: {{ .Values.server.autoscaling.minReplicas }} + maxReplicas: {{ .Values.server.autoscaling.maxReplicas }} + metrics: + {{- with .Values.server.autoscaling.metrics }} + {{- toYaml . | nindent 4 }} + {{- else }} + {{- with .Values.server.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: Utilization + averageUtilization: {{ . }} + {{- end }} + {{- with .Values.server.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} + {{- end }} + {{- with .Values.server.autoscaling.behavior }} + behavior: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/authentik/templates/server/ingress.yaml b/charts/authentik/templates/server/ingress.yaml new file mode 100644 index 00000000..a7626485 --- /dev/null +++ b/charts/authentik/templates/server/ingress.yaml @@ -0,0 +1,71 @@ +{{- if .Values.server.ingress.enabled -}} +{{- $servicePort := ternary .Values.server.service.servicePortHttps .Values.server.service.servicePortHttp .Values.server.ingress.https -}} +{{- $paths := .Values.server.ingress.paths -}} +{{- $extraPaths := .Values.server.ingress.extraPaths -}} +{{- $pathType := .Values.server.ingress.pathType -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ include "authentik.server.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "authentik.labels" (dict "context" . "component" .Values.server.name) | nindent 4 }} + {{- with .Values.server.ingress.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.server.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- with .Values.server.ingress.ingressClassName }} + ingressClassName: {{ . }} + {{- end }} + rules: + {{- if .Values.server.ingress.hosts }} + {{- range $host := .Values.server.ingress.hosts }} + - host: {{ $host | quote }} + http: + paths: + {{- with $extraPaths }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- range $p := $paths }} + - path: {{ $p }} + pathType: {{ $pathType }} + backend: + service: + name: {{ include "authentik.server.fullname" $ }} + port: + {{- if kindIs "float64" $servicePort }} + number: {{ $servicePort }} + {{- else }} + name: {{ $servicePort }} + {{- end }} + {{- end -}} + {{- end -}} + {{- else }} + - http: + paths: + {{- with $extraPaths }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- range $p := $paths }} + - path: {{ $p }} + pathType: {{ $pathType }} + backend: + service: + name: {{ include "authentik.server.fullname" $ }} + port: + {{- if kindIs "float64" $servicePort }} + number: {{ $servicePort }} + {{- else }} + name: {{ $servicePort }} + {{- end }} + {{- end -}} + {{- end -}} + {{- with .Values.server.ingress.tls }} + tls: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/authentik/templates/server/metrics.yaml b/charts/authentik/templates/server/metrics.yaml new file mode 100644 index 00000000..60898618 --- /dev/null +++ b/charts/authentik/templates/server/metrics.yaml @@ -0,0 +1,34 @@ +{{- if .Values.server.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "authentik.server.fullname" . }}-metrics + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "authentik.labels" (dict "context" . "component" (printf "%s-metrics" .Values.server.name)) | nindent 4 }} + {{- with .Values.server.metrics.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if or .Values.server.metrics.service.annotations .Values.global.addPrometheusAnnotations }} + annotations: + {{- if .Values.global.addPrometheusAnnotations }} + prometheus.io/port: {{ .Values.server.metrics.service.servicePort | quote }} + prometheus.io/scrape: "true" + {{- end }} + {{- range $key, $value := .Values.server.metrics.service.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +spec: + type: {{ .Values.server.metrics.service.type }} + {{- if and .Values.server.metrics.service.clusterIP (eq .Values.server.metrics.service.type "ClusterIP") }} + clusterIP: {{ .Values.server.metrics.service.clusterIP }} + {{- end }} + ports: + - name: {{ .Values.server.metrics.service.portName }} + protocol: TCP + port: {{ .Values.server.metrics.service.servicePort }} + targetPort: metrics + selector: + {{- include "authentik.selectorLabels" (dict "context" . "component" .Values.server.name) | nindent 4 }} +{{- end }} diff --git a/charts/authentik/templates/server/pdb.yaml b/charts/authentik/templates/server/pdb.yaml new file mode 100644 index 00000000..194ab5fd --- /dev/null +++ b/charts/authentik/templates/server/pdb.yaml @@ -0,0 +1,25 @@ +{{- if .Values.server.pdb.enabled }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "authentik.server.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "authentik.labels" (dict "context" . "component" .Values.server.name) | nindent 4 }} + {{- with .Values.server.pdb.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{ with .Values.server.pdb.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- with .Values.server.pdb.maxUnavailable }} + maxUnavailable: {{ . }} + {{- else }} + minAvailable: {{ .Values.server.pdb.minAvailable | default 0 }} + {{- end }} + selector: + matchLabels: + {{- include "authentik.selectorLabels" (dict "context" . "component" .Values.server.name) | nindent 6 }} +{{- end }} diff --git a/charts/authentik/templates/server/service.yaml b/charts/authentik/templates/server/service.yaml new file mode 100644 index 00000000..d3ad5656 --- /dev/null +++ b/charts/authentik/templates/server/service.yaml @@ -0,0 +1,69 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "authentik.server.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "authentik.labels" (dict "context" . "component" .Values.server.name) | nindent 4 }} + {{- with .Values.server.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.server.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.server.service.type }} + ports: + - name: {{ .Values.server.service.servicePortHttpName }} + protocol: TCP + port: {{ .Values.server.service.servicePortHttp }} + targetPort: {{ .Values.server.containerPorts.http }} + {{- if eq .Values.server.service.type "NodePort" }} + nodePort: {{ .Values.server.service.nodePortHttp }} + {{- end }} + {{- with .Values.server.service.servicePortHttpAppProtocol }} + appProtocol: {{ . }} + {{- end }} + - name: {{ .Values.server.service.servicePortHttpsName }} + protocol: TCP + port: {{ .Values.server.service.servicePortHttps }} + targetPort: {{ .Values.server.containerPorts.https }} + {{- if eq .Values.server.service.type "NodePort" }} + nodePort: {{ .Values.server.service.nodePortHttps }} + {{- end }} + {{- with .Values.server.service.servicePortHttpsAppProtocol }} + appProtocol: {{ . }} + {{- end }} + selector: + {{- include "authentik.selectorLabels" (dict "context" . "component" .Values.server.name) | nindent 4 }} + {{- if eq .Values.server.service.type "LoadBalancer" }} + {{- if .Values.server.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.server.service.loadBalancerIP | quote }} + {{- end }} + {{- if .Values.server.service.externalIPs }} + externalIPs: {{ .Values.server.service.externalIPs }} + {{- end }} + {{- if .Values.server.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{ toYaml .Values.server.service.loadBalancerSourceRanges | indent 4 }} + {{- end }} + {{- end -}} + {{- if eq .Values.server.service.type "ClusterIP" }} + {{- if .Values.server.service.clusterIP }} + clusterIP: {{ .Values.server.service.clusterIP | quote }} + {{- end }} + {{- end -}} + {{- with .Values.server.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ . }} + {{- end }} + {{- with .Values.server.service.sessionAffinity }} + sessionAffinity: {{ . }} + {{- end }} + {{- with .Values.server.service.sessionAffinityConfig }} + sessionAffinityConfig: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.server.service.publishNotReadyAddresses }} + publishNotReadyAddresses: {{ . }} + {{- end }} diff --git a/charts/authentik/templates/server/servicemonitor.yaml b/charts/authentik/templates/server/servicemonitor.yaml new file mode 100644 index 00000000..4f8507ae --- /dev/null +++ b/charts/authentik/templates/server/servicemonitor.yaml @@ -0,0 +1,50 @@ +{{- if and .Values.server.metrics.enabled .Values.server.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "authentik.server.fullname" . }} + namespace: {{ default .Release.Namespace .Values.server.metrics.serviceMonitor.namespace | quote }} + labels: + {{- include "authentik.labels" (dict "context" . "component" (printf "%s-metrics" .Values.server.name)) | nindent 4 }} + {{- with .Values.server.metrics.serviceMonitor.selector }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.server.metrics.serviceMonitor.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.server.metrics.serviceMonitor.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + endpoints: + - port: {{ .Values.server.metrics.service.portName }} + {{- with .Values.server.metrics.serviceMonitor.interval }} + interval: {{ . }} + {{- end }} + {{- with .Values.server.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ . }} + {{- end }} + path: /metrics + {{- with .Values.server.metrics.serviceMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.metrics.serviceMonitor.scheme }} + scheme: {{ . }} + {{- end }} + {{- with .Values.server.metrics.serviceMonitor.tlsConfig }} + tlsConfig: + {{- toYaml . | nindent 8 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + {{- include "authentik.selectorLabels" (dict "context" . "component" (printf "%s-metrics" .Values.server.name)) | nindent 6 }} +{{- end }} diff --git a/charts/authentik/templates/service.yaml b/charts/authentik/templates/service.yaml deleted file mode 100644 index 17d569f2..00000000 --- a/charts/authentik/templates/service.yaml +++ /dev/null @@ -1,61 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "authentik.names.fullname" . }} - labels: - {{- include "authentik.labels" . | nindent 4 }} - {{- with .Values.service.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.service.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - {{- $type := default "ClusterIP" .Values.service.type }} - {{- if eq $type "ClusterIP" }} - {{- with .Values.service.clusterIP }} - clusterIP: {{ . }} - {{ end }} - {{- else if eq $type "LoadBalancer" }} - {{- with .Values.service.loadBalancerIP }} - loadBalancerIP: {{ . }} - {{- end }} - {{- with .Values.service.externalTrafficPolicy }} - externalTrafficPolicy: {{ . }} - {{- end }} - {{- with .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- end }} - type: {{ $type }} - {{- if .Values.service.sessionAffinity }} - sessionAffinity: {{ .Values.service.sessionAffinity }} - {{- with .Values.service.sessionAffinityConfig }} - sessionAffinityConfig: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- end }} - {{- with .Values.service.externalIPs }} - externalIPs: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.service.publishNotReadyAddresses }} - publishNotReadyAddresses: {{ . }} - {{- end }} - ports: - - port: 9300 - name: http-metrics - protocol: TCP - targetPort: http-metrics - - port: {{ .Values.service.port }} - targetPort: http - protocol: {{ .Values.service.protocol }} - name: {{ .Values.service.name }} - {{- if and (eq $type "NodePort") .Values.service.nodePort }} - nodePort: {{ .Values.service.nodePort }} - {{- end }} - selector: - {{- include "authentik.labels.selectorLabels" . | nindent 4 }} - app.kubernetes.io/component: "server" diff --git a/charts/authentik/templates/worker-deployment.yaml b/charts/authentik/templates/worker-deployment.yaml deleted file mode 100644 index 30b885e8..00000000 --- a/charts/authentik/templates/worker-deployment.yaml +++ /dev/null @@ -1,163 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ printf "%s-%s" (include "authentik.names.fullname" $) "worker" }} - labels: - {{- include "authentik.labels" $ | nindent 4 }} - app.kubernetes.io/component: "worker" - {{- if $.Values.annotations }} - annotations: - {{- toYaml $.Values.annotations | nindent 4 }} - {{- end }} -spec: - {{- if not $.Values.autoscaling.worker.enabled }} - replicas: {{ $.Values.worker.replicas }} - {{- end }} - strategy: - {{- toYaml $.Values.worker.strategy | nindent 4 }} - selector: - matchLabels: - {{- include "authentik.labels.selectorLabels" $ | nindent 6 }} - app.kubernetes.io/component: "worker" - template: - metadata: - labels: - {{- include "authentik.labels.selectorLabels" $ | nindent 8 }} - app.kubernetes.io/component: "worker" - app.kubernetes.io/version: "{{ trunc 63 $.Values.image.tag }}" - annotations: - goauthentik.io/config-checksum: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} - {{- if $.Values.podAnnotations }} - {{- toYaml $.Values.podAnnotations | nindent 8 }} - {{- end }} - spec: - {{- if $.Values.image.pullSecrets }} - imagePullSecrets: - {{- toYaml $.Values.image.pullSecrets | nindent 8 }} - {{- end }} - {{- if $.Values.serviceAccount.create }} - serviceAccountName: {{ include "authentik-remote-cluster.fullname" .Subcharts.serviceAccount }} - {{- end }} - {{- with $.Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with $.Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with $.Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - enableServiceLinks: true - {{- if $.Values.initContainers }} - initContainers: - {{- $initContainers := list }} - {{- range $index, $key := (keys $.Values.initContainers | uniq | sortAlpha) }} - {{- $container := get $.Values.initContainers $key }} - {{- if not $container.name -}} - {{- $_ := set $container "name" $key }} - {{- end }} - {{- $initContainers = append $initContainers $container }} - {{- end }} - {{- tpl (toYaml $initContainers) $ | nindent 8 }} - {{- end }} - {{- if $.Values.worker.priorityClassName }} - priorityClassName: {{ $.Values.worker.priorityClassName }} - {{- end }} - securityContext: - {{- toYaml $.Values.worker.securityContext | nindent 8 }} - containers: - - name: {{ $.Chart.Name }} - image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}{{- if $.Values.image.digest -}}@{{ $.Values.image.digest }}{{- end -}}" - imagePullPolicy: "{{ $.Values.image.pullPolicy }}" - args: ["worker"] - env: - {{- range $k, $v := $.Values.env }} - - name: {{ quote $k }} - value: {{ quote $v }} - {{- end }} - {{- range $name, $val := $.Values.envValueFrom }} - - name: {{ $name }} - valueFrom: - {{- toYaml $val | nindent 16 }} - {{- end }} - envFrom: - - secretRef: - name: {{ include "authentik.names.fullname" $ }} - {{- with $.Values.envFrom }} - {{- toYaml . | nindent 12 }} - {{- end }} - volumeMounts: - {{- if $.Values.geoip.enabled }} - - name: geoip-db - mountPath: /geoip - {{- end }} - {{- with $.Values.volumeMounts }} - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with $.Values.blueprints }} - {{- range $name := . }} - - name: blueprints-{{ $name }} - mountPath: /blueprints/mounted/{{ $name }} - {{- end }} - {{- end }} - {{- with index $.Values.resources "worker" }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - securityContext: - {{- toYaml $.Values.worker.containerSecurityContext | nindent 12 }} - {{- if $.Values.geoip.enabled }} - - name: geoip-sidecar - image: "{{ $.Values.geoip.image }}" - env: - - name: GEOIPUPDATE_FREQUENCY - value: {{ $.Values.geoip.updateInterval | quote }} - - name: GEOIPUPDATE_PRESERVE_FILE_TIMES - value: "1" - - name: GEOIPUPDATE_ACCOUNT_ID - valueFrom: - secretKeyRef: - name: {{ include "authentik.names.fullname" $ }} - key: GEOIPUPDATE_ACCOUNT_ID - - name: GEOIPUPDATE_LICENSE_KEY - valueFrom: - secretKeyRef: - name: {{ include "authentik.names.fullname" $ }} - key: GEOIPUPDATE_LICENSE_KEY - - name: GEOIPUPDATE_EDITION_IDS - value: {{ required "geoip edition id required" $.Values.geoip.editionIds | quote }} - volumeMounts: - - name: geoip-db - mountPath: /usr/share/GeoIP - securityContext: - {{- toYaml $.Values.geoip.containerSecurityContext | nindent 12 }} - {{- end }} - {{- with $.Values.additionalContainers }} - {{- $additionalContainers := list }} - {{- range $name, $container := . }} - {{- if not $container.name -}} - {{- $_ := set $container "name" $name }} - {{- end }} - {{- $additionalContainers = append $additionalContainers $container }} - {{- end }} - {{- tpl (toYaml $additionalContainers) $ | nindent 8 }} - {{- end }} - volumes: - {{- if $.Values.geoip.enabled }} - - name: geoip-db - emptyDir: {} - {{- end }} - {{- with $.Values.volumes }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with $.Values.blueprints }} - {{- range $name := . }} - - name: blueprints-{{ $name }} - configMap: - name: {{ $name }} - {{- end }} - {{- end }} diff --git a/charts/authentik/templates/worker-hpa.yaml b/charts/authentik/templates/worker-hpa.yaml deleted file mode 100644 index 6a0fdf8b..00000000 --- a/charts/authentik/templates/worker-hpa.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{- with .Values.autoscaling.worker }} -{{- if .enabled -}} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{ printf "%s-%s" (include "authentik.names.fullname" $) "worker" }} - labels: - {{- include "authentik.labels" $ | nindent 4 }} - app.kubernetes.io/component: "worker" - {{- if $.Values.annotations }} - annotations: - {{- toYaml $.Values.annotations | nindent 4 }} - {{- end }} -spec: - minReplicas: {{ .minReplicas }} - maxReplicas: {{ .maxReplicas }} - metrics: - - resource: - name: cpu - target: - averageUtilization: {{ .targetCPUUtilizationPercentage }} - type: Utilization - type: Resource - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ printf "%s-%s" (include "authentik.names.fullname" $) "worker" }} -{{- end }} -{{- end }} diff --git a/charts/authentik/templates/worker-pdb.yaml b/charts/authentik/templates/worker-pdb.yaml deleted file mode 100644 index f31b2554..00000000 --- a/charts/authentik/templates/worker-pdb.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if .Values.pdb.worker.enabled }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{ printf "%s-%s" (include "authentik.names.fullname" $) "worker" }} - labels: - {{- include "authentik.labels" $ | nindent 4 }} - app.kubernetes.io/component: "worker" - {{- with $.Values.pdb.worker.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - annotations: - {{- toYaml $.Values.pdb.worker.annotations | nindent 4 }} -spec: - {{- with $.Values.pdb.worker.maxUnavailable }} - maxUnavailable: {{ . }} - {{- else }} - minAvailable: {{ $.Values.pdb.worker.minAvailable | default 0 }} - {{- end }} - selector: - matchLabels: - {{- include "authentik.labels" $ | nindent 6 }} - app.kubernetes.io/component: worker -{{- end }} diff --git a/charts/authentik/templates/worker/deployment.yaml b/charts/authentik/templates/worker/deployment.yaml new file mode 100644 index 00000000..f47eb6d3 --- /dev/null +++ b/charts/authentik/templates/worker/deployment.yaml @@ -0,0 +1,226 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "authentik.worker.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "authentik.labels" (dict "context" . "component" .Values.worker.name) | nindent 4 }} + {{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.worker.deploymentAnnotations) }} + annotations: + {{- range $key, $value := . }} + {{ $key}}: {{ $value | quote }} + {{- end }} + {{- end }} +spec: + {{- with include "authentik.strategy" (mergeOverwrite (deepCopy .Values.global.deploymentStrategy) .Values.worker.deploymentStrategy) }} + strategy: + {{- trim . | nindent 4 }} + {{- end }} + {{- if not .Values.worker.autoscaling.enabled }} + replicas: {{ .Values.worker.replicas }} + {{- end }} + revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }} + selector: + matchLabels: + {{- include "authentik.selectorLabels" (dict "context" . "component" .Values.worker.name) | nindent 6 }} + template: + metadata: + labels: + {{- include "authentik.labels" (dict "context" . "component" .Values.worker.name) | nindent 8 }} + {{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.worker.podLabels) }} + {{- toYaml . | nindent 8 }} + {{- end }} + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.worker.podAnnotations) }} + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + spec: + {{- with .Values.worker.imagePullSecrets | default .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.serviceAccount.create }} + serviceAccountName: {{ include "authentik-remote-cluster.fullname" .Subcharts.serviceAccount }} + {{- end }} + {{- with .Values.global.hostAliases }} + hostAliases: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (mergeOverwrite (deepCopy .Values.global.securityContext) .Values.worker.securityContext) }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.worker.priorityClassName | default .Values.global.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} + {{- if .Values.worker.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.worker.terminationGracePeriodSeconds }} + {{- end }} + {{- with .Values.worker.initContainers }} + initContainers: + {{- tpl (toYaml . ) $ | nindent 6 }} + {{- end }} + containers: + - name: {{ .Values.worker.name }} + image: {{ default .Values.global.image.repository .Values.worker.image.repository }}:{{ default (include "authentik.defaultTag" .) .Values.worker.image.tag }}{{- if (default .Values.global.image.digest .Values.worker.image.digest) -}}@{{ default .Values.global.image.digest .Values.worker.image.digest }}{{- end }} + imagePullPolicy: {{ default .Values.global.image.pullPolicy .Values.worker.image.pullPolicy }} + args: + - worker + env: + {{- with (concat .Values.global.env .Values.worker.env) }} + {{- toYaml . | nindent 10 }} + {{- end }} + envFrom: + - secretRef: + name: {{ template "authentik.fullname" . }} + {{- with (concat .Values.global.envFrom .Values.worker.envFrom) }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if or .Values.geoip.enabled .Values.global.volumeMounts .Values.worker.volumeMounts .Values.blueprints.configMaps .Values.blueprints.secrets }} + volumeMounts: + {{- with .Values.global.volumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.worker.volumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.geoip.enabled }} + - name: geoip-db + mountPath: /geoip + {{- end }} + {{- range $name := .Values.blueprints.configMaps }} + - name: blueprints-cm-{{ $name }} + mountPath: /blueprints/mounted/cm-{{ $name }} + {{- end }} + {{- range $name := .Values.blueprints.secrets }} + - name: blueprints-secret-{{ $name }} + mountPath: /blueprints/mounted/secret-{{ $name }} + {{- end }} + {{- end }} + resources: + {{- toYaml .Values.worker.resources | nindent 12 }} + {{- with .Values.worker.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.worker.lifecycle }} + lifecycle: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.geoip.enabled }} + - name: geoip + image: {{ .Values.geoip.image.repository }}:{{ .Values.geoip.image.tag }}{{- if .Values.geoip.image.digest -}}@{{ .Values.geoip.image.digest }}{{- end -}} + imagePullPolicy: {{ .Values.geoip.image.pullPolicy }} + env: + {{- with .Values.geoip.env }} + {{- toYaml . | nindent 10 }} + {{- end }} + - name: GEOIPUPDATE_FREQUENCY + value: {{ .Values.geoip.updateInterval | quote }} + - name: GEOIPUPDATE_PRESERVE_FILE_TIMES + value: "1" + {{- if not .Values.geoip.existingSecret.secretName }} + - name: GEOIPUPDATE_ACCOUNT_ID + valueFrom: + secretKeyRef: + name: {{ template "authentik.fullname" . }} + key: GEOIPUPDATE_ACCOUNT_ID + - name: GEOIPUPDATE_LICENSE_KEY + valueFrom: + secretKeyRef: + name: {{ template "authentik.fullname" . }} + key: GEOIPUPDATE_LICENSE_KEY + {{- else }} + - name: GEOIPUPDATE_ACCOUNT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.geoip.existingSecret.secretName }} + key: {{ .Values.geoip.existingSecret.accountId }} + - name: GEOIPUPDATE_LICENSE_KEY + valueFrom: + secretKeyRef: + name: {{ .Values.geoip.existingSecret.secretName }} + key: {{ .Values.geoip.existingSecret.licenseKey }} + {{- end }} + - name: GEOIPUPDATE_EDITION_IDS + value: {{ required "geoip edition id required" .Values.geoip.editionIds | quote }} + {{- with .Values.geoip.envFrom }} + envFrom: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + {{- with .Values.geoip.volumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + - name: geoip-db + mountPath: /usr/share/GeoIP + resources: + {{- toYaml .Values.geoip.resources | nindent 10 }} + {{- with .Values.geoip.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- end }} + {{- with .Values.worker.extraContainers }} + {{- tpl (toYaml . ) $ | nindent 6 }} + {{- end }} + {{- with include "authentik.affinity" (dict "context" . "component" .Values.worker) }} + affinity: + {{- trim . | nindent 8 }} + {{- end }} + {{- with .Values.worker.nodeSelector | default .Values.global.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.worker.tolerations | default .Values.global.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.worker.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }} + topologySpreadConstraints: + {{- range $constraint := . }} + - {{ toYaml $constraint | nindent 8 | trim }} + {{- if not $constraint.labelSelector }} + labelSelector: + matchLabels: + {{- include "authentik.selectorLabels" (dict "context" $ "component" $.Values.worker.name) | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} + {{- if or .Values.geoip.enabled .Values.global.volumes .Values.worker.volumes .Values.blueprints.configMaps .Values.blueprints.secrets }} + volumes: + {{- with .Values.global.volumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.worker.volumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.geoip.enabled }} + - name: geoip-db + emptyDir: {} + {{- end }} + {{- range $name := .Values.blueprints.configMaps }} + - name: blueprints-cm-{{ $name }} + configMap: + name: {{ $name }} + {{- end }} + {{- range $name := .Values.blueprints.secrets }} + - name: blueprints-secret-{{ $name }} + configMap: + name: {{ $name }} + {{- end }} + {{- end }} + enableServiceLinks: true + {{- if .Values.worker.hostNetwork }} + hostNetwork: {{ .Values.worker.hostNetwork }} + {{- end }} + {{- with .Values.worker.dnsConfig }} + dnsConfig: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.worker.dnsPolicy }} + dnsPolicy: {{ .Values.worker.dnsPolicy }} + {{- end }} diff --git a/charts/authentik/templates/worker/hpa.yaml b/charts/authentik/templates/worker/hpa.yaml new file mode 100644 index 00000000..7575880b --- /dev/null +++ b/charts/authentik/templates/worker/hpa.yaml @@ -0,0 +1,44 @@ +{{- if .Values.worker.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "authentik.worker.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "authentik.labels" (dict "context" . "component" .Values.worker.name) | nindent 4 }} + {{- with .Values.worker.autoscaling.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "authentik.worker.fullname" . }} + minReplicas: {{ .Values.worker.autoscaling.minReplicas }} + maxReplicas: {{ .Values.worker.autoscaling.maxReplicas }} + metrics: + {{- with .Values.worker.autoscaling.metrics }} + {{- toYaml . | nindent 4 }} + {{- else }} + {{- with .Values.worker.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: Utilization + averageUtilization: {{ . }} + {{- end }} + {{- with .Values.worker.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} + {{- end }} + {{- with .Values.worker.autoscaling.behavior }} + behavior: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/authentik/templates/worker/pdb.yaml b/charts/authentik/templates/worker/pdb.yaml new file mode 100644 index 00000000..8c60d4b5 --- /dev/null +++ b/charts/authentik/templates/worker/pdb.yaml @@ -0,0 +1,25 @@ +{{- if .Values.worker.pdb.enabled }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "authentik.worker.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "authentik.labels" (dict "context" . "component" .Values.worker.name) | nindent 4 }} + {{- with .Values.worker.pdb.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{ with .Values.worker.pdb.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- with .Values.worker.pdb.maxUnavailable }} + maxUnavailable: {{ . }} + {{- else }} + minAvailable: {{ .Values.worker.pdb.minAvailable | default 0 }} + {{- end }} + selector: + matchLabels: + {{- include "authentik.selectorLabels" (dict "context" . "component" .Values.worker.name) | nindent 6 }} +{{- end }} diff --git a/charts/authentik/values.yaml b/charts/authentik/values.yaml index 5d78890a..05c96a75 100644 --- a/charts/authentik/values.yaml +++ b/charts/authentik/values.yaml @@ -1,81 +1,162 @@ -# -- Server replicas -replicas: 1 -# -- Custom priority class for different treatment by the scheduler -priorityClassName: -# -- server securityContext -securityContext: {} -# -- server containerSecurityContext -containerSecurityContext: {} -# -- server deployment strategy -strategy: {} - # type: RollingUpdate - # rollingUpdate: - # maxSurge: 25% - # maxUnavailable: 25% +--- +# -- Provide a name in place of `authentik`. Prefer using global.nameOverride if possible +nameOverride: "" +# -- String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible +fullnameOverride: "" +# -- Override the Kubernetes version, which is used to evaluate certain manifests +kubeVersionOverride: "" -worker: - # -- worker replicas - replicas: 1 - # -- Custom priority class for different treatment by the scheduler - priorityClassName: - # -- worker securityContext + +## Globally shared configuration for authentik components. +global: + # -- Provide a name in place of `authentik` + nameOverride: "" + # -- String to fully override `"authentik.fullname"` + fullnameOverride: "" + # -- Common labels for all resources. + additionalLabels: {} + # app: authentik + + # Number of old deployment ReplicaSets to retain. The rest will be garbage collected. + revisionHistoryLimit: 3 + + # Default image used by all authentik components. For GeoIP configuration, see the geoip values below. + image: + # -- If defined, a repository applied to all authentik deployments + repository: ghcr.io/goauthentik/server + # -- Overrides the global authentik whose default is the chart appVersion + tag: "" + # -- If defined, an image digest applied to all authentik deployments + digest: "" + # -- If defined, an imagePullPolicy applied to all authentik deployments + pullPolicy: IfNotPresent + + # -- Secrets with credentials to pull images from a private registry + imagePullSecrets: [] + + # -- Annotations for all deployed Deployments + deploymentAnnotations: {} + + # -- Annotations for all deployed pods + podAnnotations: {} + + # -- Labels for all deployed pods + podLabels: {} + + # -- Add Prometheus scrape annotations to all metrics services. This can be used as an alternative to the ServiceMonitors. + addPrometheusAnnotations: false + + # -- Toggle and define pod-level security context. + # @default -- `{}` (See [values.yaml]) securityContext: {} - # -- worker containerSecurityContext - containerSecurityContext: {} - # -- worker strategy - strategy: {} + # runAsUser: 1000 + # runAsGroup: 1000 + # fsGroup: 1000 + + # -- Mapping between IP and hostnames that will be injected as entries in the pod's hosts files + hostAliases: [] + # - ip: 10.20.30.40 + # hostnames: + # - my.hostname + + # -- Default priority class for all components + priorityClassName: "" + + # -- Default node selector for all components + nodeSelector: {} + + # -- Default tolerations for all components + tolerations: [] + + # Default affinity preset for all components + affinity: + # -- Default pod anti-affinity rules. Either: `none`, `soft` or `hard` + podAntiAffinity: soft + # Node affinity rules + nodeAffinity: + # -- Default node affinity rules. Either `none`, `soft` or `hard` + type: hard + # -- Default match expressions for node affinity + matchExpressions: [] + # - key: topology.kubernetes.io/zone + # operator: In + # values: + # - zonea + # - zoneb + + # -- Default [TopologySpreadConstraints] rules for all components + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + + # -- Deployment strategy for all deployed Deployments + deploymentStrategy: {} # type: RollingUpdate # rollingUpdate: - # maxSurge: 25% - # maxUnavailable: 25% + # maxSurge: 25% + # maxUnavailable: 25% -image: - repository: ghcr.io/goauthentik/server - tag: 2023.10.7 - # -- optional container image digest - digest: "" - pullPolicy: IfNotPresent - pullSecrets: [] + # -- Environment variables to pass to all deployed Deployments. Does not apply to GeoIP + # See configuration options at https://goauthentik.io/docs/installation/configuration/ + # @default -- `[]` (See [values.yaml]) + env: [] + # - name: AUTHENTIK_VAR_NAME + # value: VALUE + # - name: AUTHENTIK_VAR_OTHER + # valueFrom: + # secretKeyRef: + # name: secret-name + # key: secret-key + # - name: AUTHENTIK_VAR_ANOTHER + # valueFrom: + # configMapKeyRef: + # name: config-map-name + # key: config-map-key -# -- Specify any initContainers here as dictionary items. Each initContainer should have its own key. The dictionary item key will determine the order. Helm templates can be used -initContainers: {} + # -- envFrom to pass to all deployed Deployments. Does not apply to GeoIP + # @default -- `[]` (See [values.yaml]) + envFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name -# -- Specify any additional containers here as dictionary items. Each additional container should have its own key. Helm templates can be used. -additionalContainers: {} + # -- Additional volumeMounts to all deployed Deployments. Does not apply to GeoIP + # @default -- `[]` (See [values.yaml]) + volumeMounts: [] + # - name: custom + # mountPath: /custom -ingress: - enabled: false - ingressClassName: "" - annotations: {} - labels: {} - hosts: - - host: authentik.domain.tld - paths: - - path: "/" - pathType: Prefix - tls: [] + # -- Additional volumes to all deployed Deployments. + # @default -- `[]` (See [values.yaml]) + volumes: [] + # - name: custom + # emptyDir: {} -# -- Annotations to add to the server and worker deployments -annotations: {} - -# -- Annotations to add to the server and worker pods -podAnnotations: {} +## Authentik configuration authentik: # -- Log level for server and worker log_level: info # -- Secret key used for cookie singing and unique user IDs, # don't change this after the first install secret_key: "" - # -- Path for the geoip database. If the file doesn't exist, GeoIP features are disabled. - geoip: /geoip/GeoLite2-City.mmdb + events: + context_processors: + # -- Path for the GeoIP City database. If the file doesn't exist, GeoIP features are disabled. + geoip: /geoip/GeoLite2-City.mmdb + # -- Path for the GeoIP ASN database. If the file doesn't exist, GeoIP features are disabled. + asn: /geoip/GeoLite2-ASN.mmdb email: # -- SMTP Server emails are sent from, fully optional host: "" + # -- SMTP server port port: 587 - # -- SMTP credentials, when left empty, not authentication will be done + # -- SMTP credentials, when left empty, no authentication will be done username: "" - # -- SMTP credentials, when left empty, not authentication will be done + # -- SMTP credentials, when left empty, no authentication will be done password: "" # -- Enable either use_tls or use_ssl, they can't be enabled at the same time. use_tls: false @@ -118,175 +199,743 @@ authentik: host: "{{ .Release.Name }}-redis-master" password: "" -# -- List of config maps to mount blueprints from. Only keys in the -# configmap ending with ".yaml" wil be discovered and applied -blueprints: [] - -# -- see configuration options at https://goauthentik.io/docs/installation/configuration/ -env: {} -# AUTHENTIK_VAR_NAME: VALUE - -envFrom: [] -# - configMapRef: -# name: special-config - -envValueFrom: {} -# AUTHENTIK_VAR_NAME: -# secretKeyRef: -# key: password -# name: my-secret - -service: - # -- Service that is created to access authentik - enabled: true - type: ClusterIP - port: 80 - name: http - protocol: TCP - labels: {} - annotations: {} -volumes: [] +blueprints: + # -- List of config maps to mount blueprints from. + # Only keys in the configMap ending with `.yaml` will be discovered and applied. + configMaps: [] + # -- List of secrets to mount blueprints from. + # Only keys in the secret ending with `.yaml` will be discovered and applied. + secrets: [] -volumeMounts: [] -# -- affinity applied to the deployments -affinity: {} +## authentik server +server: + # -- authentik server name + name: server -# -- tolerations applied to the deployments -tolerations: [] - -# -- nodeSelector applied to the deployments -nodeSelector: {} - -resources: - server: {} - worker: {} + # -- The number of server pods to run + replicas: 1 -autoscaling: - server: - # -- Create a HPA for the server deployment + ## authentik server Horizontal Pod Autoscaler + autoscaling: + # -- Enable Horizontal Pod Autoscaler ([HPA]) for the authentik server enabled: false + # -- Minimum number of replicas for the authentik server [HPA] minReplicas: 1 + # -- Maximum number of replicas for the authentik server [HPA] maxReplicas: 5 + # -- Average CPU utilization percentage for the authentik server [HPA] targetCPUUtilizationPercentage: 50 - worker: - # -- Create a HPA for the worker deployment - enabled: false - minReplicas: 1 - maxReplicas: 5 - targetCPUUtilizationPercentage: 80 + # -- Average memory utilization percentage for the authentik server [HPA] + targetMemoryUtilizationPercentage: ~ + # -- Configures the scaling behavior of the target in both Up and Down directions. + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 + # -- Configures custom HPA metrics for the authentik server + # Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + metrics: [] -pdb: - server: - # -- Deploy a PodDistrubtionBudget for the server + ## authentik server Pod Disruption Budget + ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + pdb: + # -- Deploy a [PodDistrubtionBudget] for the authentik server enabled: false - # -- Labels to be added to the server pdb + # -- Labels to be added to the authentik server pdb labels: {} - # -- Annotations to be added to the server pdb + # -- Annotations to be added to the authentik server pdb annotations: {} # -- Number of pods that are available after eviction as number or percentage (eg.: 50%) # @default -- `""` (defaults to 0 if not specified) minAvailable: "" # -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%) - ## Has higher precedence over `pdb.server.minAvailable` + ## Has higher precedence over `server.pdb.minAvailable` maxUnavailable: "" - worker: - # -- Deploy a PodDistrubtionBudget for the worker + + ## authentik server image + ## This should match what is deployed in the worker. Prefer using global.image + image: + # -- Repository to use to the authentik server + # @default -- `""` (defaults to global.image.repository) + repository: "" # defaults to global.image.repository + # -- Tag to use to the authentik server + # @default -- `""` (defaults to global.image.tag) + tag: "" # defaults to global.image.tag + # -- Digest to use to the authentik server + # @default -- `""` (defaults to global.image.digest) + digest: "" # defaults to global.image.digest + # -- Image pull policy to use to the authentik server + # @default -- `""` (defaults to global.image.pullPolicy) + pullPolicy: "" # defaults to global.image.pullPolicy + + # -- Secrets with credentials to pull images from a private registry + # @default -- `[]` (defaults to global.imagePullSecrets) + imagePullSecrets: [] + + # -- Environment variables to pass to the authentik server. Does not apply to GeoIP + # See configuration options at https://goauthentik.io/docs/installation/configuration/ + # @default -- `[]` (See [values.yaml]) + env: [] + # - name: AUTHENTIK_VAR_NAME + # value: VALUE + # - name: AUTHENTIK_VAR_OTHER + # valueFrom: + # secretKeyRef: + # name: secret-name + # key: secret-key + # - name: AUTHENTIK_VAR_ANOTHER + # valueFrom: + # configMapKeyRef: + # name: config-map-name + # key: config-map-key + + # -- envFrom to pass to the authentik server. Does not apply to GeoIP + # @default -- `[]` (See [values.yaml]) + envFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + + # -- Specify postStart and preStop lifecycle hooks for you authentik server container + lifecycle: {} + + # -- Additional containers to be added to the authentik server pod + ## Note: Supports use of custom Helm templates + extraContainers: [] + # - name: my-sidecar + # image: nginx:latest + + # -- Init containers to add to the authentik server pod + ## Note: Supports use of custom Helm templates + initContainers: [] + # - name: download-tools + # image: alpine:3 + # command: [sh, -c] + # args: + # - echo init + + # -- Additional volumeMounts to the authentik server main container + volumeMounts: [] + # - name: custom + # mountPath: /custom + + # -- Additional volumes to the authentik server pod + volumes: [] + # - name: custom + # emptyDir: {} + + # -- Annotations to be added to the authentik server Deployment + deploymentAnnotations: {} + + # -- Annotations to be added to the authentik server pods + podAnnotations: {} + + # -- Labels to be added to the authentik server pods + podLabels: {} + + # -- Resource limits and requests for the authentik server + resources: {} + # requests: + # cpu: 100m + # memory: 512Mi + # limits: + # memory: 512Mi + + # authentik server container ports + containerPorts: + # -- http container port + http: 9000 + # -- https container port + https: 9443 + # -- metrics container port + metrics: 9300 + + # -- Host Network for authentik server pods + hostNetwork: false + + # -- [DNS configuration] + dnsConfig: {} + # -- Alternative DNS policy for authentik server pods + dnsPolicy: "" + + # -- authentik server pod-level security context + # @default -- `{}` (See [values.yaml]) + securityContext: {} + # runAsUser: 1000 + # runAsGroup: 1000 + # fsGroup: 1000 + + # -- authentik server container-level security context + # @default -- See [values.yaml] + containerSecurityContext: {} + # Not all of the following has been tested. Use at your own risk. + # runAsNonRoot: true + # readOnlyRootFilesystem: true + # allowPrivilegeEscalation: false + # seccomProfile: + # type: RuntimeDefault + # capabilities: + # drop: + # - ALL + + ## Liveness, readiness and startup probes for authentik server + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + livenessProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 3 + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 5 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 1 + ## Probe configuration + httpGet: + path: /-/health/live/ + port: http + + readinessProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 3 + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 5 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 1 + ## Probe configuration + httpGet: + path: /-/health/ready/ + port: http + + startupProbe: + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 60 + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 5 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 10 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 1 + ## Probe configuration + httpGet: + path: /-/health/live/ + port: http + + # -- terminationGracePeriodSeconds for container lifecycle hook + terminationGracePeriodSeconds: 30 + + # -- Prority class for the authentik server pods + # @default -- `""` (defaults to global.priorityClassName) + priorityClassName: "" + + # -- [Node selector] + # @default -- `{}` (defaults to global.nodeSelector) + nodeSelector: {} + + # -- [Tolerations] for use with node taints + # @default -- `[]` (defaults to global.tolerations) + tolerations: [] + + # -- Assign custom [affinity] rules to the deployment + # @default -- `{}` (defaults to the global.affinity preset) + affinity: {} + + # -- Assign custom [TopologySpreadConstraints] rules to the authentik server + # @default -- `[]` (defaults to global.topologySpreadConstraints) + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + + # -- Deployment strategy to be added to the authentik server Deployment + # @default -- `{}` (defaults to global.deploymentStrategy) + deploymentStrategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 25% + # maxUnavailable: 25% + + ## authentik server service configuration + service: + # -- authentik server service annotations + annotations: {} + # -- authentik server service labels + labels: {} + # -- authentik server service type + type: ClusterIP + # -- authentik server service http port for NodePort service type (only if `server.service.type` is set to `NodePort`) + nodePortHttp: 30080 + # -- authentik server service https port for NodePort service type (only if `server.service.type` is set to `NodePort`) + nodePortHttps: 30443 + # -- authentik server service http port + servicePortHttp: 80 + # -- authentik server service https port + servicePortHttps: 443 + # -- authentik server service http port name + servicePortHttpName: http + # -- authentik server service https port name + servicePortHttpsName: https + # -- authentik server service http port appProtocol + # servicePortHttpAppProtocol: HTTP + # -- authentik server service https port appProtocol + # servicePortHttpsAppProtocol: HTTPS + # -- LoadBalancer will get created with the IP specified in this field + loadBalancerIP: "" + # -- Source IP ranges to allow access to service from + loadBalancerSourceRanges: [] + # -- authentik server service external IPs + externalIPs: [] + # -- Denotes if this service desires to route external traffic to node-local or cluster-wide endpoints + externalTrafficPolicy: "" + # -- Used to maintain session affinity. Supports `ClientIP` and `None` + sessionAffinity: "" + # -- Session affinity configuration + sessionAffinityConfig: {} + + ## authentik server metrics service configuration + metrics: + # -- deploy metrics service + enabled: false + service: + # -- metrics service type + type: ClusterIP + # -- metrics service clusterIP. `None` makes a "headless service" (no virtual IP) + clusterIP: "" + # -- metrics service annotations + annotations: {} + # -- metrics service labels + labels: {} + # -- metrics service port + servicePort: 9300 + # -- metrics service port name + portName: metrics + serviceMonitor: + # -- enable a prometheus ServiceMonitor + enabled: false + # -- Prometheus ServiceMonitor interval + interval: 30s + # -- Prometheus ServiceMonitor scrape timeout + scrapeTimeout: 3s + # -- Prometheus [RelabelConfigs] to apply to samples before scraping + relabelings: [] + # -- Prometheus [MetricsRelabelConfigs] to apply to samples before ingestion + metricRelabelings: [] + # -- Prometheus ServiceMonitor selector + selector: {} + # prometheus: kube-prometheus + + # -- Prometheus ServiceMonitor scheme + scheme: "" + # -- Prometheus ServiceMonitor tlsConfig + tlsConfig: {} + # -- Prometheus ServiceMonitor namespace + namespace: "" + # -- Prometheus ServiceMonitor labels + labels: {} + # -- Prometheus ServiceMonitor annotations + annotations: {} + + ingress: + # -- enable an ingress resource for the authentik server enabled: false - # -- Labels to be added to the worker pdb + # -- additional ingress annotations + annotations: {} + # -- additional ingress labels labels: {} - # -- Annotations to be added to the worker pdb + # -- defines which ingress controller will implement the resource + ingressClassName: "" + # -- List of ingress hosts + hosts: [] + # - authentik.domain.tld + + # -- List of ingress paths + paths: + - / + # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` + pathType: Prefix + # -- additional ingress paths + extraPaths: [] + # - path: /* + # pathType: Prefix + # backend: + # service: + # name: ssl-redirect + # port: + # name: use-annotation + + # -- ingress TLS configuration + tls: [] + # - secretName: authentik-tls + # hosts: + # - authentik.domain.tld + + # -- uses `server.service.servicePortHttps` instead of `server.service.servicePortHttp` + https: false + + +## authentik worker +worker: + # -- authentik worker name + name: worker + + # -- The number of worker pods to run + replicas: 1 + + ## authentik worker Horizontal Pod Autoscaler + autoscaling: + # -- Enable Horizontal Pod Autoscaler ([HPA]) for the authentik worker + enabled: false + # -- Minimum number of replicas for the authentik worker [HPA] + minReplicas: 1 + # -- Maximum number of replicas for the authentik worker [HPA] + maxReplicas: 5 + # -- Average CPU utilization percentage for the authentik worker [HPA] + targetCPUUtilizationPercentage: 50 + # -- Average memory utilization percentage for the authentik worker [HPA] + targetMemoryUtilizationPercentage: ~ + # -- Configures the scaling behavior of the target in both Up and Down directions. + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 + # -- Configures custom HPA metrics for the authentik worker + # Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + metrics: [] + + ## authentik worker Pod Disruption Budget + ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + pdb: + # -- Deploy a [PodDistrubtionBudget] for the authentik worker + enabled: false + # -- Labels to be added to the authentik worker pdb + labels: {} + # -- Annotations to be added to the authentik worker pdb annotations: {} # -- Number of pods that are available after eviction as number or percentage (eg.: 50%) # @default -- `""` (defaults to 0 if not specified) minAvailable: "" # -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%) - ## Has higher precedence over `pdb.worker.minAvailable` + ## Has higher precedence over `worker.pdb.minAvailable` maxUnavailable: "" -livenessProbe: - # -- enables or disables the livenessProbe - enabled: true - httpGet: - # -- liveness probe url path - path: /-/health/live/ - port: http - initialDelaySeconds: 5 - periodSeconds: 10 - -startupProbe: - # -- enables or disables the livenessProbe - enabled: true - httpGet: - # -- liveness probe url path - path: /-/health/live/ - port: http - failureThreshold: 60 - periodSeconds: 5 - -readinessProbe: - enabled: true - httpGet: - path: /-/health/ready/ - port: http - periodSeconds: 10 + ## authentik worker image + ## This should match what is deployed in the server. Prefer using global.image + image: + # -- Repository to use to the authentik worker + # @default -- `""` (defaults to global.image.repository) + repository: "" # defaults to global.image.repository + # -- Tag to use to the authentik worker + # @default -- `""` (defaults to global.image.tag) + tag: "" # defaults to global.image.tag + # -- Digest to use to the authentik worker + # @default -- `""` (defaults to global.image.digest) + digest: "" # defaults to global.image.digest + # -- Image pull policy to use to the authentik worker + # @default -- `""` (defaults to global.image.pullPolicy) + pullPolicy: "" # defaults to global.image.pullPolicy + + # -- Secrets with credentials to pull images from a private registry + # @default -- `[]` (defaults to global.imagePullSecrets) + imagePullSecrets: [] + + # -- Environment variables to pass to the authentik worker. Does not apply to GeoIP + # See configuration options at https://goauthentik.io/docs/installation/configuration/ + # @default -- `[]` (See [values.yaml]) + env: [] + # - name: AUTHENTIK_VAR_NAME + # value: VALUE + # - name: AUTHENTIK_VAR_OTHER + # valueFrom: + # secretKeyRef: + # name: secret-name + # key: secret-key + # - name: AUTHENTIK_VAR_ANOTHER + # valueFrom: + # configMapKeyRef: + # name: config-map-name + # key: config-map-key + + # -- envFrom to pass to the authentik worker. Does not apply to GeoIP + # @default -- `[]` (See [values.yaml]) + envFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + + # -- Specify postStart and preStop lifecycle hooks for you authentik worker container + lifecycle: {} + + # -- Additional containers to be added to the authentik worker pod + ## Note: Supports use of custom Helm templates + extraContainers: [] + # - name: my-sidecar + # image: nginx:latest + + # -- Init containers to add to the authentik worker pod + ## Note: Supports use of custom Helm templates + initContainers: [] + # - name: download-tools + # image: alpine:3 + # command: [sh, -c] + # args: + # - echo init + + # -- Additional volumeMounts to the authentik worker main container + volumeMounts: [] + # - name: custom + # mountPath: /custom + + # -- Additional volumes to the authentik worker pod + volumes: [] + # - name: custom + # emptyDir: {} + + # -- Annotations to be added to the authentik worker Deployment + deploymentAnnotations: {} + + # -- Annotations to be added to the authentik worker pods + podAnnotations: {} + + # -- Labels to be added to the authentik worker pods + podLabels: {} + + # -- Resource limits and requests for the authentik worker + resources: {} + # requests: + # cpu: 100m + # memory: 512Mi + # limits: + # memory: 512Mi + + # -- Host Network for authentik worker pods + hostNetwork: false + + # -- [DNS configuration] + dnsConfig: {} + # -- Alternative DNS policy for authentik worker pods + dnsPolicy: "" + + # -- authentik worker pod-level security context + # @default -- `{}` (See [values.yaml]) + securityContext: {} + # runAsUser: 1000 + # runAsGroup: 1000 + # fsGroup: 1000 + + # -- authentik worker container-level security context + # @default -- See [values.yaml] + containerSecurityContext: {} + # Not all of the following has been tested. Use at your own risk. + # runAsNonRoot: true + # readOnlyRootFilesystem: true + # allowPrivilegeEscalation: false + # seccomProfile: + # type: RuntimeDefault + # capabilities: + # drop: + # - ALL + + # -- terminationGracePeriodSeconds for container lifecycle hook + terminationGracePeriodSeconds: 30 + + # -- Prority class for the authentik worker pods + # @default -- `""` (defaults to global.priorityClassName) + priorityClassName: "" + + # -- [Node selector] + # @default -- `{}` (defaults to global.nodeSelector) + nodeSelector: {} + + # -- [Tolerations] for use with node taints + # @default -- `[]` (defaults to global.tolerations) + tolerations: [] + + # -- Assign custom [affinity] rules to the deployment + # @default -- `{}` (defaults to the global.affinity preset) + affinity: {} + + # -- Assign custom [TopologySpreadConstraints] rules to the authentik worker + # @default -- `[]` (defaults to global.topologySpreadConstraints) + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + + # -- Deployment strategy to be added to the authentik worker Deployment + # @default -- `{}` (defaults to global.deploymentStrategy) + deploymentStrategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 25% + # maxUnavailable: 25% + serviceAccount: - # -- Service account is needed for managed outposts + # -- Create service account. Needed for managed outposts create: true + # -- additional service account annotations annotations: {} serviceAccountSecret: - # -- As we use the authentik-remote-cluster chart as subchart, and that chart - # creates a service account secret by default which we don't need here, disable its creation + # As we use the authentik-remote-cluster chart as subchart, and that chart + # creates a service account secret by default which we don't need here, + # disable its creation enabled: false fullnameOverride: authentik - nameOverride: authentik -prometheus: - serviceMonitor: - create: false - interval: 30s - scrapeTimeout: 3s - # -- labels additional on ServiceMonitor - labels: {} - rules: - create: false - # -- labels additional on PrometheusRule - labels: {} geoip: - # -- optional GeoIP, deploys a cronjob to download the maxmind database + # -- enable GeoIP sidecars for the authentik server and worker pods enabled: false + + editionIds: "GeoLite2-City GeoLite2-ASN" + # -- GeoIP update frequency, in hours + updateInterval: 8 # -- sign up under https://www.maxmind.com/en/geolite2/signup accountId: "" # -- sign up under https://www.maxmind.com/en/geolite2/signup licenseKey: "" - editionIds: "GeoLite2-City" - image: maxmindinc/geoipupdate:v4.8 - # -- number of hours between update runs - updateInterval: 8 - # -- server containerSecurityContext + ## use existing secret instead of values above + existingSecret: + # -- name of an existing secret to use instead of values above + secretName: "" + # -- key in the secret containing the account ID + accountId: "account_id" + # -- key in the secret containing the license key + licenseKey: "license_key" + + image: + # -- If defined, a repository for GeoIP images + repository: ghcr.io/maxmind/geoipupdate + # -- If defined, a tag for GeoIP images + tag: v6.0.0 + # -- If defined, an image digest for GeoIP images + digest: "" + # -- If defined, an imagePullPolicy for GeoIP images + pullPolicy: IfNotPresent + + # -- Environment variables to pass to the GeoIP containers + # @default -- `[]` (See [values.yaml]) + env: [] + # - name: GEOIPUPDATE_VAR_NAME + # value: VALUE + # - name: GEOIPUPDATE_VAR_OTHER + # valueFrom: + # secretKeyRef: + # name: secret-name + # key: secret-key + # - name: GEOIPUPDATE_VAR_ANOTHER + # valueFrom: + # configMapKeyRef: + # name: config-map-name + # key: config-map-key + + # -- envFrom to pass to the GeoIP containers + # @default -- `[]` (See [values.yaml]) + envFrom: [] + # - configMapRef: + # name: config-map-name + # - secretRef: + # name: secret-name + + # -- Additional volumeMounts to the GeoIP containers. Make sure the volumes exists for the server and the worker. + volumeMounts: [] + # - name: custom + # mountPath: /custom + + # -- Resource limits and requests for GeoIP containers + resources: {} + # requests: + # cpu: 100m + # memory: 128Mi + # limits: + # memory: 128Mi + + # -- GeoIP container-level security context + # @default -- See [values.yaml] containerSecurityContext: {} + # Not all of the following has been tested. Use at your own risk. + # runAsNonRoot: true + # readOnlyRootFilesystem: true + # allowPrivilegeEscalation: false + # seccomProfile: + # type: RuntimeDefault + # capabilities: + # drop: + # - ALL + + +prometheus: + rules: + enabled: false + # -- PrometheusRule namespace + namespace: "" + # -- PrometheusRule selector + selector: {} + # prometheus: kube-prometheus + + # -- PrometheusRule labels + labels: {} + # -- PrometheusRule annotations + annotations: {} + + postgresql: - # -- enable the bundled bitnami postgresql chart + # -- enable the Bitnami PostgreSQL chart. Refer to https://github.com/bitnami/charts/blob/main/bitnami/postgresql/ for possible values. enabled: false - postgresqlMaxConnections: 500 - postgresqlUsername: "authentik" - # postgresqlPassword: "" - postgresqlDatabase: "authentik" - # persistence: - # enabled: true - # storageClass: - # accessModes: - # - ReadWriteOnce - image: - tag: 15.4.0-debian-11-r0 + auth: + username: authentik + database: authentik + # password: "" + primary: + extendedConfiguration: | + max_connections = 500 + # persistence: + # enabled: true + # storageClass: + # accessModes: + # - ReadWriteOnce + + redis: - # -- enable the bundled bitnami redis chart + # -- enable the Bitnami Redis chart. Refer to https://github.com/bitnami/charts/blob/main/bitnami/redis/ for possible values. enabled: false architecture: standalone auth: enabled: false - image: - tag: 6.2.10-debian-11-r13 + + +# -- additional resources to deploy. Those objects are templated. +additionalObjects: [] diff --git a/charts/postgresql/Chart.yaml b/charts/postgresql/Chart.yaml deleted file mode 100644 index 9d61b6ad..00000000 --- a/charts/postgresql/Chart.yaml +++ /dev/null @@ -1,37 +0,0 @@ -annotations: - category: Database - images: | - - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r34 - - name: postgres-exporter - image: docker.io/bitnami/postgres-exporter:0.13.2-debian-11-r15 - - name: postgresql - image: docker.io/bitnami/postgresql:15.4.0-debian-11-r0 - licenses: Apache-2.0 -apiVersion: v2 -appVersion: 15.4.0 -dependencies: -- name: common - repository: oci://registry-1.docker.io/bitnamicharts - tags: - - bitnami-common - version: 2.x.x -description: PostgreSQL (Postgres) is an open source object-relational database known - for reliability and data integrity. ACID-compliant, it supports foreign keys, joins, - views, triggers and stored procedures. -home: https://bitnami.com -icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-220x234.png -keywords: -- postgresql -- postgres -- database -- sql -- replication -- cluster -maintainers: -- name: VMware, Inc. - url: https://github.com/bitnami/charts -name: postgresql -sources: -- https://github.com/bitnami/charts/tree/main/bitnami/postgresql -version: 12.8.2 diff --git a/charts/postgresql/README.md b/charts/postgresql/README.md deleted file mode 100644 index 31c0232a..00000000 --- a/charts/postgresql/README.md +++ /dev/null @@ -1,734 +0,0 @@ - - -# PostgreSQL packaged by Bitnami - -PostgreSQL (Postgres) is an open source object-relational database known for reliability and data integrity. ACID-compliant, it supports foreign keys, joins, views, triggers and stored procedures. - -[Overview of PostgreSQL](http://www.postgresql.org) - -Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement. - -## TL;DR - -```console -helm install my-release oci://registry-1.docker.io/bitnamicharts/postgresql -``` - -## Introduction - -This chart bootstraps a [PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. - -For HA, please see [this repo](https://github.com/bitnami/charts/tree/main/bitnami/postgresql-ha) - -Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. - -Looking to use PostgreSQL in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - -## Prerequisites - -- Kubernetes 1.19+ -- Helm 3.2.0+ -- PV provisioner support in the underlying infrastructure - -## Installing the Chart - -To install the chart with the release name `my-release`: - -```console -helm install my-release oci://registry-1.docker.io/bitnamicharts/postgresql -``` - -The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. - -> **Tip**: List all releases using `helm list` - -## Uninstalling the Chart - -To uninstall/delete the `my-release` deployment: - -```console -helm delete my-release -``` - -The command removes all the Kubernetes components but PVC's associated with the chart and deletes the release. - -To delete the PVC's associated with `my-release`: - -```console -kubectl delete pvc -l release=my-release -``` - -> **Note**: Deleting the PVC's will delete postgresql data as well. Please be cautious before doing it. - -## Parameters - -### Global parameters - -| Name | Description | Value | -| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | -| `global.postgresql.auth.postgresPassword` | Password for the "postgres" admin user (overrides `auth.postgresPassword`) | `""` | -| `global.postgresql.auth.username` | Name for a custom user to create (overrides `auth.username`) | `""` | -| `global.postgresql.auth.password` | Password for the custom user to create (overrides `auth.password`) | `""` | -| `global.postgresql.auth.database` | Name for a custom database to create (overrides `auth.database`) | `""` | -| `global.postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). | `""` | -| `global.postgresql.auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | -| `global.postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | -| `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | -| `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` | - -### Common parameters - -| Name | Description | Value | -| ------------------------ | -------------------------------------------------------------------------------------------- | --------------- | -| `kubeVersion` | Override Kubernetes version | `""` | -| `nameOverride` | String to partially override common.names.fullname template (will maintain the release name) | `""` | -| `fullnameOverride` | String to fully override common.names.fullname template | `""` | -| `clusterDomain` | Kubernetes Cluster Domain | `cluster.local` | -| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template) | `[]` | -| `commonLabels` | Add labels to all the deployed resources | `{}` | -| `commonAnnotations` | Add annotations to all the deployed resources | `{}` | -| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | -| `diagnosticMode.command` | Command to override all containers in the statefulset | `["sleep"]` | -| `diagnosticMode.args` | Args to override all containers in the statefulset | `["infinity"]` | - -### PostgreSQL common parameters - -| Name | Description | Value | -| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | -| `image.registry` | PostgreSQL image registry | `docker.io` | -| `image.repository` | PostgreSQL image repository | `bitnami/postgresql` | -| `image.tag` | PostgreSQL image tag (immutable tags are recommended) | `15.4.0-debian-11-r0` | -| `image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `image.pullPolicy` | PostgreSQL image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Specify image pull secrets | `[]` | -| `image.debug` | Specify if debug values should be set | `false` | -| `auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `true` | -| `auth.postgresPassword` | Password for the "postgres" admin user. Ignored if `auth.existingSecret` is provided | `""` | -| `auth.username` | Name for a custom user to create | `""` | -| `auth.password` | Password for the custom user to create. Ignored if `auth.existingSecret` is provided | `""` | -| `auth.database` | Name for a custom database to create | `""` | -| `auth.replicationUsername` | Name of the replication user | `repl_user` | -| `auth.replicationPassword` | Password for the replication user. Ignored if `auth.existingSecret` is provided | `""` | -| `auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials. `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case. | `""` | -| `auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `postgres-password` | -| `auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `password` | -| `auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `replication-password` | -| `auth.usePasswordFiles` | Mount credentials as a files instead of using an environment variable | `false` | -| `architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` | -| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` | -| `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `readReplicas.replicaCount`. | `0` | -| `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` | -| `containerPorts.postgresql` | PostgreSQL container port | `5432` | -| `audit.logHostname` | Log client hostnames | `false` | -| `audit.logConnections` | Add client log-in operations to the log file | `false` | -| `audit.logDisconnections` | Add client log-outs operations to the log file | `false` | -| `audit.pgAuditLog` | Add operations to log using the pgAudit extension | `""` | -| `audit.pgAuditLogCatalog` | Log catalog using pgAudit | `off` | -| `audit.clientMinMessages` | Message log level to share with the user | `error` | -| `audit.logLinePrefix` | Template for log line prefix (default if not set) | `""` | -| `audit.logTimezone` | Timezone for the log timestamps | `""` | -| `ldap.enabled` | Enable LDAP support | `false` | -| `ldap.server` | IP address or name of the LDAP server. | `""` | -| `ldap.port` | Port number on the LDAP server to connect to | `""` | -| `ldap.prefix` | String to prepend to the user name when forming the DN to bind | `""` | -| `ldap.suffix` | String to append to the user name when forming the DN to bind | `""` | -| `ldap.basedn` | Root DN to begin the search for the user in | `""` | -| `ldap.binddn` | DN of user to bind to LDAP | `""` | -| `ldap.bindpw` | Password for the user to bind to LDAP | `""` | -| `ldap.searchAttribute` | Attribute to match against the user name in the search | `""` | -| `ldap.searchFilter` | The search filter to use when doing search+bind authentication | `""` | -| `ldap.scheme` | Set to `ldaps` to use LDAPS | `""` | -| `ldap.tls.enabled` | Se to true to enable TLS encryption | `false` | -| `ldap.uri` | LDAP URL beginning in the form `ldap[s]://host[:port]/basedn`. If provided, all the other LDAP parameters will be ignored. | `""` | -| `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql/data` | -| `postgresqlSharedPreloadLibraries` | Shared preload libraries (comma-separated list) | `pgaudit` | -| `shmVolume.enabled` | Enable emptyDir volume for /dev/shm for PostgreSQL pod(s) | `true` | -| `shmVolume.sizeLimit` | Set this to enable a size limit on the shm tmpfs | `""` | -| `tls.enabled` | Enable TLS traffic support | `false` | -| `tls.autoGenerated` | Generate automatically self-signed TLS certificates | `false` | -| `tls.preferServerCiphers` | Whether to use the server's TLS cipher preferences rather than the client's | `true` | -| `tls.certificatesSecret` | Name of an existing secret that contains the certificates | `""` | -| `tls.certFilename` | Certificate filename | `""` | -| `tls.certKeyFilename` | Certificate key filename | `""` | -| `tls.certCAFilename` | CA Certificate filename | `""` | -| `tls.crlFilename` | File containing a Certificate Revocation List | `""` | - -### PostgreSQL Primary parameters - -| Name | Description | Value | -| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- | -| `primary.name` | Name of the primary database (eg primary, master, leader, ...) | `primary` | -| `primary.configuration` | PostgreSQL Primary main configuration to be injected as ConfigMap | `""` | -| `primary.pgHbaConfiguration` | PostgreSQL Primary client authentication configuration | `""` | -| `primary.existingConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary configuration | `""` | -| `primary.extendedConfiguration` | Extended PostgreSQL Primary configuration (appended to main or default configuration) | `""` | -| `primary.existingExtendedConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary extended configuration | `""` | -| `primary.initdb.args` | PostgreSQL initdb extra arguments | `""` | -| `primary.initdb.postgresqlWalDir` | Specify a custom location for the PostgreSQL transaction log | `""` | -| `primary.initdb.scripts` | Dictionary of initdb scripts | `{}` | -| `primary.initdb.scriptsConfigMap` | ConfigMap with scripts to be run at first boot | `""` | -| `primary.initdb.scriptsSecret` | Secret with scripts to be run at first boot (in case it contains sensitive information) | `""` | -| `primary.initdb.user` | Specify the PostgreSQL username to execute the initdb scripts | `""` | -| `primary.initdb.password` | Specify the PostgreSQL password to execute the initdb scripts | `""` | -| `primary.standby.enabled` | Whether to enable current cluster's primary as standby server of another cluster or not | `false` | -| `primary.standby.primaryHost` | The Host of replication primary in the other cluster | `""` | -| `primary.standby.primaryPort` | The Port of replication primary in the other cluster | `""` | -| `primary.extraEnvVars` | Array with extra environment variables to add to PostgreSQL Primary nodes | `[]` | -| `primary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes | `""` | -| `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL Primary nodes | `""` | -| `primary.command` | Override default container command (useful when using custom images) | `[]` | -| `primary.args` | Override default container args (useful when using custom images) | `[]` | -| `primary.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Primary containers | `true` | -| `primary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | -| `primary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `primary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `primary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | -| `primary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `primary.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Primary containers | `true` | -| `primary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `primary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `primary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | -| `primary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | -| `primary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `primary.startupProbe.enabled` | Enable startupProbe on PostgreSQL Primary containers | `false` | -| `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | -| `primary.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `primary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | -| `primary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | -| `primary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `primary.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `primary.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `primary.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `primary.lifecycleHooks` | for the PostgreSQL Primary container to automate configuration before or after startup | `{}` | -| `primary.resources.limits` | The resources limits for the PostgreSQL Primary containers | `{}` | -| `primary.resources.requests.memory` | The requested memory for the PostgreSQL Primary containers | `256Mi` | -| `primary.resources.requests.cpu` | The requested cpu for the PostgreSQL Primary containers | `250m` | -| `primary.podSecurityContext.enabled` | Enable security context | `true` | -| `primary.podSecurityContext.fsGroup` | Group ID for the pod | `1001` | -| `primary.containerSecurityContext.enabled` | Enable container security context | `true` | -| `primary.containerSecurityContext.runAsUser` | User ID for the container | `1001` | -| `primary.containerSecurityContext.runAsGroup` | Group ID for the container | `0` | -| `primary.containerSecurityContext.runAsNonRoot` | Set runAsNonRoot for the container | `true` | -| `primary.containerSecurityContext.allowPrivilegeEscalation` | Set allowPrivilegeEscalation for the container | `false` | -| `primary.containerSecurityContext.seccompProfile.type` | Set seccompProfile.type for the container | `RuntimeDefault` | -| `primary.containerSecurityContext.capabilities.drop` | Set capabilities.drop for the container | `["ALL"]` | -| `primary.hostAliases` | PostgreSQL primary pods host aliases | `[]` | -| `primary.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (postgresql primary) | `false` | -| `primary.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` | -| `primary.labels` | Map of labels to add to the statefulset (postgresql primary) | `{}` | -| `primary.annotations` | Annotations for PostgreSQL primary pods | `{}` | -| `primary.podLabels` | Map of labels to add to the pods (postgresql primary) | `{}` | -| `primary.podAnnotations` | Map of annotations to add to the pods (postgresql primary) | `{}` | -| `primary.podAffinityPreset` | PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `primary.podAntiAffinityPreset` | PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `primary.nodeAffinityPreset.type` | PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `primary.nodeAffinityPreset.key` | PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. | `""` | -| `primary.nodeAffinityPreset.values` | PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. | `[]` | -| `primary.affinity` | Affinity for PostgreSQL primary pods assignment | `{}` | -| `primary.nodeSelector` | Node labels for PostgreSQL primary pods assignment | `{}` | -| `primary.tolerations` | Tolerations for PostgreSQL primary pods assignment | `[]` | -| `primary.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | -| `primary.priorityClassName` | Priority Class to use for each pod (postgresql primary) | `""` | -| `primary.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` | -| `primary.terminationGracePeriodSeconds` | Seconds PostgreSQL primary pod needs to terminate gracefully | `""` | -| `primary.updateStrategy.type` | PostgreSQL Primary statefulset strategy type | `RollingUpdate` | -| `primary.updateStrategy.rollingUpdate` | PostgreSQL Primary statefulset rolling update configuration parameters | `{}` | -| `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s) | `[]` | -| `primary.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s) | `[]` | -| `primary.sidecars` | Add additional sidecar containers to the PostgreSQL Primary pod(s) | `[]` | -| `primary.initContainers` | Add additional init containers to the PostgreSQL Primary pod(s) | `[]` | -| `primary.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) | `{}` | -| `primary.service.type` | Kubernetes Service type | `ClusterIP` | -| `primary.service.ports.postgresql` | PostgreSQL service port | `5432` | -| `primary.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` | -| `primary.service.clusterIP` | Static clusterIP or None for headless services | `""` | -| `primary.service.annotations` | Annotations for PostgreSQL primary service | `{}` | -| `primary.service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` | -| `primary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | -| `primary.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` | -| `primary.service.extraPorts` | Extra ports to expose in the PostgreSQL primary service | `[]` | -| `primary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `primary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `primary.service.headless.annotations` | Additional custom annotations for headless PostgreSQL primary service | `{}` | -| `primary.persistence.enabled` | Enable PostgreSQL Primary data persistence using PVC | `true` | -| `primary.persistence.existingClaim` | Name of an existing PVC to use | `""` | -| `primary.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` | -| `primary.persistence.subPath` | The subdirectory of the volume to mount to | `""` | -| `primary.persistence.storageClass` | PVC Storage Class for PostgreSQL Primary data volume | `""` | -| `primary.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` | -| `primary.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` | -| `primary.persistence.annotations` | Annotations for the PVC | `{}` | -| `primary.persistence.labels` | Labels for the PVC | `{}` | -| `primary.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` | -| `primary.persistence.dataSource` | Custom PVC data source | `{}` | - -### PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`) - -| Name | Description | Value | -| ---------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- | -| `readReplicas.name` | Name of the read replicas database (eg secondary, slave, ...) | `read` | -| `readReplicas.replicaCount` | Number of PostgreSQL read only replicas | `1` | -| `readReplicas.extendedConfiguration` | Extended PostgreSQL read only replicas configuration (appended to main or default configuration) | `""` | -| `readReplicas.extraEnvVars` | Array with extra environment variables to add to PostgreSQL read only nodes | `[]` | -| `readReplicas.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes | `""` | -| `readReplicas.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL read only nodes | `""` | -| `readReplicas.command` | Override default container command (useful when using custom images) | `[]` | -| `readReplicas.args` | Override default container args (useful when using custom images) | `[]` | -| `readReplicas.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL read only containers | `true` | -| `readReplicas.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | -| `readReplicas.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `readReplicas.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `readReplicas.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | -| `readReplicas.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `readReplicas.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL read only containers | `true` | -| `readReplicas.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `readReplicas.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `readReplicas.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | -| `readReplicas.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | -| `readReplicas.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `readReplicas.startupProbe.enabled` | Enable startupProbe on PostgreSQL read only containers | `false` | -| `readReplicas.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | -| `readReplicas.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `readReplicas.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | -| `readReplicas.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | -| `readReplicas.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `readReplicas.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `readReplicas.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `readReplicas.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `readReplicas.lifecycleHooks` | for the PostgreSQL read only container to automate configuration before or after startup | `{}` | -| `readReplicas.resources.limits` | The resources limits for the PostgreSQL read only containers | `{}` | -| `readReplicas.resources.requests.memory` | The requested memory for the PostgreSQL read only containers | `256Mi` | -| `readReplicas.resources.requests.cpu` | The requested cpu for the PostgreSQL read only containers | `250m` | -| `readReplicas.podSecurityContext.enabled` | Enable security context | `true` | -| `readReplicas.podSecurityContext.fsGroup` | Group ID for the pod | `1001` | -| `readReplicas.containerSecurityContext.enabled` | Enable container security context | `true` | -| `readReplicas.containerSecurityContext.runAsUser` | User ID for the container | `1001` | -| `readReplicas.containerSecurityContext.runAsGroup` | Group ID for the container | `0` | -| `readReplicas.containerSecurityContext.runAsNonRoot` | Set runAsNonRoot for the container | `true` | -| `readReplicas.containerSecurityContext.allowPrivilegeEscalation` | Set allowPrivilegeEscalation for the container | `false` | -| `readReplicas.containerSecurityContext.seccompProfile.type` | Set seccompProfile.type for the container | `RuntimeDefault` | -| `readReplicas.containerSecurityContext.capabilities.drop` | Set capabilities.drop for the container | `["ALL"]` | -| `readReplicas.hostAliases` | PostgreSQL read only pods host aliases | `[]` | -| `readReplicas.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only) | `false` | -| `readReplicas.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` | -| `readReplicas.labels` | Map of labels to add to the statefulset (PostgreSQL read only) | `{}` | -| `readReplicas.annotations` | Annotations for PostgreSQL read only pods | `{}` | -| `readReplicas.podLabels` | Map of labels to add to the pods (PostgreSQL read only) | `{}` | -| `readReplicas.podAnnotations` | Map of annotations to add to the pods (PostgreSQL read only) | `{}` | -| `readReplicas.podAffinityPreset` | PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `readReplicas.podAntiAffinityPreset` | PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `readReplicas.nodeAffinityPreset.type` | PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `readReplicas.nodeAffinityPreset.key` | PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. | `""` | -| `readReplicas.nodeAffinityPreset.values` | PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. | `[]` | -| `readReplicas.affinity` | Affinity for PostgreSQL read only pods assignment | `{}` | -| `readReplicas.nodeSelector` | Node labels for PostgreSQL read only pods assignment | `{}` | -| `readReplicas.tolerations` | Tolerations for PostgreSQL read only pods assignment | `[]` | -| `readReplicas.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | -| `readReplicas.priorityClassName` | Priority Class to use for each pod (PostgreSQL read only) | `""` | -| `readReplicas.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` | -| `readReplicas.terminationGracePeriodSeconds` | Seconds PostgreSQL read only pod needs to terminate gracefully | `""` | -| `readReplicas.updateStrategy.type` | PostgreSQL read only statefulset strategy type | `RollingUpdate` | -| `readReplicas.updateStrategy.rollingUpdate` | PostgreSQL read only statefulset rolling update configuration parameters | `{}` | -| `readReplicas.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s) | `[]` | -| `readReplicas.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s) | `[]` | -| `readReplicas.sidecars` | Add additional sidecar containers to the PostgreSQL read only pod(s) | `[]` | -| `readReplicas.initContainers` | Add additional init containers to the PostgreSQL read only pod(s) | `[]` | -| `readReplicas.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL read only pod(s) | `{}` | -| `readReplicas.service.type` | Kubernetes Service type | `ClusterIP` | -| `readReplicas.service.ports.postgresql` | PostgreSQL service port | `5432` | -| `readReplicas.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` | -| `readReplicas.service.clusterIP` | Static clusterIP or None for headless services | `""` | -| `readReplicas.service.annotations` | Annotations for PostgreSQL read only service | `{}` | -| `readReplicas.service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` | -| `readReplicas.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | -| `readReplicas.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` | -| `readReplicas.service.extraPorts` | Extra ports to expose in the PostgreSQL read only service | `[]` | -| `readReplicas.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `readReplicas.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `readReplicas.service.headless.annotations` | Additional custom annotations for headless PostgreSQL read only service | `{}` | -| `readReplicas.persistence.enabled` | Enable PostgreSQL read only data persistence using PVC | `true` | -| `readReplicas.persistence.existingClaim` | Name of an existing PVC to use | `""` | -| `readReplicas.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` | -| `readReplicas.persistence.subPath` | The subdirectory of the volume to mount to | `""` | -| `readReplicas.persistence.storageClass` | PVC Storage Class for PostgreSQL read only data volume | `""` | -| `readReplicas.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` | -| `readReplicas.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` | -| `readReplicas.persistence.annotations` | Annotations for the PVC | `{}` | -| `readReplicas.persistence.labels` | Labels for the PVC | `{}` | -| `readReplicas.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` | -| `readReplicas.persistence.dataSource` | Custom PVC data source | `{}` | - -### Backup parameters - -| Name | Description | Value | -| ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `backup.enabled` | Enable the logical dump of the database "regularly" | `false` | -| `backup.cronjob.schedule` | Set the cronjob parameter schedule | `@daily` | -| `backup.cronjob.concurrencyPolicy` | Set the cronjob parameter concurrencyPolicy | `Allow` | -| `backup.cronjob.failedJobsHistoryLimit` | Set the cronjob parameter failedJobsHistoryLimit | `1` | -| `backup.cronjob.successfulJobsHistoryLimit` | Set the cronjob parameter successfulJobsHistoryLimit | `3` | -| `backup.cronjob.startingDeadlineSeconds` | Set the cronjob parameter startingDeadlineSeconds | `""` | -| `backup.cronjob.ttlSecondsAfterFinished` | Set the cronjob parameter ttlSecondsAfterFinished | `""` | -| `backup.cronjob.restartPolicy` | Set the cronjob parameter restartPolicy | `OnFailure` | -| `backup.cronjob.containerSecurityContext.runAsUser` | User ID for the backup container | `1001` | -| `backup.cronjob.containerSecurityContext.runAsGroup` | Group ID for the backup container | `0` | -| `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set backup container's Security Context runAsNonRoot | `true` | -| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Is the container itself readonly | `true` | -| `backup.cronjob.containerSecurityContext.allowPrivilegeEscalation` | Is it possible to escalate backup pod(s) privileges | `false` | -| `backup.cronjob.containerSecurityContext.seccompProfile.type` | Set backup container's Security Context seccompProfile type | `RuntimeDefault` | -| `backup.cronjob.containerSecurityContext.capabilities.drop` | Set backup container's Security Context capabilities to drop | `["ALL"]` | -| `backup.cronjob.command` | Set backup container's command to run | `["/bin/sh","-c","pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file=${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump"]` | -| `backup.cronjob.labels` | Set the cronjob labels | `{}` | -| `backup.cronjob.annotations` | Set the cronjob annotations | `{}` | -| `backup.cronjob.storage.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` | -| `backup.cronjob.storage.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` | -| `backup.cronjob.storage.storageClass` | PVC Storage Class for the backup data volume | `""` | -| `backup.cronjob.storage.accessModes` | PV Access Mode | `["ReadWriteOnce"]` | -| `backup.cronjob.storage.size` | PVC Storage Request for the backup data volume | `8Gi` | -| `backup.cronjob.storage.annotations` | PVC annotations | `{}` | -| `backup.cronjob.storage.mountPath` | Path to mount the volume at | `/backup/pgdump` | -| `backup.cronjob.storage.subPath` | Subdirectory of the volume to mount at | `""` | -| `backup.cronjob.storage.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` | - -### NetworkPolicy parameters - -| Name | Description | Value | -| ------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `networkPolicy.enabled` | Enable network policies | `false` | -| `networkPolicy.metrics.enabled` | Enable network policies for metrics (prometheus) | `false` | -| `networkPolicy.metrics.namespaceSelector` | Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. | `{}` | -| `networkPolicy.metrics.podSelector` | Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. | `{}` | -| `networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin. | `false` | -| `networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s). | `{}` | -| `networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s). | `{}` | -| `networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL primary node. | `[]` | -| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin. | `false` | -| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s). | `{}` | -| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s). | `{}` | -| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL read-only nodes. | `[]` | -| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). | `false` | -| `networkPolicy.egressRules.customRules` | Custom network policy rule | `[]` | - -### Volume Permissions parameters - -| Name | Description | Value | -| ---------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------------------ | -| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | -| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | -| `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/os-shell` | -| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r34` | -| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | -| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | -| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | -| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | -| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | -| `volumePermissions.containerSecurityContext.runAsGroup` | Group ID for the init container | `0` | -| `volumePermissions.containerSecurityContext.runAsNonRoot` | runAsNonRoot for the init container | `false` | -| `volumePermissions.containerSecurityContext.seccompProfile.type` | seccompProfile.type for the init container | `RuntimeDefault` | - -### Other Parameters - -| Name | Description | Value | -| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` | -| `serviceAccount.create` | Enable creation of ServiceAccount for PostgreSQL pod | `false` | -| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` | -| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | -| `rbac.create` | Create Role and RoleBinding (required for PSP to work) | `false` | -| `rbac.rules` | Custom RBAC rules to set | `[]` | -| `psp.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` | - -### Metrics Parameters - -| Name | Description | Value | -| ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | --------------------------- | -| `metrics.enabled` | Start a prometheus exporter | `false` | -| `metrics.image.registry` | PostgreSQL Prometheus Exporter image registry | `docker.io` | -| `metrics.image.repository` | PostgreSQL Prometheus Exporter image repository | `bitnami/postgres-exporter` | -| `metrics.image.tag` | PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) | `0.13.2-debian-11-r15` | -| `metrics.image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `metrics.image.pullPolicy` | PostgreSQL Prometheus Exporter image pull policy | `IfNotPresent` | -| `metrics.image.pullSecrets` | Specify image pull secrets | `[]` | -| `metrics.customMetrics` | Define additional custom metrics | `{}` | -| `metrics.extraEnvVars` | Extra environment variables to add to PostgreSQL Prometheus exporter | `[]` | -| `metrics.containerSecurityContext.enabled` | Enable PostgreSQL Prometheus exporter containers' Security Context | `true` | -| `metrics.containerSecurityContext.runAsUser` | Set PostgreSQL Prometheus exporter containers' Security Context runAsUser | `1001` | -| `metrics.containerSecurityContext.runAsGroup` | Set PostgreSQL Prometheus exporter containers' Security Context runAsGroup | `0` | -| `metrics.containerSecurityContext.runAsNonRoot` | Set PostgreSQL Prometheus exporter containers' Security Context runAsNonRoot | `true` | -| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set PostgreSQL Prometheus exporter containers' Security Context allowPrivilegeEscalation | `false` | -| `metrics.containerSecurityContext.seccompProfile.type` | Set PostgreSQL Prometheus exporter containers' Security Context seccompProfile.type | `RuntimeDefault` | -| `metrics.containerSecurityContext.capabilities.drop` | Set PostgreSQL Prometheus exporter containers' Security Context capabilities.drop | `["ALL"]` | -| `metrics.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Prometheus exporter containers | `true` | -| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | -| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | -| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | -| `metrics.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Prometheus exporter containers | `true` | -| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | -| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | -| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `metrics.startupProbe.enabled` | Enable startupProbe on PostgreSQL Prometheus exporter containers | `false` | -| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | -| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | -| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | -| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `metrics.containerPorts.metrics` | PostgreSQL Prometheus exporter metrics container port | `9187` | -| `metrics.resources.limits` | The resources limits for the PostgreSQL Prometheus exporter container | `{}` | -| `metrics.resources.requests` | The requested resources for the PostgreSQL Prometheus exporter container | `{}` | -| `metrics.service.ports.metrics` | PostgreSQL Prometheus Exporter service port | `9187` | -| `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` | -| `metrics.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | -| `metrics.service.annotations` | Annotations for Prometheus to auto-discover the metrics endpoint | `{}` | -| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` | -| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) | `""` | -| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` | -| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | -| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | -| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | -| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | -| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | -| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | -| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | -| `metrics.prometheusRule.enabled` | Create a PrometheusRule for Prometheus Operator | `false` | -| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` | -| `metrics.prometheusRule.labels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` | -| `metrics.prometheusRule.rules` | PrometheusRule definitions | `[]` | - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, - -```console -helm install my-release \ - --set auth.postgresPassword=secretpassword - oci://registry-1.docker.io/bitnamicharts/postgresql -``` - -The above command sets the PostgreSQL `postgres` account password to `secretpassword`. - -> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. -> **Warning** Setting a password will be ignored on new installation in case when previous PostgreSQL release was deleted through the helm command. In that case, old PVC will have an old password, and setting it through helm won't take effect. Deleting persistent volumes (PVs) will solve the issue. Refer to [issue 2061](https://github.com/bitnami/charts/issues/2061) for more details - -Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, - -```console -helm install my-release -f values.yaml oci://registry-1.docker.io/bitnamicharts/postgresql -``` - -> **Tip**: You can use the default [values.yaml](values.yaml) - -## Configuration and installation details - -### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) - -It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. - -Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. - -### Customizing primary and read replica services in a replicated configuration - -At the top level, there is a service object which defines the services for both primary and readReplicas. For deeper customization, there are service objects for both the primary and read types individually. This allows you to override the values in the top level service object so that the primary and read can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the primary and read to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the primary.service or readReplicas.service objects will take precedence over the top level service object. - -### Use a different PostgreSQL version - -To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. Refer to the [chart documentation for more information on these parameters and how to use them with images from a private registry](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/configuration/change-image-version/). - -### postgresql.conf / pg_hba.conf files as configMap - -This helm chart also supports to customize the PostgreSQL configuration file. You can add additional PostgreSQL configuration parameters using the `primary.extendedConfiguration`/`readReplicas.extendedConfiguration` parameters as a string. Alternatively, to replace the entire default configuration use `primary.configuration`. - -You can also add a custom pg_hba.conf using the `primary.pgHbaConfiguration` parameter. - -In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `primary.existingConfigmap` parameter. Note that this will override the two previous options. - -### Initialize a fresh instance - -The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, you can specify custom scripts using the `primary.initdb.scripts` parameter as a string. - -In addition, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `primary.initdb.scriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `primary.initdb.scriptsSecret` parameter. - -The allowed extensions are `.sh`, `.sql` and `.sql.gz`. - -### Securing traffic using TLS - -TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart: - -- `tls.enabled`: Enable TLS support. Defaults to `false` -- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults. -- `tls.certFilename`: Certificate filename. No defaults. -- `tls.certKeyFilename`: Certificate key filename. No defaults. - -For example: - -- First, create the secret with the cetificates files: - - ```console - kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt - ``` - -- Then, use the following parameters: - - ```console - volumePermissions.enabled=true - tls.enabled=true - tls.certificatesSecret="certificates-tls-secret" - tls.certFilename="cert.crt" - tls.certKeyFilename="cert.key" - ``` - - > Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `containerSecurityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected. - -### Sidecars - -If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec. - -```yaml -# For the PostgreSQL primary -primary: - sidecars: - - name: your-image-name - image: your-image - imagePullPolicy: Always - ports: - - name: portname - containerPort: 1234 -# For the PostgreSQL replicas -readReplicas: - sidecars: - - name: your-image-name - image: your-image - imagePullPolicy: Always - ports: - - name: portname - containerPort: 1234 -``` - -### Metrics - -The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). - -The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details. - -### Use of global variables - -In more complex scenarios, we may have the following tree of dependencies - -```text - +--------------+ - | | - +------------+ Chart 1 +-----------+ - | | | | - | --------+------+ | - | | | - | | | - | | | - | | | - v v v -+-------+------+ +--------+------+ +--------+------+ -| | | | | | -| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 | -| | | | | | -+--------------+ +---------------+ +---------------+ -``` - -The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters: - -```text -postgresql.auth.username=testuser -subchart1.postgresql.auth.username=testuser -subchart2.postgresql.auth.username=testuser -postgresql.auth.password=testpass -subchart1.postgresql.auth.password=testpass -subchart2.postgresql.auth.password=testpass -postgresql.auth.database=testdb -subchart1.postgresql.auth.database=testdb -subchart2.postgresql.auth.database=testdb -``` - -If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows: - -```text -global.postgresql.auth.username=testuser -global.postgresql.auth.password=testpass -global.postgresql.auth.database=testdb -``` - -This way, the credentials will be available in all of the subcharts. - -## Persistence - -The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container. - -Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. -See the [Parameters](#parameters) section to configure the PVC or to disable persistence. - -If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to the [code present in the container repository](https://github.com/bitnami/containers/tree/main/bitnami/postgresql). If you need to use those data, please covert them to sql and import after `helm install` finished. - -## NetworkPolicy - -To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. - -For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace: - -```console -kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" -``` - -With NetworkPolicy enabled, traffic will be limited to just port 5432. - -For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL. -This label will be displayed in the output of a successful install. - -## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image - -- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image. -- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift. -- For OpenShift up to 4.10, let set the volume permissions, security context, runAsUser and fsGroup automatically by OpenShift and disable the predefined settings of the helm chart: primary.securityContext.enabled=false,primary.containerSecurityContext.enabled=false,volumePermissions.enabled=false,shmVolume.enabled=false -- For OpenShift 4.11 and higher, let set OpenShift the runAsUser and fsGroup automatically. Configure the pod and container security context to restrictive defaults and disable the volume permissions setup: primary. - podSecurityContext.fsGroup=null,primary.podSecurityContext.seccompProfile.type=RuntimeDefault,primary.containerSecurityContext.runAsUser=null,primary.containerSecurityContext.allowPrivilegeEscalation=false,primary.containerSecurityContext.runAsNonRoot=true,primary.containerSecurityContext.seccompProfile.type=RuntimeDefault,primary.containerSecurityContext.capabilities.drop=['ALL'],volumePermissions.enabled=false,shmVolume.enabled=false - -### Setting Pod's affinity - -This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). - -As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. - -## Troubleshooting - -Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). - -## Upgrading - -### To 12.0.0 - -This major version changes the default PostgreSQL image from 14.x to 15.x. Follow the [official instructions](https://www.postgresql.org/docs/15/upgrading.html) to upgrade to 15.x. - -### To any previous version - -Refer to the [chart documentation for more information about how to upgrade from previous releases](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/administration/upgrade/). - -## License - -Copyright © 2023 VMware, Inc. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. \ No newline at end of file diff --git a/charts/postgresql/charts/common/.helmignore b/charts/postgresql/charts/common/.helmignore deleted file mode 100644 index 50af0317..00000000 --- a/charts/postgresql/charts/common/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/charts/postgresql/charts/common/Chart.yaml b/charts/postgresql/charts/common/Chart.yaml deleted file mode 100644 index ae71747b..00000000 --- a/charts/postgresql/charts/common/Chart.yaml +++ /dev/null @@ -1,23 +0,0 @@ -annotations: - category: Infrastructure - licenses: Apache-2.0 -apiVersion: v2 -appVersion: 2.8.0 -description: A Library Helm Chart for grouping common logic between bitnami charts. - This chart is not deployable by itself. -home: https://bitnami.com -icon: https://bitnami.com/downloads/logos/bitnami-mark.png -keywords: -- common -- helper -- template -- function -- bitnami -maintainers: -- name: VMware, Inc. - url: https://github.com/bitnami/charts -name: common -sources: -- https://github.com/bitnami/charts -type: library -version: 2.8.0 diff --git a/charts/postgresql/charts/common/README.md b/charts/postgresql/charts/common/README.md deleted file mode 100644 index b48bb7a2..00000000 --- a/charts/postgresql/charts/common/README.md +++ /dev/null @@ -1,235 +0,0 @@ -# Bitnami Common Library Chart - -A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts. - -## TL;DR - -```yaml -dependencies: - - name: common - version: 1.x.x - repository: oci://registry-1.docker.io/bitnamicharts -``` - -```console -helm dependency update -``` - -```yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.names.fullname" . }} -data: - myvalue: "Hello World" -``` - -## Introduction - -This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. - -Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. - -Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog. - -## Prerequisites - -- Kubernetes 1.19+ -- Helm 3.2.0+ - -## Parameters - -## Special input schemas - -### ImageRoot - -```yaml -registry: - type: string - description: Docker registry where the image is located - example: docker.io - -repository: - type: string - description: Repository and image name - example: bitnami/nginx - -tag: - type: string - description: image tag - example: 1.16.1-debian-10-r63 - -pullPolicy: - type: string - description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - -pullSecrets: - type: array - items: - type: string - description: Optionally specify an array of imagePullSecrets (evaluated as templates). - -debug: - type: boolean - description: Set to true if you would like to see extra information on logs - example: false - -## An instance would be: -# registry: docker.io -# repository: bitnami/nginx -# tag: 1.16.1-debian-10-r63 -# pullPolicy: IfNotPresent -# debug: false -``` - -### Persistence - -```yaml -enabled: - type: boolean - description: Whether enable persistence. - example: true - -storageClass: - type: string - description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. - example: "-" - -accessMode: - type: string - description: Access mode for the Persistent Volume Storage. - example: ReadWriteOnce - -size: - type: string - description: Size the Persistent Volume Storage. - example: 8Gi - -path: - type: string - description: Path to be persisted. - example: /bitnami - -## An instance would be: -# enabled: true -# storageClass: "-" -# accessMode: ReadWriteOnce -# size: 8Gi -# path: /bitnami -``` - -### ExistingSecret - -```yaml -name: - type: string - description: Name of the existing secret. - example: mySecret -keyMapping: - description: Mapping between the expected key name and the name of the key in the existing secret. - type: object - -## An instance would be: -# name: mySecret -# keyMapping: -# password: myPasswordKey -``` - -#### Example of use - -When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. - -```yaml -# templates/secret.yaml ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.names.fullname" . }} - labels: - app: {{ include "common.names.fullname" . }} -type: Opaque -data: - password: {{ .Values.password | b64enc | quote }} - -# templates/dpl.yaml ---- -... - env: - - name: PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} - key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} -... - -# values.yaml ---- -name: mySecret -keyMapping: - password: myPasswordKey -``` - -### ValidateValue - -#### NOTES.txt - -```console -{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} -{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} - -{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} -``` - -If we force those values to be empty we will see some alerts - -```console -helm install test mychart --set path.to.value00="",path.to.value01="" - 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: - - export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d) - - 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: - - export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d) -``` - -## Upgrading - -### To 1.0.0 - -[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. - -#### What changes were introduced in this major version? - -- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. -- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. -- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts - -#### Considerations when upgrading to this version - -- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues -- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore -- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 - -#### Useful links - -- -- -- - -## License - -Copyright © 2023 VMware, Inc. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. diff --git a/charts/postgresql/charts/common/templates/_affinities.tpl b/charts/postgresql/charts/common/templates/_affinities.tpl deleted file mode 100644 index 0e571028..00000000 --- a/charts/postgresql/charts/common/templates/_affinities.tpl +++ /dev/null @@ -1,111 +0,0 @@ -{{/* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} - -{{/* -Return a soft nodeAffinity definition -{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.nodes.soft" -}} -preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: {{ .key }} - operator: In - values: - {{- range .values }} - - {{ . | quote }} - {{- end }} - weight: 1 -{{- end -}} - -{{/* -Return a hard nodeAffinity definition -{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.nodes.hard" -}} -requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: {{ .key }} - operator: In - values: - {{- range .values }} - - {{ . | quote }} - {{- end }} -{{- end -}} - -{{/* -Return a nodeAffinity definition -{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.nodes" -}} - {{- if eq .type "soft" }} - {{- include "common.affinities.nodes.soft" . -}} - {{- else if eq .type "hard" }} - {{- include "common.affinities.nodes.hard" . -}} - {{- end -}} -{{- end -}} - -{{/* -Return a topologyKey definition -{{ include "common.affinities.topologyKey" (dict "topologyKey" "BAR") -}} -*/}} -{{- define "common.affinities.topologyKey" -}} -{{ .topologyKey | default "kubernetes.io/hostname" -}} -{{- end -}} - -{{/* -Return a soft podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods.soft" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "context" $) -}} -*/}} -{{- define "common.affinities.pods.soft" -}} -{{- $component := default "" .component -}} -{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} -preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }} - {{- if not (empty $component) }} - {{ printf "app.kubernetes.io/component: %s" $component }} - {{- end }} - {{- range $key, $value := $extraMatchLabels }} - {{ $key }}: {{ $value | quote }} - {{- end }} - topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} - weight: 1 -{{- end -}} - -{{/* -Return a hard podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods.hard" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "context" $) -}} -*/}} -{{- define "common.affinities.pods.hard" -}} -{{- $component := default "" .component -}} -{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} -requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }} - {{- if not (empty $component) }} - {{ printf "app.kubernetes.io/component: %s" $component }} - {{- end }} - {{- range $key, $value := $extraMatchLabels }} - {{ $key }}: {{ $value | quote }} - {{- end }} - topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} -{{- end -}} - -{{/* -Return a podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.pods" -}} - {{- if eq .type "soft" }} - {{- include "common.affinities.pods.soft" . -}} - {{- else if eq .type "hard" }} - {{- include "common.affinities.pods.hard" . -}} - {{- end -}} -{{- end -}} diff --git a/charts/postgresql/charts/common/templates/_capabilities.tpl b/charts/postgresql/charts/common/templates/_capabilities.tpl deleted file mode 100644 index c6d115fe..00000000 --- a/charts/postgresql/charts/common/templates/_capabilities.tpl +++ /dev/null @@ -1,185 +0,0 @@ -{{/* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} - -{{/* -Return the target Kubernetes version -*/}} -{{- define "common.capabilities.kubeVersion" -}} -{{- if .Values.global }} - {{- if .Values.global.kubeVersion }} - {{- .Values.global.kubeVersion -}} - {{- else }} - {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} - {{- end -}} -{{- else }} -{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for poddisruptionbudget. -*/}} -{{- define "common.capabilities.policy.apiVersion" -}} -{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "policy/v1beta1" -}} -{{- else -}} -{{- print "policy/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for networkpolicy. -*/}} -{{- define "common.capabilities.networkPolicy.apiVersion" -}} -{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "extensions/v1beta1" -}} -{{- else -}} -{{- print "networking.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for cronjob. -*/}} -{{- define "common.capabilities.cronjob.apiVersion" -}} -{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "batch/v1beta1" -}} -{{- else -}} -{{- print "batch/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for daemonset. -*/}} -{{- define "common.capabilities.daemonset.apiVersion" -}} -{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "extensions/v1beta1" -}} -{{- else -}} -{{- print "apps/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for deployment. -*/}} -{{- define "common.capabilities.deployment.apiVersion" -}} -{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "extensions/v1beta1" -}} -{{- else -}} -{{- print "apps/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for statefulset. -*/}} -{{- define "common.capabilities.statefulset.apiVersion" -}} -{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "apps/v1beta1" -}} -{{- else -}} -{{- print "apps/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for ingress. -*/}} -{{- define "common.capabilities.ingress.apiVersion" -}} -{{- if .Values.ingress -}} -{{- if .Values.ingress.apiVersion -}} -{{- .Values.ingress.apiVersion -}} -{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "extensions/v1beta1" -}} -{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "networking.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "networking.k8s.io/v1" -}} -{{- end }} -{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "extensions/v1beta1" -}} -{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "networking.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "networking.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for RBAC resources. -*/}} -{{- define "common.capabilities.rbac.apiVersion" -}} -{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "rbac.authorization.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "rbac.authorization.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for CRDs. -*/}} -{{- define "common.capabilities.crd.apiVersion" -}} -{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "apiextensions.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "apiextensions.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for APIService. -*/}} -{{- define "common.capabilities.apiService.apiVersion" -}} -{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "apiregistration.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "apiregistration.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for Horizontal Pod Autoscaler. -*/}} -{{- define "common.capabilities.hpa.apiVersion" -}} -{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}} -{{- if .beta2 -}} -{{- print "autoscaling/v2beta2" -}} -{{- else -}} -{{- print "autoscaling/v2beta1" -}} -{{- end -}} -{{- else -}} -{{- print "autoscaling/v2" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for Vertical Pod Autoscaler. -*/}} -{{- define "common.capabilities.vpa.apiVersion" -}} -{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}} -{{- if .beta2 -}} -{{- print "autoscaling/v2beta2" -}} -{{- else -}} -{{- print "autoscaling/v2beta1" -}} -{{- end -}} -{{- else -}} -{{- print "autoscaling/v2" -}} -{{- end -}} -{{- end -}} - -{{/* -Returns true if the used Helm version is 3.3+. -A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. -This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. -**To be removed when the catalog's minimun Helm version is 3.3** -*/}} -{{- define "common.capabilities.supportsHelmVersion" -}} -{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} - {{- true -}} -{{- end -}} -{{- end -}} diff --git a/charts/postgresql/charts/common/templates/_errors.tpl b/charts/postgresql/charts/common/templates/_errors.tpl deleted file mode 100644 index 07ded6f6..00000000 --- a/charts/postgresql/charts/common/templates/_errors.tpl +++ /dev/null @@ -1,28 +0,0 @@ -{{/* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Through error when upgrading using empty passwords values that must not be empty. - -Usage: -{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} -{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} -{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} - -Required password params: - - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. - - context - Context - Required. Parent context. -*/}} -{{- define "common.errors.upgrade.passwords.empty" -}} - {{- $validationErrors := join "" .validationErrors -}} - {{- if and $validationErrors .context.Release.IsUpgrade -}} - {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}} - {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}} - {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}} - {{- $errorString = print $errorString "\n%s" -}} - {{- printf $errorString $validationErrors | fail -}} - {{- end -}} -{{- end -}} diff --git a/charts/postgresql/charts/common/templates/_images.tpl b/charts/postgresql/charts/common/templates/_images.tpl deleted file mode 100644 index 2181f322..00000000 --- a/charts/postgresql/charts/common/templates/_images.tpl +++ /dev/null @@ -1,85 +0,0 @@ -{{/* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Return the proper image name -{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global ) }} -*/}} -{{- define "common.images.image" -}} -{{- $registryName := .imageRoot.registry -}} -{{- $repositoryName := .imageRoot.repository -}} -{{- $separator := ":" -}} -{{- $termination := .imageRoot.tag | toString -}} -{{- if .global }} - {{- if .global.imageRegistry }} - {{- $registryName = .global.imageRegistry -}} - {{- end -}} -{{- end -}} -{{- if .imageRoot.digest }} - {{- $separator = "@" -}} - {{- $termination = .imageRoot.digest | toString -}} -{{- end -}} -{{- if $registryName }} - {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} -{{- else -}} - {{- printf "%s%s%s" $repositoryName $separator $termination -}} -{{- end -}} -{{- end -}} - -{{/* -Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) -{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} -*/}} -{{- define "common.images.pullSecrets" -}} - {{- $pullSecrets := list }} - - {{- if .global }} - {{- range .global.imagePullSecrets -}} - {{- $pullSecrets = append $pullSecrets . -}} - {{- end -}} - {{- end -}} - - {{- range .images -}} - {{- range .pullSecrets -}} - {{- $pullSecrets = append $pullSecrets . -}} - {{- end -}} - {{- end -}} - - {{- if (not (empty $pullSecrets)) }} -imagePullSecrets: - {{- range $pullSecrets | uniq }} - - name: {{ . }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Return the proper Docker Image Registry Secret Names evaluating values as templates -{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }} -*/}} -{{- define "common.images.renderPullSecrets" -}} - {{- $pullSecrets := list }} - {{- $context := .context }} - - {{- if $context.Values.global }} - {{- range $context.Values.global.imagePullSecrets -}} - {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} - {{- end -}} - {{- end -}} - - {{- range .images -}} - {{- range .pullSecrets -}} - {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} - {{- end -}} - {{- end -}} - - {{- if (not (empty $pullSecrets)) }} -imagePullSecrets: - {{- range $pullSecrets | uniq }} - - name: {{ . }} - {{- end }} - {{- end }} -{{- end -}} diff --git a/charts/postgresql/charts/common/templates/_ingress.tpl b/charts/postgresql/charts/common/templates/_ingress.tpl deleted file mode 100644 index efa5b85c..00000000 --- a/charts/postgresql/charts/common/templates/_ingress.tpl +++ /dev/null @@ -1,73 +0,0 @@ -{{/* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} - -{{/* -Generate backend entry that is compatible with all Kubernetes API versions. - -Usage: -{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} - -Params: - - serviceName - String. Name of an existing service backend - - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. - - context - Dict - Required. The context for the template evaluation. -*/}} -{{- define "common.ingress.backend" -}} -{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} -{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} -serviceName: {{ .serviceName }} -servicePort: {{ .servicePort }} -{{- else -}} -service: - name: {{ .serviceName }} - port: - {{- if typeIs "string" .servicePort }} - name: {{ .servicePort }} - {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }} - number: {{ .servicePort | int }} - {{- end }} -{{- end -}} -{{- end -}} - -{{/* -Print "true" if the API pathType field is supported -Usage: -{{ include "common.ingress.supportsPathType" . }} -*/}} -{{- define "common.ingress.supportsPathType" -}} -{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} -{{- print "false" -}} -{{- else -}} -{{- print "true" -}} -{{- end -}} -{{- end -}} - -{{/* -Returns true if the ingressClassname field is supported -Usage: -{{ include "common.ingress.supportsIngressClassname" . }} -*/}} -{{- define "common.ingress.supportsIngressClassname" -}} -{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "false" -}} -{{- else -}} -{{- print "true" -}} -{{- end -}} -{{- end -}} - -{{/* -Return true if cert-manager required annotations for TLS signed -certificates are set in the Ingress annotations -Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations -Usage: -{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }} -*/}} -{{- define "common.ingress.certManagerRequest" -}} -{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") (hasKey .annotations "kubernetes.io/tls-acme") }} - {{- true -}} -{{- end -}} -{{- end -}} diff --git a/charts/postgresql/charts/common/templates/_labels.tpl b/charts/postgresql/charts/common/templates/_labels.tpl deleted file mode 100644 index a1d7a95b..00000000 --- a/charts/postgresql/charts/common/templates/_labels.tpl +++ /dev/null @@ -1,23 +0,0 @@ -{{/* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Kubernetes standard labels -*/}} -{{- define "common.labels.standard" -}} -app.kubernetes.io/name: {{ include "common.names.name" . }} -helm.sh/chart: {{ include "common.names.chart" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end -}} - -{{/* -Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector -*/}} -{{- define "common.labels.matchLabels" -}} -app.kubernetes.io/name: {{ include "common.names.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end -}} diff --git a/charts/postgresql/charts/common/templates/_names.tpl b/charts/postgresql/charts/common/templates/_names.tpl deleted file mode 100644 index a222924f..00000000 --- a/charts/postgresql/charts/common/templates/_names.tpl +++ /dev/null @@ -1,71 +0,0 @@ -{{/* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "common.names.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "common.names.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "common.names.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create a default fully qualified dependency name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -Usage: -{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }} -*/}} -{{- define "common.names.dependency.fullname" -}} -{{- if .chartValues.fullnameOverride -}} -{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .chartName .chartValues.nameOverride -}} -{{- if contains $name .context.Release.Name -}} -{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Allow the release namespace to be overridden for multi-namespace deployments in combined charts. -*/}} -{{- define "common.names.namespace" -}} -{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a fully qualified app name adding the installation's namespace. -*/}} -{{- define "common.names.fullname.namespace" -}} -{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}} -{{- end -}} diff --git a/charts/postgresql/charts/common/templates/_secrets.tpl b/charts/postgresql/charts/common/templates/_secrets.tpl deleted file mode 100644 index a193c46b..00000000 --- a/charts/postgresql/charts/common/templates/_secrets.tpl +++ /dev/null @@ -1,172 +0,0 @@ -{{/* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Generate secret name. - -Usage: -{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} - -Params: - - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user - to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. - +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret - - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. - - context - Dict - Required. The context for the template evaluation. -*/}} -{{- define "common.secrets.name" -}} -{{- $name := (include "common.names.fullname" .context) -}} - -{{- if .defaultNameSuffix -}} -{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{- with .existingSecret -}} -{{- if not (typeIs "string" .) -}} -{{- with .name -}} -{{- $name = . -}} -{{- end -}} -{{- else -}} -{{- $name = . -}} -{{- end -}} -{{- end -}} - -{{- printf "%s" $name -}} -{{- end -}} - -{{/* -Generate secret key. - -Usage: -{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} - -Params: - - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user - to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. - +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret - - key - String - Required. Name of the key in the secret. -*/}} -{{- define "common.secrets.key" -}} -{{- $key := .key -}} - -{{- if .existingSecret -}} - {{- if not (typeIs "string" .existingSecret) -}} - {{- if .existingSecret.keyMapping -}} - {{- $key = index .existingSecret.keyMapping $.key -}} - {{- end -}} - {{- end }} -{{- end -}} - -{{- printf "%s" $key -}} -{{- end -}} - -{{/* -Generate secret password or retrieve one if already created. - -Usage: -{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }} - -Params: - - secret - String - Required - Name of the 'Secret' resource where the password is stored. - - key - String - Required - Name of the key in the secret. - - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. - - length - int - Optional - Length of the generated random password. - - strong - Boolean - Optional - Whether to add symbols to the generated random password. - - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - - context - Context - Required - Parent context. - - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. -The order in which this function returns a secret password: - 1. Already existing 'Secret' resource - (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) - 2. Password provided via the values.yaml - (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) - 3. Randomly generated secret password - (A new random secret password with the length specified in the 'length' parameter will be generated and returned) - -*/}} -{{- define "common.secrets.passwords.manage" -}} - -{{- $password := "" }} -{{- $subchart := "" }} -{{- $failOnNew := default true .failOnNew }} -{{- $chartName := default "" .chartName }} -{{- $passwordLength := default 10 .length }} -{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} -{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} -{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} -{{- if $secretData }} - {{- if hasKey $secretData .key }} - {{- $password = index $secretData .key | quote }} - {{- else if $failOnNew }} - {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} - {{- end -}} -{{- else if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString | b64enc | quote }} -{{- else }} - - {{- if .context.Values.enabled }} - {{- $subchart = $chartName }} - {{- end -}} - - {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} - {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} - {{- $passwordValidationErrors := list $requiredPasswordError -}} - {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} - - {{- if .strong }} - {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} - {{- $password = randAscii $passwordLength }} - {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} - {{- else }} - {{- $password = randAlphaNum $passwordLength | b64enc | quote }} - {{- end }} -{{- end -}} -{{- printf "%s" $password -}} -{{- end -}} - -{{/* -Reuses the value from an existing secret, otherwise sets its value to a default value. - -Usage: -{{ include "common.secrets.lookup" (dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $) }} - -Params: - - secret - String - Required - Name of the 'Secret' resource where the password is stored. - - key - String - Required - Name of the key in the secret. - - defaultValue - String - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. - - context - Context - Required - Parent context. - -*/}} -{{- define "common.secrets.lookup" -}} -{{- $value := "" -}} -{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data -}} -{{- if and $secretData (hasKey $secretData .key) -}} - {{- $value = index $secretData .key -}} -{{- else if .defaultValue -}} - {{- $value = .defaultValue | toString | b64enc -}} -{{- end -}} -{{- if $value -}} -{{- printf "%s" $value -}} -{{- end -}} -{{- end -}} - -{{/* -Returns whether a previous generated secret already exists - -Usage: -{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} - -Params: - - secret - String - Required - Name of the 'Secret' resource where the password is stored. - - context - Context - Required - Parent context. -*/}} -{{- define "common.secrets.exists" -}} -{{- $secret := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret) }} -{{- if $secret }} - {{- true -}} -{{- end -}} -{{- end -}} diff --git a/charts/postgresql/charts/common/templates/_storage.tpl b/charts/postgresql/charts/common/templates/_storage.tpl deleted file mode 100644 index 16405a0f..00000000 --- a/charts/postgresql/charts/common/templates/_storage.tpl +++ /dev/null @@ -1,28 +0,0 @@ -{{/* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Return the proper Storage Class -{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} -*/}} -{{- define "common.storage.class" -}} - -{{- $storageClass := .persistence.storageClass -}} -{{- if .global -}} - {{- if .global.storageClass -}} - {{- $storageClass = .global.storageClass -}} - {{- end -}} -{{- end -}} - -{{- if $storageClass -}} - {{- if (eq "-" $storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else }} - {{- printf "storageClassName: %s" $storageClass -}} - {{- end -}} -{{- end -}} - -{{- end -}} diff --git a/charts/postgresql/charts/common/templates/_tplvalues.tpl b/charts/postgresql/charts/common/templates/_tplvalues.tpl deleted file mode 100644 index dc15f7fd..00000000 --- a/charts/postgresql/charts/common/templates/_tplvalues.tpl +++ /dev/null @@ -1,27 +0,0 @@ -{{/* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Renders a value that contains template perhaps with scope if the scope is present. -Usage: -{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }} -{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }} -*/}} -{{- define "common.tplvalues.render" -}} -{{- if .scope }} - {{- if typeIs "string" .value }} - {{- tpl (cat "{{- with $.RelativeScope -}}" .value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }} - {{- else }} - {{- tpl (cat "{{- with $.RelativeScope -}}" (.value | toYaml) "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }} - {{- end }} -{{- else }} - {{- if typeIs "string" .value }} - {{- tpl .value .context }} - {{- else }} - {{- tpl (.value | toYaml) .context }} - {{- end }} -{{- end -}} -{{- end -}} diff --git a/charts/postgresql/charts/common/templates/_utils.tpl b/charts/postgresql/charts/common/templates/_utils.tpl deleted file mode 100644 index c87040cd..00000000 --- a/charts/postgresql/charts/common/templates/_utils.tpl +++ /dev/null @@ -1,67 +0,0 @@ -{{/* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Print instructions to get a secret value. -Usage: -{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} -*/}} -{{- define "common.utils.secret.getvalue" -}} -{{- $varname := include "common.utils.fieldToEnvVar" . -}} -export {{ $varname }}=$(kubectl get secret --namespace {{ include "common.names.namespace" .context | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d) -{{- end -}} - -{{/* -Build env var name given a field -Usage: -{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} -*/}} -{{- define "common.utils.fieldToEnvVar" -}} - {{- $fieldNameSplit := splitList "-" .field -}} - {{- $upperCaseFieldNameSplit := list -}} - - {{- range $fieldNameSplit -}} - {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} - {{- end -}} - - {{ join "_" $upperCaseFieldNameSplit }} -{{- end -}} - -{{/* -Gets a value from .Values given -Usage: -{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} -*/}} -{{- define "common.utils.getValueFromKey" -}} -{{- $splitKey := splitList "." .key -}} -{{- $value := "" -}} -{{- $latestObj := $.context.Values -}} -{{- range $splitKey -}} - {{- if not $latestObj -}} - {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} - {{- end -}} - {{- $value = ( index $latestObj . ) -}} - {{- $latestObj = $value -}} -{{- end -}} -{{- printf "%v" (default "" $value) -}} -{{- end -}} - -{{/* -Returns first .Values key with a defined value or first of the list if all non-defined -Usage: -{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} -*/}} -{{- define "common.utils.getKeyFromList" -}} -{{- $key := first .keys -}} -{{- $reverseKeys := reverse .keys }} -{{- range $reverseKeys }} - {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }} - {{- if $value -}} - {{- $key = . }} - {{- end -}} -{{- end -}} -{{- printf "%s" $key -}} -{{- end -}} diff --git a/charts/postgresql/charts/common/templates/_warnings.tpl b/charts/postgresql/charts/common/templates/_warnings.tpl deleted file mode 100644 index 66dffc1f..00000000 --- a/charts/postgresql/charts/common/templates/_warnings.tpl +++ /dev/null @@ -1,19 +0,0 @@ -{{/* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Warning about using rolling tag. -Usage: -{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} -*/}} -{{- define "common.warnings.rollingTag" -}} - -{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} -WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. -+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ -{{- end }} - -{{- end -}} diff --git a/charts/postgresql/charts/common/templates/validations/_cassandra.tpl b/charts/postgresql/charts/common/templates/validations/_cassandra.tpl deleted file mode 100644 index eda9aada..00000000 --- a/charts/postgresql/charts/common/templates/validations/_cassandra.tpl +++ /dev/null @@ -1,77 +0,0 @@ -{{/* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Validate Cassandra required passwords are not empty. - -Usage: -{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret" - - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false -*/}} -{{- define "common.validations.values.cassandra.passwords" -}} - {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}} - {{- $enabled := include "common.cassandra.values.enabled" . -}} - {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} - {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} - - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for existingSecret. - -Usage: -{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} -Params: - - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false -*/}} -{{- define "common.cassandra.values.existingSecret" -}} - {{- if .subchart -}} - {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} - {{- else -}} - {{- .context.Values.dbUser.existingSecret | quote -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled cassandra. - -Usage: -{{ include "common.cassandra.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.cassandra.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.cassandra.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key dbUser - -Usage: -{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false -*/}} -{{- define "common.cassandra.values.key.dbUser" -}} - {{- if .subchart -}} - cassandra.dbUser - {{- else -}} - dbUser - {{- end -}} -{{- end -}} diff --git a/charts/postgresql/charts/common/templates/validations/_mariadb.tpl b/charts/postgresql/charts/common/templates/validations/_mariadb.tpl deleted file mode 100644 index 17d83a2f..00000000 --- a/charts/postgresql/charts/common/templates/validations/_mariadb.tpl +++ /dev/null @@ -1,108 +0,0 @@ -{{/* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Validate MariaDB required passwords are not empty. - -Usage: -{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.validations.values.mariadb.passwords" -}} - {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} - {{- $enabled := include "common.mariadb.values.enabled" . -}} - {{- $architecture := include "common.mariadb.values.architecture" . -}} - {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} - {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} - {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} - {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} - {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} - - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} - - {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} - {{- if not (empty $valueUsername) -}} - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - {{- end -}} - - {{- if (eq $architecture "replication") -}} - {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for existingSecret. - -Usage: -{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.mariadb.values.auth.existingSecret" -}} - {{- if .subchart -}} - {{- .context.Values.mariadb.auth.existingSecret | quote -}} - {{- else -}} - {{- .context.Values.auth.existingSecret | quote -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled mariadb. - -Usage: -{{ include "common.mariadb.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.mariadb.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.mariadb.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for architecture - -Usage: -{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.mariadb.values.architecture" -}} - {{- if .subchart -}} - {{- .context.Values.mariadb.architecture -}} - {{- else -}} - {{- .context.Values.architecture -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key auth - -Usage: -{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.mariadb.values.key.auth" -}} - {{- if .subchart -}} - mariadb.auth - {{- else -}} - auth - {{- end -}} -{{- end -}} diff --git a/charts/postgresql/charts/common/templates/validations/_mongodb.tpl b/charts/postgresql/charts/common/templates/validations/_mongodb.tpl deleted file mode 100644 index bbb445b8..00000000 --- a/charts/postgresql/charts/common/templates/validations/_mongodb.tpl +++ /dev/null @@ -1,113 +0,0 @@ -{{/* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Validate MongoDB® required passwords are not empty. - -Usage: -{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret" - - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false -*/}} -{{- define "common.validations.values.mongodb.passwords" -}} - {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} - {{- $enabled := include "common.mongodb.values.enabled" . -}} - {{- $authPrefix := include "common.mongodb.values.key.auth" . -}} - {{- $architecture := include "common.mongodb.values.architecture" . -}} - {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} - {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} - {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}} - {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} - {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}} - {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}} - - {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} - - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} - - {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} - {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }} - {{- if and $valueUsername $valueDatabase -}} - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - {{- end -}} - - {{- if (eq $architecture "replicaset") -}} - {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for existingSecret. - -Usage: -{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false -*/}} -{{- define "common.mongodb.values.auth.existingSecret" -}} - {{- if .subchart -}} - {{- .context.Values.mongodb.auth.existingSecret | quote -}} - {{- else -}} - {{- .context.Values.auth.existingSecret | quote -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled mongodb. - -Usage: -{{ include "common.mongodb.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.mongodb.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.mongodb.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key auth - -Usage: -{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false -*/}} -{{- define "common.mongodb.values.key.auth" -}} - {{- if .subchart -}} - mongodb.auth - {{- else -}} - auth - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for architecture - -Usage: -{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false -*/}} -{{- define "common.mongodb.values.architecture" -}} - {{- if .subchart -}} - {{- .context.Values.mongodb.architecture -}} - {{- else -}} - {{- .context.Values.architecture -}} - {{- end -}} -{{- end -}} diff --git a/charts/postgresql/charts/common/templates/validations/_mysql.tpl b/charts/postgresql/charts/common/templates/validations/_mysql.tpl deleted file mode 100644 index ca3953f8..00000000 --- a/charts/postgresql/charts/common/templates/validations/_mysql.tpl +++ /dev/null @@ -1,108 +0,0 @@ -{{/* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Validate MySQL required passwords are not empty. - -Usage: -{{ include "common.validations.values.mysql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where MySQL values are stored, e.g: "mysql-passwords-secret" - - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false -*/}} -{{- define "common.validations.values.mysql.passwords" -}} - {{- $existingSecret := include "common.mysql.values.auth.existingSecret" . -}} - {{- $enabled := include "common.mysql.values.enabled" . -}} - {{- $architecture := include "common.mysql.values.architecture" . -}} - {{- $authPrefix := include "common.mysql.values.key.auth" . -}} - {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} - {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} - {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} - {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} - - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mysql-root-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} - - {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} - {{- if not (empty $valueUsername) -}} - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mysql-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - {{- end -}} - - {{- if (eq $architecture "replication") -}} - {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mysql-replication-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for existingSecret. - -Usage: -{{ include "common.mysql.values.auth.existingSecret" (dict "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false -*/}} -{{- define "common.mysql.values.auth.existingSecret" -}} - {{- if .subchart -}} - {{- .context.Values.mysql.auth.existingSecret | quote -}} - {{- else -}} - {{- .context.Values.auth.existingSecret | quote -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled mysql. - -Usage: -{{ include "common.mysql.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.mysql.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.mysql.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for architecture - -Usage: -{{ include "common.mysql.values.architecture" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false -*/}} -{{- define "common.mysql.values.architecture" -}} - {{- if .subchart -}} - {{- .context.Values.mysql.architecture -}} - {{- else -}} - {{- .context.Values.architecture -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key auth - -Usage: -{{ include "common.mysql.values.key.auth" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false -*/}} -{{- define "common.mysql.values.key.auth" -}} - {{- if .subchart -}} - mysql.auth - {{- else -}} - auth - {{- end -}} -{{- end -}} diff --git a/charts/postgresql/charts/common/templates/validations/_postgresql.tpl b/charts/postgresql/charts/common/templates/validations/_postgresql.tpl deleted file mode 100644 index 8c9aa570..00000000 --- a/charts/postgresql/charts/common/templates/validations/_postgresql.tpl +++ /dev/null @@ -1,134 +0,0 @@ -{{/* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Validate PostgreSQL required passwords are not empty. - -Usage: -{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret" - - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false -*/}} -{{- define "common.validations.values.postgresql.passwords" -}} - {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} - {{- $enabled := include "common.postgresql.values.enabled" . -}} - {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} - {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} - - {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} - {{- if (eq $enabledReplication "true") -}} - {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to decide whether evaluate global values. - -Usage: -{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} -Params: - - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" -*/}} -{{- define "common.postgresql.values.use.global" -}} - {{- if .context.Values.global -}} - {{- if .context.Values.global.postgresql -}} - {{- index .context.Values.global.postgresql .key | quote -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for existingSecret. - -Usage: -{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} -*/}} -{{- define "common.postgresql.values.existingSecret" -}} - {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} - - {{- if .subchart -}} - {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} - {{- else -}} - {{- default (.context.Values.existingSecret | quote) $globalValue -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled postgresql. - -Usage: -{{ include "common.postgresql.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.postgresql.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.postgresql.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key postgressPassword. - -Usage: -{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false -*/}} -{{- define "common.postgresql.values.key.postgressPassword" -}} - {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} - - {{- if not $globalValue -}} - {{- if .subchart -}} - postgresql.postgresqlPassword - {{- else -}} - postgresqlPassword - {{- end -}} - {{- else -}} - global.postgresql.postgresqlPassword - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled.replication. - -Usage: -{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false -*/}} -{{- define "common.postgresql.values.enabled.replication" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.postgresql.replication.enabled -}} - {{- else -}} - {{- printf "%v" .context.Values.replication.enabled -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key replication.password. - -Usage: -{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false -*/}} -{{- define "common.postgresql.values.key.replicationPassword" -}} - {{- if .subchart -}} - postgresql.replication.password - {{- else -}} - replication.password - {{- end -}} -{{- end -}} diff --git a/charts/postgresql/charts/common/templates/validations/_redis.tpl b/charts/postgresql/charts/common/templates/validations/_redis.tpl deleted file mode 100644 index fc0d208d..00000000 --- a/charts/postgresql/charts/common/templates/validations/_redis.tpl +++ /dev/null @@ -1,81 +0,0 @@ -{{/* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - - -{{/* vim: set filetype=mustache: */}} -{{/* -Validate Redis® required passwords are not empty. - -Usage: -{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret" - - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false -*/}} -{{- define "common.validations.values.redis.passwords" -}} - {{- $enabled := include "common.redis.values.enabled" . -}} - {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} - {{- $standarizedVersion := include "common.redis.values.standarized.version" . }} - - {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }} - {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }} - - {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }} - {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }} - - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}} - {{- if eq $useAuth "true" -}} - {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled redis. - -Usage: -{{ include "common.redis.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.redis.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.redis.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right prefix path for the values - -Usage: -{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false -*/}} -{{- define "common.redis.values.keys.prefix" -}} - {{- if .subchart -}}redis.{{- else -}}{{- end -}} -{{- end -}} - -{{/* -Checks whether the redis chart's includes the standarizations (version >= 14) - -Usage: -{{ include "common.redis.values.standarized.version" (dict "context" $) }} -*/}} -{{- define "common.redis.values.standarized.version" -}} - - {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}} - {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }} - - {{- if $standarizedAuthValues -}} - {{- true -}} - {{- end -}} -{{- end -}} diff --git a/charts/postgresql/charts/common/templates/validations/_validations.tpl b/charts/postgresql/charts/common/templates/validations/_validations.tpl deleted file mode 100644 index 31ceda87..00000000 --- a/charts/postgresql/charts/common/templates/validations/_validations.tpl +++ /dev/null @@ -1,51 +0,0 @@ -{{/* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} -{{/* -Validate values must not be empty. - -Usage: -{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} -{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} -{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} - -Validate value params: - - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" - - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" - - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" -*/}} -{{- define "common.validations.values.multiple.empty" -}} - {{- range .required -}} - {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} - {{- end -}} -{{- end -}} - -{{/* -Validate a value must not be empty. - -Usage: -{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }} - -Validate value params: - - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" - - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" - - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" - - subchart - String - Optional - Name of the subchart that the validated password is part of. -*/}} -{{- define "common.validations.values.single.empty" -}} - {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} - {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }} - - {{- if not $value -}} - {{- $varname := "my-value" -}} - {{- $getCurrentValue := "" -}} - {{- if and .secret .field -}} - {{- $varname = include "common.utils.fieldToEnvVar" . -}} - {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} - {{- end -}} - {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}} - {{- end -}} -{{- end -}} diff --git a/charts/postgresql/charts/common/values.yaml b/charts/postgresql/charts/common/values.yaml deleted file mode 100644 index 9abe0e15..00000000 --- a/charts/postgresql/charts/common/values.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# Copyright VMware, Inc. -# SPDX-License-Identifier: APACHE-2.0 - -## bitnami/common -## It is required by CI/CD tools and processes. -## @skip exampleValue -## -exampleValue: common-chart diff --git a/charts/postgresql/templates/NOTES.txt b/charts/postgresql/templates/NOTES.txt deleted file mode 100644 index c996a005..00000000 --- a/charts/postgresql/templates/NOTES.txt +++ /dev/null @@ -1,115 +0,0 @@ -CHART NAME: {{ .Chart.Name }} -CHART VERSION: {{ .Chart.Version }} -APP VERSION: {{ .Chart.AppVersion }} - -** Please be patient while the chart is being deployed ** - -{{- if .Values.diagnosticMode.enabled }} -The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with: - - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }} - -Get the list of pods by executing: - - kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} - -Access the pod you want to debug by executing - - kubectl exec --namespace {{ .Release.Namespace }} -ti -- /opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash - -In order to replicate the container startup scripts execute this command: - - /opt/bitnami/scripts/postgresql/entrypoint.sh /opt/bitnami/scripts/postgresql/run.sh - -{{- else }} - -{{- $customUser := include "postgresql.username" . }} -{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "common.names.fullname" .) "key" .Values.auth.secretKeys.adminPasswordKey "defaultValue" (ternary .Values.auth.postgresPassword .Values.auth.password (eq $customUser "postgres")) "context" $) -}} -{{- $authEnabled := and (not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret)) (or $postgresPassword .Values.auth.enablePostgresUser (and (not (empty $customUser)) (ne $customUser "postgres"))) }} -{{- if not $authEnabled }} - -WARNING: PostgreSQL has been configured without authentication, this is not recommended for production environments. -{{- end }} - -PostgreSQL can be accessed via port {{ include "postgresql.service.port" . }} on the following DNS names from within your cluster: - - {{ include "postgresql.primary.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection - -{{- if eq .Values.architecture "replication" }} - - {{ include "postgresql.readReplica.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read only connection - -{{- end }} - -{{- if and (not (empty $customUser)) (ne $customUser "postgres") }} -{{- if .Values.auth.enablePostgresUser }} - -To get the password for "postgres" run: - - export POSTGRES_ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.secretName" . }} -o jsonpath="{.data.{{include "postgresql.adminPasswordKey" .}}}" | base64 -d) -{{- end }} - -To get the password for "{{ $customUser }}" run: - - export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.secretName" . }} -o jsonpath="{.data.{{include "postgresql.userPasswordKey" .}}}" | base64 -d) -{{- else }} -{{- if .Values.auth.enablePostgresUser }} - -To get the password for "{{ default "postgres" $customUser }}" run: - - export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.secretName" . }} -o jsonpath="{.data.{{ ternary "password" (include "postgresql.adminPasswordKey" .) (and (not (empty $customUser)) (ne $customUser "postgres")) }}}" | base64 -d) -{{- end }} -{{- end }} - -To connect to your database run the following command: - {{- if $authEnabled }} - - kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ include "postgresql.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" \ - --command -- psql --host {{ include "postgresql.primary.fullname" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.service.port" . }} - {{- else }} - - kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ include "postgresql.image" . }} \ - --command -- psql --host {{ include "postgresql.primary.fullname" . }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.service.port" . }} - {{- end }} - - > NOTE: If you access the container using bash, make sure that you execute "/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash" in order to avoid the error "psql: local user with ID {{ .Values.primary.containerSecurityContext.runAsUser }}} does not exist" - -To connect to your database from outside the cluster execute the following commands: - -{{- if contains "NodePort" .Values.primary.service.type }} - - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "postgresql.primary.fullname" . }}) - {{- if $authEnabled }} - PGPASSWORD="$POSTGRES_PASSWORD" psql --host $NODE_IP --port $NODE_PORT -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} - {{- else }} - psql --host $NODE_IP --port $NODE_PORT -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} - {{- end }} -{{- else if contains "LoadBalancer" .Values.primary.service.type }} - - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "postgresql.primary.fullname" . }}' - - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "postgresql.primary.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") - {{- if $authEnabled }} - PGPASSWORD="$POSTGRES_PASSWORD" psql --host $SERVICE_IP --port {{ include "postgresql.service.port" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} - {{- else }} - psql --host $SERVICE_IP --port {{ include "postgresql.service.port" . }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} - {{- end }} -{{- else if contains "ClusterIP" .Values.primary.service.type }} - - kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "postgresql.primary.fullname" . }} {{ include "postgresql.service.port" . }}:{{ include "postgresql.service.port" . }} & - {{- if $authEnabled }} - PGPASSWORD="$POSTGRES_PASSWORD" psql --host 127.0.0.1 -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.service.port" . }} - {{- else }} - psql --host 127.0.0.1 -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.service.port" . }} - {{- end }} -{{- end }} -{{- end }} - -WARNING: The configured password will be ignored on new installation in case when previous PostgreSQL release was deleted through the helm command. In that case, old PVC will have an old password, and setting it through helm won't take effect. Deleting persistent volumes (PVs) will solve the issue. - -{{- include "postgresql.validateValues" . -}} -{{- include "common.warnings.rollingTag" .Values.image -}} -{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} diff --git a/charts/postgresql/templates/_helpers.tpl b/charts/postgresql/templates/_helpers.tpl deleted file mode 100644 index 368a0c67..00000000 --- a/charts/postgresql/templates/_helpers.tpl +++ /dev/null @@ -1,406 +0,0 @@ -{{/* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{/* vim: set filetype=mustache: */}} - -{{/* -Create a default fully qualified app name for PostgreSQL Primary objects -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "postgresql.primary.fullname" -}} -{{- if eq .Values.architecture "replication" -}} - {{- printf "%s-%s" (include "common.names.fullname" .) .Values.primary.name | trunc 63 | trimSuffix "-" -}} -{{- else -}} - {{- include "common.names.fullname" . -}} -{{- end -}} -{{- end -}} - -{{/* -Create a default fully qualified app name for PostgreSQL read-only replicas objects -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "postgresql.readReplica.fullname" -}} -{{- printf "%s-%s" (include "common.names.fullname" .) .Values.readReplicas.name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create the default FQDN for PostgreSQL primary headless service -We truncate at 63 chars because of the DNS naming spec. -*/}} -{{- define "postgresql.primary.svc.headless" -}} -{{- printf "%s-hl" (include "postgresql.primary.fullname" .) | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create the default FQDN for PostgreSQL read-only replicas headless service -We truncate at 63 chars because of the DNS naming spec. -*/}} -{{- define "postgresql.readReplica.svc.headless" -}} -{{- printf "%s-hl" (include "postgresql.readReplica.fullname" .) | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Return the proper PostgreSQL image name -*/}} -{{- define "postgresql.image" -}} -{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} -{{- end -}} - -{{/* -Return the proper PostgreSQL metrics image name -*/}} -{{- define "postgresql.metrics.image" -}} -{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }} -{{- end -}} - -{{/* -Return the proper image name (for the init container volume-permissions image) -*/}} -{{- define "postgresql.volumePermissions.image" -}} -{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }} -{{- end -}} - -{{/* -Return the proper Docker Image Registry Secret Names -*/}} -{{- define "postgresql.imagePullSecrets" -}} -{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "global" .Values.global) }} -{{- end -}} - -{{/* -Return the name for a custom user to create -*/}} -{{- define "postgresql.username" -}} -{{- if .Values.global.postgresql.auth.username -}} - {{- .Values.global.postgresql.auth.username -}} -{{- else -}} - {{- .Values.auth.username -}} -{{- end -}} -{{- end -}} - -{{/* -Return the name for a custom database to create -*/}} -{{- define "postgresql.database" -}} -{{- if .Values.global.postgresql.auth.database -}} - {{- printf "%s" (tpl .Values.global.postgresql.auth.database $) -}} -{{- else if .Values.auth.database -}} - {{- printf "%s" (tpl .Values.auth.database $) -}} -{{- end -}} -{{- end -}} - -{{/* -Get the password secret. -*/}} -{{- define "postgresql.secretName" -}} -{{- if .Values.global.postgresql.auth.existingSecret -}} - {{- printf "%s" (tpl .Values.global.postgresql.auth.existingSecret $) -}} -{{- else if .Values.auth.existingSecret -}} - {{- printf "%s" (tpl .Values.auth.existingSecret $) -}} -{{- else -}} - {{- printf "%s" (include "common.names.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{/* -Get the replication-password key. -*/}} -{{- define "postgresql.replicationPasswordKey" -}} -{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}} - {{- if .Values.global.postgresql.auth.secretKeys.replicationPasswordKey -}} - {{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.replicationPasswordKey $) -}} - {{- else if .Values.auth.secretKeys.replicationPasswordKey -}} - {{- printf "%s" (tpl .Values.auth.secretKeys.replicationPasswordKey $) -}} - {{- else -}} - {{- "replication-password" -}} - {{- end -}} -{{- else -}} - {{- "replication-password" -}} -{{- end -}} -{{- end -}} - -{{/* -Get the admin-password key. -*/}} -{{- define "postgresql.adminPasswordKey" -}} -{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}} - {{- if .Values.global.postgresql.auth.secretKeys.adminPasswordKey -}} - {{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.adminPasswordKey $) -}} - {{- else if .Values.auth.secretKeys.adminPasswordKey -}} - {{- printf "%s" (tpl .Values.auth.secretKeys.adminPasswordKey $) -}} - {{- end -}} -{{- else -}} - {{- "postgres-password" -}} -{{- end -}} -{{- end -}} - -{{/* -Get the user-password key. -*/}} -{{- define "postgresql.userPasswordKey" -}} -{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret -}} - {{- if or (empty (include "postgresql.username" .)) (eq (include "postgresql.username" .) "postgres") -}} - {{- printf "%s" (include "postgresql.adminPasswordKey" .) -}} - {{- else -}} - {{- if .Values.global.postgresql.auth.secretKeys.userPasswordKey -}} - {{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.userPasswordKey $) -}} - {{- else if .Values.auth.secretKeys.userPasswordKey -}} - {{- printf "%s" (tpl .Values.auth.secretKeys.userPasswordKey $) -}} - {{- end -}} - {{- end -}} -{{- else -}} - {{- "password" -}} -{{- end -}} -{{- end -}} - -{{/* -Return true if a secret object should be created -*/}} -{{- define "postgresql.createSecret" -}} -{{- $customUser := include "postgresql.username" . -}} -{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "common.names.fullname" .) "key" .Values.auth.secretKeys.adminPasswordKey "defaultValue" (ternary (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword .Values.global.postgresql.auth.password .Values.auth.password) (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (or (empty $customUser) (eq $customUser "postgres"))) "context" $) -}} -{{- if and (not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret)) (or $postgresPassword .Values.auth.enablePostgresUser (and (not (empty $customUser)) (ne $customUser "postgres")) (eq .Values.architecture "replication") (and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw))) -}} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Return PostgreSQL service port -*/}} -{{- define "postgresql.service.port" -}} -{{- if .Values.global.postgresql.service.ports.postgresql -}} - {{- .Values.global.postgresql.service.ports.postgresql -}} -{{- else -}} - {{- .Values.primary.service.ports.postgresql -}} -{{- end -}} -{{- end -}} - -{{/* -Return PostgreSQL service port -*/}} -{{- define "postgresql.readReplica.service.port" -}} -{{- if .Values.global.postgresql.service.ports.postgresql -}} - {{- .Values.global.postgresql.service.ports.postgresql -}} -{{- else -}} - {{- .Values.readReplicas.service.ports.postgresql -}} -{{- end -}} -{{- end -}} - -{{/* -Get the PostgreSQL primary configuration ConfigMap name. -*/}} -{{- define "postgresql.primary.configmapName" -}} -{{- if .Values.primary.existingConfigmap -}} - {{- printf "%s" (tpl .Values.primary.existingConfigmap $) -}} -{{- else -}} - {{- printf "%s-configuration" (include "postgresql.primary.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{/* -Return true if a configmap object should be created for PostgreSQL primary with the configuration -*/}} -{{- define "postgresql.primary.createConfigmap" -}} -{{- if and (or .Values.primary.configuration .Values.primary.pgHbaConfiguration) (not .Values.primary.existingConfigmap) -}} - {{- true -}} -{{- else -}} -{{- end -}} -{{- end -}} - -{{/* -Get the PostgreSQL primary extended configuration ConfigMap name. -*/}} -{{- define "postgresql.primary.extendedConfigmapName" -}} -{{- if .Values.primary.existingExtendedConfigmap -}} - {{- printf "%s" (tpl .Values.primary.existingExtendedConfigmap $) -}} -{{- else -}} - {{- printf "%s-extended-configuration" (include "postgresql.primary.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{/* -Get the PostgreSQL read replica extended configuration ConfigMap name. -*/}} -{{- define "postgresql.readReplicas.extendedConfigmapName" -}} - {{- printf "%s-extended-configuration" (include "postgresql.readReplica.fullname" .) -}} -{{- end -}} - -{{/* -Return true if a configmap object should be created for PostgreSQL primary with the extended configuration -*/}} -{{- define "postgresql.primary.createExtendedConfigmap" -}} -{{- if and .Values.primary.extendedConfiguration (not .Values.primary.existingExtendedConfigmap) -}} - {{- true -}} -{{- else -}} -{{- end -}} -{{- end -}} - -{{/* -Return true if a configmap object should be created for PostgreSQL read replica with the extended configuration -*/}} -{{- define "postgresql.readReplicas.createExtendedConfigmap" -}} -{{- if .Values.readReplicas.extendedConfiguration -}} - {{- true -}} -{{- else -}} -{{- end -}} -{{- end -}} - -{{/* - Create the name of the service account to use - */}} -{{- define "postgresql.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{/* -Return true if a configmap should be mounted with PostgreSQL configuration -*/}} -{{- define "postgresql.mountConfigurationCM" -}} -{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap -}} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Get the initialization scripts ConfigMap name. -*/}} -{{- define "postgresql.initdb.scriptsCM" -}} -{{- if .Values.primary.initdb.scriptsConfigMap -}} - {{- printf "%s" (tpl .Values.primary.initdb.scriptsConfigMap $) -}} -{{- else -}} - {{- printf "%s-init-scripts" (include "postgresql.primary.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{/* -Return true if TLS is enabled for LDAP connection -*/}} -{{- define "postgresql.ldap.tls.enabled" -}} -{{- if and (kindIs "string" .Values.ldap.tls) (not (empty .Values.ldap.tls)) -}} - {{- true -}} -{{- else if and (kindIs "map" .Values.ldap.tls) .Values.ldap.tls.enabled -}} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Get the readiness probe command -*/}} -{{- define "postgresql.readinessProbeCommand" -}} -{{- $customUser := include "postgresql.username" . -}} -- | -{{- if (include "postgresql.database" .) }} - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if .Values.tls.enabled }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} -{{- else }} - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if .Values.tls.enabled }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} -{{- end }} -{{- if contains "bitnami/" .Values.image.repository }} - [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ] -{{- end }} -{{- end -}} - -{{/* -Compile all warnings into a single message, and call fail. -*/}} -{{- define "postgresql.validateValues" -}} -{{- $messages := list -}} -{{- $messages := append $messages (include "postgresql.validateValues.ldapConfigurationMethod" .) -}} -{{- $messages := append $messages (include "postgresql.validateValues.psp" .) -}} -{{- $messages := without $messages "" -}} -{{- $message := join "\n" $messages -}} - -{{- if $message -}} -{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} -{{- end -}} -{{- end -}} - -{{/* -Validate values of Postgresql - If ldap.url is used then you don't need the other settings for ldap -*/}} -{{- define "postgresql.validateValues.ldapConfigurationMethod" -}} -{{- if and .Values.ldap.enabled (and (not (empty .Values.ldap.url)) (not (empty .Values.ldap.server))) -}} -postgresql: ldap.url, ldap.server - You cannot set both `ldap.url` and `ldap.server` at the same time. - Please provide a unique way to configure LDAP. - More info at https://www.postgresql.org/docs/current/auth-ldap.html -{{- end -}} -{{- end -}} - -{{/* -Validate values of Postgresql - If PSP is enabled RBAC should be enabled too -*/}} -{{- define "postgresql.validateValues.psp" -}} -{{- if and .Values.psp.create (not .Values.rbac.create) -}} -postgresql: psp.create, rbac.create - RBAC should be enabled if PSP is enabled in order for PSP to work. - More info at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies -{{- end -}} -{{- end -}} - -{{/* -Return the path to the cert file. -*/}} -{{- define "postgresql.tlsCert" -}} -{{- if .Values.tls.autoGenerated -}} - {{- printf "/opt/bitnami/postgresql/certs/tls.crt" -}} -{{- else -}} - {{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the path to the cert key file. -*/}} -{{- define "postgresql.tlsCertKey" -}} -{{- if .Values.tls.autoGenerated -}} - {{- printf "/opt/bitnami/postgresql/certs/tls.key" -}} -{{- else -}} -{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the path to the CA cert file. -*/}} -{{- define "postgresql.tlsCACert" -}} -{{- if .Values.tls.autoGenerated -}} - {{- printf "/opt/bitnami/postgresql/certs/ca.crt" -}} -{{- else -}} - {{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.certCAFilename -}} -{{- end -}} -{{- end -}} - -{{/* -Return the path to the CRL file. -*/}} -{{- define "postgresql.tlsCRL" -}} -{{- if .Values.tls.crlFilename -}} -{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.crlFilename -}} -{{- end -}} -{{- end -}} - -{{/* -Return true if a TLS credentials secret object should be created -*/}} -{{- define "postgresql.createTlsSecret" -}} -{{- if and .Values.tls.autoGenerated (not .Values.tls.certificatesSecret) -}} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Return the path to the CA cert file. -*/}} -{{- define "postgresql.tlsSecretName" -}} -{{- if .Values.tls.autoGenerated -}} - {{- printf "%s-crt" (include "common.names.fullname" .) -}} -{{- else -}} - {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }} -{{- end -}} -{{- end -}} diff --git a/charts/postgresql/templates/backup/cronjob.yaml b/charts/postgresql/templates/backup/cronjob.yaml deleted file mode 100644 index 2f43584f..00000000 --- a/charts/postgresql/templates/backup/cronjob.yaml +++ /dev/null @@ -1,126 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if .Values.backup.enabled }} -{{- $customUser := include "postgresql.username" . }} -apiVersion: batch/v1 -kind: CronJob -metadata: - name: {{ include "postgresql.primary.fullname" . }}-pgdumpall - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: pg_dumpall - {{- if .Values.backup.cronjob.labels }} - {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.labels "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations }} - annotations: - {{- if .Values.backup.cronjob.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.annotations "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -spec: - schedule: {{ quote .Values.backup.cronjob.schedule }} - concurrencyPolicy: {{ .Values.backup.cronjob.concurrencyPolicy }} - failedJobsHistoryLimit: {{ .Values.backup.cronjob.failedJobsHistoryLimit }} - successfulJobsHistoryLimit: {{ .Values.backup.cronjob.successfulJobsHistoryLimit }} - {{- if .Values.backup.cronjob.startingDeadlineSeconds }} - startingDeadlineSeconds: {{ .Values.backup.cronjob.startingDeadlineSeconds }} - {{- end }} - jobTemplate: - spec: - {{- if .Values.backup.cronjob.ttlSecondsAfterFinished }} - ttlSecondsAfterFinished: {{ .Values.backup.cronjob.ttlSecondsAfterFinished }} - {{- end }} - template: - metadata: - labels: {{- include "common.labels.standard" . | nindent 12 }} - app.kubernetes.io/component: pg_dumpall - {{- if .Values.backup.cronjob.labels }} - {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.labels "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 12 }} - {{- end }} - {{- if or .Values.annotations .Values.commonAnnotations }} - annotations: - {{- if .Values.backup.cronjob.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.annotations "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 12 }} - {{- end }} - {{- end }} - spec: - containers: - - name: {{ include "postgresql.primary.fullname" . }}-pgdumpall - image: {{ include "postgresql.image" . }} - env: - - name: PGUSER - {{- if .Values.auth.enablePostgresUser }} - value: postgres - {{- else }} - value: {{ $customUser | quote }} - {{- end }} - {{- if .Values.auth.usePasswordFiles }} - - name: PGPASSFILE - value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.adminPasswordKey" .) }} - {{- else }} - - name: PGPASSWORD - valueFrom: - secretKeyRef: - name: {{ include "postgresql.secretName" . }} - key: {{ include "postgresql.adminPasswordKey" . }} - {{- end }} - - name: PGHOST - value: {{ include "postgresql.primary.fullname" . }} - - name: PGPORT - value: {{ .Values.containerPorts.postgresql | quote }} - - name: PGDUMP_DIR - value: {{ .Values.backup.cronjob.storage.mountPath }} - {{- if .Values.tls.enabled }} - - name: PGSSLROOTCERT - {{- if .Values.tls.autoGenerated -}} - value: /tmp/certs/ca.crt - {{- else }} - value: {{- printf "/tmp/certs/%s" .Values.tls.certCAFilename -}} - {{- end }} - {{- end }} - command: - {{- range .Values.backup.cronjob.command }} - - {{ . }} - {{- end }} - volumeMounts: - {{- if .Values.tls.enabled }} - - name: certs - mountPath: /certs - {{- end }} - - name: datadir - mountPath: {{ .Values.backup.cronjob.storage.mountPath }} - subPath: {{ .Values.backup.cronjob.storage.subPath }} - securityContext: - {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.containerSecurityContext "context" $) | nindent 14 }} - restartPolicy: {{ .Values.backup.cronjob.restartPolicy }} - volumes: - {{- if .Values.tls.enabled }} - - name: raw-certificates - emptyDir: /tmp/certs - {{- end }} - {{- if .Values.backup.cronjob.storage.existingClaim }} - - name: datadir - persistentVolumeClaim: - claimName: {{ printf "%s" (tpl .Values.backup.cronjob.storage.existingClaim .) }} - {{- else }} - - name: datadir - persistentVolumeClaim: - claimName: {{ include "postgresql.primary.fullname" . }}-pgdumpall - {{- end }} -{{- end }} diff --git a/charts/postgresql/templates/backup/pvc.yaml b/charts/postgresql/templates/backup/pvc.yaml deleted file mode 100644 index 6cd6d64d..00000000 --- a/charts/postgresql/templates/backup/pvc.yaml +++ /dev/null @@ -1,41 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.backup.enabled (not .Values.backup.cronjob.storage.existingClaim) -}} -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: {{ include "postgresql.primary.fullname" . }}-pgdumpall - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: pg_dumpall - {{- if .Values.backup.cronjob.labels }} - {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.labels "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations .Values.backup.cronjob.storage.resourcePolicy}} - annotations: - {{- if .Values.backup.cronjob.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.annotations "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} - {{- if .Values.backup.cronjob.storage.resourcePolicy }} - helm.sh/resource-policy: {{ .Values.backup.cronjob.storage.resourcePolicy | quote }} - {{- end }} -spec: - accessModes: - {{- range .Values.backup.cronjob.storage.accessModes }} - - {{ . | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.backup.cronjob.storage.size | quote }} - {{ include "common.storage.class" (dict "persistence" .Values.backup.cronjob.storage "global" .Values.global) }} -{{- end }} diff --git a/charts/postgresql/templates/extra-list.yaml b/charts/postgresql/templates/extra-list.yaml deleted file mode 100644 index 2d35a580..00000000 --- a/charts/postgresql/templates/extra-list.yaml +++ /dev/null @@ -1,9 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- range .Values.extraDeploy }} ---- -{{ include "common.tplvalues.render" (dict "value" . "context" $) }} -{{- end }} diff --git a/charts/postgresql/templates/networkpolicy-egress.yaml b/charts/postgresql/templates/networkpolicy-egress.yaml deleted file mode 100644 index db453822..00000000 --- a/charts/postgresql/templates/networkpolicy-egress.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.egressRules.denyConnectionsToExternal .Values.networkPolicy.egressRules.customRules) }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-egress" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} - policyTypes: - - Egress - egress: - {{- if .Values.networkPolicy.egressRules.denyConnectionsToExternal }} - - ports: - - port: 53 - protocol: UDP - - port: 53 - protocol: TCP - - to: - - namespaceSelector: {} - {{- end }} - {{- if .Values.networkPolicy.egressRules.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.egressRules.customRules "context" $) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/postgresql/templates/primary/configmap.yaml b/charts/postgresql/templates/primary/configmap.yaml deleted file mode 100644 index 0873d00e..00000000 --- a/charts/postgresql/templates/primary/configmap.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if (include "postgresql.primary.createConfigmap" .) }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ printf "%s-configuration" (include "postgresql.primary.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: primary - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -data: - {{- if .Values.primary.configuration }} - postgresql.conf: |- - {{- include "common.tplvalues.render" ( dict "value" .Values.primary.configuration "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.primary.pgHbaConfiguration }} - pg_hba.conf: | - {{- include "common.tplvalues.render" ( dict "value" .Values.primary.pgHbaConfiguration "context" $ ) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/postgresql/templates/primary/extended-configmap.yaml b/charts/postgresql/templates/primary/extended-configmap.yaml deleted file mode 100644 index 522deefd..00000000 --- a/charts/postgresql/templates/primary/extended-configmap.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if (include "postgresql.primary.createExtendedConfigmap" .) }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ printf "%s-extended-configuration" (include "postgresql.primary.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: primary - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -data: - override.conf: |- - {{- include "common.tplvalues.render" ( dict "value" .Values.primary.extendedConfiguration "context" $ ) | nindent 4 }} -{{- end }} diff --git a/charts/postgresql/templates/primary/initialization-configmap.yaml b/charts/postgresql/templates/primary/initialization-configmap.yaml deleted file mode 100644 index ddd2fb41..00000000 --- a/charts/postgresql/templates/primary/initialization-configmap.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.primary.initdb.scripts (not .Values.primary.initdb.scriptsConfigMap) }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ printf "%s-init-scripts" (include "postgresql.primary.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -data: {{- include "common.tplvalues.render" (dict "value" .Values.primary.initdb.scripts "context" .) | nindent 2 }} -{{- end }} diff --git a/charts/postgresql/templates/primary/metrics-configmap.yaml b/charts/postgresql/templates/primary/metrics-configmap.yaml deleted file mode 100644 index d5122183..00000000 --- a/charts/postgresql/templates/primary/metrics-configmap.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ printf "%s-metrics" (include "postgresql.primary.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -data: - custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }} -{{- end }} diff --git a/charts/postgresql/templates/primary/metrics-svc.yaml b/charts/postgresql/templates/primary/metrics-svc.yaml deleted file mode 100644 index 1cbde4b8..00000000 --- a/charts/postgresql/templates/primary/metrics-svc.yaml +++ /dev/null @@ -1,38 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if .Values.metrics.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ printf "%s-metrics" (include "postgresql.primary.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: metrics - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if or .Values.commonAnnotations .Values.metrics.service.annotations }} - annotations: - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.metrics.service.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.service.annotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -spec: - type: ClusterIP - sessionAffinity: {{ .Values.metrics.service.sessionAffinity }} - {{- if .Values.metrics.service.clusterIP }} - clusterIP: {{ .Values.metrics.service.clusterIP }} - {{- end }} - ports: - - name: http-metrics - port: {{ .Values.metrics.service.ports.metrics }} - targetPort: http-metrics - selector: {{- include "common.labels.matchLabels" . | nindent 4 }} - app.kubernetes.io/component: primary -{{- end }} diff --git a/charts/postgresql/templates/primary/networkpolicy.yaml b/charts/postgresql/templates/primary/networkpolicy.yaml deleted file mode 100644 index e9ef5179..00000000 --- a/charts/postgresql/templates/primary/networkpolicy.yaml +++ /dev/null @@ -1,62 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled) }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-ingress" (include "postgresql.primary.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: primary - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} - app.kubernetes.io/component: primary - ingress: - {{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }} - - from: - {{- if .Values.networkPolicy.metrics.namespaceSelector }} - - namespaceSelector: - matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.metrics.podSelector }} - - podSelector: - matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }} - {{- end }} - ports: - - port: {{ .Values.metrics.containerPorts.metrics }} - {{- end }} - {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector) }} - - from: - {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector }} - - namespaceSelector: - matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector }} - - podSelector: - matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector "context" $) | nindent 14 }} - {{- end }} - ports: - - port: {{ .Values.containerPorts.postgresql }} - {{- end }} - {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (eq .Values.architecture "replication") }} - - from: - - podSelector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 14 }} - app.kubernetes.io/component: read - ports: - - port: {{ .Values.containerPorts.postgresql }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules "context" $) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/postgresql/templates/primary/servicemonitor.yaml b/charts/postgresql/templates/primary/servicemonitor.yaml deleted file mode 100644 index 872ae74b..00000000 --- a/charts/postgresql/templates/primary/servicemonitor.yaml +++ /dev/null @@ -1,53 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "postgresql.primary.fullname" . }} - namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: metrics - {{- if .Values.metrics.serviceMonitor.labels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.labels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- if .Values.metrics.serviceMonitor.jobLabel }} - jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }} - {{- end }} - selector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} - {{- if .Values.metrics.serviceMonitor.selector }} - {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }} - {{- end }} - app.kubernetes.io/component: metrics - endpoints: - - port: http-metrics - {{- if .Values.metrics.serviceMonitor.interval }} - interval: {{ .Values.metrics.serviceMonitor.interval }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} - scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.relabelings }} - relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.metricRelabelings }} - metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.honorLabels }} - honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} - {{- end }} - namespaceSelector: - matchNames: - - {{ .Release.Namespace | quote }} -{{- end }} diff --git a/charts/postgresql/templates/primary/statefulset.yaml b/charts/postgresql/templates/primary/statefulset.yaml deleted file mode 100644 index 596ea859..00000000 --- a/charts/postgresql/templates/primary/statefulset.yaml +++ /dev/null @@ -1,663 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- $customUser := include "postgresql.username" . }} -apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} -kind: StatefulSet -metadata: - name: {{ include "postgresql.primary.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: primary - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.primary.labels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.primary.labels "context" $ ) | nindent 4 }} - {{- end }} - {{- if or .Values.commonAnnotations .Values.primary.annotations }} - annotations: - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.primary.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.primary.annotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -spec: - replicas: 1 - serviceName: {{ include "postgresql.primary.svc.headless" . }} - {{- if .Values.primary.updateStrategy }} - updateStrategy: {{- toYaml .Values.primary.updateStrategy | nindent 4 }} - {{- end }} - selector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} - app.kubernetes.io/component: primary - template: - metadata: - name: {{ include "postgresql.primary.fullname" . }} - labels: {{- include "common.labels.standard" . | nindent 8 }} - app.kubernetes.io/component: primary - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }} - {{- end }} - {{- if .Values.primary.podLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.primary.podLabels "context" $ ) | nindent 8 }} - {{- end }} - {{- if or (include "postgresql.primary.createConfigmap" .) (include "postgresql.primary.createExtendedConfigmap" .) .Values.primary.podAnnotations }} - annotations: - {{- if (include "postgresql.primary.createConfigmap" .) }} - checksum/configuration: {{ pick (include (print $.Template.BasePath "/primary/configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }} - {{- end }} - {{- if (include "postgresql.primary.createExtendedConfigmap" .) }} - checksum/extended-configuration: {{ pick (include (print $.Template.BasePath "/primary/extended-configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }} - {{- end }} - {{- if .Values.primary.podAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.primary.podAnnotations "context" $ ) | nindent 8 }} - {{- end }} - {{- end }} - spec: - {{- if .Values.primary.extraPodSpec }} - {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraPodSpec "context" $) | nindent 6 }} - {{- end }} - serviceAccountName: {{ include "postgresql.serviceAccountName" . }} - {{- include "postgresql.imagePullSecrets" . | nindent 6 }} - {{- if .Values.primary.hostAliases }} - hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.primary.hostAliases "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.primary.affinity }} - affinity: {{- include "common.tplvalues.render" (dict "value" .Values.primary.affinity "context" $) | nindent 8 }} - {{- else }} - affinity: - podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAffinityPreset "component" "primary" "context" $) | nindent 10 }} - podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAntiAffinityPreset "component" "primary" "context" $) | nindent 10 }} - nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.primary.nodeAffinityPreset.type "key" .Values.primary.nodeAffinityPreset.key "values" .Values.primary.nodeAffinityPreset.values) | nindent 10 }} - {{- end }} - {{- if .Values.primary.nodeSelector }} - nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.nodeSelector "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.primary.tolerations }} - tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.tolerations "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.primary.topologySpreadConstraints }} - topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.primary.topologySpreadConstraints "context" .) | nindent 8 }} - {{- end }} - {{- if .Values.primary.priorityClassName }} - priorityClassName: {{ .Values.primary.priorityClassName }} - {{- end }} - {{- if .Values.primary.schedulerName }} - schedulerName: {{ .Values.primary.schedulerName | quote }} - {{- end }} - {{- if .Values.primary.terminationGracePeriodSeconds }} - terminationGracePeriodSeconds: {{ .Values.primary.terminationGracePeriodSeconds }} - {{- end }} - {{- if .Values.primary.podSecurityContext.enabled }} - securityContext: {{- omit .Values.primary.podSecurityContext "enabled" | toYaml | nindent 8 }} - {{- end }} - hostNetwork: {{ .Values.primary.hostNetwork }} - hostIPC: {{ .Values.primary.hostIPC }} - {{- if or (and .Values.tls.enabled (not .Values.volumePermissions.enabled)) (and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled)) .Values.primary.initContainers }} - initContainers: - {{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }} - - name: copy-certs - image: {{ include "postgresql.volumePermissions.image" . }} - imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - {{- if .Values.primary.resources }} - resources: {{- toYaml .Values.primary.resources | nindent 12 }} - {{- end }} - # We don't require a privileged container in this case - {{- if .Values.primary.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - command: - - /bin/sh - - -ec - - | - cp /tmp/certs/* /opt/bitnami/postgresql/certs/ - chmod 600 {{ include "postgresql.tlsCertKey" . }} - volumeMounts: - - name: raw-certificates - mountPath: /tmp/certs - - name: postgresql-certificates - mountPath: /opt/bitnami/postgresql/certs - {{- else if and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled) }} - - name: init-chmod-data - image: {{ include "postgresql.volumePermissions.image" . }} - imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - {{- if .Values.volumePermissions.resources }} - resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} - {{- end }} - command: - - /bin/sh - - -ec - - | - {{- if .Values.primary.persistence.enabled }} - {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} - chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.primary.persistence.mountPath }} - {{- else }} - chown {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} {{ .Values.primary.persistence.mountPath }} - {{- end }} - mkdir -p {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }} - chmod 700 {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }} - find {{ .Values.primary.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ - {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} - xargs -r chown -R `id -u`:`id -G | cut -d " " -f2` - {{- else }} - xargs -r chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} - {{- end }} - {{- end }} - {{- if .Values.shmVolume.enabled }} - chmod -R 777 /dev/shm - {{- end }} - {{- if .Values.tls.enabled }} - cp /tmp/certs/* /opt/bitnami/postgresql/certs/ - {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} - chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ - {{- else }} - chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/ - {{- end }} - chmod 600 {{ include "postgresql.tlsCertKey" . }} - {{- end }} - {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} - securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} - {{- else }} - securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} - {{- end }} - volumeMounts: - {{- if .Values.primary.persistence.enabled }} - - name: data - mountPath: {{ .Values.primary.persistence.mountPath }} - {{- if .Values.primary.persistence.subPath }} - subPath: {{ .Values.primary.persistence.subPath }} - {{- end }} - {{- end }} - {{- if .Values.shmVolume.enabled }} - - name: dshm - mountPath: /dev/shm - {{- end }} - {{- if .Values.tls.enabled }} - - name: raw-certificates - mountPath: /tmp/certs - - name: postgresql-certificates - mountPath: /opt/bitnami/postgresql/certs - {{- end }} - {{- end }} - {{- if .Values.primary.initContainers }} - {{- include "common.tplvalues.render" ( dict "value" .Values.primary.initContainers "context" $ ) | nindent 8 }} - {{- end }} - {{- end }} - containers: - - name: postgresql - image: {{ include "postgresql.image" . }} - imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - {{- if .Values.primary.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} - {{- else if .Values.primary.command }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.primary.command "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} - {{- else if .Values.primary.args }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.primary.args "context" $) | nindent 12 }} - {{- end }} - env: - - name: BITNAMI_DEBUG - value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} - - name: POSTGRESQL_PORT_NUMBER - value: {{ .Values.containerPorts.postgresql | quote }} - - name: POSTGRESQL_VOLUME_DIR - value: {{ .Values.primary.persistence.mountPath | quote }} - {{- if .Values.primary.persistence.mountPath }} - - name: PGDATA - value: {{ .Values.postgresqlDataDir | quote }} - {{- end }} - # Authentication - {{- if or (eq $customUser "postgres") (empty $customUser) }} - {{- if .Values.auth.enablePostgresUser }} - {{- if .Values.auth.usePasswordFiles }} - - name: POSTGRES_PASSWORD_FILE - value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.adminPasswordKey" .) }} - {{- else }} - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "postgresql.secretName" . }} - key: {{ include "postgresql.adminPasswordKey" . }} - {{- end }} - {{- else }} - - name: ALLOW_EMPTY_PASSWORD - value: "true" - {{- end }} - {{- else }} - - name: POSTGRES_USER - value: {{ $customUser | quote }} - {{- if .Values.auth.usePasswordFiles }} - - name: POSTGRES_PASSWORD_FILE - value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.userPasswordKey" .) }} - {{- else }} - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "postgresql.secretName" . }} - key: {{ include "postgresql.userPasswordKey" . }} - {{- end }} - {{- if .Values.auth.enablePostgresUser }} - {{- if .Values.auth.usePasswordFiles }} - - name: POSTGRES_POSTGRES_PASSWORD_FILE - value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.adminPasswordKey" .) }} - {{- else }} - - name: POSTGRES_POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "postgresql.secretName" . }} - key: {{ include "postgresql.adminPasswordKey" . }} - {{- end }} - {{- end }} - {{- end }} - {{- if (include "postgresql.database" .) }} - - name: POSTGRES_DATABASE - value: {{ (include "postgresql.database" .) | quote }} - {{- end }} - # Replication - {{- if or (eq .Values.architecture "replication") .Values.primary.standby.enabled }} - - name: POSTGRES_REPLICATION_MODE - value: {{ ternary "slave" "master" .Values.primary.standby.enabled | quote }} - - name: POSTGRES_REPLICATION_USER - value: {{ .Values.auth.replicationUsername | quote }} - {{- if .Values.auth.usePasswordFiles }} - - name: POSTGRES_REPLICATION_PASSWORD_FILE - value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.replicationPasswordKey" .) }} - {{- else }} - - name: POSTGRES_REPLICATION_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "postgresql.secretName" . }} - key: {{ include "postgresql.replicationPasswordKey" . }} - {{- end }} - {{- if ne .Values.replication.synchronousCommit "off" }} - - name: POSTGRES_SYNCHRONOUS_COMMIT_MODE - value: {{ .Values.replication.synchronousCommit | quote }} - - name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS - value: {{ .Values.replication.numSynchronousReplicas | quote }} - {{- end }} - - name: POSTGRES_CLUSTER_APP_NAME - value: {{ .Values.replication.applicationName }} - {{- end }} - # Initdb - {{- if .Values.primary.initdb.args }} - - name: POSTGRES_INITDB_ARGS - value: {{ .Values.primary.initdb.args | quote }} - {{- end }} - {{- if .Values.primary.initdb.postgresqlWalDir }} - - name: POSTGRES_INITDB_WALDIR - value: {{ .Values.primary.initdb.postgresqlWalDir | quote }} - {{- end }} - {{- if .Values.primary.initdb.user }} - - name: POSTGRES_INITSCRIPTS_USERNAME - value: {{ .Values.primary.initdb.user }} - {{- end }} - {{- if .Values.primary.initdb.password }} - - name: POSTGRES_INITSCRIPTS_PASSWORD - value: {{ .Values.primary.initdb.password | quote }} - {{- end }} - # Standby - {{- if .Values.primary.standby.enabled }} - - name: POSTGRES_MASTER_HOST - value: {{ .Values.primary.standby.primaryHost }} - - name: POSTGRES_MASTER_PORT_NUMBER - value: {{ .Values.primary.standby.primaryPort | quote }} - {{- end }} - # LDAP - - name: POSTGRESQL_ENABLE_LDAP - value: {{ ternary "yes" "no" .Values.ldap.enabled | quote }} - {{- if .Values.ldap.enabled }} - {{- if or .Values.ldap.url .Values.ldap.uri }} - - name: POSTGRESQL_LDAP_URL - value: {{ coalesce .Values.ldap.url .Values.ldap.uri }} - {{- else }} - - name: POSTGRESQL_LDAP_SERVER - value: {{ .Values.ldap.server }} - - name: POSTGRESQL_LDAP_PORT - value: {{ .Values.ldap.port | quote }} - - name: POSTGRESQL_LDAP_SCHEME - value: {{ .Values.ldap.scheme }} - {{- if (include "postgresql.ldap.tls.enabled" .) }} - - name: POSTGRESQL_LDAP_TLS - value: "1" - {{- end }} - - name: POSTGRESQL_LDAP_PREFIX - value: {{ .Values.ldap.prefix | quote }} - - name: POSTGRESQL_LDAP_SUFFIX - value: {{ .Values.ldap.suffix | quote }} - - name: POSTGRESQL_LDAP_BASE_DN - value: {{ coalesce .Values.ldap.baseDN .Values.ldap.basedn }} - - name: POSTGRESQL_LDAP_BIND_DN - value: {{ coalesce .Values.ldap.bindDN .Values.ldap.binddn}} - {{- if or (not (empty .Values.ldap.bind_password)) (not (empty .Values.ldap.bindpw)) }} - - name: POSTGRESQL_LDAP_BIND_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "postgresql.secretName" . }} - key: ldap-password - {{- end }} - - name: POSTGRESQL_LDAP_SEARCH_ATTR - value: {{ coalesce .Values.ldap.search_attr .Values.ldap.searchAttribute }} - - name: POSTGRESQL_LDAP_SEARCH_FILTER - value: {{ coalesce .Values.ldap.search_filter .Values.ldap.searchFilter }} - {{- end }} - {{- end }} - # TLS - - name: POSTGRESQL_ENABLE_TLS - value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} - {{- if .Values.tls.enabled }} - - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS - value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} - - name: POSTGRESQL_TLS_CERT_FILE - value: {{ include "postgresql.tlsCert" . }} - - name: POSTGRESQL_TLS_KEY_FILE - value: {{ include "postgresql.tlsCertKey" . }} - {{- if .Values.tls.certCAFilename }} - - name: POSTGRESQL_TLS_CA_FILE - value: {{ include "postgresql.tlsCACert" . }} - {{- end }} - {{- if .Values.tls.crlFilename }} - - name: POSTGRESQL_TLS_CRL_FILE - value: {{ include "postgresql.tlsCRL" . }} - {{- end }} - {{- end }} - # Audit - - name: POSTGRESQL_LOG_HOSTNAME - value: {{ .Values.audit.logHostname | quote }} - - name: POSTGRESQL_LOG_CONNECTIONS - value: {{ .Values.audit.logConnections | quote }} - - name: POSTGRESQL_LOG_DISCONNECTIONS - value: {{ .Values.audit.logDisconnections | quote }} - {{- if .Values.audit.logLinePrefix }} - - name: POSTGRESQL_LOG_LINE_PREFIX - value: {{ .Values.audit.logLinePrefix | quote }} - {{- end }} - {{- if .Values.audit.logTimezone }} - - name: POSTGRESQL_LOG_TIMEZONE - value: {{ .Values.audit.logTimezone | quote }} - {{- end }} - {{- if .Values.audit.pgAuditLog }} - - name: POSTGRESQL_PGAUDIT_LOG - value: {{ .Values.audit.pgAuditLog | quote }} - {{- end }} - - name: POSTGRESQL_PGAUDIT_LOG_CATALOG - value: {{ .Values.audit.pgAuditLogCatalog | quote }} - # Others - - name: POSTGRESQL_CLIENT_MIN_MESSAGES - value: {{ .Values.audit.clientMinMessages | quote }} - - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES - value: {{ .Values.postgresqlSharedPreloadLibraries | quote }} - {{- if .Values.primary.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraEnvVars "context" $) | nindent 12 }} - {{- end }} - {{- if or .Values.primary.extraEnvVarsCM .Values.primary.extraEnvVarsSecret }} - envFrom: - {{- if .Values.primary.extraEnvVarsCM }} - - configMapRef: - name: {{ .Values.primary.extraEnvVarsCM }} - {{- end }} - {{- if .Values.primary.extraEnvVarsSecret }} - - secretRef: - name: {{ .Values.primary.extraEnvVarsSecret }} - {{- end }} - {{- end }} - ports: - - name: tcp-postgresql - containerPort: {{ .Values.containerPorts.postgresql }} - {{- if not .Values.diagnosticMode.enabled }} - {{- if .Values.primary.customStartupProbe }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customStartupProbe "context" $) | nindent 12 }} - {{- else if .Values.primary.startupProbe.enabled }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.startupProbe "enabled") "context" $) | nindent 12 }} - exec: - command: - - /bin/sh - - -c - {{- if (include "postgresql.database" .) }} - - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} - {{- else }} - - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} - {{- end }} - {{- end }} - {{- if .Values.primary.customLivenessProbe }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customLivenessProbe "context" $) | nindent 12 }} - {{- else if .Values.primary.livenessProbe.enabled }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.livenessProbe "enabled") "context" $) | nindent 12 }} - exec: - command: - - /bin/sh - - -c - {{- if (include "postgresql.database" .) }} - - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} - {{- else }} - - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} - {{- end }} - {{- end }} - {{- if .Values.primary.customReadinessProbe }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customReadinessProbe "context" $) | nindent 12 }} - {{- else if .Values.primary.readinessProbe.enabled }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.readinessProbe "enabled") "context" $) | nindent 12 }} - exec: - command: - - /bin/sh - - -c - - -e - {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} - {{- end }} - {{- end }} - {{- if .Values.primary.resources }} - resources: {{- toYaml .Values.primary.resources | nindent 12 }} - {{- end }} - {{- if .Values.primary.lifecycleHooks }} - lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.primary.lifecycleHooks "context" $) | nindent 12 }} - {{- end }} - volumeMounts: - {{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }} - - name: custom-init-scripts - mountPath: /docker-entrypoint-initdb.d/ - {{- end }} - {{- if .Values.primary.initdb.scriptsSecret }} - - name: custom-init-scripts-secret - mountPath: /docker-entrypoint-initdb.d/secret - {{- end }} - {{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }} - - name: postgresql-extended-config - mountPath: {{ .Values.primary.persistence.mountPath }}/conf/conf.d/ - {{- end }} - {{- if .Values.auth.usePasswordFiles }} - - name: postgresql-password - mountPath: /opt/bitnami/postgresql/secrets/ - {{- end }} - {{- if .Values.tls.enabled }} - - name: postgresql-certificates - mountPath: /opt/bitnami/postgresql/certs - readOnly: true - {{- end }} - {{- if .Values.shmVolume.enabled }} - - name: dshm - mountPath: /dev/shm - {{- end }} - {{- if .Values.primary.persistence.enabled }} - - name: data - mountPath: {{ .Values.primary.persistence.mountPath }} - {{- if .Values.primary.persistence.subPath }} - subPath: {{ .Values.primary.persistence.subPath }} - {{- end }} - {{- end }} - {{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }} - - name: postgresql-config - mountPath: {{ .Values.primary.persistence.mountPath }}/conf - {{- end }} - {{- if .Values.primary.extraVolumeMounts }} - {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumeMounts "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.metrics.enabled }} - - name: metrics - image: {{ include "postgresql.metrics.image" . }} - imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} - {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} - {{- else if .Values.metrics.customMetrics }} - args: ["--extend.query-path", "/conf/custom-metrics.yaml"] - {{- end }} - env: - {{- $database := required "In order to enable metrics you need to specify a database (.Values.auth.database or .Values.global.postgresql.auth.database)" (include "postgresql.database" .) }} - - name: DATA_SOURCE_URI - value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.service.port" .)) $database }} - {{- if .Values.auth.usePasswordFiles }} - - name: DATA_SOURCE_PASS_FILE - value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.userPasswordKey" .) }} - {{- else }} - - name: DATA_SOURCE_PASS - valueFrom: - secretKeyRef: - name: {{ include "postgresql.secretName" . }} - key: {{ include "postgresql.userPasswordKey" . }} - {{- end }} - - name: DATA_SOURCE_USER - value: {{ default "postgres" $customUser | quote }} - {{- if .Values.metrics.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }} - {{- end }} - ports: - - name: http-metrics - containerPort: {{ .Values.metrics.containerPorts.metrics }} - {{- if not .Values.diagnosticMode.enabled }} - {{- if .Values.metrics.customStartupProbe }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} - {{- else if .Values.metrics.startupProbe.enabled }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} - tcpSocket: - port: http-metrics - {{- end }} - {{- if .Values.metrics.customLivenessProbe }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} - {{- else if .Values.metrics.livenessProbe.enabled }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} - httpGet: - path: / - port: http-metrics - {{- end }} - {{- if .Values.metrics.customReadinessProbe }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} - {{- else if .Values.metrics.readinessProbe.enabled }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} - httpGet: - path: / - port: http-metrics - {{- end }} - {{- end }} - volumeMounts: - {{- if .Values.auth.usePasswordFiles }} - - name: postgresql-password - mountPath: /opt/bitnami/postgresql/secrets/ - {{- end }} - {{- if .Values.metrics.customMetrics }} - - name: custom-metrics - mountPath: /conf - readOnly: true - {{- end }} - {{- if .Values.metrics.resources }} - resources: {{- toYaml .Values.metrics.resources | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.primary.sidecars }} - {{- include "common.tplvalues.render" ( dict "value" .Values.primary.sidecars "context" $ ) | nindent 8 }} - {{- end }} - volumes: - {{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }} - - name: postgresql-config - configMap: - name: {{ include "postgresql.primary.configmapName" . }} - {{- end }} - {{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }} - - name: postgresql-extended-config - configMap: - name: {{ include "postgresql.primary.extendedConfigmapName" . }} - {{- end }} - {{- if .Values.auth.usePasswordFiles }} - - name: postgresql-password - secret: - secretName: {{ include "postgresql.secretName" . }} - {{- end }} - {{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }} - - name: custom-init-scripts - configMap: - name: {{ include "postgresql.initdb.scriptsCM" . }} - {{- end }} - {{- if .Values.primary.initdb.scriptsSecret }} - - name: custom-init-scripts-secret - secret: - secretName: {{ tpl .Values.primary.initdb.scriptsSecret $ }} - {{- end }} - {{- if .Values.tls.enabled }} - - name: raw-certificates - secret: - secretName: {{ include "postgresql.tlsSecretName" . }} - - name: postgresql-certificates - emptyDir: {} - {{- end }} - {{- if .Values.primary.extraVolumes }} - {{- include "common.tplvalues.render" ( dict "value" .Values.primary.extraVolumes "context" $ ) | nindent 8 }} - {{- end }} - {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} - - name: custom-metrics - configMap: - name: {{ printf "%s-metrics" (include "postgresql.primary.fullname" .) }} - {{- end }} - {{- if .Values.shmVolume.enabled }} - - name: dshm - emptyDir: - medium: Memory - {{- if .Values.shmVolume.sizeLimit }} - sizeLimit: {{ .Values.shmVolume.sizeLimit }} - {{- end }} - {{- end }} - {{- if and .Values.primary.persistence.enabled .Values.primary.persistence.existingClaim }} - - name: data - persistentVolumeClaim: - claimName: {{ tpl .Values.primary.persistence.existingClaim $ }} - {{- else if not .Values.primary.persistence.enabled }} - - name: data - emptyDir: {} - {{- else }} - volumeClaimTemplates: - - apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - name: data - {{- if .Values.primary.persistence.annotations }} - annotations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.annotations "context" $) | nindent 10 }} - {{- end }} - {{- if .Values.primary.persistence.labels }} - labels: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.labels "context" $) | nindent 10 }} - {{- end }} - spec: - accessModes: - {{- range .Values.primary.persistence.accessModes }} - - {{ . | quote }} - {{- end }} - {{- if .Values.primary.persistence.dataSource }} - dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.dataSource "context" $) | nindent 10 }} - {{- end }} - resources: - requests: - storage: {{ .Values.primary.persistence.size | quote }} - {{- if .Values.primary.persistence.selector }} - selector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.selector "context" $) | nindent 10 }} - {{- end }} - {{- include "common.storage.class" (dict "persistence" .Values.primary.persistence "global" .Values.global) | nindent 8 }} - {{- end }} diff --git a/charts/postgresql/templates/primary/svc-headless.yaml b/charts/postgresql/templates/primary/svc-headless.yaml deleted file mode 100644 index c387809b..00000000 --- a/charts/postgresql/templates/primary/svc-headless.yaml +++ /dev/null @@ -1,42 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "postgresql.primary.svc.headless" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - app.kubernetes.io/component: primary - {{- if or .Values.primary.service.headless.annotations .Values.commonAnnotations }} - annotations: - {{- if .Values.primary.service.headless.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.primary.service.headless.annotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} - # Use this annotation in addition to the actual publishNotReadyAddresses - # field below because the annotation will stop being respected soon but the - # field is broken in some versions of Kubernetes: - # https://github.com/kubernetes/kubernetes/issues/58662 - service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" -spec: - type: ClusterIP - clusterIP: None - # We want all pods in the StatefulSet to have their addresses published for - # the sake of the other Postgresql pods even before they're ready, since they - # have to be able to talk to each other in order to become ready. - publishNotReadyAddresses: true - ports: - - name: tcp-postgresql - port: {{ template "postgresql.service.port" . }} - targetPort: tcp-postgresql - selector: {{- include "common.labels.matchLabels" . | nindent 4 }} - app.kubernetes.io/component: primary diff --git a/charts/postgresql/templates/primary/svc.yaml b/charts/postgresql/templates/primary/svc.yaml deleted file mode 100644 index 6d42aa85..00000000 --- a/charts/postgresql/templates/primary/svc.yaml +++ /dev/null @@ -1,58 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "postgresql.primary.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - app.kubernetes.io/component: primary - {{- if or .Values.commonAnnotations .Values.primary.service.annotations }} - annotations: - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.primary.service.annotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.annotations "context" $) | nindent 4 }} - {{- end }} - {{- end }} -spec: - type: {{ .Values.primary.service.type }} - {{- if or (eq .Values.primary.service.type "LoadBalancer") (eq .Values.primary.service.type "NodePort") }} - externalTrafficPolicy: {{ .Values.primary.service.externalTrafficPolicy | quote }} - {{- end }} - {{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerSourceRanges)) }} - loadBalancerSourceRanges: {{ .Values.primary.service.loadBalancerSourceRanges | toJson}} - {{- end }} - {{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerIP)) }} - loadBalancerIP: {{ .Values.primary.service.loadBalancerIP }} - {{- end }} - {{- if and .Values.primary.service.clusterIP (eq .Values.primary.service.type "ClusterIP") }} - clusterIP: {{ .Values.primary.service.clusterIP }} - {{- end }} - {{- if .Values.primary.service.sessionAffinity }} - sessionAffinity: {{ .Values.primary.service.sessionAffinity }} - {{- end }} - {{- if .Values.primary.service.sessionAffinityConfig }} - sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.sessionAffinityConfig "context" $) | nindent 4 }} - {{- end }} - ports: - - name: tcp-postgresql - port: {{ template "postgresql.service.port" . }} - targetPort: tcp-postgresql - {{- if and (or (eq .Values.primary.service.type "NodePort") (eq .Values.primary.service.type "LoadBalancer")) (not (empty .Values.primary.service.nodePorts.postgresql)) }} - nodePort: {{ .Values.primary.service.nodePorts.postgresql }} - {{- else if eq .Values.primary.service.type "ClusterIP" }} - nodePort: null - {{- end }} - {{- if .Values.primary.service.extraPorts }} - {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.extraPorts "context" $) | nindent 4 }} - {{- end }} - selector: {{- include "common.labels.matchLabels" . | nindent 4 }} - app.kubernetes.io/component: primary diff --git a/charts/postgresql/templates/prometheusrule.yaml b/charts/postgresql/templates/prometheusrule.yaml deleted file mode 100644 index 0fcba252..00000000 --- a/charts/postgresql/templates/prometheusrule.yaml +++ /dev/null @@ -1,27 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: {{ include "common.names.fullname" . }} - namespace: {{ default .Release.Namespace .Values.metrics.prometheusRule.namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: metrics - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.metrics.prometheusRule.labels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.labels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - groups: - - name: {{ include "common.names.fullname" . }} - rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 8 }} -{{- end }} diff --git a/charts/postgresql/templates/psp.yaml b/charts/postgresql/templates/psp.yaml deleted file mode 100644 index 0a39350c..00000000 --- a/charts/postgresql/templates/psp.yaml +++ /dev/null @@ -1,46 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}} -{{- if and $pspAvailable .Values.psp.create }} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - privileged: false - volumes: - - 'configMap' - - 'secret' - - 'persistentVolumeClaim' - - 'emptyDir' - - 'projected' - hostNetwork: false - hostIPC: false - hostPID: false - runAsUser: - rule: 'RunAsAny' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - fsGroup: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - readOnlyRootFilesystem: false -{{- end }} diff --git a/charts/postgresql/templates/read/extended-configmap.yaml b/charts/postgresql/templates/read/extended-configmap.yaml deleted file mode 100644 index 1f07471a..00000000 --- a/charts/postgresql/templates/read/extended-configmap.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if (include "postgresql.readReplicas.createExtendedConfigmap" .) }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ printf "%s-extended-configuration" (include "postgresql.readReplica.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: read - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -data: - override.conf: |- - {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extendedConfiguration "context" $ ) | nindent 4 }} -{{- end }} diff --git a/charts/postgresql/templates/read/metrics-configmap.yaml b/charts/postgresql/templates/read/metrics-configmap.yaml deleted file mode 100644 index b2058a5c..00000000 --- a/charts/postgresql/templates/read/metrics-configmap.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.metrics.enabled .Values.metrics.customMetrics (eq .Values.architecture "replication") }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ printf "%s-metrics" (include "postgresql.readReplica.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -data: - custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }} -{{- end }} diff --git a/charts/postgresql/templates/read/metrics-svc.yaml b/charts/postgresql/templates/read/metrics-svc.yaml deleted file mode 100644 index 8aa0a918..00000000 --- a/charts/postgresql/templates/read/metrics-svc.yaml +++ /dev/null @@ -1,38 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.metrics.enabled (eq .Values.architecture "replication") }} -apiVersion: v1 -kind: Service -metadata: - name: {{ printf "%s-metrics" (include "postgresql.readReplica.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: metrics-read - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if or .Values.commonAnnotations .Values.metrics.service.annotations }} - annotations: - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.metrics.service.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.service.annotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -spec: - type: ClusterIP - sessionAffinity: {{ .Values.metrics.service.sessionAffinity }} - {{- if .Values.metrics.service.clusterIP }} - clusterIP: {{ .Values.metrics.service.clusterIP }} - {{- end }} - ports: - - name: http-metrics - port: {{ .Values.metrics.service.ports.metrics }} - targetPort: http-metrics - selector: {{- include "common.labels.matchLabels" . | nindent 4 }} - app.kubernetes.io/component: read -{{- end }} diff --git a/charts/postgresql/templates/read/networkpolicy.yaml b/charts/postgresql/templates/read/networkpolicy.yaml deleted file mode 100644 index 90321ee0..00000000 --- a/charts/postgresql/templates/read/networkpolicy.yaml +++ /dev/null @@ -1,41 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.networkPolicy.enabled (eq .Values.architecture "replication") .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-ingress" (include "postgresql.readReplica.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: read - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} - app.kubernetes.io/component: read - ingress: - {{- if and .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector) }} - - from: - {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector }} - - namespaceSelector: - matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector }} - - podSelector: - matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector "context" $) | nindent 14 }} - {{- end }} - ports: - - port: {{ .Values.containerPorts.postgresql }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules "context" $) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/postgresql/templates/read/servicemonitor.yaml b/charts/postgresql/templates/read/servicemonitor.yaml deleted file mode 100644 index 93dbd25b..00000000 --- a/charts/postgresql/templates/read/servicemonitor.yaml +++ /dev/null @@ -1,53 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled (eq .Values.architecture "replication") }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "postgresql.readReplica.fullname" . }} - namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: metrics-read - {{- if .Values.metrics.serviceMonitor.labels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.labels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- if .Values.metrics.serviceMonitor.jobLabel }} - jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }} - {{- end }} - selector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} - {{- if .Values.metrics.serviceMonitor.selector }} - {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }} - {{- end }} - app.kubernetes.io/component: metrics-read - endpoints: - - port: http-metrics - {{- if .Values.metrics.serviceMonitor.interval }} - interval: {{ .Values.metrics.serviceMonitor.interval }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} - scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.relabelings }} - relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.metricRelabelings }} - metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.honorLabels }} - honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} - {{- end }} - namespaceSelector: - matchNames: - - {{ .Release.Namespace | quote }} -{{- end }} diff --git a/charts/postgresql/templates/read/statefulset.yaml b/charts/postgresql/templates/read/statefulset.yaml deleted file mode 100644 index 0f53fa52..00000000 --- a/charts/postgresql/templates/read/statefulset.yaml +++ /dev/null @@ -1,562 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if eq .Values.architecture "replication" }} -{{- $customUser := include "postgresql.username" . }} -apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} -kind: StatefulSet -metadata: - name: {{ include "postgresql.readReplica.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: read - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.readReplicas.labels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.labels "context" $ ) | nindent 4 }} - {{- end }} - {{- if or .Values.commonAnnotations .Values.readReplicas.annotations }} - annotations: - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.readReplicas.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.annotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -spec: - replicas: {{ .Values.readReplicas.replicaCount }} - serviceName: {{ include "postgresql.readReplica.svc.headless" . }} - {{- if .Values.readReplicas.updateStrategy }} - updateStrategy: {{- toYaml .Values.readReplicas.updateStrategy | nindent 4 }} - {{- end }} - selector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} - app.kubernetes.io/component: read - template: - metadata: - name: {{ include "postgresql.readReplica.fullname" . }} - labels: {{- include "common.labels.standard" . | nindent 8 }} - app.kubernetes.io/component: read - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }} - {{- end }} - {{- if .Values.readReplicas.podLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.podLabels "context" $ ) | nindent 8 }} - {{- end }} - {{- if or (include "postgresql.readReplicas.createExtendedConfigmap" .) .Values.readReplicas.podAnnotations }} - annotations: - {{- if (include "postgresql.readReplicas.createExtendedConfigmap" .) }} - checksum/extended-configuration: {{ pick (include (print $.Template.BasePath "/primary/extended-configmap.yaml") . | fromYaml) "data" | toYaml | sha256sum }} - {{- end }} - {{- if .Values.readReplicas.podAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.podAnnotations "context" $ ) | nindent 8 }} - {{- end }} - {{- end }} - spec: - {{- if .Values.readReplicas.extraPodSpec }} - {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraPodSpec "context" $) | nindent 6 }} - {{- end }} - serviceAccountName: {{ include "postgresql.serviceAccountName" . }} - {{- include "postgresql.imagePullSecrets" . | nindent 6 }} - {{- if .Values.readReplicas.hostAliases }} - hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.hostAliases "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.readReplicas.affinity }} - affinity: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.affinity "context" $) | nindent 8 }} - {{- else }} - affinity: - podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAffinityPreset "component" "read" "context" $) | nindent 10 }} - podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAntiAffinityPreset "component" "read" "context" $) | nindent 10 }} - nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.readReplicas.nodeAffinityPreset.type "key" .Values.readReplicas.nodeAffinityPreset.key "values" .Values.readReplicas.nodeAffinityPreset.values) | nindent 10 }} - {{- end }} - {{- if .Values.readReplicas.nodeSelector }} - nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.nodeSelector "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.readReplicas.tolerations }} - tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.tolerations "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.readReplicas.topologySpreadConstraints }} - topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.topologySpreadConstraints "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.readReplicas.priorityClassName }} - priorityClassName: {{ .Values.readReplicas.priorityClassName }} - {{- end }} - {{- if .Values.readReplicas.schedulerName }} - schedulerName: {{ .Values.readReplicas.schedulerName | quote }} - {{- end }} - {{- if .Values.readReplicas.terminationGracePeriodSeconds }} - terminationGracePeriodSeconds: {{ .Values.readReplicas.terminationGracePeriodSeconds }} - {{- end }} - {{- if .Values.readReplicas.podSecurityContext.enabled }} - securityContext: {{- omit .Values.readReplicas.podSecurityContext "enabled" | toYaml | nindent 8 }} - {{- end }} - hostNetwork: {{ .Values.readReplicas.hostNetwork }} - hostIPC: {{ .Values.readReplicas.hostIPC }} - {{- if or (and .Values.tls.enabled (not .Values.volumePermissions.enabled)) (and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled)) .Values.readReplicas.initContainers }} - initContainers: - {{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }} - - name: copy-certs - image: {{ include "postgresql.volumePermissions.image" . }} - imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - {{- if .Values.readReplicas.resources }} - resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} - {{- end }} - # We don't require a privileged container in this case - {{- if .Values.readReplicas.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - command: - - /bin/sh - - -ec - - | - cp /tmp/certs/* /opt/bitnami/postgresql/certs/ - chmod 600 {{ include "postgresql.tlsCertKey" . }} - volumeMounts: - - name: raw-certificates - mountPath: /tmp/certs - - name: postgresql-certificates - mountPath: /opt/bitnami/postgresql/certs - {{- else if and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled) }} - - name: init-chmod-data - image: {{ include "postgresql.volumePermissions.image" . }} - imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - {{- if .Values.readReplicas.resources }} - resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} - {{- end }} - command: - - /bin/sh - - -ec - - | - {{- if .Values.readReplicas.persistence.enabled }} - {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} - chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.readReplicas.persistence.mountPath }} - {{- else }} - chown {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} {{ .Values.readReplicas.persistence.mountPath }} - {{- end }} - mkdir -p {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }} - chmod 700 {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }} - find {{ .Values.readReplicas.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ - {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} - xargs -r chown -R `id -u`:`id -G | cut -d " " -f2` - {{- else }} - xargs -r chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} - {{- end }} - {{- end }} - {{- if .Values.shmVolume.enabled }} - chmod -R 777 /dev/shm - {{- end }} - {{- if .Values.tls.enabled }} - cp /tmp/certs/* /opt/bitnami/postgresql/certs/ - {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} - chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ - {{- else }} - chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/ - {{- end }} - chmod 600 {{ include "postgresql.tlsCertKey" . }} - {{- end }} - {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} - securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} - {{- else }} - securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} - {{- end }} - volumeMounts: - {{ if .Values.readReplicas.persistence.enabled }} - - name: data - mountPath: {{ .Values.readReplicas.persistence.mountPath }} - {{- if .Values.readReplicas.persistence.subPath }} - subPath: {{ .Values.readReplicas.persistence.subPath }} - {{- end }} - {{- end }} - {{- if .Values.shmVolume.enabled }} - - name: dshm - mountPath: /dev/shm - {{- end }} - {{- if .Values.tls.enabled }} - - name: raw-certificates - mountPath: /tmp/certs - - name: postgresql-certificates - mountPath: /opt/bitnami/postgresql/certs - {{- end }} - {{- end }} - {{- if .Values.readReplicas.initContainers }} - {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.initContainers "context" $ ) | nindent 8 }} - {{- end }} - {{- end }} - containers: - - name: postgresql - image: {{ include "postgresql.image" . }} - imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - {{- if .Values.readReplicas.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} - {{- else if .Values.readReplicas.command }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.command "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} - {{- else if .Values.readReplicas.args }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.args "context" $) | nindent 12 }} - {{- end }} - env: - - name: BITNAMI_DEBUG - value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} - - name: POSTGRESQL_PORT_NUMBER - value: {{ .Values.containerPorts.postgresql | quote }} - - name: POSTGRESQL_VOLUME_DIR - value: {{ .Values.readReplicas.persistence.mountPath | quote }} - {{- if .Values.readReplicas.persistence.mountPath }} - - name: PGDATA - value: {{ .Values.postgresqlDataDir | quote }} - {{- end }} - # Authentication - {{- if or (eq $customUser "postgres") (empty $customUser) }} - {{- if .Values.auth.enablePostgresUser }} - {{- if .Values.auth.usePasswordFiles }} - - name: POSTGRES_PASSWORD_FILE - value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.adminPasswordKey" .) }} - {{- else }} - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "postgresql.secretName" . }} - key: {{ include "postgresql.adminPasswordKey" . }} - {{- end }} - {{- else }} - - name: ALLOW_EMPTY_PASSWORD - value: "true" - {{- end }} - {{- else }} - - name: POSTGRES_USER - value: {{ $customUser | quote }} - {{- if .Values.auth.usePasswordFiles }} - - name: POSTGRES_PASSWORD_FILE - value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.userPasswordKey" .) }} - {{- else }} - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "postgresql.secretName" . }} - key: {{ include "postgresql.userPasswordKey" . }} - {{- end }} - {{- if .Values.auth.enablePostgresUser }} - {{- if .Values.auth.usePasswordFiles }} - - name: POSTGRES_POSTGRES_PASSWORD_FILE - value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.adminPasswordKey" .) }} - {{- else }} - - name: POSTGRES_POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "postgresql.secretName" . }} - key: {{ include "postgresql.adminPasswordKey" . }} - {{- end }} - {{- end }} - {{- end }} - # Replication - - name: POSTGRES_REPLICATION_MODE - value: "slave" - - name: POSTGRES_REPLICATION_USER - value: {{ .Values.auth.replicationUsername | quote }} - {{- if .Values.auth.usePasswordFiles }} - - name: POSTGRES_REPLICATION_PASSWORD_FILE - value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.replicationPasswordKey" .) }} - {{- else }} - - name: POSTGRES_REPLICATION_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "postgresql.secretName" . }} - key: {{ include "postgresql.replicationPasswordKey" . }} - {{- end }} - - name: POSTGRES_CLUSTER_APP_NAME - value: {{ .Values.replication.applicationName }} - - name: POSTGRES_MASTER_HOST - value: {{ include "postgresql.primary.fullname" . }} - - name: POSTGRES_MASTER_PORT_NUMBER - value: {{ include "postgresql.service.port" . | quote }} - # TLS - - name: POSTGRESQL_ENABLE_TLS - value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} - {{- if .Values.tls.enabled }} - - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS - value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} - - name: POSTGRESQL_TLS_CERT_FILE - value: {{ include "postgresql.tlsCert" . }} - - name: POSTGRESQL_TLS_KEY_FILE - value: {{ include "postgresql.tlsCertKey" . }} - {{- if .Values.tls.certCAFilename }} - - name: POSTGRESQL_TLS_CA_FILE - value: {{ include "postgresql.tlsCACert" . }} - {{- end }} - {{- if .Values.tls.crlFilename }} - - name: POSTGRESQL_TLS_CRL_FILE - value: {{ include "postgresql.tlsCRL" . }} - {{- end }} - {{- end }} - # Audit - - name: POSTGRESQL_LOG_HOSTNAME - value: {{ .Values.audit.logHostname | quote }} - - name: POSTGRESQL_LOG_CONNECTIONS - value: {{ .Values.audit.logConnections | quote }} - - name: POSTGRESQL_LOG_DISCONNECTIONS - value: {{ .Values.audit.logDisconnections | quote }} - {{- if .Values.audit.logLinePrefix }} - - name: POSTGRESQL_LOG_LINE_PREFIX - value: {{ .Values.audit.logLinePrefix | quote }} - {{- end }} - {{- if .Values.audit.logTimezone }} - - name: POSTGRESQL_LOG_TIMEZONE - value: {{ .Values.audit.logTimezone | quote }} - {{- end }} - {{- if .Values.audit.pgAuditLog }} - - name: POSTGRESQL_PGAUDIT_LOG - value: {{ .Values.audit.pgAuditLog | quote }} - {{- end }} - - name: POSTGRESQL_PGAUDIT_LOG_CATALOG - value: {{ .Values.audit.pgAuditLogCatalog | quote }} - # Others - - name: POSTGRESQL_CLIENT_MIN_MESSAGES - value: {{ .Values.audit.clientMinMessages | quote }} - - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES - value: {{ .Values.postgresqlSharedPreloadLibraries | quote }} - {{- if .Values.readReplicas.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraEnvVars "context" $) | nindent 12 }} - {{- end }} - {{- if or .Values.readReplicas.extraEnvVarsCM .Values.readReplicas.extraEnvVarsSecret }} - envFrom: - {{- if .Values.readReplicas.extraEnvVarsCM }} - - configMapRef: - name: {{ .Values.readReplicas.extraEnvVarsCM }} - {{- end }} - {{- if .Values.readReplicas.extraEnvVarsSecret }} - - secretRef: - name: {{ .Values.readReplicas.extraEnvVarsSecret }} - {{- end }} - {{- end }} - ports: - - name: tcp-postgresql - containerPort: {{ .Values.containerPorts.postgresql }} - {{- if not .Values.diagnosticMode.enabled }} - {{- if .Values.readReplicas.customStartupProbe }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customStartupProbe "context" $) | nindent 12 }} - {{- else if .Values.readReplicas.startupProbe.enabled }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.startupProbe "enabled") "context" $) | nindent 12 }} - exec: - command: - - /bin/sh - - -c - {{- if (include "postgresql.database" .) }} - - exec pg_isready -U {{ default "postgres" $customUser| quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} - {{- else }} - - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} - {{- end }} - {{- end }} - {{- if .Values.readReplicas.customLivenessProbe }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customLivenessProbe "context" $) | nindent 12 }} - {{- else if .Values.readReplicas.livenessProbe.enabled }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.livenessProbe "enabled") "context" $) | nindent 12 }} - exec: - command: - - /bin/sh - - -c - {{- if (include "postgresql.database" .) }} - - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} - {{- else }} - - exec pg_isready -U {{default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} - {{- end }} - {{- end }} - {{- if .Values.readReplicas.customReadinessProbe }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customReadinessProbe "context" $) | nindent 12 }} - {{- else if .Values.readReplicas.readinessProbe.enabled }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.readinessProbe "enabled") "context" $) | nindent 12 }} - exec: - command: - - /bin/sh - - -c - - -e - {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} - {{- end }} - {{- end }} - {{- if .Values.readReplicas.resources }} - resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} - {{- end }} - {{- if .Values.readReplicas.lifecycleHooks }} - lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.lifecycleHooks "context" $) | nindent 12 }} - {{- end }} - volumeMounts: - {{- if .Values.auth.usePasswordFiles }} - - name: postgresql-password - mountPath: /opt/bitnami/postgresql/secrets/ - {{- end }} - {{- if .Values.readReplicas.extendedConfiguration }} - - name: postgresql-extended-config - mountPath: {{ .Values.readReplicas.persistence.mountPath }}/conf/conf.d/ - {{- end }} - {{- if .Values.tls.enabled }} - - name: postgresql-certificates - mountPath: /opt/bitnami/postgresql/certs - readOnly: true - {{- end }} - {{- if .Values.shmVolume.enabled }} - - name: dshm - mountPath: /dev/shm - {{- end }} - {{- if .Values.readReplicas.persistence.enabled }} - - name: data - mountPath: {{ .Values.readReplicas.persistence.mountPath }} - {{- if .Values.readReplicas.persistence.subPath }} - subPath: {{ .Values.readReplicas.persistence.subPath }} - {{- end }} - {{- end }} - {{- if .Values.readReplicas.extraVolumeMounts }} - {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraVolumeMounts "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.metrics.enabled }} - - name: metrics - image: {{ include "postgresql.metrics.image" . }} - imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} - {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} - {{- else if .Values.metrics.customMetrics }} - args: [ "--extend.query-path", "/conf/custom-metrics.yaml" ] - {{- end }} - env: - {{- $database := required "In order to enable metrics you need to specify a database (.Values.auth.database or .Values.global.postgresql.auth.database)" (include "postgresql.database" .) }} - - name: DATA_SOURCE_URI - value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.service.port" .)) $database }} - {{- if .Values.auth.usePasswordFiles }} - - name: DATA_SOURCE_PASS_FILE - value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.userPasswordKey" .) }} - {{- else }} - - name: DATA_SOURCE_PASS - valueFrom: - secretKeyRef: - name: {{ include "postgresql.secretName" . }} - key: {{ include "postgresql.userPasswordKey" . }} - {{- end }} - - name: DATA_SOURCE_USER - value: {{ default "postgres" $customUser | quote }} - {{- if .Values.metrics.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }} - {{- end }} - ports: - - name: http-metrics - containerPort: {{ .Values.metrics.containerPorts.metrics }} - {{- if not .Values.diagnosticMode.enabled }} - {{- if .Values.metrics.customStartupProbe }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} - {{- else if .Values.metrics.startupProbe.enabled }} - startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} - tcpSocket: - port: http-metrics - {{- end }} - {{- if .Values.metrics.customLivenessProbe }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} - {{- else if .Values.metrics.livenessProbe.enabled }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} - httpGet: - path: / - port: http-metrics - {{- end }} - {{- if .Values.metrics.customReadinessProbe }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} - {{- else if .Values.metrics.readinessProbe.enabled }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} - httpGet: - path: / - port: http-metrics - {{- end }} - {{- end }} - volumeMounts: - {{- if .Values.auth.usePasswordFiles }} - - name: postgresql-password - mountPath: /opt/bitnami/postgresql/secrets/ - {{- end }} - {{- if .Values.metrics.customMetrics }} - - name: custom-metrics - mountPath: /conf - readOnly: true - {{- end }} - {{- if .Values.metrics.resources }} - resources: {{- toYaml .Values.metrics.resources | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.readReplicas.sidecars }} - {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.sidecars "context" $ ) | nindent 8 }} - {{- end }} - volumes: - {{- if .Values.readReplicas.extendedConfiguration }} - - name: postgresql-extended-config - configMap: - name: {{ include "postgresql.readReplicas.extendedConfigmapName" . }} - {{- end }} - {{- if .Values.auth.usePasswordFiles }} - - name: postgresql-password - secret: - secretName: {{ include "postgresql.secretName" . }} - {{- end }} - {{- if .Values.tls.enabled }} - - name: raw-certificates - secret: - secretName: {{ include "postgresql.tlsSecretName" . }} - - name: postgresql-certificates - emptyDir: {} - {{- end }} - {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} - - name: custom-metrics - configMap: - name: {{ printf "%s-metrics" (include "postgresql.readReplica.fullname" .) }} - {{- end }} - {{- if .Values.shmVolume.enabled }} - - name: dshm - emptyDir: - medium: Memory - {{- if .Values.shmVolume.sizeLimit }} - sizeLimit: {{ .Values.shmVolume.sizeLimit }} - {{- end }} - {{- end }} - {{- if .Values.readReplicas.extraVolumes }} - {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extraVolumes "context" $ ) | nindent 8 }} - {{- end }} - {{- if and .Values.readReplicas.persistence.enabled .Values.readReplicas.persistence.existingClaim }} - - name: data - persistentVolumeClaim: - claimName: {{ tpl .Values.readReplicas.persistence.existingClaim $ }} - {{- else if not .Values.readReplicas.persistence.enabled }} - - name: data - emptyDir: {} - {{- else }} - volumeClaimTemplates: - - metadata: - name: data - {{- if .Values.readReplicas.persistence.annotations }} - annotations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.annotations "context" $) | nindent 10 }} - {{- end }} - {{- if .Values.readReplicas.persistence.labels }} - labels: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.labels "context" $) | nindent 10 }} - {{- end }} - spec: - accessModes: - {{- range .Values.readReplicas.persistence.accessModes }} - - {{ . | quote }} - {{- end }} - {{- if .Values.readReplicas.persistence.dataSource }} - dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.dataSource "context" $) | nindent 10 }} - {{- end }} - resources: - requests: - storage: {{ .Values.readReplicas.persistence.size | quote }} - {{- if .Values.readReplicas.persistence.selector }} - selector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.selector "context" $) | nindent 10 }} - {{- end -}} - {{- include "common.storage.class" (dict "persistence" .Values.readReplicas.persistence "global" .Values.global) | nindent 8 }} - {{- end }} -{{- end }} diff --git a/charts/postgresql/templates/read/svc-headless.yaml b/charts/postgresql/templates/read/svc-headless.yaml deleted file mode 100644 index 842b7be7..00000000 --- a/charts/postgresql/templates/read/svc-headless.yaml +++ /dev/null @@ -1,44 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if eq .Values.architecture "replication" }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "postgresql.readReplica.svc.headless" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - app.kubernetes.io/component: read - {{- if or .Values.readReplicas.service.headless.annotations .Values.commonAnnotations }} - annotations: - {{- if .Values.readReplicas.service.headless.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.service.headless.annotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} - # Use this annotation in addition to the actual publishNotReadyAddresses - # field below because the annotation will stop being respected soon but the - # field is broken in some versions of Kubernetes: - # https://github.com/kubernetes/kubernetes/issues/58662 - service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" -spec: - type: ClusterIP - clusterIP: None - # We want all pods in the StatefulSet to have their addresses published for - # the sake of the other Postgresql pods even before they're ready, since they - # have to be able to talk to each other in order to become ready. - publishNotReadyAddresses: true - ports: - - name: tcp-postgresql - port: {{ include "postgresql.readReplica.service.port" . }} - targetPort: tcp-postgresql - selector: {{- include "common.labels.matchLabels" . | nindent 4 }} - app.kubernetes.io/component: read -{{- end }} diff --git a/charts/postgresql/templates/read/svc.yaml b/charts/postgresql/templates/read/svc.yaml deleted file mode 100644 index 108c694d..00000000 --- a/charts/postgresql/templates/read/svc.yaml +++ /dev/null @@ -1,60 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if eq .Values.architecture "replication" }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "postgresql.readReplica.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - app.kubernetes.io/component: read - {{- if or .Values.commonAnnotations .Values.readReplicas.service.annotations }} - annotations: - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.readReplicas.service.annotations }} - {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.annotations "context" $) | nindent 4 }} - {{- end }} - {{- end }} -spec: - type: {{ .Values.readReplicas.service.type }} - {{- if or (eq .Values.readReplicas.service.type "LoadBalancer") (eq .Values.readReplicas.service.type "NodePort") }} - externalTrafficPolicy: {{ .Values.readReplicas.service.externalTrafficPolicy | quote }} - {{- end }} - {{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerSourceRanges)) }} - loadBalancerSourceRanges: {{ .Values.readReplicas.service.loadBalancerSourceRanges }} - {{- end }} - {{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerIP)) }} - loadBalancerIP: {{ .Values.readReplicas.service.loadBalancerIP }} - {{- end }} - {{- if and .Values.readReplicas.service.clusterIP (eq .Values.readReplicas.service.type "ClusterIP") }} - clusterIP: {{ .Values.readReplicas.service.clusterIP }} - {{- end }} - {{- if .Values.readReplicas.service.sessionAffinity }} - sessionAffinity: {{ .Values.readReplicas.service.sessionAffinity }} - {{- end }} - {{- if .Values.readReplicas.service.sessionAffinityConfig }} - sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.sessionAffinityConfig "context" $) | nindent 4 }} - {{- end }} - ports: - - name: tcp-postgresql - port: {{ include "postgresql.readReplica.service.port" . }} - targetPort: tcp-postgresql - {{- if and (or (eq .Values.readReplicas.service.type "NodePort") (eq .Values.readReplicas.service.type "LoadBalancer")) (not (empty .Values.readReplicas.service.nodePorts.postgresql)) }} - nodePort: {{ .Values.readReplicas.service.nodePorts.postgresql }} - {{- else if eq .Values.readReplicas.service.type "ClusterIP" }} - nodePort: null - {{- end }} - {{- if .Values.readReplicas.service.extraPorts }} - {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.extraPorts "context" $) | nindent 4 }} - {{- end }} - selector: {{- include "common.labels.matchLabels" . | nindent 4 }} - app.kubernetes.io/component: read -{{- end }} diff --git a/charts/postgresql/templates/role.yaml b/charts/postgresql/templates/role.yaml deleted file mode 100644 index 964fcfe0..00000000 --- a/charts/postgresql/templates/role.yaml +++ /dev/null @@ -1,36 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if .Values.rbac.create }} -kind: Role -apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} -metadata: - name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -# yamllint disable rule:indentation -rules: - {{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}} - {{- if and $pspAvailable .Values.psp.create }} - - apiGroups: - - 'policy' - resources: - - 'podsecuritypolicies' - verbs: - - 'use' - resourceNames: - - {{ include "common.names.fullname" . }} - {{- end }} - {{- if .Values.rbac.rules }} - {{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }} - {{- end }} -# yamllint enable rule:indentation -{{- end }} diff --git a/charts/postgresql/templates/rolebinding.yaml b/charts/postgresql/templates/rolebinding.yaml deleted file mode 100644 index 80f88ed4..00000000 --- a/charts/postgresql/templates/rolebinding.yaml +++ /dev/null @@ -1,27 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if .Values.rbac.create }} -kind: RoleBinding -apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} -metadata: - name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -roleRef: - kind: Role - name: {{ include "common.names.fullname" . }} - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "postgresql.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} -{{- end }} diff --git a/charts/postgresql/templates/secrets.yaml b/charts/postgresql/templates/secrets.yaml deleted file mode 100644 index d8929006..00000000 --- a/charts/postgresql/templates/secrets.yaml +++ /dev/null @@ -1,108 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- $host := include "postgresql.primary.fullname" . }} -{{- $port := include "postgresql.service.port" . }} -{{- $customUser := include "postgresql.username" . }} -{{- $postgresPassword := include "common.secrets.lookup" (dict "secret" (include "postgresql.secretName" .) "key" .Values.auth.secretKeys.adminPasswordKey "defaultValue" (ternary (coalesce .Values.global.postgresql.auth.password .Values.auth.password .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (coalesce .Values.global.postgresql.auth.postgresPassword .Values.auth.postgresPassword) (or (empty $customUser) (eq $customUser "postgres"))) "context" $) | trimAll "\"" | b64dec }} -{{- if and (not $postgresPassword) .Values.auth.enablePostgresUser }} -{{- $postgresPassword = randAlphaNum 10 }} -{{- end }} -{{- $replicationPassword := "" }} -{{- if eq .Values.architecture "replication" }} -{{- $replicationPassword = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.secretName" .) "key" .Values.auth.secretKeys.replicationPasswordKey "providedValues" (list "auth.replicationPassword") "context" $) | trimAll "\"" | b64dec }} -{{- end }} -{{- $ldapPassword := "" }} -{{- if and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw) }} -{{- $ldapPassword = coalesce .Values.ldap.bind_password .Values.ldap.bindpw }} -{{- end }} -{{- $password := "" }} -{{- if and (not (empty $customUser)) (ne $customUser "postgres") }} -{{- $password = include "common.secrets.passwords.manage" (dict "secret" (include "postgresql.secretName" .) "key" .Values.auth.secretKeys.userPasswordKey "providedValues" (list "global.postgresql.auth.password" "auth.password") "context" $) | trimAll "\"" | b64dec }} -{{- end }} -{{- $database := include "postgresql.database" . }} -{{- if (include "postgresql.createSecret" .) }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -type: Opaque -data: - {{- if $postgresPassword }} - postgres-password: {{ $postgresPassword | b64enc | quote }} - {{- end }} - {{- if $password }} - password: {{ $password | b64enc | quote }} - {{- end }} - {{- if $replicationPassword }} - replication-password: {{ $replicationPassword | b64enc | quote }} - {{- end }} - # We don't auto-generate LDAP password when it's not provided as we do for other passwords - {{- if and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw) }} - ldap-password: {{ $ldapPassword | b64enc | quote }} - {{- end }} -{{- end }} -{{- if .Values.serviceBindings.enabled }} -{{- if $postgresPassword }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.names.fullname" . }}-svcbind-postgres - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -type: servicebinding.io/postgresql -data: - provider: {{ print "bitnami" | b64enc | quote }} - type: {{ print "postgresql" | b64enc | quote }} - host: {{ $host | b64enc | quote }} - port: {{ $port | b64enc | quote }} - username: {{ print "postgres" | b64enc | quote }} - database: {{ print "postgres" | b64enc | quote }} - password: {{ $postgresPassword | b64enc | quote }} - uri: {{ printf "postgresql://postgres:%s@%s:%s/postgres" $postgresPassword $host $port | b64enc | quote }} -{{- end }} -{{- if $password }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.names.fullname" . }}-svcbind-custom-user - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -type: servicebinding.io/postgresql -data: - provider: {{ print "bitnami" | b64enc | quote }} - type: {{ print "postgresql" | b64enc | quote }} - host: {{ $host | b64enc | quote }} - port: {{ $port | b64enc | quote }} - username: {{ $customUser | b64enc | quote }} - password: {{ $password | b64enc | quote }} - {{- if $database }} - database: {{ $database | b64enc | quote }} - {{- end }} - uri: {{ printf "postgresql://%s:%s@%s:%s/%s" $customUser $password $host $port $database | b64enc | quote }} -{{- end }} -{{- end }} diff --git a/charts/postgresql/templates/serviceaccount.yaml b/charts/postgresql/templates/serviceaccount.yaml deleted file mode 100644 index 2bcb74bc..00000000 --- a/charts/postgresql/templates/serviceaccount.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if .Values.serviceAccount.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "postgresql.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - annotations: - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.serviceAccount.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.serviceAccount.annotations "context" $ ) | nindent 4 }} - {{- end }} -automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} -{{- end }} diff --git a/charts/postgresql/templates/tls-secrets.yaml b/charts/postgresql/templates/tls-secrets.yaml deleted file mode 100644 index 124294a1..00000000 --- a/charts/postgresql/templates/tls-secrets.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if (include "postgresql.createTlsSecret" . ) }} -{{- $secretName := printf "%s-crt" (include "common.names.fullname" .) }} -{{- $ca := genCA "postgresql-ca" 365 }} -{{- $fullname := include "common.names.fullname" . }} -{{- $releaseNamespace := .Release.Namespace }} -{{- $clusterDomain := .Values.clusterDomain }} -{{- $primaryHeadlessServiceName := include "postgresql.primary.svc.headless" . }} -{{- $readHeadlessServiceName := include "postgresql.readReplica.svc.headless" . }} -{{- $altNames := list (printf "*.%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) $fullname }} -{{- $cert := genSignedCert $fullname nil $altNames 365 $ca }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ $secretName }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -type: kubernetes.io/tls -data: - tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }} - tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }} - ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }} -{{- end }} diff --git a/charts/postgresql/values.schema.json b/charts/postgresql/values.schema.json deleted file mode 100644 index fc41483c..00000000 --- a/charts/postgresql/values.schema.json +++ /dev/null @@ -1,156 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "type": "object", - "properties": { - "architecture": { - "type": "string", - "title": "PostgreSQL architecture", - "form": true, - "description": "Allowed values: `standalone` or `replication`" - }, - "auth": { - "type": "object", - "title": "Authentication configuration", - "form": true, - "properties": { - "enablePostgresUser": { - "type": "boolean", - "title": "Enable \"postgres\" admin user", - "description": "Assign a password to the \"postgres\" admin user. Otherwise, remote access will be blocked for this user", - "form": true - }, - "postgresPassword": { - "type": "string", - "title": "Password for the \"postgres\" admin user", - "description": "Defaults to a random 10-character alphanumeric string if not set", - "form": true - }, - "database": { - "type": "string", - "title": "PostgreSQL custom database", - "description": "Name of the custom database to be created during the 1st initialization of PostgreSQL", - "form": true - }, - "username": { - "type": "string", - "title": "PostgreSQL custom user", - "description": "Name of the custom user to be created during the 1st initialization of PostgreSQL. This user only has permissions on the PostgreSQL custom database", - "form": true - }, - "password": { - "type": "string", - "title": "Password for the custom user to create", - "description": "Defaults to a random 10-character alphanumeric string if not set", - "form": true - }, - "replicationUsername": { - "type": "string", - "title": "PostgreSQL replication user", - "description": "Name of user used to manage replication.", - "form": true, - "hidden": { - "value": "standalone", - "path": "architecture" - } - }, - "replicationPassword": { - "type": "string", - "title": "Password for PostgreSQL replication user", - "description": "Defaults to a random 10-character alphanumeric string if not set", - "form": true, - "hidden": { - "value": "standalone", - "path": "architecture" - } - } - } - }, - "persistence": { - "type": "object", - "properties": { - "size": { - "type": "string", - "title": "Persistent Volume Size", - "form": true, - "render": "slider", - "sliderMin": 1, - "sliderMax": 100, - "sliderUnit": "Gi" - } - } - }, - "resources": { - "type": "object", - "title": "Required Resources", - "description": "Configure resource requests", - "form": true, - "properties": { - "requests": { - "type": "object", - "properties": { - "memory": { - "type": "string", - "form": true, - "render": "slider", - "title": "Memory Request", - "sliderMin": 10, - "sliderMax": 2048, - "sliderUnit": "Mi" - }, - "cpu": { - "type": "string", - "form": true, - "render": "slider", - "title": "CPU Request", - "sliderMin": 10, - "sliderMax": 2000, - "sliderUnit": "m" - } - } - } - } - }, - "replication": { - "type": "object", - "form": true, - "title": "Replication Details", - "properties": { - "enabled": { - "type": "boolean", - "title": "Enable Replication", - "form": true - }, - "readReplicas": { - "type": "integer", - "title": "read Replicas", - "form": true, - "hidden": { - "value": "standalone", - "path": "architecture" - } - } - } - }, - "volumePermissions": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "form": true, - "title": "Enable Init Containers", - "description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup" - } - } - }, - "metrics": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "title": "Configure metrics exporter", - "form": true - } - } - } - } -} diff --git a/charts/postgresql/values.yaml b/charts/postgresql/values.yaml deleted file mode 100644 index 1384fc63..00000000 --- a/charts/postgresql/values.yaml +++ /dev/null @@ -1,1566 +0,0 @@ -# Copyright VMware, Inc. -# SPDX-License-Identifier: APACHE-2.0 - -## @section Global parameters -## Please, note that this will override the parameters, including dependencies, configured to use the global value -## -global: - ## @param global.imageRegistry Global Docker image registry - ## - imageRegistry: "" - ## @param global.imagePullSecrets Global Docker registry secret names as an array - ## e.g. - ## imagePullSecrets: - ## - myRegistryKeySecretName - ## - imagePullSecrets: [] - ## @param global.storageClass Global StorageClass for Persistent Volume(s) - ## - storageClass: "" - postgresql: - ## @param global.postgresql.auth.postgresPassword Password for the "postgres" admin user (overrides `auth.postgresPassword`) - ## @param global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`) - ## @param global.postgresql.auth.password Password for the custom user to create (overrides `auth.password`) - ## @param global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`) - ## @param global.postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). - ## @param global.postgresql.auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. - ## @param global.postgresql.auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. - ## @param global.postgresql.auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. - ## - auth: - postgresPassword: "" - username: "" - password: "" - database: "" - existingSecret: "" - secretKeys: - adminPasswordKey: "" - userPasswordKey: "" - replicationPasswordKey: "" - ## @param global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`) - ## - service: - ports: - postgresql: "" - -## @section Common parameters -## - -## @param kubeVersion Override Kubernetes version -## -kubeVersion: "" -## @param nameOverride String to partially override common.names.fullname template (will maintain the release name) -## -nameOverride: "" -## @param fullnameOverride String to fully override common.names.fullname template -## -fullnameOverride: "" -## @param clusterDomain Kubernetes Cluster Domain -## -clusterDomain: cluster.local -## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template) -## -extraDeploy: [] -## @param commonLabels Add labels to all the deployed resources -## -commonLabels: {} -## @param commonAnnotations Add annotations to all the deployed resources -## -commonAnnotations: {} -## Enable diagnostic mode in the statefulset -## -diagnosticMode: - ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) - ## - enabled: false - ## @param diagnosticMode.command Command to override all containers in the statefulset - ## - command: - - sleep - ## @param diagnosticMode.args Args to override all containers in the statefulset - ## - args: - - infinity - -## @section PostgreSQL common parameters -## - -## Bitnami PostgreSQL image version -## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ -## @param image.registry PostgreSQL image registry -## @param image.repository PostgreSQL image repository -## @param image.tag PostgreSQL image tag (immutable tags are recommended) -## @param image.digest PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag -## @param image.pullPolicy PostgreSQL image pull policy -## @param image.pullSecrets Specify image pull secrets -## @param image.debug Specify if debug values should be set -## -image: - registry: docker.io - repository: bitnami/postgresql - tag: 15.4.0-debian-11-r0 - digest: "" - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Set to true if you would like to see extra information on logs - ## - debug: false -## Authentication parameters -## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#setting-the-root-password-on-first-run -## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#creating-a-database-on-first-run -## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#creating-a-database-user-on-first-run -## -auth: - ## @param auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user - ## - enablePostgresUser: true - ## @param auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` is provided - ## - postgresPassword: "" - ## @param auth.username Name for a custom user to create - ## - username: "" - ## @param auth.password Password for the custom user to create. Ignored if `auth.existingSecret` is provided - ## - password: "" - ## @param auth.database Name for a custom database to create - ## - database: "" - ## @param auth.replicationUsername Name of the replication user - ## - replicationUsername: repl_user - ## @param auth.replicationPassword Password for the replication user. Ignored if `auth.existingSecret` is provided - ## - replicationPassword: "" - ## @param auth.existingSecret Name of existing secret to use for PostgreSQL credentials. `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case. - ## - existingSecret: "" - ## @param auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. - ## @param auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. - ## @param auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. - ## - secretKeys: - adminPasswordKey: postgres-password - userPasswordKey: password - replicationPasswordKey: replication-password - ## @param auth.usePasswordFiles Mount credentials as a files instead of using an environment variable - ## - usePasswordFiles: false -## @param architecture PostgreSQL architecture (`standalone` or `replication`) -## -architecture: standalone -## Replication configuration -## Ignored if `architecture` is `standalone` -## -replication: - ## @param replication.synchronousCommit Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` - ## @param replication.numSynchronousReplicas Number of replicas that will have synchronous replication. Note: Cannot be greater than `readReplicas.replicaCount`. - ## ref: https://www.postgresql.org/docs/current/runtime-config-wal.html#GUC-SYNCHRONOUS-COMMIT - ## - synchronousCommit: "off" - numSynchronousReplicas: 0 - ## @param replication.applicationName Cluster application name. Useful for advanced replication settings - ## - applicationName: my_application -## @param containerPorts.postgresql PostgreSQL container port -## -containerPorts: - postgresql: 5432 -## Audit settings -## https://github.com/bitnami/containers/tree/main/bitnami/postgresql#auditing -## @param audit.logHostname Log client hostnames -## @param audit.logConnections Add client log-in operations to the log file -## @param audit.logDisconnections Add client log-outs operations to the log file -## @param audit.pgAuditLog Add operations to log using the pgAudit extension -## @param audit.pgAuditLogCatalog Log catalog using pgAudit -## @param audit.clientMinMessages Message log level to share with the user -## @param audit.logLinePrefix Template for log line prefix (default if not set) -## @param audit.logTimezone Timezone for the log timestamps -## -audit: - logHostname: false - logConnections: false - logDisconnections: false - pgAuditLog: "" - pgAuditLogCatalog: "off" - clientMinMessages: error - logLinePrefix: "" - logTimezone: "" -## LDAP configuration -## @param ldap.enabled Enable LDAP support -## DEPRECATED ldap.url It will removed in a future, please use 'ldap.uri' instead -## @param ldap.server IP address or name of the LDAP server. -## @param ldap.port Port number on the LDAP server to connect to -## @param ldap.prefix String to prepend to the user name when forming the DN to bind -## @param ldap.suffix String to append to the user name when forming the DN to bind -## DEPRECATED ldap.baseDN It will removed in a future, please use 'ldap.basedn' instead -## DEPRECATED ldap.bindDN It will removed in a future, please use 'ldap.binddn' instead -## DEPRECATED ldap.bind_password It will removed in a future, please use 'ldap.bindpw' instead -## @param ldap.basedn Root DN to begin the search for the user in -## @param ldap.binddn DN of user to bind to LDAP -## @param ldap.bindpw Password for the user to bind to LDAP -## DEPRECATED ldap.search_attr It will removed in a future, please use 'ldap.searchAttribute' instead -## DEPRECATED ldap.search_filter It will removed in a future, please use 'ldap.searchFilter' instead -## @param ldap.searchAttribute Attribute to match against the user name in the search -## @param ldap.searchFilter The search filter to use when doing search+bind authentication -## @param ldap.scheme Set to `ldaps` to use LDAPS -## DEPRECATED ldap.tls as string is deprecated,please use 'ldap.tls.enabled' instead -## @param ldap.tls.enabled Se to true to enable TLS encryption -## -ldap: - enabled: false - server: "" - port: "" - prefix: "" - suffix: "" - basedn: "" - binddn: "" - bindpw: "" - searchAttribute: "" - searchFilter: "" - scheme: "" - tls: - enabled: false - ## @param ldap.uri LDAP URL beginning in the form `ldap[s]://host[:port]/basedn`. If provided, all the other LDAP parameters will be ignored. - ## Ref: https://www.postgresql.org/docs/current/auth-ldap.html - ## - uri: "" -## @param postgresqlDataDir PostgreSQL data dir folder -## -postgresqlDataDir: /bitnami/postgresql/data -## @param postgresqlSharedPreloadLibraries Shared preload libraries (comma-separated list) -## -postgresqlSharedPreloadLibraries: "pgaudit" -## Start PostgreSQL pod(s) without limitations on shm memory. -## By default docker and containerd (and possibly other container runtimes) limit `/dev/shm` to `64M` -## ref: https://github.com/docker-library/postgres/issues/416 -## ref: https://github.com/containerd/containerd/issues/3654 -## -shmVolume: - ## @param shmVolume.enabled Enable emptyDir volume for /dev/shm for PostgreSQL pod(s) - ## - enabled: true - ## @param shmVolume.sizeLimit Set this to enable a size limit on the shm tmpfs - ## Note: the size of the tmpfs counts against container's memory limit - ## e.g: - ## sizeLimit: 1Gi - ## - sizeLimit: "" -## TLS configuration -## -tls: - ## @param tls.enabled Enable TLS traffic support - ## - enabled: false - ## @param tls.autoGenerated Generate automatically self-signed TLS certificates - ## - autoGenerated: false - ## @param tls.preferServerCiphers Whether to use the server's TLS cipher preferences rather than the client's - ## - preferServerCiphers: true - ## @param tls.certificatesSecret Name of an existing secret that contains the certificates - ## - certificatesSecret: "" - ## @param tls.certFilename Certificate filename - ## - certFilename: "" - ## @param tls.certKeyFilename Certificate key filename - ## - certKeyFilename: "" - ## @param tls.certCAFilename CA Certificate filename - ## If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate - ## ref: https://www.postgresql.org/docs/9.6/auth-methods.html - ## - certCAFilename: "" - ## @param tls.crlFilename File containing a Certificate Revocation List - ## - crlFilename: "" - -## @section PostgreSQL Primary parameters -## -primary: - ## @param primary.name Name of the primary database (eg primary, master, leader, ...) - ## - name: primary - ## @param primary.configuration PostgreSQL Primary main configuration to be injected as ConfigMap - ## ref: https://www.postgresql.org/docs/current/static/runtime-config.html - ## - configuration: "" - ## @param primary.pgHbaConfiguration PostgreSQL Primary client authentication configuration - ## ref: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html - ## e.g:# - ## pgHbaConfiguration: |- - ## local all all trust - ## host all all localhost trust - ## host mydatabase mysuser 192.168.0.0/24 md5 - ## - pgHbaConfiguration: "" - ## @param primary.existingConfigmap Name of an existing ConfigMap with PostgreSQL Primary configuration - ## NOTE: `primary.configuration` and `primary.pgHbaConfiguration` will be ignored - ## - existingConfigmap: "" - ## @param primary.extendedConfiguration Extended PostgreSQL Primary configuration (appended to main or default configuration) - ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf - ## - extendedConfiguration: "" - ## @param primary.existingExtendedConfigmap Name of an existing ConfigMap with PostgreSQL Primary extended configuration - ## NOTE: `primary.extendedConfiguration` will be ignored - ## - existingExtendedConfigmap: "" - ## Initdb configuration - ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#specifying-initdb-arguments - ## - initdb: - ## @param primary.initdb.args PostgreSQL initdb extra arguments - ## - args: "" - ## @param primary.initdb.postgresqlWalDir Specify a custom location for the PostgreSQL transaction log - ## - postgresqlWalDir: "" - ## @param primary.initdb.scripts Dictionary of initdb scripts - ## Specify dictionary of scripts to be run at first boot - ## e.g: - ## scripts: - ## my_init_script.sh: | - ## #!/bin/sh - ## echo "Do something." - ## - scripts: {} - ## @param primary.initdb.scriptsConfigMap ConfigMap with scripts to be run at first boot - ## NOTE: This will override `primary.initdb.scripts` - ## - scriptsConfigMap: "" - ## @param primary.initdb.scriptsSecret Secret with scripts to be run at first boot (in case it contains sensitive information) - ## NOTE: This can work along `primary.initdb.scripts` or `primary.initdb.scriptsConfigMap` - ## - scriptsSecret: "" - ## @param primary.initdb.user Specify the PostgreSQL username to execute the initdb scripts - ## - user: "" - ## @param primary.initdb.password Specify the PostgreSQL password to execute the initdb scripts - ## - password: "" - ## Configure current cluster's primary server to be the standby server in other cluster. - ## This will allow cross cluster replication and provide cross cluster high availability. - ## You will need to configure pgHbaConfiguration if you want to enable this feature with local cluster replication enabled. - ## @param primary.standby.enabled Whether to enable current cluster's primary as standby server of another cluster or not - ## @param primary.standby.primaryHost The Host of replication primary in the other cluster - ## @param primary.standby.primaryPort The Port of replication primary in the other cluster - ## - standby: - enabled: false - primaryHost: "" - primaryPort: "" - ## @param primary.extraEnvVars Array with extra environment variables to add to PostgreSQL Primary nodes - ## e.g: - ## extraEnvVars: - ## - name: FOO - ## value: "bar" - ## - extraEnvVars: [] - ## @param primary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes - ## - extraEnvVarsCM: "" - ## @param primary.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL Primary nodes - ## - extraEnvVarsSecret: "" - ## @param primary.command Override default container command (useful when using custom images) - ## - command: [] - ## @param primary.args Override default container args (useful when using custom images) - ## - args: [] - ## Configure extra options for PostgreSQL Primary containers' liveness, readiness and startup probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes - ## @param primary.livenessProbe.enabled Enable livenessProbe on PostgreSQL Primary containers - ## @param primary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe - ## @param primary.livenessProbe.periodSeconds Period seconds for livenessProbe - ## @param primary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe - ## @param primary.livenessProbe.failureThreshold Failure threshold for livenessProbe - ## @param primary.livenessProbe.successThreshold Success threshold for livenessProbe - ## - livenessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - ## @param primary.readinessProbe.enabled Enable readinessProbe on PostgreSQL Primary containers - ## @param primary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe - ## @param primary.readinessProbe.periodSeconds Period seconds for readinessProbe - ## @param primary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe - ## @param primary.readinessProbe.failureThreshold Failure threshold for readinessProbe - ## @param primary.readinessProbe.successThreshold Success threshold for readinessProbe - ## - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - ## @param primary.startupProbe.enabled Enable startupProbe on PostgreSQL Primary containers - ## @param primary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe - ## @param primary.startupProbe.periodSeconds Period seconds for startupProbe - ## @param primary.startupProbe.timeoutSeconds Timeout seconds for startupProbe - ## @param primary.startupProbe.failureThreshold Failure threshold for startupProbe - ## @param primary.startupProbe.successThreshold Success threshold for startupProbe - ## - startupProbe: - enabled: false - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 15 - successThreshold: 1 - ## @param primary.customLivenessProbe Custom livenessProbe that overrides the default one - ## - customLivenessProbe: {} - ## @param primary.customReadinessProbe Custom readinessProbe that overrides the default one - ## - customReadinessProbe: {} - ## @param primary.customStartupProbe Custom startupProbe that overrides the default one - ## - customStartupProbe: {} - ## @param primary.lifecycleHooks for the PostgreSQL Primary container to automate configuration before or after startup - ## - lifecycleHooks: {} - ## PostgreSQL Primary resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param primary.resources.limits The resources limits for the PostgreSQL Primary containers - ## @param primary.resources.requests.memory The requested memory for the PostgreSQL Primary containers - ## @param primary.resources.requests.cpu The requested cpu for the PostgreSQL Primary containers - ## - resources: - limits: {} - requests: - memory: 256Mi - cpu: 250m - ## Pod Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - ## @param primary.podSecurityContext.enabled Enable security context - ## @param primary.podSecurityContext.fsGroup Group ID for the pod - ## - podSecurityContext: - enabled: true - fsGroup: 1001 - ## Container Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - ## @param primary.containerSecurityContext.enabled Enable container security context - ## @param primary.containerSecurityContext.runAsUser User ID for the container - ## @param primary.containerSecurityContext.runAsGroup Group ID for the container - ## @param primary.containerSecurityContext.runAsNonRoot Set runAsNonRoot for the container - ## @param primary.containerSecurityContext.allowPrivilegeEscalation Set allowPrivilegeEscalation for the container - ## @param primary.containerSecurityContext.seccompProfile.type Set seccompProfile.type for the container - ## @param primary.containerSecurityContext.capabilities.drop Set capabilities.drop for the container - ## - containerSecurityContext: - enabled: true - runAsUser: 1001 - runAsGroup: 0 - runAsNonRoot: true - allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - ## @param primary.hostAliases PostgreSQL primary pods host aliases - ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - ## - hostAliases: [] - ## @param primary.hostNetwork Specify if host network should be enabled for PostgreSQL pod (postgresql primary) - ## - hostNetwork: false - ## @param primary.hostIPC Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) - ## - hostIPC: false - ## @param primary.labels Map of labels to add to the statefulset (postgresql primary) - ## - labels: {} - ## @param primary.annotations Annotations for PostgreSQL primary pods - ## - annotations: {} - ## @param primary.podLabels Map of labels to add to the pods (postgresql primary) - ## - podLabels: {} - ## @param primary.podAnnotations Map of annotations to add to the pods (postgresql primary) - ## - podAnnotations: {} - ## @param primary.podAffinityPreset PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAffinityPreset: "" - ## @param primary.podAntiAffinityPreset PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAntiAffinityPreset: soft - ## PostgreSQL Primary node affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - ## - nodeAffinityPreset: - ## @param primary.nodeAffinityPreset.type PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` - ## - type: "" - ## @param primary.nodeAffinityPreset.key PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. - ## E.g. - ## key: "kubernetes.io/e2e-az-name" - ## - key: "" - ## @param primary.nodeAffinityPreset.values PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. - ## E.g. - ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - ## @param primary.affinity Affinity for PostgreSQL primary pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set - ## - affinity: {} - ## @param primary.nodeSelector Node labels for PostgreSQL primary pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - ## @param primary.tolerations Tolerations for PostgreSQL primary pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - tolerations: [] - ## @param primary.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods - ## - topologySpreadConstraints: [] - ## @param primary.priorityClassName Priority Class to use for each pod (postgresql primary) - ## - priorityClassName: "" - ## @param primary.schedulerName Use an alternate scheduler, e.g. "stork". - ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ - ## - schedulerName: "" - ## @param primary.terminationGracePeriodSeconds Seconds PostgreSQL primary pod needs to terminate gracefully - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods - ## - terminationGracePeriodSeconds: "" - ## @param primary.updateStrategy.type PostgreSQL Primary statefulset strategy type - ## @param primary.updateStrategy.rollingUpdate PostgreSQL Primary statefulset rolling update configuration parameters - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies - ## - updateStrategy: - type: RollingUpdate - rollingUpdate: {} - ## @param primary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s) - ## - extraVolumeMounts: [] - ## @param primary.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s) - ## - extraVolumes: [] - ## @param primary.sidecars Add additional sidecar containers to the PostgreSQL Primary pod(s) - ## For example: - ## sidecars: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 - ## - sidecars: [] - ## @param primary.initContainers Add additional init containers to the PostgreSQL Primary pod(s) - ## Example - ## - ## initContainers: - ## - name: do-something - ## image: busybox - ## command: ['do', 'something'] - ## - initContainers: [] - ## @param primary.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) - ## - extraPodSpec: {} - ## PostgreSQL Primary service configuration - ## - service: - ## @param primary.service.type Kubernetes Service type - ## - type: ClusterIP - ## @param primary.service.ports.postgresql PostgreSQL service port - ## - ports: - postgresql: 5432 - ## Node ports to expose - ## NOTE: choose port between <30000-32767> - ## @param primary.service.nodePorts.postgresql Node port for PostgreSQL - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - nodePorts: - postgresql: "" - ## @param primary.service.clusterIP Static clusterIP or None for headless services - ## e.g: - ## clusterIP: None - ## - clusterIP: "" - ## @param primary.service.annotations Annotations for PostgreSQL primary service - ## - annotations: {} - ## @param primary.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer` - ## Set the LoadBalancer service type to internal only - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - loadBalancerIP: "" - ## @param primary.service.externalTrafficPolicy Enable client source IP preservation - ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - ## @param primary.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - ## - loadBalancerSourceRanges: [] - ## @param primary.service.extraPorts Extra ports to expose in the PostgreSQL primary service - ## - extraPorts: [] - ## @param primary.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" - ## If "ClientIP", consecutive client requests will be directed to the same Pod - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - ## - sessionAffinity: None - ## @param primary.service.sessionAffinityConfig Additional settings for the sessionAffinity - ## sessionAffinityConfig: - ## clientIP: - ## timeoutSeconds: 300 - ## - sessionAffinityConfig: {} - ## Headless service properties - ## - headless: - ## @param primary.service.headless.annotations Additional custom annotations for headless PostgreSQL primary service - ## - annotations: {} - ## PostgreSQL Primary persistence configuration - ## - persistence: - ## @param primary.persistence.enabled Enable PostgreSQL Primary data persistence using PVC - ## - enabled: true - ## @param primary.persistence.existingClaim Name of an existing PVC to use - ## - existingClaim: "" - ## @param primary.persistence.mountPath The path the volume will be mounted at - ## Note: useful when using custom PostgreSQL images - ## - mountPath: /bitnami/postgresql - ## @param primary.persistence.subPath The subdirectory of the volume to mount to - ## Useful in dev environments and one PV for multiple services - ## - subPath: "" - ## @param primary.persistence.storageClass PVC Storage Class for PostgreSQL Primary data volume - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - storageClass: "" - ## @param primary.persistence.accessModes PVC Access Mode for PostgreSQL volume - ## - accessModes: - - ReadWriteOnce - ## @param primary.persistence.size PVC Storage Request for PostgreSQL volume - ## - size: 8Gi - ## @param primary.persistence.annotations Annotations for the PVC - ## - annotations: {} - ## @param primary.persistence.labels Labels for the PVC - ## - labels: {} - ## @param primary.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) - ## selector: - ## matchLabels: - ## app: my-app - ## - selector: {} - ## @param primary.persistence.dataSource Custom PVC data source - ## - dataSource: {} - -## @section PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`) -## -readReplicas: - ## @param readReplicas.name Name of the read replicas database (eg secondary, slave, ...) - ## - name: read - ## @param readReplicas.replicaCount Number of PostgreSQL read only replicas - ## - replicaCount: 1 - ## @param readReplicas.extendedConfiguration Extended PostgreSQL read only replicas configuration (appended to main or default configuration) - ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf - ## - extendedConfiguration: "" - ## @param readReplicas.extraEnvVars Array with extra environment variables to add to PostgreSQL read only nodes - ## e.g: - ## extraEnvVars: - ## - name: FOO - ## value: "bar" - ## - extraEnvVars: [] - ## @param readReplicas.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes - ## - extraEnvVarsCM: "" - ## @param readReplicas.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL read only nodes - ## - extraEnvVarsSecret: "" - ## @param readReplicas.command Override default container command (useful when using custom images) - ## - command: [] - ## @param readReplicas.args Override default container args (useful when using custom images) - ## - args: [] - ## Configure extra options for PostgreSQL read only containers' liveness, readiness and startup probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes - ## @param readReplicas.livenessProbe.enabled Enable livenessProbe on PostgreSQL read only containers - ## @param readReplicas.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe - ## @param readReplicas.livenessProbe.periodSeconds Period seconds for livenessProbe - ## @param readReplicas.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe - ## @param readReplicas.livenessProbe.failureThreshold Failure threshold for livenessProbe - ## @param readReplicas.livenessProbe.successThreshold Success threshold for livenessProbe - ## - livenessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - ## @param readReplicas.readinessProbe.enabled Enable readinessProbe on PostgreSQL read only containers - ## @param readReplicas.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe - ## @param readReplicas.readinessProbe.periodSeconds Period seconds for readinessProbe - ## @param readReplicas.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe - ## @param readReplicas.readinessProbe.failureThreshold Failure threshold for readinessProbe - ## @param readReplicas.readinessProbe.successThreshold Success threshold for readinessProbe - ## - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - ## @param readReplicas.startupProbe.enabled Enable startupProbe on PostgreSQL read only containers - ## @param readReplicas.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe - ## @param readReplicas.startupProbe.periodSeconds Period seconds for startupProbe - ## @param readReplicas.startupProbe.timeoutSeconds Timeout seconds for startupProbe - ## @param readReplicas.startupProbe.failureThreshold Failure threshold for startupProbe - ## @param readReplicas.startupProbe.successThreshold Success threshold for startupProbe - ## - startupProbe: - enabled: false - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 15 - successThreshold: 1 - ## @param readReplicas.customLivenessProbe Custom livenessProbe that overrides the default one - ## - customLivenessProbe: {} - ## @param readReplicas.customReadinessProbe Custom readinessProbe that overrides the default one - ## - customReadinessProbe: {} - ## @param readReplicas.customStartupProbe Custom startupProbe that overrides the default one - ## - customStartupProbe: {} - ## @param readReplicas.lifecycleHooks for the PostgreSQL read only container to automate configuration before or after startup - ## - lifecycleHooks: {} - ## PostgreSQL read only resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param readReplicas.resources.limits The resources limits for the PostgreSQL read only containers - ## @param readReplicas.resources.requests.memory The requested memory for the PostgreSQL read only containers - ## @param readReplicas.resources.requests.cpu The requested cpu for the PostgreSQL read only containers - ## - resources: - limits: {} - requests: - memory: 256Mi - cpu: 250m - ## Pod Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - ## @param readReplicas.podSecurityContext.enabled Enable security context - ## @param readReplicas.podSecurityContext.fsGroup Group ID for the pod - ## - podSecurityContext: - enabled: true - fsGroup: 1001 - ## Container Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - ## @param readReplicas.containerSecurityContext.enabled Enable container security context - ## @param readReplicas.containerSecurityContext.runAsUser User ID for the container - ## @param readReplicas.containerSecurityContext.runAsGroup Group ID for the container - ## @param readReplicas.containerSecurityContext.runAsNonRoot Set runAsNonRoot for the container - ## @param readReplicas.containerSecurityContext.allowPrivilegeEscalation Set allowPrivilegeEscalation for the container - ## @param readReplicas.containerSecurityContext.seccompProfile.type Set seccompProfile.type for the container - ## @param readReplicas.containerSecurityContext.capabilities.drop Set capabilities.drop for the container - ## - containerSecurityContext: - enabled: true - runAsUser: 1001 - runAsGroup: 0 - runAsNonRoot: true - allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - ## @param readReplicas.hostAliases PostgreSQL read only pods host aliases - ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - ## - hostAliases: [] - ## @param readReplicas.hostNetwork Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only) - ## - hostNetwork: false - ## @param readReplicas.hostIPC Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) - ## - hostIPC: false - ## @param readReplicas.labels Map of labels to add to the statefulset (PostgreSQL read only) - ## - labels: {} - ## @param readReplicas.annotations Annotations for PostgreSQL read only pods - ## - annotations: {} - ## @param readReplicas.podLabels Map of labels to add to the pods (PostgreSQL read only) - ## - podLabels: {} - ## @param readReplicas.podAnnotations Map of annotations to add to the pods (PostgreSQL read only) - ## - podAnnotations: {} - ## @param readReplicas.podAffinityPreset PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAffinityPreset: "" - ## @param readReplicas.podAntiAffinityPreset PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAntiAffinityPreset: soft - ## PostgreSQL read only node affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - ## - nodeAffinityPreset: - ## @param readReplicas.nodeAffinityPreset.type PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` - ## - type: "" - ## @param readReplicas.nodeAffinityPreset.key PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. - ## E.g. - ## key: "kubernetes.io/e2e-az-name" - ## - key: "" - ## @param readReplicas.nodeAffinityPreset.values PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. - ## E.g. - ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - ## @param readReplicas.affinity Affinity for PostgreSQL read only pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set - ## - affinity: {} - ## @param readReplicas.nodeSelector Node labels for PostgreSQL read only pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - ## @param readReplicas.tolerations Tolerations for PostgreSQL read only pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - tolerations: [] - ## @param readReplicas.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods - ## - topologySpreadConstraints: [] - ## @param readReplicas.priorityClassName Priority Class to use for each pod (PostgreSQL read only) - ## - priorityClassName: "" - ## @param readReplicas.schedulerName Use an alternate scheduler, e.g. "stork". - ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ - ## - schedulerName: "" - ## @param readReplicas.terminationGracePeriodSeconds Seconds PostgreSQL read only pod needs to terminate gracefully - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods - ## - terminationGracePeriodSeconds: "" - ## @param readReplicas.updateStrategy.type PostgreSQL read only statefulset strategy type - ## @param readReplicas.updateStrategy.rollingUpdate PostgreSQL read only statefulset rolling update configuration parameters - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies - ## - updateStrategy: - type: RollingUpdate - rollingUpdate: {} - ## @param readReplicas.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s) - ## - extraVolumeMounts: [] - ## @param readReplicas.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s) - ## - extraVolumes: [] - ## @param readReplicas.sidecars Add additional sidecar containers to the PostgreSQL read only pod(s) - ## For example: - ## sidecars: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 - ## - sidecars: [] - ## @param readReplicas.initContainers Add additional init containers to the PostgreSQL read only pod(s) - ## Example - ## - ## initContainers: - ## - name: do-something - ## image: busybox - ## command: ['do', 'something'] - ## - initContainers: [] - ## @param readReplicas.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL read only pod(s) - ## - extraPodSpec: {} - ## PostgreSQL read only service configuration - ## - service: - ## @param readReplicas.service.type Kubernetes Service type - ## - type: ClusterIP - ## @param readReplicas.service.ports.postgresql PostgreSQL service port - ## - ports: - postgresql: 5432 - ## Node ports to expose - ## NOTE: choose port between <30000-32767> - ## @param readReplicas.service.nodePorts.postgresql Node port for PostgreSQL - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - nodePorts: - postgresql: "" - ## @param readReplicas.service.clusterIP Static clusterIP or None for headless services - ## e.g: - ## clusterIP: None - ## - clusterIP: "" - ## @param readReplicas.service.annotations Annotations for PostgreSQL read only service - ## - annotations: {} - ## @param readReplicas.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer` - ## Set the LoadBalancer service type to internal only - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - loadBalancerIP: "" - ## @param readReplicas.service.externalTrafficPolicy Enable client source IP preservation - ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - ## @param readReplicas.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - ## - loadBalancerSourceRanges: [] - ## @param readReplicas.service.extraPorts Extra ports to expose in the PostgreSQL read only service - ## - extraPorts: [] - ## @param readReplicas.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" - ## If "ClientIP", consecutive client requests will be directed to the same Pod - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - ## - sessionAffinity: None - ## @param readReplicas.service.sessionAffinityConfig Additional settings for the sessionAffinity - ## sessionAffinityConfig: - ## clientIP: - ## timeoutSeconds: 300 - ## - sessionAffinityConfig: {} - ## Headless service properties - ## - headless: - ## @param readReplicas.service.headless.annotations Additional custom annotations for headless PostgreSQL read only service - ## - annotations: {} - ## PostgreSQL read only persistence configuration - ## - persistence: - ## @param readReplicas.persistence.enabled Enable PostgreSQL read only data persistence using PVC - ## - enabled: true - ## @param readReplicas.persistence.existingClaim Name of an existing PVC to use - ## - existingClaim: "" - ## @param readReplicas.persistence.mountPath The path the volume will be mounted at - ## Note: useful when using custom PostgreSQL images - ## - mountPath: /bitnami/postgresql - ## @param readReplicas.persistence.subPath The subdirectory of the volume to mount to - ## Useful in dev environments and one PV for multiple services - ## - subPath: "" - ## @param readReplicas.persistence.storageClass PVC Storage Class for PostgreSQL read only data volume - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - storageClass: "" - ## @param readReplicas.persistence.accessModes PVC Access Mode for PostgreSQL volume - ## - accessModes: - - ReadWriteOnce - ## @param readReplicas.persistence.size PVC Storage Request for PostgreSQL volume - ## - size: 8Gi - ## @param readReplicas.persistence.annotations Annotations for the PVC - ## - annotations: {} - ## @param readReplicas.persistence.labels Labels for the PVC - ## - labels: {} - ## @param readReplicas.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) - ## selector: - ## matchLabels: - ## app: my-app - ## - selector: {} - ## @param readReplicas.persistence.dataSource Custom PVC data source - ## - dataSource: {} - - -## @section Backup parameters -## This section implements a trivial logical dump cronjob of the database. -## This only comes with the consistency guarantees of the dump program. -## This is not a snapshot based roll forward/backward recovery backup. -## ref: https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ -backup: - ## @param backup.enabled Enable the logical dump of the database "regularly" - enabled: false - cronjob: - ## @param backup.cronjob.schedule Set the cronjob parameter schedule - schedule: "@daily" - ## @param backup.cronjob.concurrencyPolicy Set the cronjob parameter concurrencyPolicy - concurrencyPolicy: Allow - ## @param backup.cronjob.failedJobsHistoryLimit Set the cronjob parameter failedJobsHistoryLimit - failedJobsHistoryLimit: 1 - ## @param backup.cronjob.successfulJobsHistoryLimit Set the cronjob parameter successfulJobsHistoryLimit - successfulJobsHistoryLimit: 3 - ## @param backup.cronjob.startingDeadlineSeconds Set the cronjob parameter startingDeadlineSeconds - startingDeadlineSeconds: "" - ## @param backup.cronjob.ttlSecondsAfterFinished Set the cronjob parameter ttlSecondsAfterFinished - ttlSecondsAfterFinished: "" - ## @param backup.cronjob.restartPolicy Set the cronjob parameter restartPolicy - restartPolicy: OnFailure - ## backup container's Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## @param backup.cronjob.containerSecurityContext.runAsUser User ID for the backup container - ## @param backup.cronjob.containerSecurityContext.runAsGroup Group ID for the backup container - ## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set backup container's Security Context runAsNonRoot - ## @param backup.cronjob.containerSecurityContext.readOnlyRootFilesystem Is the container itself readonly - ## @param backup.cronjob.containerSecurityContext.allowPrivilegeEscalation Is it possible to escalate backup pod(s) privileges - ## @param backup.cronjob.containerSecurityContext.seccompProfile.type Set backup container's Security Context seccompProfile type - ## @param backup.cronjob.containerSecurityContext.capabilities.drop Set backup container's Security Context capabilities to drop - containerSecurityContext: - runAsUser: 1001 - runAsGroup: 0 - runAsNonRoot: true - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - ## @param backup.cronjob.command Set backup container's command to run - command: - - /bin/sh - - -c - - "pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file=${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump" - - ## @param backup.cronjob.labels Set the cronjob labels - labels: {} - ## @param backup.cronjob.annotations Set the cronjob annotations - annotations: {} - storage: - ## @param backup.cronjob.storage.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) - ## If defined, PVC must be created manually before volume will be bound - ## - existingClaim: "" - ## @param backup.cronjob.storage.resourcePolicy Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted - ## - resourcePolicy: "" - ## @param backup.cronjob.storage.storageClass PVC Storage Class for the backup data volume - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. - ## - storageClass: "" - ## @param backup.cronjob.storage.accessModes PV Access Mode - ## - accessModes: - - ReadWriteOnce - ## @param backup.cronjob.storage.size PVC Storage Request for the backup data volume - ## - size: 8Gi - ## @param backup.cronjob.storage.annotations PVC annotations - ## - annotations: {} - ## @param backup.cronjob.storage.mountPath Path to mount the volume at - ## - mountPath: /backup/pgdump - ## @param backup.cronjob.storage.subPath Subdirectory of the volume to mount at - ## and one PV for multiple services. - ## - subPath: "" - ## Fine tuning for volumeClaimTemplates - ## - volumeClaimTemplates: - ## @param backup.cronjob.storage.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g. when using local volumes) - ## A label query over volumes to consider for binding (e.g. when using local volumes) - ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details - ## - selector: {} - -## @section NetworkPolicy parameters -## - -## Add networkpolicies -## -networkPolicy: - ## @param networkPolicy.enabled Enable network policies - ## - enabled: false - ## @param networkPolicy.metrics.enabled Enable network policies for metrics (prometheus) - ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. - ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. - ## - metrics: - enabled: false - ## e.g: - ## namespaceSelector: - ## label: monitoring - ## - namespaceSelector: {} - ## e.g: - ## podSelector: - ## label: monitoring - ## - podSelector: {} - ## Ingress Rules - ## - ingressRules: - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin. - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s). - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s). - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules Custom network policy for the PostgreSQL primary node. - ## - primaryAccessOnlyFrom: - enabled: false - ## e.g: - ## namespaceSelector: - ## label: ingress - ## - namespaceSelector: {} - ## e.g: - ## podSelector: - ## label: access - ## - podSelector: {} - ## custom ingress rules - ## e.g: - ## customRules: - ## - from: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customRules: [] - ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin. - ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s). - ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s). - ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules Custom network policy for the PostgreSQL read-only nodes. - ## - readReplicasAccessOnlyFrom: - enabled: false - ## e.g: - ## namespaceSelector: - ## label: ingress - ## - namespaceSelector: {} - ## e.g: - ## podSelector: - ## label: access - ## - podSelector: {} - ## custom ingress rules - ## e.g: - ## CustomRules: - ## - from: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customRules: [] - ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). - ## @param networkPolicy.egressRules.customRules Custom network policy rule - ## - egressRules: - # Deny connections to external. This is not compatible with an external database. - denyConnectionsToExternal: false - ## Additional custom egress rules - ## e.g: - ## customRules: - ## - to: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customRules: [] - -## @section Volume Permissions parameters -## - -## Init containers parameters: -## volumePermissions: Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node -## -volumePermissions: - ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume - ## - enabled: false - ## @param volumePermissions.image.registry Init container volume-permissions image registry - ## @param volumePermissions.image.repository Init container volume-permissions image repository - ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) - ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag - ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy - ## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets - ## - image: - registry: docker.io - repository: bitnami/os-shell - tag: 11-debian-11-r34 - digest: "" - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Init container resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param volumePermissions.resources.limits Init container volume-permissions resource limits - ## @param volumePermissions.resources.requests Init container volume-permissions resource requests - ## - resources: - limits: {} - requests: {} - ## Init container' Security Context - ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser - ## and not the below volumePermissions.containerSecurityContext.runAsUser - ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container - ## @param volumePermissions.containerSecurityContext.runAsGroup Group ID for the init container - ## @param volumePermissions.containerSecurityContext.runAsNonRoot runAsNonRoot for the init container - ## @param volumePermissions.containerSecurityContext.seccompProfile.type seccompProfile.type for the init container - ## - containerSecurityContext: - runAsUser: 0 - runAsGroup: 0 - runAsNonRoot: false - seccompProfile: - type: RuntimeDefault -## @section Other Parameters -## - -## @param serviceBindings.enabled Create secret for service binding (Experimental) -## Ref: https://servicebinding.io/service-provider/ -## -serviceBindings: - enabled: false - -## Service account for PostgreSQL to use. -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ -## -serviceAccount: - ## @param serviceAccount.create Enable creation of ServiceAccount for PostgreSQL pod - ## - create: false - ## @param serviceAccount.name The name of the ServiceAccount to use. - ## If not set and create is true, a name is generated using the common.names.fullname template - ## - name: "" - ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created - ## Can be set to false if pods using this serviceAccount do not need to use K8s API - ## - automountServiceAccountToken: true - ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount - ## - annotations: {} -## Creates role for ServiceAccount -## @param rbac.create Create Role and RoleBinding (required for PSP to work) -## -rbac: - create: false - ## @param rbac.rules Custom RBAC rules to set - ## e.g: - ## rules: - ## - apiGroups: - ## - "" - ## resources: - ## - pods - ## verbs: - ## - get - ## - list - ## - rules: [] -## Pod Security Policy -## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ -## @param psp.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later -## -psp: - create: false - -## @section Metrics Parameters -## - -metrics: - ## @param metrics.enabled Start a prometheus exporter - ## - enabled: false - ## @param metrics.image.registry PostgreSQL Prometheus Exporter image registry - ## @param metrics.image.repository PostgreSQL Prometheus Exporter image repository - ## @param metrics.image.tag PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) - ## @param metrics.image.digest PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag - ## @param metrics.image.pullPolicy PostgreSQL Prometheus Exporter image pull policy - ## @param metrics.image.pullSecrets Specify image pull secrets - ## - image: - registry: docker.io - repository: bitnami/postgres-exporter - tag: 0.13.2-debian-11-r15 - digest: "" - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## @param metrics.customMetrics Define additional custom metrics - ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file - ## customMetrics: - ## pg_database: - ## query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size_bytes FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')" - ## metrics: - ## - name: - ## usage: "LABEL" - ## description: "Name of the database" - ## - size_bytes: - ## usage: "GAUGE" - ## description: "Size of the database in bytes" - ## - customMetrics: {} - ## @param metrics.extraEnvVars Extra environment variables to add to PostgreSQL Prometheus exporter - ## see: https://github.com/wrouesnel/postgres_exporter#environment-variables - ## For example: - ## extraEnvVars: - ## - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS - ## value: "true" - ## - extraEnvVars: [] - ## PostgreSQL Prometheus exporter containers' Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## @param metrics.containerSecurityContext.enabled Enable PostgreSQL Prometheus exporter containers' Security Context - ## @param metrics.containerSecurityContext.runAsUser Set PostgreSQL Prometheus exporter containers' Security Context runAsUser - ## @param metrics.containerSecurityContext.runAsGroup Set PostgreSQL Prometheus exporter containers' Security Context runAsGroup - ## @param metrics.containerSecurityContext.runAsNonRoot Set PostgreSQL Prometheus exporter containers' Security Context runAsNonRoot - ## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set PostgreSQL Prometheus exporter containers' Security Context allowPrivilegeEscalation - ## @param metrics.containerSecurityContext.seccompProfile.type Set PostgreSQL Prometheus exporter containers' Security Context seccompProfile.type - ## @param metrics.containerSecurityContext.capabilities.drop Set PostgreSQL Prometheus exporter containers' Security Context capabilities.drop - ## - containerSecurityContext: - enabled: true - runAsUser: 1001 - runAsGroup: 0 - runAsNonRoot: true - allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - ## Configure extra options for PostgreSQL Prometheus exporter containers' liveness, readiness and startup probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes - ## @param metrics.livenessProbe.enabled Enable livenessProbe on PostgreSQL Prometheus exporter containers - ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe - ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe - ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe - ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe - ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe - ## - livenessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - ## @param metrics.readinessProbe.enabled Enable readinessProbe on PostgreSQL Prometheus exporter containers - ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe - ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe - ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe - ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe - ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe - ## - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - ## @param metrics.startupProbe.enabled Enable startupProbe on PostgreSQL Prometheus exporter containers - ## @param metrics.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe - ## @param metrics.startupProbe.periodSeconds Period seconds for startupProbe - ## @param metrics.startupProbe.timeoutSeconds Timeout seconds for startupProbe - ## @param metrics.startupProbe.failureThreshold Failure threshold for startupProbe - ## @param metrics.startupProbe.successThreshold Success threshold for startupProbe - ## - startupProbe: - enabled: false - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 15 - successThreshold: 1 - ## @param metrics.customLivenessProbe Custom livenessProbe that overrides the default one - ## - customLivenessProbe: {} - ## @param metrics.customReadinessProbe Custom readinessProbe that overrides the default one - ## - customReadinessProbe: {} - ## @param metrics.customStartupProbe Custom startupProbe that overrides the default one - ## - customStartupProbe: {} - ## @param metrics.containerPorts.metrics PostgreSQL Prometheus exporter metrics container port - ## - containerPorts: - metrics: 9187 - ## PostgreSQL Prometheus exporter resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param metrics.resources.limits The resources limits for the PostgreSQL Prometheus exporter container - ## @param metrics.resources.requests The requested resources for the PostgreSQL Prometheus exporter container - ## - resources: - limits: {} - requests: {} - ## Service configuration - ## - service: - ## @param metrics.service.ports.metrics PostgreSQL Prometheus Exporter service port - ## - ports: - metrics: 9187 - ## @param metrics.service.clusterIP Static clusterIP or None for headless services - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address - ## - clusterIP: "" - ## @param metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin - ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/user-guide/services/ - ## - sessionAffinity: None - ## @param metrics.service.annotations [object] Annotations for Prometheus to auto-discover the metrics endpoint - ## - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}" - ## Prometheus Operator ServiceMonitor configuration - ## - serviceMonitor: - ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator - ## - enabled: false - ## @param metrics.serviceMonitor.namespace Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) - ## - namespace: "" - ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped. - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint - ## - interval: "" - ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint - ## - scrapeTimeout: "" - ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus - ## - labels: {} - ## @param metrics.serviceMonitor.selector Prometheus instance selector labels - ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration - ## - selector: {} - ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping - ## - relabelings: [] - ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion - ## - metricRelabelings: [] - ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint - ## - honorLabels: false - ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. - ## - jobLabel: "" - ## Custom PrometheusRule to be defined - ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart - ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions - ## - prometheusRule: - ## @param metrics.prometheusRule.enabled Create a PrometheusRule for Prometheus Operator - ## - enabled: false - ## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace) - ## - namespace: "" - ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus - ## - labels: {} - ## @param metrics.prometheusRule.rules PrometheusRule definitions - ## Make sure to constraint the rules to the current postgresql service. - ## rules: - ## - alert: HugeReplicationLag - ## expr: pg_replication_lag{service="{{ printf "%s-metrics" (include "common.names.fullname" .) }}"} / 3600 > 1 - ## for: 1m - ## labels: - ## severity: critical - ## annotations: - ## description: replication for {{ include "common.names.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s). - ## summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s). - ## - rules: [] diff --git a/charts/redis/.helmignore b/charts/redis/.helmignore deleted file mode 100644 index f0c13194..00000000 --- a/charts/redis/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/charts/redis/Chart.yaml b/charts/redis/Chart.yaml deleted file mode 100644 index d29e79ff..00000000 --- a/charts/redis/Chart.yaml +++ /dev/null @@ -1,29 +0,0 @@ -annotations: - category: Database -apiVersion: v2 -appVersion: 6.2.6 -dependencies: -- name: common - repository: https://charts.bitnami.com/bitnami - tags: - - bitnami-common - version: 1.x.x -description: Open source, advanced key-value store. It is often referred to as a data - structure server since keys can contain strings, hashes, lists, sets and sorted - sets. -home: https://github.com/bitnami/charts/tree/master/bitnami/redis -icon: https://bitnami.com/assets/stacks/redis/img/redis-stack-220x234.png -keywords: -- redis -- keyvalue -- database -maintainers: -- email: containers@bitnami.com - name: Bitnami -- email: cedric@desaintmartin.fr - name: desaintmartin -name: redis -sources: -- https://github.com/bitnami/bitnami-docker-redis -- http://redis.io/ -version: 15.7.6 diff --git a/charts/redis/README.md b/charts/redis/README.md deleted file mode 100644 index 4394c3cf..00000000 --- a/charts/redis/README.md +++ /dev/null @@ -1,346 +0,0 @@ -# redis - -![Version: 15.7.6](https://img.shields.io/badge/Version-15.7.6-informational?style=flat-square) ![AppVersion: 6.2.6](https://img.shields.io/badge/AppVersion-6.2.6-informational?style=flat-square) - -Open source, advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. - -**Homepage:** - -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| Bitnami | | | -| desaintmartin | | | - -## Source Code - -* -* - -## Requirements - -| Repository | Name | Version | -|------------|------|---------| -| https://charts.bitnami.com/bitnami | common | 1.x.x | - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| architecture | string | `"replication"` | | -| auth.enabled | bool | `true` | | -| auth.existingSecret | string | `""` | | -| auth.existingSecretPasswordKey | string | `""` | | -| auth.password | string | `""` | | -| auth.sentinel | bool | `true` | | -| auth.usePasswordFiles | bool | `false` | | -| clusterDomain | string | `"cluster.local"` | | -| commonAnnotations | object | `{}` | | -| commonConfiguration | string | `"# Enable AOF https://redis.io/topics/persistence#append-only-file\nappendonly yes\n# Disable RDB persistence, AOF persistence already enabled.\nsave \"\""` | | -| commonLabels | object | `{}` | | -| diagnosticMode.args[0] | string | `"infinity"` | | -| diagnosticMode.command[0] | string | `"sleep"` | | -| diagnosticMode.enabled | bool | `false` | | -| existingConfigmap | string | `""` | | -| extraDeploy | list | `[]` | | -| fullnameOverride | string | `""` | | -| global.imagePullSecrets | list | `[]` | | -| global.imageRegistry | string | `""` | | -| global.redis.password | string | `""` | | -| global.storageClass | string | `""` | | -| image.debug | bool | `false` | | -| image.pullPolicy | string | `"IfNotPresent"` | | -| image.pullSecrets | list | `[]` | | -| image.registry | string | `"docker.io"` | | -| image.repository | string | `"bitnami/redis"` | | -| image.tag | string | `"6.2.6-debian-10-r97"` | | -| kubeVersion | string | `""` | | -| master.affinity | object | `{}` | | -| master.args | list | `[]` | | -| master.command | list | `[]` | | -| master.configuration | string | `""` | | -| master.containerPort | int | `6379` | | -| master.containerSecurityContext.enabled | bool | `true` | | -| master.containerSecurityContext.runAsUser | int | `1001` | | -| master.customLivenessProbe | object | `{}` | | -| master.customReadinessProbe | object | `{}` | | -| master.disableCommands[0] | string | `"FLUSHDB"` | | -| master.disableCommands[1] | string | `"FLUSHALL"` | | -| master.extraEnvVars | list | `[]` | | -| master.extraEnvVarsCM | string | `""` | | -| master.extraEnvVarsSecret | string | `""` | | -| master.extraFlags | list | `[]` | | -| master.extraVolumeMounts | list | `[]` | | -| master.extraVolumes | list | `[]` | | -| master.hostAliases | list | `[]` | | -| master.initContainers | list | `[]` | | -| master.lifecycleHooks | object | `{}` | | -| master.livenessProbe.enabled | bool | `true` | | -| master.livenessProbe.failureThreshold | int | `5` | | -| master.livenessProbe.initialDelaySeconds | int | `20` | | -| master.livenessProbe.periodSeconds | int | `5` | | -| master.livenessProbe.successThreshold | int | `1` | | -| master.livenessProbe.timeoutSeconds | int | `5` | | -| master.nodeAffinityPreset.key | string | `""` | | -| master.nodeAffinityPreset.type | string | `""` | | -| master.nodeAffinityPreset.values | list | `[]` | | -| master.nodeSelector | object | `{}` | | -| master.persistence.accessModes[0] | string | `"ReadWriteOnce"` | | -| master.persistence.annotations | object | `{}` | | -| master.persistence.dataSource | object | `{}` | | -| master.persistence.enabled | bool | `true` | | -| master.persistence.existingClaim | string | `""` | | -| master.persistence.medium | string | `""` | | -| master.persistence.path | string | `"/data"` | | -| master.persistence.selector | object | `{}` | | -| master.persistence.size | string | `"8Gi"` | | -| master.persistence.storageClass | string | `""` | | -| master.persistence.subPath | string | `""` | | -| master.podAffinityPreset | string | `""` | | -| master.podAnnotations | object | `{}` | | -| master.podAntiAffinityPreset | string | `"soft"` | | -| master.podLabels | object | `{}` | | -| master.podSecurityContext.enabled | bool | `true` | | -| master.podSecurityContext.fsGroup | int | `1001` | | -| master.preExecCmds | list | `[]` | | -| master.priorityClassName | string | `""` | | -| master.readinessProbe.enabled | bool | `true` | | -| master.readinessProbe.failureThreshold | int | `5` | | -| master.readinessProbe.initialDelaySeconds | int | `20` | | -| master.readinessProbe.periodSeconds | int | `5` | | -| master.readinessProbe.successThreshold | int | `1` | | -| master.readinessProbe.timeoutSeconds | int | `1` | | -| master.resources.limits | object | `{}` | | -| master.resources.requests | object | `{}` | | -| master.schedulerName | string | `""` | | -| master.service.annotations | object | `{}` | | -| master.service.clusterIP | string | `""` | | -| master.service.externalTrafficPolicy | string | `"Cluster"` | | -| master.service.loadBalancerIP | string | `""` | | -| master.service.loadBalancerSourceRanges | list | `[]` | | -| master.service.nodePort | string | `""` | | -| master.service.port | int | `6379` | | -| master.service.type | string | `"ClusterIP"` | | -| master.shareProcessNamespace | bool | `false` | | -| master.sidecars | list | `[]` | | -| master.spreadConstraints | list | `[]` | | -| master.terminationGracePeriodSeconds | int | `30` | | -| master.tolerations | list | `[]` | | -| master.updateStrategy.rollingUpdate | object | `{}` | | -| master.updateStrategy.type | string | `"RollingUpdate"` | | -| metrics.containerSecurityContext.enabled | bool | `true` | | -| metrics.containerSecurityContext.runAsUser | int | `1001` | | -| metrics.enabled | bool | `false` | | -| metrics.extraArgs | object | `{}` | | -| metrics.extraVolumeMounts | list | `[]` | | -| metrics.extraVolumes | list | `[]` | | -| metrics.image.pullPolicy | string | `"IfNotPresent"` | | -| metrics.image.pullSecrets | list | `[]` | | -| metrics.image.registry | string | `"docker.io"` | | -| metrics.image.repository | string | `"bitnami/redis-exporter"` | | -| metrics.image.tag | string | `"1.33.0-debian-10-r21"` | | -| metrics.podAnnotations."prometheus.io/port" | string | `"9121"` | | -| metrics.podAnnotations."prometheus.io/scrape" | string | `"true"` | | -| metrics.podLabels | object | `{}` | | -| metrics.prometheusRule.additionalLabels | object | `{}` | | -| metrics.prometheusRule.enabled | bool | `false` | | -| metrics.prometheusRule.namespace | string | `""` | | -| metrics.prometheusRule.rules | list | `[]` | | -| metrics.redisTargetHost | string | `"localhost"` | | -| metrics.resources.limits | object | `{}` | | -| metrics.resources.requests | object | `{}` | | -| metrics.service.annotations | object | `{}` | | -| metrics.service.externalTrafficPolicy | string | `"Cluster"` | | -| metrics.service.loadBalancerIP | string | `""` | | -| metrics.service.loadBalancerSourceRanges | list | `[]` | | -| metrics.service.port | int | `9121` | | -| metrics.service.type | string | `"ClusterIP"` | | -| metrics.serviceMonitor.additionalLabels | object | `{}` | | -| metrics.serviceMonitor.enabled | bool | `false` | | -| metrics.serviceMonitor.honorLabels | bool | `false` | | -| metrics.serviceMonitor.interval | string | `"30s"` | | -| metrics.serviceMonitor.metricRelabelings | list | `[]` | | -| metrics.serviceMonitor.namespace | string | `""` | | -| metrics.serviceMonitor.relabellings | list | `[]` | | -| metrics.serviceMonitor.scrapeTimeout | string | `""` | | -| nameOverride | string | `""` | | -| networkPolicy.allowExternal | bool | `true` | | -| networkPolicy.enabled | bool | `false` | | -| networkPolicy.extraEgress | list | `[]` | | -| networkPolicy.extraIngress | list | `[]` | | -| networkPolicy.ingressNSMatchLabels | object | `{}` | | -| networkPolicy.ingressNSPodMatchLabels | object | `{}` | | -| pdb.create | bool | `false` | | -| pdb.maxUnavailable | string | `""` | | -| pdb.minAvailable | int | `1` | | -| podSecurityPolicy.create | bool | `false` | | -| podSecurityPolicy.enabled | bool | `false` | | -| rbac.create | bool | `false` | | -| rbac.rules | list | `[]` | | -| replica.affinity | object | `{}` | | -| replica.args | list | `[]` | | -| replica.autoscaling.enabled | bool | `false` | | -| replica.autoscaling.maxReplicas | int | `11` | | -| replica.autoscaling.minReplicas | int | `1` | | -| replica.autoscaling.targetCPU | string | `""` | | -| replica.autoscaling.targetMemory | string | `""` | | -| replica.command | list | `[]` | | -| replica.configuration | string | `""` | | -| replica.containerPort | int | `6379` | | -| replica.containerSecurityContext.enabled | bool | `true` | | -| replica.containerSecurityContext.runAsUser | int | `1001` | | -| replica.customLivenessProbe | object | `{}` | | -| replica.customReadinessProbe | object | `{}` | | -| replica.disableCommands[0] | string | `"FLUSHDB"` | | -| replica.disableCommands[1] | string | `"FLUSHALL"` | | -| replica.extraEnvVars | list | `[]` | | -| replica.extraEnvVarsCM | string | `""` | | -| replica.extraEnvVarsSecret | string | `""` | | -| replica.extraFlags | list | `[]` | | -| replica.extraVolumeMounts | list | `[]` | | -| replica.extraVolumes | list | `[]` | | -| replica.hostAliases | list | `[]` | | -| replica.initContainers | list | `[]` | | -| replica.lifecycleHooks | object | `{}` | | -| replica.livenessProbe.enabled | bool | `true` | | -| replica.livenessProbe.failureThreshold | int | `5` | | -| replica.livenessProbe.initialDelaySeconds | int | `20` | | -| replica.livenessProbe.periodSeconds | int | `5` | | -| replica.livenessProbe.successThreshold | int | `1` | | -| replica.livenessProbe.timeoutSeconds | int | `5` | | -| replica.nodeAffinityPreset.key | string | `""` | | -| replica.nodeAffinityPreset.type | string | `""` | | -| replica.nodeAffinityPreset.values | list | `[]` | | -| replica.nodeSelector | object | `{}` | | -| replica.persistence.accessModes[0] | string | `"ReadWriteOnce"` | | -| replica.persistence.annotations | object | `{}` | | -| replica.persistence.dataSource | object | `{}` | | -| replica.persistence.enabled | bool | `true` | | -| replica.persistence.medium | string | `""` | | -| replica.persistence.path | string | `"/data"` | | -| replica.persistence.selector | object | `{}` | | -| replica.persistence.size | string | `"8Gi"` | | -| replica.persistence.storageClass | string | `""` | | -| replica.persistence.subPath | string | `""` | | -| replica.podAffinityPreset | string | `""` | | -| replica.podAnnotations | object | `{}` | | -| replica.podAntiAffinityPreset | string | `"soft"` | | -| replica.podLabels | object | `{}` | | -| replica.podSecurityContext.enabled | bool | `true` | | -| replica.podSecurityContext.fsGroup | int | `1001` | | -| replica.preExecCmds | list | `[]` | | -| replica.priorityClassName | string | `""` | | -| replica.readinessProbe.enabled | bool | `true` | | -| replica.readinessProbe.failureThreshold | int | `5` | | -| replica.readinessProbe.initialDelaySeconds | int | `20` | | -| replica.readinessProbe.periodSeconds | int | `5` | | -| replica.readinessProbe.successThreshold | int | `1` | | -| replica.readinessProbe.timeoutSeconds | int | `1` | | -| replica.replicaCount | int | `3` | | -| replica.resources.limits | object | `{}` | | -| replica.resources.requests | object | `{}` | | -| replica.schedulerName | string | `""` | | -| replica.service.annotations | object | `{}` | | -| replica.service.clusterIP | string | `""` | | -| replica.service.externalTrafficPolicy | string | `"Cluster"` | | -| replica.service.loadBalancerIP | string | `""` | | -| replica.service.loadBalancerSourceRanges | list | `[]` | | -| replica.service.nodePort | string | `""` | | -| replica.service.port | int | `6379` | | -| replica.service.type | string | `"ClusterIP"` | | -| replica.shareProcessNamespace | bool | `false` | | -| replica.sidecars | list | `[]` | | -| replica.spreadConstraints | list | `[]` | | -| replica.terminationGracePeriodSeconds | int | `30` | | -| replica.tolerations | list | `[]` | | -| replica.updateStrategy.rollingUpdate | object | `{}` | | -| replica.updateStrategy.type | string | `"RollingUpdate"` | | -| sentinel.args | list | `[]` | | -| sentinel.automateClusterRecovery | bool | `false` | | -| sentinel.command | list | `[]` | | -| sentinel.configuration | string | `""` | | -| sentinel.containerPort | int | `26379` | | -| sentinel.containerSecurityContext.enabled | bool | `true` | | -| sentinel.containerSecurityContext.runAsUser | int | `1001` | | -| sentinel.customLivenessProbe | object | `{}` | | -| sentinel.customReadinessProbe | object | `{}` | | -| sentinel.downAfterMilliseconds | int | `60000` | | -| sentinel.enabled | bool | `false` | | -| sentinel.extraEnvVars | list | `[]` | | -| sentinel.extraEnvVarsCM | string | `""` | | -| sentinel.extraEnvVarsSecret | string | `""` | | -| sentinel.extraVolumeMounts | list | `[]` | | -| sentinel.extraVolumes | list | `[]` | | -| sentinel.failoverTimeout | int | `18000` | | -| sentinel.image.debug | bool | `false` | | -| sentinel.image.pullPolicy | string | `"IfNotPresent"` | | -| sentinel.image.pullSecrets | list | `[]` | | -| sentinel.image.registry | string | `"docker.io"` | | -| sentinel.image.repository | string | `"bitnami/redis-sentinel"` | | -| sentinel.image.tag | string | `"6.2.6-debian-10-r95"` | | -| sentinel.lifecycleHooks | object | `{}` | | -| sentinel.livenessProbe.enabled | bool | `true` | | -| sentinel.livenessProbe.failureThreshold | int | `5` | | -| sentinel.livenessProbe.initialDelaySeconds | int | `20` | | -| sentinel.livenessProbe.periodSeconds | int | `5` | | -| sentinel.livenessProbe.successThreshold | int | `1` | | -| sentinel.livenessProbe.timeoutSeconds | int | `5` | | -| sentinel.masterSet | string | `"mymaster"` | | -| sentinel.parallelSyncs | int | `1` | | -| sentinel.preExecCmds | list | `[]` | | -| sentinel.quorum | int | `2` | | -| sentinel.readinessProbe.enabled | bool | `true` | | -| sentinel.readinessProbe.failureThreshold | int | `5` | | -| sentinel.readinessProbe.initialDelaySeconds | int | `20` | | -| sentinel.readinessProbe.periodSeconds | int | `5` | | -| sentinel.readinessProbe.successThreshold | int | `1` | | -| sentinel.readinessProbe.timeoutSeconds | int | `1` | | -| sentinel.resources.limits | object | `{}` | | -| sentinel.resources.requests | object | `{}` | | -| sentinel.service.annotations | object | `{}` | | -| sentinel.service.clusterIP | string | `""` | | -| sentinel.service.externalTrafficPolicy | string | `"Cluster"` | | -| sentinel.service.loadBalancerIP | string | `""` | | -| sentinel.service.loadBalancerSourceRanges | list | `[]` | | -| sentinel.service.nodePorts.redis | string | `""` | | -| sentinel.service.nodePorts.sentinel | string | `""` | | -| sentinel.service.port | int | `6379` | | -| sentinel.service.sentinelPort | int | `26379` | | -| sentinel.service.type | string | `"ClusterIP"` | | -| sentinel.terminationGracePeriodSeconds | int | `30` | | -| serviceAccount.annotations | object | `{}` | | -| serviceAccount.automountServiceAccountToken | bool | `true` | | -| serviceAccount.create | bool | `true` | | -| serviceAccount.name | string | `""` | | -| sysctl.command | list | `[]` | | -| sysctl.enabled | bool | `false` | | -| sysctl.image.pullPolicy | string | `"IfNotPresent"` | | -| sysctl.image.pullSecrets | list | `[]` | | -| sysctl.image.registry | string | `"docker.io"` | | -| sysctl.image.repository | string | `"bitnami/bitnami-shell"` | | -| sysctl.image.tag | string | `"10-debian-10-r307"` | | -| sysctl.mountHostSys | bool | `false` | | -| sysctl.resources.limits | object | `{}` | | -| sysctl.resources.requests | object | `{}` | | -| tls.authClients | bool | `true` | | -| tls.autoGenerated | bool | `false` | | -| tls.certCAFilename | string | `""` | | -| tls.certFilename | string | `""` | | -| tls.certKeyFilename | string | `""` | | -| tls.certificatesSecret | string | `""` | | -| tls.dhParamsFilename | string | `""` | | -| tls.enabled | bool | `false` | | -| tls.existingSecret | string | `""` | | -| volumePermissions.containerSecurityContext.runAsUser | int | `0` | | -| volumePermissions.enabled | bool | `false` | | -| volumePermissions.image.pullPolicy | string | `"IfNotPresent"` | | -| volumePermissions.image.pullSecrets | list | `[]` | | -| volumePermissions.image.registry | string | `"docker.io"` | | -| volumePermissions.image.repository | string | `"bitnami/bitnami-shell"` | | -| volumePermissions.image.tag | string | `"10-debian-10-r307"` | | -| volumePermissions.resources.limits | object | `{}` | | -| volumePermissions.resources.requests | object | `{}` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/redis/charts/common/.helmignore b/charts/redis/charts/common/.helmignore deleted file mode 100644 index 50af0317..00000000 --- a/charts/redis/charts/common/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/charts/redis/charts/common/Chart.yaml b/charts/redis/charts/common/Chart.yaml deleted file mode 100644 index cf934aad..00000000 --- a/charts/redis/charts/common/Chart.yaml +++ /dev/null @@ -1,23 +0,0 @@ -annotations: - category: Infrastructure -apiVersion: v2 -appVersion: 1.10.0 -description: A Library Helm Chart for grouping common logic between bitnami charts. - This chart is not deployable by itself. -home: https://github.com/bitnami/charts/tree/master/bitnami/common -icon: https://bitnami.com/downloads/logos/bitnami-mark.png -keywords: -- common -- helper -- template -- function -- bitnami -maintainers: -- email: containers@bitnami.com - name: Bitnami -name: common -sources: -- https://github.com/bitnami/charts -- https://www.bitnami.com/ -type: library -version: 1.10.3 diff --git a/charts/redis/charts/common/README.md b/charts/redis/charts/common/README.md deleted file mode 100644 index dfb8c558..00000000 --- a/charts/redis/charts/common/README.md +++ /dev/null @@ -1,27 +0,0 @@ -# common - -![Version: 1.10.3](https://img.shields.io/badge/Version-1.10.3-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: 1.10.0](https://img.shields.io/badge/AppVersion-1.10.0-informational?style=flat-square) - -A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. - -**Homepage:** - -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| Bitnami | | | - -## Source Code - -* -* - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| exampleValue | string | `"common-chart"` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/redis/charts/common/templates/_affinities.tpl b/charts/redis/charts/common/templates/_affinities.tpl deleted file mode 100644 index 189ea403..00000000 --- a/charts/redis/charts/common/templates/_affinities.tpl +++ /dev/null @@ -1,102 +0,0 @@ -{{/* vim: set filetype=mustache: */}} - -{{/* -Return a soft nodeAffinity definition -{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.nodes.soft" -}} -preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: {{ .key }} - operator: In - values: - {{- range .values }} - - {{ . | quote }} - {{- end }} - weight: 1 -{{- end -}} - -{{/* -Return a hard nodeAffinity definition -{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.nodes.hard" -}} -requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: {{ .key }} - operator: In - values: - {{- range .values }} - - {{ . | quote }} - {{- end }} -{{- end -}} - -{{/* -Return a nodeAffinity definition -{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.nodes" -}} - {{- if eq .type "soft" }} - {{- include "common.affinities.nodes.soft" . -}} - {{- else if eq .type "hard" }} - {{- include "common.affinities.nodes.hard" . -}} - {{- end -}} -{{- end -}} - -{{/* -Return a soft podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods.soft" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}} -*/}} -{{- define "common.affinities.pods.soft" -}} -{{- $component := default "" .component -}} -{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} -preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }} - {{- if not (empty $component) }} - {{ printf "app.kubernetes.io/component: %s" $component }} - {{- end }} - {{- range $key, $value := $extraMatchLabels }} - {{ $key }}: {{ $value | quote }} - {{- end }} - namespaces: - - {{ .context.Release.Namespace | quote }} - topologyKey: kubernetes.io/hostname - weight: 1 -{{- end -}} - -{{/* -Return a hard podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods.hard" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}} -*/}} -{{- define "common.affinities.pods.hard" -}} -{{- $component := default "" .component -}} -{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} -requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }} - {{- if not (empty $component) }} - {{ printf "app.kubernetes.io/component: %s" $component }} - {{- end }} - {{- range $key, $value := $extraMatchLabels }} - {{ $key }}: {{ $value | quote }} - {{- end }} - namespaces: - - {{ .context.Release.Namespace | quote }} - topologyKey: kubernetes.io/hostname -{{- end -}} - -{{/* -Return a podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.pods" -}} - {{- if eq .type "soft" }} - {{- include "common.affinities.pods.soft" . -}} - {{- else if eq .type "hard" }} - {{- include "common.affinities.pods.hard" . -}} - {{- end -}} -{{- end -}} diff --git a/charts/redis/charts/common/templates/_capabilities.tpl b/charts/redis/charts/common/templates/_capabilities.tpl deleted file mode 100644 index b94212bb..00000000 --- a/charts/redis/charts/common/templates/_capabilities.tpl +++ /dev/null @@ -1,128 +0,0 @@ -{{/* vim: set filetype=mustache: */}} - -{{/* -Return the target Kubernetes version -*/}} -{{- define "common.capabilities.kubeVersion" -}} -{{- if .Values.global }} - {{- if .Values.global.kubeVersion }} - {{- .Values.global.kubeVersion -}} - {{- else }} - {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} - {{- end -}} -{{- else }} -{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for poddisruptionbudget. -*/}} -{{- define "common.capabilities.policy.apiVersion" -}} -{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "policy/v1beta1" -}} -{{- else -}} -{{- print "policy/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for networkpolicy. -*/}} -{{- define "common.capabilities.networkPolicy.apiVersion" -}} -{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "extensions/v1beta1" -}} -{{- else -}} -{{- print "networking.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for cronjob. -*/}} -{{- define "common.capabilities.cronjob.apiVersion" -}} -{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "batch/v1beta1" -}} -{{- else -}} -{{- print "batch/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for deployment. -*/}} -{{- define "common.capabilities.deployment.apiVersion" -}} -{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "extensions/v1beta1" -}} -{{- else -}} -{{- print "apps/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for statefulset. -*/}} -{{- define "common.capabilities.statefulset.apiVersion" -}} -{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "apps/v1beta1" -}} -{{- else -}} -{{- print "apps/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for ingress. -*/}} -{{- define "common.capabilities.ingress.apiVersion" -}} -{{- if .Values.ingress -}} -{{- if .Values.ingress.apiVersion -}} -{{- .Values.ingress.apiVersion -}} -{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "extensions/v1beta1" -}} -{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "networking.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "networking.k8s.io/v1" -}} -{{- end }} -{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "extensions/v1beta1" -}} -{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "networking.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "networking.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for RBAC resources. -*/}} -{{- define "common.capabilities.rbac.apiVersion" -}} -{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "rbac.authorization.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "rbac.authorization.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for CRDs. -*/}} -{{- define "common.capabilities.crd.apiVersion" -}} -{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "apiextensions.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "apiextensions.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Returns true if the used Helm version is 3.3+. -A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. -This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. -**To be removed when the catalog's minimun Helm version is 3.3** -*/}} -{{- define "common.capabilities.supportsHelmVersion" -}} -{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} - {{- true -}} -{{- end -}} -{{- end -}} diff --git a/charts/redis/charts/common/templates/_errors.tpl b/charts/redis/charts/common/templates/_errors.tpl deleted file mode 100644 index a79cc2e3..00000000 --- a/charts/redis/charts/common/templates/_errors.tpl +++ /dev/null @@ -1,23 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Through error when upgrading using empty passwords values that must not be empty. - -Usage: -{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} -{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} -{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} - -Required password params: - - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. - - context - Context - Required. Parent context. -*/}} -{{- define "common.errors.upgrade.passwords.empty" -}} - {{- $validationErrors := join "" .validationErrors -}} - {{- if and $validationErrors .context.Release.IsUpgrade -}} - {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}} - {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}} - {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}} - {{- $errorString = print $errorString "\n%s" -}} - {{- printf $errorString $validationErrors | fail -}} - {{- end -}} -{{- end -}} diff --git a/charts/redis/charts/common/templates/_images.tpl b/charts/redis/charts/common/templates/_images.tpl deleted file mode 100644 index 42ffbc72..00000000 --- a/charts/redis/charts/common/templates/_images.tpl +++ /dev/null @@ -1,75 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Return the proper image name -{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }} -*/}} -{{- define "common.images.image" -}} -{{- $registryName := .imageRoot.registry -}} -{{- $repositoryName := .imageRoot.repository -}} -{{- $tag := .imageRoot.tag | toString -}} -{{- if .global }} - {{- if .global.imageRegistry }} - {{- $registryName = .global.imageRegistry -}} - {{- end -}} -{{- end -}} -{{- if $registryName }} -{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} -{{- else -}} -{{- printf "%s:%s" $repositoryName $tag -}} -{{- end -}} -{{- end -}} - -{{/* -Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) -{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} -*/}} -{{- define "common.images.pullSecrets" -}} - {{- $pullSecrets := list }} - - {{- if .global }} - {{- range .global.imagePullSecrets -}} - {{- $pullSecrets = append $pullSecrets . -}} - {{- end -}} - {{- end -}} - - {{- range .images -}} - {{- range .pullSecrets -}} - {{- $pullSecrets = append $pullSecrets . -}} - {{- end -}} - {{- end -}} - - {{- if (not (empty $pullSecrets)) }} -imagePullSecrets: - {{- range $pullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -{{- end -}} - -{{/* -Return the proper Docker Image Registry Secret Names evaluating values as templates -{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }} -*/}} -{{- define "common.images.renderPullSecrets" -}} - {{- $pullSecrets := list }} - {{- $context := .context }} - - {{- if $context.Values.global }} - {{- range $context.Values.global.imagePullSecrets -}} - {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} - {{- end -}} - {{- end -}} - - {{- range .images -}} - {{- range .pullSecrets -}} - {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} - {{- end -}} - {{- end -}} - - {{- if (not (empty $pullSecrets)) }} -imagePullSecrets: - {{- range $pullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -{{- end -}} diff --git a/charts/redis/charts/common/templates/_ingress.tpl b/charts/redis/charts/common/templates/_ingress.tpl deleted file mode 100644 index f905f200..00000000 --- a/charts/redis/charts/common/templates/_ingress.tpl +++ /dev/null @@ -1,55 +0,0 @@ -{{/* vim: set filetype=mustache: */}} - -{{/* -Generate backend entry that is compatible with all Kubernetes API versions. - -Usage: -{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} - -Params: - - serviceName - String. Name of an existing service backend - - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. - - context - Dict - Required. The context for the template evaluation. -*/}} -{{- define "common.ingress.backend" -}} -{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} -{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} -serviceName: {{ .serviceName }} -servicePort: {{ .servicePort }} -{{- else -}} -service: - name: {{ .serviceName }} - port: - {{- if typeIs "string" .servicePort }} - name: {{ .servicePort }} - {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }} - number: {{ .servicePort | int }} - {{- end }} -{{- end -}} -{{- end -}} - -{{/* -Print "true" if the API pathType field is supported -Usage: -{{ include "common.ingress.supportsPathType" . }} -*/}} -{{- define "common.ingress.supportsPathType" -}} -{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} -{{- print "false" -}} -{{- else -}} -{{- print "true" -}} -{{- end -}} -{{- end -}} - -{{/* -Returns true if the ingressClassname field is supported -Usage: -{{ include "common.ingress.supportsIngressClassname" . }} -*/}} -{{- define "common.ingress.supportsIngressClassname" -}} -{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "false" -}} -{{- else -}} -{{- print "true" -}} -{{- end -}} -{{- end -}} diff --git a/charts/redis/charts/common/templates/_labels.tpl b/charts/redis/charts/common/templates/_labels.tpl deleted file mode 100644 index 252066c7..00000000 --- a/charts/redis/charts/common/templates/_labels.tpl +++ /dev/null @@ -1,18 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Kubernetes standard labels -*/}} -{{- define "common.labels.standard" -}} -app.kubernetes.io/name: {{ include "common.names.name" . }} -helm.sh/chart: {{ include "common.names.chart" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end -}} - -{{/* -Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector -*/}} -{{- define "common.labels.matchLabels" -}} -app.kubernetes.io/name: {{ include "common.names.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end -}} diff --git a/charts/redis/charts/common/templates/_names.tpl b/charts/redis/charts/common/templates/_names.tpl deleted file mode 100644 index cf032317..00000000 --- a/charts/redis/charts/common/templates/_names.tpl +++ /dev/null @@ -1,52 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "common.names.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "common.names.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "common.names.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create a default fully qualified dependency name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -Usage: -{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }} -*/}} -{{- define "common.names.dependency.fullname" -}} -{{- if .chartValues.fullnameOverride -}} -{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .chartName .chartValues.nameOverride -}} -{{- if contains $name .context.Release.Name -}} -{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/charts/redis/charts/common/templates/_secrets.tpl b/charts/redis/charts/common/templates/_secrets.tpl deleted file mode 100644 index 60b84a70..00000000 --- a/charts/redis/charts/common/templates/_secrets.tpl +++ /dev/null @@ -1,129 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Generate secret name. - -Usage: -{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} - -Params: - - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user - to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. - +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret - - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. - - context - Dict - Required. The context for the template evaluation. -*/}} -{{- define "common.secrets.name" -}} -{{- $name := (include "common.names.fullname" .context) -}} - -{{- if .defaultNameSuffix -}} -{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{- with .existingSecret -}} -{{- if not (typeIs "string" .) -}} -{{- with .name -}} -{{- $name = . -}} -{{- end -}} -{{- else -}} -{{- $name = . -}} -{{- end -}} -{{- end -}} - -{{- printf "%s" $name -}} -{{- end -}} - -{{/* -Generate secret key. - -Usage: -{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} - -Params: - - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user - to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. - +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret - - key - String - Required. Name of the key in the secret. -*/}} -{{- define "common.secrets.key" -}} -{{- $key := .key -}} - -{{- if .existingSecret -}} - {{- if not (typeIs "string" .existingSecret) -}} - {{- if .existingSecret.keyMapping -}} - {{- $key = index .existingSecret.keyMapping $.key -}} - {{- end -}} - {{- end }} -{{- end -}} - -{{- printf "%s" $key -}} -{{- end -}} - -{{/* -Generate secret password or retrieve one if already created. - -Usage: -{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }} - -Params: - - secret - String - Required - Name of the 'Secret' resource where the password is stored. - - key - String - Required - Name of the key in the secret. - - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. - - length - int - Optional - Length of the generated random password. - - strong - Boolean - Optional - Whether to add symbols to the generated random password. - - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - - context - Context - Required - Parent context. -*/}} -{{- define "common.secrets.passwords.manage" -}} - -{{- $password := "" }} -{{- $subchart := "" }} -{{- $chartName := default "" .chartName }} -{{- $passwordLength := default 10 .length }} -{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} -{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} -{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }} -{{- if $secret }} - {{- if index $secret.data .key }} - {{- $password = index $secret.data .key }} - {{- end -}} -{{- else if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString | b64enc | quote }} -{{- else }} - - {{- if .context.Values.enabled }} - {{- $subchart = $chartName }} - {{- end -}} - - {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} - {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} - {{- $passwordValidationErrors := list $requiredPasswordError -}} - {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} - - {{- if .strong }} - {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} - {{- $password = randAscii $passwordLength }} - {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} - {{- else }} - {{- $password = randAlphaNum $passwordLength | b64enc | quote }} - {{- end }} -{{- end -}} -{{- printf "%s" $password -}} -{{- end -}} - -{{/* -Returns whether a previous generated secret already exists - -Usage: -{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} - -Params: - - secret - String - Required - Name of the 'Secret' resource where the password is stored. - - context - Context - Required - Parent context. -*/}} -{{- define "common.secrets.exists" -}} -{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }} -{{- if $secret }} - {{- true -}} -{{- end -}} -{{- end -}} diff --git a/charts/redis/charts/common/templates/_storage.tpl b/charts/redis/charts/common/templates/_storage.tpl deleted file mode 100644 index 60e2a844..00000000 --- a/charts/redis/charts/common/templates/_storage.tpl +++ /dev/null @@ -1,23 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Return the proper Storage Class -{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} -*/}} -{{- define "common.storage.class" -}} - -{{- $storageClass := .persistence.storageClass -}} -{{- if .global -}} - {{- if .global.storageClass -}} - {{- $storageClass = .global.storageClass -}} - {{- end -}} -{{- end -}} - -{{- if $storageClass -}} - {{- if (eq "-" $storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else }} - {{- printf "storageClassName: %s" $storageClass -}} - {{- end -}} -{{- end -}} - -{{- end -}} diff --git a/charts/redis/charts/common/templates/_tplvalues.tpl b/charts/redis/charts/common/templates/_tplvalues.tpl deleted file mode 100644 index 2db16685..00000000 --- a/charts/redis/charts/common/templates/_tplvalues.tpl +++ /dev/null @@ -1,13 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Renders a value that contains template. -Usage: -{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} -*/}} -{{- define "common.tplvalues.render" -}} - {{- if typeIs "string" .value }} - {{- tpl .value .context }} - {{- else }} - {{- tpl (.value | toYaml) .context }} - {{- end }} -{{- end -}} diff --git a/charts/redis/charts/common/templates/_utils.tpl b/charts/redis/charts/common/templates/_utils.tpl deleted file mode 100644 index ea083a24..00000000 --- a/charts/redis/charts/common/templates/_utils.tpl +++ /dev/null @@ -1,62 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Print instructions to get a secret value. -Usage: -{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} -*/}} -{{- define "common.utils.secret.getvalue" -}} -{{- $varname := include "common.utils.fieldToEnvVar" . -}} -export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 --decode) -{{- end -}} - -{{/* -Build env var name given a field -Usage: -{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} -*/}} -{{- define "common.utils.fieldToEnvVar" -}} - {{- $fieldNameSplit := splitList "-" .field -}} - {{- $upperCaseFieldNameSplit := list -}} - - {{- range $fieldNameSplit -}} - {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} - {{- end -}} - - {{ join "_" $upperCaseFieldNameSplit }} -{{- end -}} - -{{/* -Gets a value from .Values given -Usage: -{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} -*/}} -{{- define "common.utils.getValueFromKey" -}} -{{- $splitKey := splitList "." .key -}} -{{- $value := "" -}} -{{- $latestObj := $.context.Values -}} -{{- range $splitKey -}} - {{- if not $latestObj -}} - {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} - {{- end -}} - {{- $value = ( index $latestObj . ) -}} - {{- $latestObj = $value -}} -{{- end -}} -{{- printf "%v" (default "" $value) -}} -{{- end -}} - -{{/* -Returns first .Values key with a defined value or first of the list if all non-defined -Usage: -{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} -*/}} -{{- define "common.utils.getKeyFromList" -}} -{{- $key := first .keys -}} -{{- $reverseKeys := reverse .keys }} -{{- range $reverseKeys }} - {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }} - {{- if $value -}} - {{- $key = . }} - {{- end -}} -{{- end -}} -{{- printf "%s" $key -}} -{{- end -}} diff --git a/charts/redis/charts/common/templates/_warnings.tpl b/charts/redis/charts/common/templates/_warnings.tpl deleted file mode 100644 index ae10fa41..00000000 --- a/charts/redis/charts/common/templates/_warnings.tpl +++ /dev/null @@ -1,14 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Warning about using rolling tag. -Usage: -{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} -*/}} -{{- define "common.warnings.rollingTag" -}} - -{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} -WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. -+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ -{{- end }} - -{{- end -}} diff --git a/charts/redis/charts/common/templates/validations/_cassandra.tpl b/charts/redis/charts/common/templates/validations/_cassandra.tpl deleted file mode 100644 index ded1ae3b..00000000 --- a/charts/redis/charts/common/templates/validations/_cassandra.tpl +++ /dev/null @@ -1,72 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Validate Cassandra required passwords are not empty. - -Usage: -{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret" - - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false -*/}} -{{- define "common.validations.values.cassandra.passwords" -}} - {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}} - {{- $enabled := include "common.cassandra.values.enabled" . -}} - {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} - {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} - - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for existingSecret. - -Usage: -{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} -Params: - - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false -*/}} -{{- define "common.cassandra.values.existingSecret" -}} - {{- if .subchart -}} - {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} - {{- else -}} - {{- .context.Values.dbUser.existingSecret | quote -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled cassandra. - -Usage: -{{ include "common.cassandra.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.cassandra.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.cassandra.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key dbUser - -Usage: -{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false -*/}} -{{- define "common.cassandra.values.key.dbUser" -}} - {{- if .subchart -}} - cassandra.dbUser - {{- else -}} - dbUser - {{- end -}} -{{- end -}} diff --git a/charts/redis/charts/common/templates/validations/_mariadb.tpl b/charts/redis/charts/common/templates/validations/_mariadb.tpl deleted file mode 100644 index b6906ff7..00000000 --- a/charts/redis/charts/common/templates/validations/_mariadb.tpl +++ /dev/null @@ -1,103 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Validate MariaDB required passwords are not empty. - -Usage: -{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.validations.values.mariadb.passwords" -}} - {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} - {{- $enabled := include "common.mariadb.values.enabled" . -}} - {{- $architecture := include "common.mariadb.values.architecture" . -}} - {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} - {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} - {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} - {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} - {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} - - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} - - {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} - {{- if not (empty $valueUsername) -}} - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - {{- end -}} - - {{- if (eq $architecture "replication") -}} - {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for existingSecret. - -Usage: -{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.mariadb.values.auth.existingSecret" -}} - {{- if .subchart -}} - {{- .context.Values.mariadb.auth.existingSecret | quote -}} - {{- else -}} - {{- .context.Values.auth.existingSecret | quote -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled mariadb. - -Usage: -{{ include "common.mariadb.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.mariadb.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.mariadb.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for architecture - -Usage: -{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.mariadb.values.architecture" -}} - {{- if .subchart -}} - {{- .context.Values.mariadb.architecture -}} - {{- else -}} - {{- .context.Values.architecture -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key auth - -Usage: -{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.mariadb.values.key.auth" -}} - {{- if .subchart -}} - mariadb.auth - {{- else -}} - auth - {{- end -}} -{{- end -}} diff --git a/charts/redis/charts/common/templates/validations/_mongodb.tpl b/charts/redis/charts/common/templates/validations/_mongodb.tpl deleted file mode 100644 index a071ea4d..00000000 --- a/charts/redis/charts/common/templates/validations/_mongodb.tpl +++ /dev/null @@ -1,108 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Validate MongoDB® required passwords are not empty. - -Usage: -{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret" - - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false -*/}} -{{- define "common.validations.values.mongodb.passwords" -}} - {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} - {{- $enabled := include "common.mongodb.values.enabled" . -}} - {{- $authPrefix := include "common.mongodb.values.key.auth" . -}} - {{- $architecture := include "common.mongodb.values.architecture" . -}} - {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} - {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} - {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}} - {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} - {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}} - {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}} - - {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} - - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} - - {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} - {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }} - {{- if and $valueUsername $valueDatabase -}} - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - {{- end -}} - - {{- if (eq $architecture "replicaset") -}} - {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for existingSecret. - -Usage: -{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false -*/}} -{{- define "common.mongodb.values.auth.existingSecret" -}} - {{- if .subchart -}} - {{- .context.Values.mongodb.auth.existingSecret | quote -}} - {{- else -}} - {{- .context.Values.auth.existingSecret | quote -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled mongodb. - -Usage: -{{ include "common.mongodb.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.mongodb.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.mongodb.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key auth - -Usage: -{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false -*/}} -{{- define "common.mongodb.values.key.auth" -}} - {{- if .subchart -}} - mongodb.auth - {{- else -}} - auth - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for architecture - -Usage: -{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.mongodb.values.architecture" -}} - {{- if .subchart -}} - {{- .context.Values.mongodb.architecture -}} - {{- else -}} - {{- .context.Values.architecture -}} - {{- end -}} -{{- end -}} diff --git a/charts/redis/charts/common/templates/validations/_postgresql.tpl b/charts/redis/charts/common/templates/validations/_postgresql.tpl deleted file mode 100644 index 164ec0d0..00000000 --- a/charts/redis/charts/common/templates/validations/_postgresql.tpl +++ /dev/null @@ -1,129 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Validate PostgreSQL required passwords are not empty. - -Usage: -{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret" - - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false -*/}} -{{- define "common.validations.values.postgresql.passwords" -}} - {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} - {{- $enabled := include "common.postgresql.values.enabled" . -}} - {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} - {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} - - {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} - {{- if (eq $enabledReplication "true") -}} - {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to decide whether evaluate global values. - -Usage: -{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} -Params: - - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" -*/}} -{{- define "common.postgresql.values.use.global" -}} - {{- if .context.Values.global -}} - {{- if .context.Values.global.postgresql -}} - {{- index .context.Values.global.postgresql .key | quote -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for existingSecret. - -Usage: -{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} -*/}} -{{- define "common.postgresql.values.existingSecret" -}} - {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} - - {{- if .subchart -}} - {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} - {{- else -}} - {{- default (.context.Values.existingSecret | quote) $globalValue -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled postgresql. - -Usage: -{{ include "common.postgresql.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.postgresql.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.postgresql.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key postgressPassword. - -Usage: -{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false -*/}} -{{- define "common.postgresql.values.key.postgressPassword" -}} - {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} - - {{- if not $globalValue -}} - {{- if .subchart -}} - postgresql.postgresqlPassword - {{- else -}} - postgresqlPassword - {{- end -}} - {{- else -}} - global.postgresql.postgresqlPassword - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled.replication. - -Usage: -{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false -*/}} -{{- define "common.postgresql.values.enabled.replication" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.postgresql.replication.enabled -}} - {{- else -}} - {{- printf "%v" .context.Values.replication.enabled -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key replication.password. - -Usage: -{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false -*/}} -{{- define "common.postgresql.values.key.replicationPassword" -}} - {{- if .subchart -}} - postgresql.replication.password - {{- else -}} - replication.password - {{- end -}} -{{- end -}} diff --git a/charts/redis/charts/common/templates/validations/_redis.tpl b/charts/redis/charts/common/templates/validations/_redis.tpl deleted file mode 100644 index 5d72959b..00000000 --- a/charts/redis/charts/common/templates/validations/_redis.tpl +++ /dev/null @@ -1,76 +0,0 @@ - -{{/* vim: set filetype=mustache: */}} -{{/* -Validate Redis™ required passwords are not empty. - -Usage: -{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret" - - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false -*/}} -{{- define "common.validations.values.redis.passwords" -}} - {{- $enabled := include "common.redis.values.enabled" . -}} - {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} - {{- $standarizedVersion := include "common.redis.values.standarized.version" . }} - - {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }} - {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }} - - {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }} - {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }} - - {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}} - {{- if eq $useAuth "true" -}} - {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled redis. - -Usage: -{{ include "common.redis.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.redis.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.redis.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right prefix path for the values - -Usage: -{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false -*/}} -{{- define "common.redis.values.keys.prefix" -}} - {{- if .subchart -}}redis.{{- else -}}{{- end -}} -{{- end -}} - -{{/* -Checks whether the redis chart's includes the standarizations (version >= 14) - -Usage: -{{ include "common.redis.values.standarized.version" (dict "context" $) }} -*/}} -{{- define "common.redis.values.standarized.version" -}} - - {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}} - {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }} - - {{- if $standarizedAuthValues -}} - {{- true -}} - {{- end -}} -{{- end -}} diff --git a/charts/redis/charts/common/templates/validations/_validations.tpl b/charts/redis/charts/common/templates/validations/_validations.tpl deleted file mode 100644 index 9a814cf4..00000000 --- a/charts/redis/charts/common/templates/validations/_validations.tpl +++ /dev/null @@ -1,46 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Validate values must not be empty. - -Usage: -{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} -{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} -{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} - -Validate value params: - - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" - - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" - - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" -*/}} -{{- define "common.validations.values.multiple.empty" -}} - {{- range .required -}} - {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} - {{- end -}} -{{- end -}} - -{{/* -Validate a value must not be empty. - -Usage: -{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }} - -Validate value params: - - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" - - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" - - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" - - subchart - String - Optional - Name of the subchart that the validated password is part of. -*/}} -{{- define "common.validations.values.single.empty" -}} - {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} - {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }} - - {{- if not $value -}} - {{- $varname := "my-value" -}} - {{- $getCurrentValue := "" -}} - {{- if and .secret .field -}} - {{- $varname = include "common.utils.fieldToEnvVar" . -}} - {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} - {{- end -}} - {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}} - {{- end -}} -{{- end -}} diff --git a/charts/redis/charts/common/values.yaml b/charts/redis/charts/common/values.yaml deleted file mode 100644 index f2df68e5..00000000 --- a/charts/redis/charts/common/values.yaml +++ /dev/null @@ -1,5 +0,0 @@ -## bitnami/common -## It is required by CI/CD tools and processes. -## @skip exampleValue -## -exampleValue: common-chart diff --git a/charts/redis/ci/extra-flags-values.yaml b/charts/redis/ci/extra-flags-values.yaml deleted file mode 100644 index 8c1dcefb..00000000 --- a/charts/redis/ci/extra-flags-values.yaml +++ /dev/null @@ -1,12 +0,0 @@ -master: - extraFlags: - - --maxmemory-policy allkeys-lru - persistence: - enabled: false -replica: - extraFlags: - - --maxmemory-policy allkeys-lru - persistence: - enabled: false -auth: - enabled: false diff --git a/charts/redis/ci/sentinel-values.yaml b/charts/redis/ci/sentinel-values.yaml deleted file mode 100644 index 48dfa1d4..00000000 --- a/charts/redis/ci/sentinel-values.yaml +++ /dev/null @@ -1,6 +0,0 @@ -sentinel: - enabled: true -metrics: - enabled: true - sentinel: - enabled: true diff --git a/charts/redis/ci/standalone-values.yaml b/charts/redis/ci/standalone-values.yaml deleted file mode 100644 index dfef688c..00000000 --- a/charts/redis/ci/standalone-values.yaml +++ /dev/null @@ -1 +0,0 @@ -architecture: standalone diff --git a/charts/redis/img/redis-cluster-topology.png b/charts/redis/img/redis-cluster-topology.png deleted file mode 100644 index f0a02a9f..00000000 Binary files a/charts/redis/img/redis-cluster-topology.png and /dev/null differ diff --git a/charts/redis/img/redis-topology.png b/charts/redis/img/redis-topology.png deleted file mode 100644 index 3f5280fe..00000000 Binary files a/charts/redis/img/redis-topology.png and /dev/null differ diff --git a/charts/redis/templates/NOTES.txt b/charts/redis/templates/NOTES.txt deleted file mode 100644 index 966910eb..00000000 --- a/charts/redis/templates/NOTES.txt +++ /dev/null @@ -1,191 +0,0 @@ -CHART NAME: {{ .Chart.Name }} -CHART VERSION: {{ .Chart.Version }} -APP VERSION: {{ .Chart.AppVersion }} - -** Please be patient while the chart is being deployed ** - -{{- if .Values.diagnosticMode.enabled }} -The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with: - - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }} - -Get the list of pods by executing: - - kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} - -Access the pod you want to debug by executing - - kubectl exec --namespace {{ .Release.Namespace }} -ti -- bash - -In order to replicate the container startup scripts execute this command: - -For Redis: - - /opt/bitnami/scripts/redis/entrypoint.sh /opt/bitnami/scripts/redis/run.sh - -{{- if .Values.sentinel.enabled }} - -For Redis Sentinel: - - /opt/bitnami/scripts/redis-sentinel/entrypoint.sh /opt/bitnami/scripts/redis-sentinel/run.sh - -{{- end }} -{{- else }} - -{{- if contains .Values.master.service.type "LoadBalancer" }} -{{- if not .Values.auth.enabled }} -{{ if and (not .Values.networkPolicy.enabled) (.Values.networkPolicy.allowExternal) }} - -------------------------------------------------------------------------------- - WARNING - - By specifying "master.service.type=LoadBalancer" and "auth.enabled=false" you have - most likely exposed the Redis™ service externally without any authentication - mechanism. - - For security reasons, we strongly suggest that you switch to "ClusterIP" or - "NodePort". As alternative, you can also switch to "auth.enabled=true" - providing a valid password on "password" parameter. - -------------------------------------------------------------------------------- -{{- end }} -{{- end }} -{{- end }} - -{{- if eq .Values.architecture "replication" }} -{{- if .Values.sentinel.enabled }} - -Redis™ can be accessed via port {{ .Values.sentinel.service.port }} on the following DNS name from within your cluster: - - {{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} for read only operations - -For read/write operations, first access the Redis™ Sentinel cluster, which is available in port {{ .Values.sentinel.service.sentinelPort }} using the same domain name above. - -{{- else }} - -Redis™ can be accessed on the following DNS names from within your cluster: - - {{ printf "%s-master.%s.svc.%s" (include "common.names.fullname" .) .Release.Namespace .Values.clusterDomain }} for read/write operations (port {{ .Values.master.service.port }}) - {{ printf "%s-replicas.%s.svc.%s" (include "common.names.fullname" .) .Release.Namespace .Values.clusterDomain }} for read-only operations (port {{ .Values.replica.service.port }}) - -{{- end }} -{{- else }} - -Redis™ can be accessed via port {{ .Values.master.service.port }} on the following DNS name from within your cluster: - - {{ template "common.names.fullname" . }}-master.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} - -{{- end }} - -{{ if .Values.auth.enabled }} - -To get your password run: - - export REDIS_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "redis.secretName" . }} -o jsonpath="{.data.redis-password}" | base64 --decode) - -{{- end }} - -To connect to your Redis™ server: - -1. Run a Redis™ pod that you can use as a client: - - kubectl run --namespace {{ .Release.Namespace }} redis-client --restart='Never' {{ if .Values.auth.enabled }} --env REDIS_PASSWORD=$REDIS_PASSWORD {{ end }} --image {{ template "redis.image" . }} --command -- sleep infinity - -{{- if .Values.tls.enabled }} - - Copy your TLS certificates to the pod: - - kubectl cp --namespace {{ .Release.Namespace }} /path/to/client.cert redis-client:/tmp/client.cert - kubectl cp --namespace {{ .Release.Namespace }} /path/to/client.key redis-client:/tmp/client.key - kubectl cp --namespace {{ .Release.Namespace }} /path/to/CA.cert redis-client:/tmp/CA.cert - -{{- end }} - - Use the following command to attach to the pod: - - kubectl exec --tty -i redis-client \ - {{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}--labels="{{ template "common.names.fullname" . }}-client=true" \{{- end }} - --namespace {{ .Release.Namespace }} -- bash - -2. Connect using the Redis™ CLI: - -{{- if eq .Values.architecture "replication" }} - {{- if .Values.sentinel.enabled }} - {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h {{ template "common.names.fullname" . }} -p {{ .Values.sentinel.service.port }}{{ if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} # Read only operations - {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h {{ template "common.names.fullname" . }} -p {{ .Values.sentinel.service.sentinelPort }}{{ if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} # Sentinel access - {{- else }} - {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h {{ printf "%s-master" (include "common.names.fullname" .) }}{{ if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} - {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h {{ printf "%s-replicas" (include "common.names.fullname" .) }}{{ if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} - {{- end }} -{{- else }} - {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h {{ template "common.names.fullname" . }}-master{{ if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} -{{- end }} - -{{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} - -Note: Since NetworkPolicy is enabled, only pods with label {{ template "common.names.fullname" . }}-client=true" will be able to connect to redis. - -{{- else }} - -To connect to your database from outside the cluster execute the following commands: - -{{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled }} -{{- if contains "NodePort" .Values.sentinel.service.type }} - - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "common.names.fullname" . }}) - {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $NODE_IP -p $NODE_PORT {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} - -{{- else if contains "LoadBalancer" .Values.sentinel.service.type }} - - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "common.names.fullname" . }}' - - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") - {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $SERVICE_IP -p {{ .Values.sentinel.service.port }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} - -{{- else if contains "ClusterIP" .Values.sentinel.service.type }} - - kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "common.names.fullname" . }} {{ .Values.sentinel.service.port }}:{{ .Values.sentinel.service.port }} & - {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h 127.0.0.1 -p {{ .Values.sentinel.service.port }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} - -{{- end }} -{{- else }} -{{- if contains "NodePort" .Values.master.service.type }} - - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ printf "%s-master" (include "common.names.fullname" .) }}) - {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $NODE_IP -p $NODE_PORT {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} - -{{- else if contains "LoadBalancer" .Values.master.service.type }} - - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "common.names.fullname" . }}' - - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ printf "%s-master" (include "common.names.fullname" .) }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") - {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $SERVICE_IP -p {{ .Values.master.service.port }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} - -{{- else if contains "ClusterIP" .Values.master.service.type }} - - kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ printf "%s-master" (include "common.names.fullname" .) }} {{ .Values.master.service.port }}:{{ .Values.master.service.port }} & - {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h 127.0.0.1 -p {{ .Values.master.service.port }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} - -{{- end }} -{{- end }} - -{{- end }} -{{- end }} -{{- include "redis.checkRollingTags" . }} -{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} -{{- include "common.warnings.rollingTag" .Values.sysctl.image }} -{{- include "redis.validateValues" . }} - -{{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled (eq .Values.sentinel.service.type "NodePort") (not .Release.IsUpgrade ) }} -{{- if $.Values.sentinel.service.nodePorts.sentinel }} -No need to upgrade, ports and nodeports have been set from values -{{- else }} -#!#!#!#!#!#!#!# IMPORTANT #!#!#!#!#!#!#!# -YOU NEED TO PERFORM AN UPGRADE FOR THE SERVICES AND WORKLOAD TO BE CREATED -{{- end }} -{{- end }} diff --git a/charts/redis/templates/_helpers.tpl b/charts/redis/templates/_helpers.tpl deleted file mode 100644 index d0d2d43c..00000000 --- a/charts/redis/templates/_helpers.tpl +++ /dev/null @@ -1,276 +0,0 @@ -{{/* vim: set filetype=mustache: */}} - -{{/* -Return the proper Redis image name -*/}} -{{- define "redis.image" -}} -{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} -{{- end -}} - -{{/* -Return the proper Redis Sentinel image name -*/}} -{{- define "redis.sentinel.image" -}} -{{ include "common.images.image" (dict "imageRoot" .Values.sentinel.image "global" .Values.global) }} -{{- end -}} - -{{/* -Return the proper image name (for the metrics image) -*/}} -{{- define "redis.metrics.image" -}} -{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }} -{{- end -}} - -{{/* -Return the proper image name (for the init container volume-permissions image) -*/}} -{{- define "redis.volumePermissions.image" -}} -{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }} -{{- end -}} - -{{/* -Return sysctl image -*/}} -{{- define "redis.sysctl.image" -}} -{{ include "common.images.image" (dict "imageRoot" .Values.sysctl.image "global" .Values.global) }} -{{- end -}} - -{{/* -Return the proper Docker Image Registry Secret Names -*/}} -{{- define "redis.imagePullSecrets" -}} -{{- include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.sentinel.image .Values.metrics.image .Values.volumePermissions.image .Values.sysctl.image) "global" .Values.global) -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for networkpolicy. -*/}} -{{- define "networkPolicy.apiVersion" -}} -{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "extensions/v1beta1" -}} -{{- else -}} -{{- print "networking.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiGroup for PodSecurityPolicy. -*/}} -{{- define "podSecurityPolicy.apiGroup" -}} -{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "policy" -}} -{{- else -}} -{{- print "extensions" -}} -{{- end -}} -{{- end -}} - -{{/* -Return true if a TLS secret object should be created -*/}} -{{- define "redis.createTlsSecret" -}} -{{- if and .Values.tls.enabled .Values.tls.autoGenerated (and (not .Values.tls.existingSecret) (not .Values.tls.certificatesSecret)) }} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Return the secret containing Redis TLS certificates -*/}} -{{- define "redis.tlsSecretName" -}} -{{- $secretName := coalesce .Values.tls.existingSecret .Values.tls.certificatesSecret -}} -{{- if $secretName -}} - {{- printf "%s" (tpl $secretName $) -}} -{{- else -}} - {{- printf "%s-crt" (include "common.names.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{/* -Return the path to the cert file. -*/}} -{{- define "redis.tlsCert" -}} -{{- if (include "redis.createTlsSecret" . ) -}} - {{- printf "/opt/bitnami/redis/certs/%s" "tls.crt" -}} -{{- else -}} - {{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/redis/certs/%s" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the path to the cert key file. -*/}} -{{- define "redis.tlsCertKey" -}} -{{- if (include "redis.createTlsSecret" . ) -}} - {{- printf "/opt/bitnami/redis/certs/%s" "tls.key" -}} -{{- else -}} - {{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/redis/certs/%s" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the path to the CA cert file. -*/}} -{{- define "redis.tlsCACert" -}} -{{- if (include "redis.createTlsSecret" . ) -}} - {{- printf "/opt/bitnami/redis/certs/%s" "ca.crt" -}} -{{- else -}} - {{- required "Certificate CA filename is required when TLS in enabled" .Values.tls.certCAFilename | printf "/opt/bitnami/redis/certs/%s" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the path to the DH params file. -*/}} -{{- define "redis.tlsDHParams" -}} -{{- if .Values.tls.dhParamsFilename -}} -{{- printf "/opt/bitnami/redis/certs/%s" .Values.tls.dhParamsFilename -}} -{{- end -}} -{{- end -}} - -{{/* -Create the name of the service account to use -*/}} -{{- define "redis.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{/* -Return the configuration configmap name -*/}} -{{- define "redis.configmapName" -}} -{{- if .Values.existingConfigmap -}} - {{- printf "%s" (tpl .Values.existingConfigmap $) -}} -{{- else -}} - {{- printf "%s-configuration" (include "common.names.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{/* -Return true if a configmap object should be created -*/}} -{{- define "redis.createConfigmap" -}} -{{- if empty .Values.existingConfigmap }} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Get the password secret. -*/}} -{{- define "redis.secretName" -}} -{{- if .Values.auth.existingSecret -}} -{{- printf "%s" .Values.auth.existingSecret -}} -{{- else -}} -{{- printf "%s" (include "common.names.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{/* -Get the password key to be retrieved from Redis™ secret. -*/}} -{{- define "redis.secretPasswordKey" -}} -{{- if and .Values.auth.existingSecret .Values.auth.existingSecretPasswordKey -}} -{{- printf "%s" .Values.auth.existingSecretPasswordKey -}} -{{- else -}} -{{- printf "redis-password" -}} -{{- end -}} -{{- end -}} - - -{{/* -Returns the available value for certain key in an existing secret (if it exists), -otherwise it generates a random value. -*/}} -{{- define "getValueFromSecret" }} - {{- $len := (default 16 .Length) | int -}} - {{- $obj := (lookup "v1" "Secret" .Namespace .Name).data -}} - {{- if $obj }} - {{- index $obj .Key | b64dec -}} - {{- else -}} - {{- randAlphaNum $len -}} - {{- end -}} -{{- end }} - -{{/* -Return Redis™ password -*/}} -{{- define "redis.password" -}} -{{- if not (empty .Values.global.redis.password) }} - {{- .Values.global.redis.password -}} -{{- else if not (empty .Values.auth.password) -}} - {{- .Values.auth.password -}} -{{- else -}} - {{- include "getValueFromSecret" (dict "Namespace" .Release.Namespace "Name" (include "common.names.fullname" .) "Length" 10 "Key" "redis-password") -}} -{{- end -}} -{{- end -}} - -{{/* Check if there are rolling tags in the images */}} -{{- define "redis.checkRollingTags" -}} -{{- include "common.warnings.rollingTag" .Values.image }} -{{- include "common.warnings.rollingTag" .Values.sentinel.image }} -{{- include "common.warnings.rollingTag" .Values.metrics.image }} -{{- end -}} - -{{/* -Compile all warnings into a single message, and call fail. -*/}} -{{- define "redis.validateValues" -}} -{{- $messages := list -}} -{{- $messages := append $messages (include "redis.validateValues.spreadConstraints" .) -}} -{{- $messages := append $messages (include "redis.validateValues.architecture" .) -}} -{{- $messages := append $messages (include "redis.validateValues.podSecurityPolicy.create" .) -}} -{{- $messages := append $messages (include "redis.validateValues.tls" .) -}} -{{- $messages := without $messages "" -}} -{{- $message := join "\n" $messages -}} - -{{- if $message -}} -{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} -{{- end -}} -{{- end -}} - -{{/* Validate values of Redis™ - spreadConstrainsts K8s version */}} -{{- define "redis.validateValues.spreadConstraints" -}} -{{- if and (semverCompare "<1.16-0" .Capabilities.KubeVersion.GitVersion) .Values.replica.spreadConstraints -}} -redis: spreadConstraints - Pod Topology Spread Constraints are only available on K8s >= 1.16 - Find more information at https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ -{{- end -}} -{{- end -}} - -{{/* Validate values of Redis™ - must provide a valid architecture */}} -{{- define "redis.validateValues.architecture" -}} -{{- if and (ne .Values.architecture "standalone") (ne .Values.architecture "replication") -}} -redis: architecture - Invalid architecture selected. Valid values are "standalone" and - "replication". Please set a valid architecture (--set architecture="xxxx") -{{- end -}} -{{- if and .Values.sentinel.enabled (not (eq .Values.architecture "replication")) }} -redis: architecture - Using redis sentinel on standalone mode is not supported. - To deploy redis sentinel, please select the "replication" mode - (--set "architecture=replication,sentinel.enabled=true") -{{- end -}} -{{- end -}} - -{{/* Validate values of Redis™ - PodSecurityPolicy create */}} -{{- define "redis.validateValues.podSecurityPolicy.create" -}} -{{- if and .Values.podSecurityPolicy.create (not .Values.podSecurityPolicy.enabled) }} -redis: podSecurityPolicy.create - In order to create PodSecurityPolicy, you also need to enable - podSecurityPolicy.enabled field -{{- end -}} -{{- end -}} - -{{/* Validate values of Redis™ - TLS enabled */}} -{{- define "redis.validateValues.tls" -}} -{{- if and .Values.tls.enabled (not .Values.tls.autoGenerated) (not .Values.tls.existingSecret) (not .Values.tls.certificatesSecret) }} -redis: tls.enabled - In order to enable TLS, you also need to provide - an existing secret containing the TLS certificates or - enable auto-generated certificates. -{{- end -}} -{{- end -}} diff --git a/charts/redis/templates/configmap.yaml b/charts/redis/templates/configmap.yaml deleted file mode 100644 index a8824abf..00000000 --- a/charts/redis/templates/configmap.yaml +++ /dev/null @@ -1,60 +0,0 @@ -{{- if (include "redis.createConfigmap" .) }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ printf "%s-configuration" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -data: - redis.conf: |- - # User-supplied common configuration: - {{- if .Values.commonConfiguration }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonConfiguration "context" $ ) | nindent 4 }} - {{- end }} - # End of common configuration - master.conf: |- - dir {{ .Values.master.persistence.path }} - # User-supplied master configuration: - {{- if .Values.master.configuration }} - {{- include "common.tplvalues.render" ( dict "value" .Values.master.configuration "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.master.disableCommands }} - {{- range .Values.master.disableCommands }} - rename-command {{ . }} "" - {{- end }} - {{- end }} - # End of master configuration - replica.conf: |- - dir {{ .Values.replica.persistence.path }} - slave-read-only yes - # User-supplied replica configuration: - {{- if .Values.replica.configuration }} - {{- include "common.tplvalues.render" ( dict "value" .Values.replica.configuration "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.replica.disableCommands }} - {{- range .Values.replica.disableCommands }} - rename-command {{ . }} "" - {{- end }} - {{- end }} - # End of replica configuration - {{- if .Values.sentinel.enabled }} - sentinel.conf: |- - dir "/tmp" - port {{ .Values.sentinel.containerPort }} - sentinel monitor {{ .Values.sentinel.masterSet }} {{ template "common.names.fullname" . }}-node-0.{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} {{ .Values.sentinel.service.port }} {{ .Values.sentinel.quorum }} - sentinel down-after-milliseconds {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.downAfterMilliseconds }} - sentinel failover-timeout {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.failoverTimeout }} - sentinel parallel-syncs {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.parallelSyncs }} - # User-supplied sentinel configuration: - {{- if .Values.sentinel.configuration }} - {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.configuration "context" $ ) | nindent 4 }} - {{- end }} - # End of sentinel configuration - {{- end }} -{{- end }} diff --git a/charts/redis/templates/extra-list.yaml b/charts/redis/templates/extra-list.yaml deleted file mode 100644 index 9ac65f9e..00000000 --- a/charts/redis/templates/extra-list.yaml +++ /dev/null @@ -1,4 +0,0 @@ -{{- range .Values.extraDeploy }} ---- -{{ include "common.tplvalues.render" (dict "value" . "context" $) }} -{{- end }} diff --git a/charts/redis/templates/headless-svc.yaml b/charts/redis/templates/headless-svc.yaml deleted file mode 100644 index 7b9f0ca2..00000000 --- a/charts/redis/templates/headless-svc.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ printf "%s-headless" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - type: ClusterIP - clusterIP: None - {{- if .Values.sentinel.enabled }} - publishNotReadyAddresses: true - {{- end }} - ports: - - name: tcp-redis - port: {{ if .Values.sentinel.enabled }}{{ .Values.sentinel.service.port }}{{ else }}{{ .Values.master.service.port }}{{ end }} - targetPort: redis - {{- if .Values.sentinel.enabled }} - - name: tcp-sentinel - port: {{ .Values.sentinel.service.sentinelPort }} - targetPort: redis-sentinel - {{- end }} - selector: {{- include "common.labels.matchLabels" . | nindent 4 }} diff --git a/charts/redis/templates/health-configmap.yaml b/charts/redis/templates/health-configmap.yaml deleted file mode 100644 index ca289f33..00000000 --- a/charts/redis/templates/health-configmap.yaml +++ /dev/null @@ -1,170 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ printf "%s-health" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -data: - ping_readiness_local.sh: |- - #!/bin/bash - - [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" - [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" - response=$( - timeout -s 3 $1 \ - redis-cli \ - -h localhost \ -{{- if .Values.tls.enabled }} - -p $REDIS_TLS_PORT \ - --tls \ - --cacert {{ template "redis.tlsCACert" . }} \ - {{- if .Values.tls.authClients }} - --cert {{ template "redis.tlsCert" . }} \ - --key {{ template "redis.tlsCertKey" . }} \ - {{- end }} -{{- else }} - -p $REDIS_PORT \ -{{- end }} - ping - ) - if [ "$response" != "PONG" ]; then - echo "$response" - exit 1 - fi - ping_liveness_local.sh: |- - #!/bin/bash - - [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" - [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" - response=$( - timeout -s 3 $1 \ - redis-cli \ - -h localhost \ -{{- if .Values.tls.enabled }} - -p $REDIS_TLS_PORT \ - --tls \ - --cacert {{ template "redis.tlsCACert" . }} \ - {{- if .Values.tls.authClients }} - --cert {{ template "redis.tlsCert" . }} \ - --key {{ template "redis.tlsCertKey" . }} \ - {{- end }} -{{- else }} - -p $REDIS_PORT \ -{{- end }} - ping - ) - if [ "$response" != "PONG" ] && [ "$response" != "LOADING Redis is loading the dataset in memory" ]; then - echo "$response" - exit 1 - fi -{{- if .Values.sentinel.enabled }} - ping_sentinel.sh: |- - #!/bin/bash - -{{- if .Values.auth.sentinel }} - [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" - [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" -{{- end }} - response=$( - timeout -s 3 $1 \ - redis-cli \ - -h localhost \ -{{- if .Values.tls.enabled }} - -p $REDIS_SENTINEL_TLS_PORT_NUMBER \ - --tls \ - --cacert {{ template "redis.tlsCACert" . }} \ - {{- if .Values.tls.authClients }} - --cert {{ template "redis.tlsCert" . }} \ - --key {{ template "redis.tlsCertKey" . }} \ - {{- end }} -{{- else }} - -p $REDIS_SENTINEL_PORT \ -{{- end }} - ping - ) - if [ "$response" != "PONG" ]; then - echo "$response" - exit 1 - fi - parse_sentinels.awk: |- - /ip/ {FOUND_IP=1} - /port/ {FOUND_PORT=1} - /runid/ {FOUND_RUNID=1} - !/ip|port|runid/ { - if (FOUND_IP==1) { - IP=$1; FOUND_IP=0; - } - else if (FOUND_PORT==1) { - PORT=$1; - FOUND_PORT=0; - } else if (FOUND_RUNID==1) { - printf "\nsentinel known-sentinel {{ .Values.sentinel.masterSet }} %s %s %s", IP, PORT, $0; FOUND_RUNID=0; - } - } -{{- end }} - ping_readiness_master.sh: |- - #!/bin/bash - - [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" - [[ -n "$REDIS_MASTER_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_MASTER_PASSWORD" - response=$( - timeout -s 3 $1 \ - redis-cli \ - -h $REDIS_MASTER_HOST \ - -p $REDIS_MASTER_PORT_NUMBER \ -{{- if .Values.tls.enabled }} - --tls \ - --cacert {{ template "redis.tlsCACert" . }} \ - {{- if .Values.tls.authClients }} - --cert {{ template "redis.tlsCert" . }} \ - --key {{ template "redis.tlsCertKey" . }} \ - {{- end }} -{{- end }} - ping - ) - if [ "$response" != "PONG" ]; then - echo "$response" - exit 1 - fi - ping_liveness_master.sh: |- - #!/bin/bash - - [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" - [[ -n "$REDIS_MASTER_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_MASTER_PASSWORD" - response=$( - timeout -s 3 $1 \ - redis-cli \ - -h $REDIS_MASTER_HOST \ - -p $REDIS_MASTER_PORT_NUMBER \ -{{- if .Values.tls.enabled }} - --tls \ - --cacert {{ template "redis.tlsCACert" . }} \ - {{- if .Values.tls.authClients }} - --cert {{ template "redis.tlsCert" . }} \ - --key {{ template "redis.tlsCertKey" . }} \ - {{- end }} -{{- end }} - ping - ) - if [ "$response" != "PONG" ] && [ "$response" != "LOADING Redis is loading the dataset in memory" ]; then - echo "$response" - exit 1 - fi - ping_readiness_local_and_master.sh: |- - script_dir="$(dirname "$0")" - exit_status=0 - "$script_dir/ping_readiness_local.sh" $1 || exit_status=$? - "$script_dir/ping_readiness_master.sh" $1 || exit_status=$? - exit $exit_status - ping_liveness_local_and_master.sh: |- - script_dir="$(dirname "$0")" - exit_status=0 - "$script_dir/ping_liveness_local.sh" $1 || exit_status=$? - "$script_dir/ping_liveness_master.sh" $1 || exit_status=$? - exit $exit_status diff --git a/charts/redis/templates/master/psp.yaml b/charts/redis/templates/master/psp.yaml deleted file mode 100644 index 2ba93b6e..00000000 --- a/charts/redis/templates/master/psp.yaml +++ /dev/null @@ -1,46 +0,0 @@ -{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}} -{{- if and $pspAvailable .Values.podSecurityPolicy.create }} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ printf "%s-master" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - allowPrivilegeEscalation: false - fsGroup: - rule: 'MustRunAs' - ranges: - - min: {{ .Values.master.podSecurityContext.fsGroup }} - max: {{ .Values.master.podSecurityContext.fsGroup }} - hostIPC: false - hostNetwork: false - hostPID: false - privileged: false - readOnlyRootFilesystem: false - requiredDropCapabilities: - - ALL - runAsUser: - rule: 'MustRunAs' - ranges: - - min: {{ .Values.master.containerSecurityContext.runAsUser }} - max: {{ .Values.master.containerSecurityContext.runAsUser }} - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'MustRunAs' - ranges: - - min: {{ .Values.master.containerSecurityContext.runAsUser }} - max: {{ .Values.master.containerSecurityContext.runAsUser }} - volumes: - - 'configMap' - - 'secret' - - 'emptyDir' - - 'persistentVolumeClaim' -{{- end }} diff --git a/charts/redis/templates/master/service.yaml b/charts/redis/templates/master/service.yaml deleted file mode 100644 index c253d1d8..00000000 --- a/charts/redis/templates/master/service.yaml +++ /dev/null @@ -1,46 +0,0 @@ -{{- if not .Values.sentinel.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ printf "%s-master" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: master - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if or .Values.master.service.annotations .Values.commonAnnotations }} - annotations: - {{- if .Values.master.service.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.master.service.annotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -spec: - type: {{ .Values.master.service.type }} - {{ if eq .Values.master.service.type "LoadBalancer" }} - externalTrafficPolicy: {{ .Values.master.service.externalTrafficPolicy }} - {{- end }} - {{- if and (eq .Values.master.service.type "LoadBalancer") .Values.master.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.master.service.loadBalancerIP }} - {{- end }} - {{- if and (eq .Values.master.service.type "LoadBalancer") .Values.master.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: {{- toYaml .Values.master.service.loadBalancerSourceRanges | nindent 4 }} - {{- end }} - {{- if and (eq .Values.master.service.type "ClusterIP") .Values.master.service.clusterIP }} - clusterIP: {{ .Values.master.service.clusterIP }} - {{- end }} - ports: - - name: tcp-redis - port: {{ .Values.master.service.port }} - targetPort: redis - {{- if and (or (eq .Values.master.service.type "NodePort") (eq .Values.master.service.type "LoadBalancer")) .Values.master.service.nodePort }} - nodePort: {{ .Values.master.service.nodePort }} - {{- else if eq .Values.master.service.type "ClusterIP" }} - nodePort: null - {{- end }} - selector: {{- include "common.labels.matchLabels" . | nindent 4 }} - app.kubernetes.io/component: master -{{- end }} diff --git a/charts/redis/templates/master/statefulset.yaml b/charts/redis/templates/master/statefulset.yaml deleted file mode 100644 index 70b0748d..00000000 --- a/charts/redis/templates/master/statefulset.yaml +++ /dev/null @@ -1,443 +0,0 @@ -{{- if or (not (eq .Values.architecture "replication")) (not .Values.sentinel.enabled) }} -apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} -kind: StatefulSet -metadata: - name: {{ printf "%s-master" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: master - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - replicas: 1 - selector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} - app.kubernetes.io/component: master - serviceName: {{ printf "%s-headless" (include "common.names.fullname" .) }} - {{- if .Values.master.updateStrategy }} - updateStrategy: {{- toYaml .Values.master.updateStrategy | nindent 4 }} - {{- end }} - template: - metadata: - labels: {{- include "common.labels.standard" . | nindent 8 }} - app.kubernetes.io/component: master - {{- if .Values.master.podLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.master.podLabels "context" $ ) | nindent 8 }} - {{- end }} - {{- if and .Values.metrics.enabled .Values.metrics.podLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podLabels "context" $ ) | nindent 8 }} - {{- end }} - annotations: - {{- if (include "redis.createConfigmap" .) }} - checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - {{- end }} - checksum/health: {{ include (print $.Template.BasePath "/health-configmap.yaml") . | sha256sum }} - checksum/scripts: {{ include (print $.Template.BasePath "/scripts-configmap.yaml") . | sha256sum }} - checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} - {{- if .Values.master.podAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.master.podAnnotations "context" $ ) | nindent 8 }} - {{- end }} - {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podAnnotations "context" $ ) | nindent 8 }} - {{- end }} - spec: - {{- include "redis.imagePullSecrets" . | nindent 6 }} - {{- if .Values.master.hostAliases }} - hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.master.hostAliases "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.master.podSecurityContext.enabled }} - securityContext: {{- omit .Values.master.podSecurityContext "enabled" | toYaml | nindent 8 }} - {{- end }} - serviceAccountName: {{ template "redis.serviceAccountName" . }} - {{- if .Values.master.priorityClassName }} - priorityClassName: {{ .Values.master.priorityClassName | quote }} - {{- end }} - {{- if .Values.master.affinity }} - affinity: {{- include "common.tplvalues.render" (dict "value" .Values.master.affinity "context" $) | nindent 8 }} - {{- else }} - affinity: - podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.master.podAffinityPreset "component" "master" "context" $) | nindent 10 }} - podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.master.podAntiAffinityPreset "component" "master" "context" $) | nindent 10 }} - nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.master.nodeAffinityPreset.type "key" .Values.master.nodeAffinityPreset.key "values" .Values.master.nodeAffinityPreset.values) | nindent 10 }} - {{- end }} - {{- if .Values.master.nodeSelector }} - nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.master.nodeSelector "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.master.tolerations }} - tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.master.tolerations "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.master.spreadConstraints }} - topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.master.spreadConstraints "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.master.shareProcessNamespace }} - shareProcessNamespace: {{ .Values.master.shareProcessNamespace }} - {{- end }} - {{- if .Values.master.schedulerName }} - schedulerName: {{ .Values.master.schedulerName | quote }} - {{- end }} - terminationGracePeriodSeconds: {{ .Values.master.terminationGracePeriodSeconds }} - containers: - - name: redis - image: {{ template "redis.image" . }} - imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - {{- if .Values.master.lifecycleHooks }} - lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.master.lifecycleHooks "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.master.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.master.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} - {{- else if .Values.master.command }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.master.command "context" $) | nindent 12 }} - {{- else }} - command: - - /bin/bash - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} - {{- else if .Values.master.args }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.master.args "context" $) | nindent 12 }} - {{- else }} - args: - - -c - - /opt/bitnami/scripts/start-scripts/start-master.sh - {{- end }} - env: - - name: BITNAMI_DEBUG - value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} - - name: REDIS_REPLICATION_MODE - value: master - - name: ALLOW_EMPTY_PASSWORD - value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} - {{- if .Values.auth.enabled }} - {{- if .Values.auth.usePasswordFiles }} - - name: REDIS_PASSWORD_FILE - value: "/opt/bitnami/redis/secrets/redis-password" - {{- else }} - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "redis.secretName" . }} - key: {{ template "redis.secretPasswordKey" . }} - {{- end }} - {{- end }} - - name: REDIS_TLS_ENABLED - value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} - {{- if .Values.tls.enabled }} - - name: REDIS_TLS_PORT - value: {{ .Values.master.containerPort | quote }} - - name: REDIS_TLS_AUTH_CLIENTS - value: {{ ternary "yes" "no" .Values.tls.authClients | quote }} - - name: REDIS_TLS_CERT_FILE - value: {{ template "redis.tlsCert" . }} - - name: REDIS_TLS_KEY_FILE - value: {{ template "redis.tlsCertKey" . }} - - name: REDIS_TLS_CA_FILE - value: {{ template "redis.tlsCACert" . }} - {{- if .Values.tls.dhParamsFilename }} - - name: REDIS_TLS_DH_PARAMS_FILE - value: {{ template "redis.tlsDHParams" . }} - {{- end }} - {{- else }} - - name: REDIS_PORT - value: {{ .Values.master.containerPort | quote }} - {{- end }} - {{- if .Values.master.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.master.extraEnvVars "context" $) | nindent 12 }} - {{- end }} - {{- if or .Values.master.extraEnvVarsCM .Values.master.extraEnvVarsSecret }} - envFrom: - {{- if .Values.master.extraEnvVarsCM }} - - configMapRef: - name: {{ .Values.master.extraEnvVarsCM }} - {{- end }} - {{- if .Values.master.extraEnvVarsSecret }} - - secretRef: - name: {{ .Values.master.extraEnvVarsSecret }} - {{- end }} - {{- end }} - ports: - - name: redis - containerPort: {{ .Values.master.containerPort }} - {{- if not .Values.diagnosticMode.enabled }} - {{- if .Values.master.livenessProbe.enabled }} - livenessProbe: - initialDelaySeconds: {{ .Values.master.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.master.livenessProbe.periodSeconds }} - # One second longer than command timeout should prevent generation of zombie processes. - timeoutSeconds: {{ add1 .Values.master.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.master.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.master.livenessProbe.failureThreshold }} - exec: - command: - - sh - - -c - - /health/ping_liveness_local.sh {{ .Values.master.livenessProbe.timeoutSeconds }} - {{- else if .Values.master.customLivenessProbe }} - livenessProbe: {{- toYaml .Values.master.customLivenessProbe | nindent 12 }} - {{- end }} - {{- if .Values.master.readinessProbe.enabled }} - readinessProbe: - initialDelaySeconds: {{ .Values.master.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.master.readinessProbe.periodSeconds }} - timeoutSeconds: {{ add1 .Values.master.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.master.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.master.readinessProbe.failureThreshold }} - exec: - command: - - sh - - -c - - /health/ping_readiness_local.sh {{ .Values.master.readinessProbe.timeoutSeconds }} - {{- else if .Values.master.customReadinessProbe }} - readinessProbe: {{- toYaml .Values.master.customReadinessProbe | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.master.resources }} - resources: {{- toYaml .Values.master.resources | nindent 12 }} - {{- end }} - volumeMounts: - - name: start-scripts - mountPath: /opt/bitnami/scripts/start-scripts - - name: health - mountPath: /health - {{- if .Values.auth.usePasswordFiles }} - - name: redis-password - mountPath: /opt/bitnami/redis/secrets/ - {{- end }} - - name: redis-data - mountPath: {{ .Values.master.persistence.path }} - subPath: {{ .Values.master.persistence.subPath }} - - name: config - mountPath: /opt/bitnami/redis/mounted-etc - - name: redis-tmp-conf - mountPath: /opt/bitnami/redis/etc/ - - name: tmp - mountPath: /tmp - {{- if .Values.tls.enabled }} - - name: redis-certificates - mountPath: /opt/bitnami/redis/certs - readOnly: true - {{- end }} - {{- if .Values.master.extraVolumeMounts }} - {{- include "common.tplvalues.render" ( dict "value" .Values.master.extraVolumeMounts "context" $ ) | nindent 12 }} - {{- end }} - {{- if .Values.metrics.enabled }} - - name: metrics - image: {{ include "redis.metrics.image" . }} - imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} - {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} - {{- else }} - command: - - /bin/bash - - -c - - | - if [[ -f '/secrets/redis-password' ]]; then - export REDIS_PASSWORD=$(cat /secrets/redis-password) - fi - redis_exporter{{- range $key, $value := .Values.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} - {{- end }} - env: - - name: REDIS_ALIAS - value: {{ template "common.names.fullname" . }} - {{- if .Values.auth.enabled }} - - name: REDIS_USER - value: default - {{- if (not .Values.auth.usePasswordFiles) }} - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "redis.secretName" . }} - key: {{ template "redis.secretPasswordKey" . }} - {{- end }} - {{- end }} - {{- if .Values.tls.enabled }} - - name: REDIS_ADDR - value: rediss://{{ .Values.metrics.redisTargetHost }}:{{ .Values.master.containerPort }} - {{- if .Values.tls.authClients }} - - name: REDIS_EXPORTER_TLS_CLIENT_KEY_FILE - value: {{ template "redis.tlsCertKey" . }} - - name: REDIS_EXPORTER_TLS_CLIENT_CERT_FILE - value: {{ template "redis.tlsCert" . }} - {{- end }} - - name: REDIS_EXPORTER_TLS_CA_CERT_FILE - value: {{ template "redis.tlsCACert" . }} - {{- end }} - ports: - - name: metrics - containerPort: 9121 - {{- if .Values.metrics.resources }} - resources: {{- toYaml .Values.metrics.resources | nindent 12 }} - {{- end }} - volumeMounts: - {{- if .Values.auth.usePasswordFiles }} - - name: redis-password - mountPath: /secrets/ - {{- end }} - {{- if .Values.tls.enabled }} - - name: redis-certificates - mountPath: /opt/bitnami/redis/certs - readOnly: true - {{- end }} - {{- if .Values.metrics.extraVolumeMounts }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.master.sidecars }} - {{- include "common.tplvalues.render" (dict "value" .Values.master.sidecars "context" $) | nindent 8 }} - {{- end }} - {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.master.persistence.enabled .Values.master.podSecurityContext.enabled .Values.master.containerSecurityContext.enabled }} - {{- if or .Values.master.initContainers $needsVolumePermissions .Values.sysctl.enabled }} - initContainers: - {{- if .Values.master.initContainers }} - {{- include "common.tplvalues.render" (dict "value" .Values.master.initContainers "context" $) | nindent 8 }} - {{- end }} - {{- if $needsVolumePermissions }} - - name: volume-permissions - image: {{ include "redis.volumePermissions.image" . }} - imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - command: - - /bin/bash - - -ec - - | - {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} - chown -R `id -u`:`id -G | cut -d " " -f2` {{ .Values.master.persistence.path }} - {{- else }} - chown -R {{ .Values.master.containerSecurityContext.runAsUser }}:{{ .Values.master.podSecurityContext.fsGroup }} {{ .Values.master.persistence.path }} - {{- end }} - {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} - securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} - {{- else }} - securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.volumePermissions.resources }} - resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} - {{- end }} - volumeMounts: - - name: redis-data - mountPath: {{ .Values.master.persistence.path }} - subPath: {{ .Values.master.persistence.subPath }} - {{- end }} - {{- if .Values.sysctl.enabled }} - - name: init-sysctl - image: {{ include "redis.sysctl.image" . }} - imagePullPolicy: {{ default "" .Values.sysctl.image.pullPolicy | quote }} - securityContext: - privileged: true - runAsUser: 0 - {{- if .Values.sysctl.command }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.sysctl.command "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.sysctl.resources }} - resources: {{- toYaml .Values.sysctl.resources | nindent 12 }} - {{- end }} - {{- if .Values.sysctl.mountHostSys }} - volumeMounts: - - name: host-sys - mountPath: /host-sys - {{- end }} - {{- end }} - {{- end }} - volumes: - - name: start-scripts - configMap: - name: {{ printf "%s-scripts" (include "common.names.fullname" .) }} - defaultMode: 0755 - - name: health - configMap: - name: {{ printf "%s-health" (include "common.names.fullname" .) }} - defaultMode: 0755 - {{- if .Values.auth.usePasswordFiles }} - - name: redis-password - secret: - secretName: {{ template "redis.secretName" . }} - items: - - key: {{ template "redis.secretPasswordKey" . }} - path: redis-password - {{- end }} - - name: config - configMap: - name: {{ include "redis.configmapName" . }} - {{- if .Values.sysctl.mountHostSys }} - - name: host-sys - hostPath: - path: /sys - {{- end }} - - name: redis-tmp-conf - {{- if .Values.master.persistence.medium }} - emptyDir: { - medium: {{ .Values.master.persistence.medium | quote }} - } - {{- else }} - emptyDir: {} - {{- end }} - - name: tmp - {{- if .Values.master.persistence.medium }} - emptyDir: { - medium: {{ .Values.master.persistence.medium | quote }} - } - {{- else }} - emptyDir: {} - {{- end }} - {{- if .Values.tls.enabled }} - - name: redis-certificates - secret: - secretName: {{ include "redis.tlsSecretName" . }} - defaultMode: 256 - {{- end }} - {{- if .Values.master.extraVolumes }} - {{- include "common.tplvalues.render" ( dict "value" .Values.master.extraVolumes "context" $ ) | nindent 8 }} - {{- end }} - {{- if .Values.metrics.extraVolumes }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumes "context" $ ) | nindent 8 }} - {{- end }} - {{- if not .Values.master.persistence.enabled }} - - name: redis-data - {{- if .Values.master.persistence.medium }} - emptyDir: { - medium: {{ .Values.master.persistence.medium | quote }} - } - {{- else }} - emptyDir: {} - {{- end }} - {{- else if .Values.master.persistence.existingClaim }} - - name: redis-data - persistentVolumeClaim: - claimName: {{ printf "%s" (tpl .Values.master.persistence.existingClaim .) }} - {{- else }} - volumeClaimTemplates: - - metadata: - name: redis-data - labels: {{- include "common.labels.matchLabels" . | nindent 10 }} - app.kubernetes.io/component: master - {{- if .Values.master.persistence.annotations }} - annotations: {{- toYaml .Values.master.persistence.annotations | nindent 10 }} - {{- end }} - spec: - accessModes: - {{- range .Values.master.persistence.accessModes }} - - {{ . | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.master.persistence.size | quote }} - {{- if .Values.master.persistence.selector }} - selector: {{- include "common.tplvalues.render" (dict "value" .Values.master.persistence.selector "context" $) | nindent 10 }} - {{- end }} - {{- if .Values.master.persistence.dataSource }} - dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.master.persistence.dataSource "context" $) | nindent 10 }} - {{- end }} - {{- include "common.storage.class" (dict "persistence" .Values.master.persistence "global" .Values.global) | nindent 8 }} - {{- end }} -{{- end }} diff --git a/charts/redis/templates/metrics-svc.yaml b/charts/redis/templates/metrics-svc.yaml deleted file mode 100644 index 94459ec0..00000000 --- a/charts/redis/templates/metrics-svc.yaml +++ /dev/null @@ -1,38 +0,0 @@ -{{- if .Values.metrics.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ printf "%s-metrics" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: metrics - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if or .Values.metrics.service.annotations .Values.commonAnnotations }} - annotations: - {{- if .Values.metrics.service.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.service.annotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -spec: - type: {{ .Values.metrics.service.type }} - {{- if eq .Values.metrics.service.type "LoadBalancer" }} - externalTrafficPolicy: {{ .Values.metrics.service.externalTrafficPolicy }} - {{- end }} - {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }} - {{- end }} - {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: {{- toYaml .Values.metrics.service.loadBalancerSourceRanges | nindent 4 }} - {{- end }} - ports: - - name: http-metrics - port: {{ .Values.metrics.service.port }} - protocol: TCP - targetPort: metrics - selector: {{- include "common.labels.matchLabels" . | nindent 4 }} -{{- end }} diff --git a/charts/redis/templates/networkpolicy.yaml b/charts/redis/templates/networkpolicy.yaml deleted file mode 100644 index b79f2ed1..00000000 --- a/charts/redis/templates/networkpolicy.yaml +++ /dev/null @@ -1,78 +0,0 @@ -{{- if .Values.networkPolicy.enabled }} -kind: NetworkPolicy -apiVersion: {{ template "networkPolicy.apiVersion" . }} -metadata: - name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} - policyTypes: - - Ingress - {{- if or (eq .Values.architecture "replication") .Values.networkPolicy.extraEgress }} - - Egress - egress: - {{- if eq .Values.architecture "replication" }} - # Allow dns resolution - - ports: - - port: 53 - protocol: UDP - # Allow outbound connections to other cluster pods - - ports: - - port: {{ .Values.master.containerPort }} - {{- if .Values.sentinel.enabled }} - - port: {{ .Values.sentinel.containerPort }} - {{- end }} - to: - - podSelector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.extraEgress }} - {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} - ingress: - # Allow inbound connections - - ports: - - port: {{ .Values.master.containerPort }} - {{- if .Values.sentinel.enabled }} - - port: {{ .Values.sentinel.containerPort }} - {{- end }} - {{- if not .Values.networkPolicy.allowExternal }} - from: - - podSelector: - matchLabels: - {{ template "common.names.fullname" . }}-client: "true" - - podSelector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 14 }} - {{- if .Values.networkPolicy.ingressNSMatchLabels }} - - namespaceSelector: - matchLabels: - {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} - {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} - podSelector: - matchLabels: - {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.metrics.enabled }} - # Allow prometheus scrapes for metrics - - ports: - - port: 9121 - {{- end }} - {{- if .Values.networkPolicy.extraIngress }} - {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/redis/templates/pdb.yaml b/charts/redis/templates/pdb.yaml deleted file mode 100644 index f82d278a..00000000 --- a/charts/redis/templates/pdb.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if .Values.pdb.create }} -apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} -kind: PodDisruptionBudget -metadata: - name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- if .Values.pdb.minAvailable }} - minAvailable: {{ .Values.pdb.minAvailable }} - {{- end }} - {{- if .Values.pdb.maxUnavailable }} - maxUnavailable: {{ .Values.pdb.maxUnavailable }} - {{- end }} - selector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} -{{- end }} diff --git a/charts/redis/templates/prometheusrule.yaml b/charts/redis/templates/prometheusrule.yaml deleted file mode 100644 index cd8bc68b..00000000 --- a/charts/redis/templates/prometheusrule.yaml +++ /dev/null @@ -1,27 +0,0 @@ -{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: {{ template "common.names.fullname" . }} - {{- if .Values.metrics.prometheusRule.namespace }} - namespace: {{ .Values.metrics.prometheusRule.namespace }} - {{- else }} - namespace: {{ .Release.Namespace | quote }} - {{- end }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.metrics.prometheusRule.additionalLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.metrics.prometheusRule.additionalLabels "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- with .Values.metrics.prometheusRule.rules }} - groups: - - name: {{ template "common.names.name" $ }} - rules: {{- tpl (toYaml .) $ | nindent 8 }} - {{- end }} -{{- end }} diff --git a/charts/redis/templates/replicas/hpa.yaml b/charts/redis/templates/replicas/hpa.yaml deleted file mode 100644 index 468a504c..00000000 --- a/charts/redis/templates/replicas/hpa.yaml +++ /dev/null @@ -1,35 +0,0 @@ -{{- if and .Values.replica.autoscaling.enabled (not .Values.sentinel.enabled) }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ printf "%s-replicas" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: replica - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - scaleTargetRef: - apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} - kind: StatefulSet - name: {{ printf "%s-replicas" (include "common.names.fullname" .) }} - minReplicas: {{ .Values.replica.autoscaling.minReplicas }} - maxReplicas: {{ .Values.replica.autoscaling.maxReplicas }} - metrics: - {{- if .Values.replica.autoscaling.targetCPU }} - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.replica.autoscaling.targetCPU }} - {{- end }} - {{- if .Values.replica.autoscaling.targetMemory }} - - type: Resource - resource: - name: memory - targetAverageUtilization: {{ .Values.replica.autoscaling.targetMemory }} - {{- end }} -{{- end }} diff --git a/charts/redis/templates/replicas/service.yaml b/charts/redis/templates/replicas/service.yaml deleted file mode 100644 index fd9c617d..00000000 --- a/charts/redis/templates/replicas/service.yaml +++ /dev/null @@ -1,46 +0,0 @@ -{{- if and (eq .Values.architecture "replication") (not .Values.sentinel.enabled) }} -apiVersion: v1 -kind: Service -metadata: - name: {{ printf "%s-replicas" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: replica - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if or .Values.replica.service.annotations .Values.commonAnnotations }} - annotations: - {{- if .Values.replica.service.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.replica.service.annotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -spec: - type: {{ .Values.replica.service.type }} - {{- if eq .Values.replica.service.type "LoadBalancer" }} - externalTrafficPolicy: {{ .Values.replica.service.externalTrafficPolicy }} - {{- end }} - {{- if and (eq .Values.replica.service.type "LoadBalancer") .Values.replica.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.replica.service.loadBalancerIP }} - {{- end }} - {{- if and (eq .Values.replica.service.type "LoadBalancer") .Values.replica.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: {{- toYaml .Values.replica.service.loadBalancerSourceRanges | nindent 4 }} - {{- end }} - {{- if and (eq .Values.replica.service.type "ClusterIP") .Values.replica.service.clusterIP }} - clusterIP: {{ .Values.replica.service.clusterIP }} - {{- end }} - ports: - - name: tcp-redis - port: {{ .Values.replica.service.port }} - targetPort: redis - {{- if and (or (eq .Values.replica.service.type "NodePort") (eq .Values.replica.service.type "LoadBalancer")) .Values.replica.service.nodePort }} - nodePort: {{ .Values.replica.service.nodePort }} - {{- else if eq .Values.replica.service.type "ClusterIP" }} - nodePort: null - {{- end }} - selector: {{- include "common.labels.matchLabels" . | nindent 4 }} - app.kubernetes.io/component: replica -{{- end }} diff --git a/charts/redis/templates/replicas/statefulset.yaml b/charts/redis/templates/replicas/statefulset.yaml deleted file mode 100644 index 720e843c..00000000 --- a/charts/redis/templates/replicas/statefulset.yaml +++ /dev/null @@ -1,443 +0,0 @@ -{{- if and (eq .Values.architecture "replication") (not .Values.sentinel.enabled) }} -apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} -kind: StatefulSet -metadata: - name: {{ printf "%s-replicas" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: replica - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- if not .Values.replica.autoscaling.enabled }} - replicas: {{ .Values.replica.replicaCount }} - {{- end }} - selector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} - app.kubernetes.io/component: replica - serviceName: {{ printf "%s-headless" (include "common.names.fullname" .) }} - {{- if .Values.replica.updateStrategy }} - updateStrategy: {{- toYaml .Values.replica.updateStrategy | nindent 4 }} - {{- end }} - template: - metadata: - labels: {{- include "common.labels.standard" . | nindent 8 }} - app.kubernetes.io/component: replica - {{- if .Values.replica.podLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.replica.podLabels "context" $ ) | nindent 8 }} - {{- end }} - {{- if and .Values.metrics.enabled .Values.metrics.podLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podLabels "context" $ ) | nindent 8 }} - {{- end }} - annotations: - {{- if (include "redis.createConfigmap" .) }} - checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - {{- end }} - checksum/health: {{ include (print $.Template.BasePath "/health-configmap.yaml") . | sha256sum }} - checksum/scripts: {{ include (print $.Template.BasePath "/scripts-configmap.yaml") . | sha256sum }} - checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} - {{- if .Values.replica.podAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.replica.podAnnotations "context" $ ) | nindent 8 }} - {{- end }} - {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podAnnotations "context" $ ) | nindent 8 }} - {{- end }} - spec: - {{- include "redis.imagePullSecrets" . | nindent 6 }} - {{- if .Values.replica.hostAliases }} - hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.replica.hostAliases "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.replica.podSecurityContext.enabled }} - securityContext: {{- omit .Values.replica.podSecurityContext "enabled" | toYaml | nindent 8 }} - {{- end }} - serviceAccountName: {{ template "redis.serviceAccountName" . }} - {{- if .Values.replica.priorityClassName }} - priorityClassName: {{ .Values.replica.priorityClassName | quote }} - {{- end }} - {{- if .Values.replica.affinity }} - affinity: {{- include "common.tplvalues.render" (dict "value" .Values.replica.affinity "context" $) | nindent 8 }} - {{- else }} - affinity: - podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.replica.podAffinityPreset "component" "replica" "context" $) | nindent 10 }} - podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.replica.podAntiAffinityPreset "component" "replica" "context" $) | nindent 10 }} - nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.replica.nodeAffinityPreset.type "key" .Values.replica.nodeAffinityPreset.key "values" .Values.replica.nodeAffinityPreset.values) | nindent 10 }} - {{- end }} - {{- if .Values.replica.nodeSelector }} - nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.replica.nodeSelector "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.replica.tolerations }} - tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.replica.tolerations "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.replica.spreadConstraints }} - topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.replica.spreadConstraints "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.replica.shareProcessNamespace }} - shareProcessNamespace: {{ .Values.replica.shareProcessNamespace }} - {{- end }} - {{- if .Values.replica.schedulerName }} - schedulerName: {{ .Values.replica.schedulerName | quote }} - {{- end }} - terminationGracePeriodSeconds: {{ .Values.replica.terminationGracePeriodSeconds }} - containers: - - name: redis - image: {{ template "redis.image" . }} - imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - {{- if not .Values.diagnosticMode.enabled }} - {{- if .Values.replica.lifecycleHooks }} - lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.replica.lifecycleHooks "context" $) | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.replica.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.replica.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} - {{- else if .Values.replica.command }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.replica.command "context" $) | nindent 12 }} - {{- else }} - command: - - /bin/bash - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} - {{- else if .Values.replica.args }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.replica.args "context" $) | nindent 12 }} - {{- else }} - args: - - -c - - /opt/bitnami/scripts/start-scripts/start-replica.sh - {{- end }} - env: - - name: BITNAMI_DEBUG - value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} - - name: REDIS_REPLICATION_MODE - value: slave - - name: REDIS_MASTER_HOST - value: {{ template "common.names.fullname" . }}-master-0.{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} - - name: REDIS_MASTER_PORT_NUMBER - value: {{ .Values.master.containerPort | quote }} - - name: ALLOW_EMPTY_PASSWORD - value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} - {{- if .Values.auth.enabled }} - {{- if .Values.auth.usePasswordFiles }} - - name: REDIS_PASSWORD_FILE - value: "/opt/bitnami/redis/secrets/redis-password" - - name: REDIS_MASTER_PASSWORD_FILE - value: "/opt/bitnami/redis/secrets/redis-password" - {{- else }} - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "redis.secretName" . }} - key: {{ template "redis.secretPasswordKey" . }} - - name: REDIS_MASTER_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "redis.secretName" . }} - key: {{ template "redis.secretPasswordKey" . }} - {{- end }} - {{- end }} - - name: REDIS_TLS_ENABLED - value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} - {{- if .Values.tls.enabled }} - - name: REDIS_TLS_PORT - value: {{ .Values.replica.containerPort | quote }} - - name: REDIS_TLS_AUTH_CLIENTS - value: {{ ternary "yes" "no" .Values.tls.authClients | quote }} - - name: REDIS_TLS_CERT_FILE - value: {{ template "redis.tlsCert" . }} - - name: REDIS_TLS_KEY_FILE - value: {{ template "redis.tlsCertKey" . }} - - name: REDIS_TLS_CA_FILE - value: {{ template "redis.tlsCACert" . }} - {{- if .Values.tls.dhParamsFilename }} - - name: REDIS_TLS_DH_PARAMS_FILE - value: {{ template "redis.tlsDHParams" . }} - {{- end }} - {{- else }} - - name: REDIS_PORT - value: {{ .Values.replica.containerPort | quote }} - {{- end }} - {{- if .Values.replica.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.replica.extraEnvVars "context" $) | nindent 12 }} - {{- end }} - {{- if or .Values.replica.extraEnvVarsCM .Values.replica.extraEnvVarsSecret }} - envFrom: - {{- if .Values.replica.extraEnvVarsCM }} - - configMapRef: - name: {{ .Values.replica.extraEnvVarsCM }} - {{- end }} - {{- if .Values.replica.extraEnvVarsSecret }} - - secretRef: - name: {{ .Values.replica.extraEnvVarsSecret }} - {{- end }} - {{- end }} - ports: - - name: redis - containerPort: {{ .Values.replica.containerPort }} - {{- if not .Values.diagnosticMode.enabled }} - {{- if .Values.replica.livenessProbe.enabled }} - livenessProbe: - initialDelaySeconds: {{ .Values.replica.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.replica.livenessProbe.periodSeconds }} - timeoutSeconds: {{ add1 .Values.replica.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.replica.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.replica.livenessProbe.failureThreshold }} - exec: - command: - - sh - - -c - - /health/ping_liveness_local_and_master.sh {{ .Values.replica.livenessProbe.timeoutSeconds }} - {{- else if .Values.replica.customLivenessProbe }} - livenessProbe: {{- toYaml .Values.replica.customLivenessProbe | nindent 12 }} - {{- end }} - {{- if .Values.replica.readinessProbe.enabled }} - readinessProbe: - initialDelaySeconds: {{ .Values.replica.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.replica.readinessProbe.periodSeconds }} - timeoutSeconds: {{ add1 .Values.replica.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.replica.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.replica.readinessProbe.failureThreshold }} - exec: - command: - - sh - - -c - - /health/ping_readiness_local_and_master.sh {{ .Values.replica.readinessProbe.timeoutSeconds }} - {{- else if .Values.replica.customReadinessProbe }} - readinessProbe: {{- toYaml .Values.replica.customReadinessProbe | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.replica.resources }} - resources: {{- toYaml .Values.replica.resources | nindent 12 }} - {{- end }} - volumeMounts: - - name: start-scripts - mountPath: /opt/bitnami/scripts/start-scripts - - name: health - mountPath: /health - {{- if .Values.auth.usePasswordFiles }} - - name: redis-password - mountPath: /opt/bitnami/redis/secrets/ - {{- end }} - - name: redis-data - mountPath: /data - subPath: {{ .Values.replica.persistence.subPath }} - - name: config - mountPath: /opt/bitnami/redis/mounted-etc - - name: redis-tmp-conf - mountPath: /opt/bitnami/redis/etc - {{- if .Values.tls.enabled }} - - name: redis-certificates - mountPath: /opt/bitnami/redis/certs - readOnly: true - {{- end }} - {{- if .Values.replica.extraVolumeMounts }} - {{- include "common.tplvalues.render" ( dict "value" .Values.replica.extraVolumeMounts "context" $ ) | nindent 12 }} - {{- end }} - {{- if .Values.metrics.enabled }} - - name: metrics - image: {{ include "redis.metrics.image" . }} - imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} - {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} - {{- else }} - command: - - /bin/bash - - -c - - | - if [[ -f '/secrets/redis-password' ]]; then - export REDIS_PASSWORD=$(cat /secrets/redis-password) - fi - redis_exporter{{- range $key, $value := .Values.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} - {{- end }} - env: - - name: REDIS_ALIAS - value: {{ template "common.names.fullname" . }} - {{- if .Values.auth.enabled }} - - name: REDIS_USER - value: default - {{- if (not .Values.auth.usePasswordFiles) }} - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "redis.secretName" . }} - key: {{ template "redis.secretPasswordKey" . }} - {{- end }} - {{- end }} - {{- if .Values.tls.enabled }} - - name: REDIS_ADDR - value: rediss://{{ .Values.metrics.redisTargetHost }}:{{ .Values.replica.containerPort }} - {{- if .Values.tls.authClients }} - - name: REDIS_EXPORTER_TLS_CLIENT_KEY_FILE - value: {{ template "redis.tlsCertKey" . }} - - name: REDIS_EXPORTER_TLS_CLIENT_CERT_FILE - value: {{ template "redis.tlsCert" . }} - {{- end }} - - name: REDIS_EXPORTER_TLS_CA_CERT_FILE - value: {{ template "redis.tlsCACert" . }} - {{- end }} - ports: - - name: metrics - containerPort: 9121 - {{- if .Values.metrics.resources }} - resources: {{- toYaml .Values.metrics.resources | nindent 12 }} - {{- end }} - volumeMounts: - {{- if .Values.auth.usePasswordFiles }} - - name: redis-password - mountPath: /secrets/ - {{- end }} - {{- if .Values.tls.enabled }} - - name: redis-certificates - mountPath: /opt/bitnami/redis/certs - readOnly: true - {{- end }} - {{- if .Values.metrics.extraVolumeMounts }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.replica.sidecars }} - {{- include "common.tplvalues.render" (dict "value" .Values.replica.sidecars "context" $) | nindent 8 }} - {{- end }} - {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.replica.persistence.enabled .Values.replica.podSecurityContext.enabled .Values.replica.containerSecurityContext.enabled }} - {{- if or .Values.replica.initContainers $needsVolumePermissions .Values.sysctl.enabled }} - initContainers: - {{- if .Values.replica.initContainers }} - {{- include "common.tplvalues.render" (dict "value" .Values.replica.initContainers "context" $) | nindent 8 }} - {{- end }} - {{- if $needsVolumePermissions }} - - name: volume-permissions - image: {{ include "redis.volumePermissions.image" . }} - imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - command: - - /bin/bash - - -ec - - | - {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} - chown -R `id -u`:`id -G | cut -d " " -f2` {{ .Values.replica.persistence.path }} - {{- else }} - chown -R {{ .Values.replica.containerSecurityContext.runAsUser }}:{{ .Values.replica.podSecurityContext.fsGroup }} {{ .Values.replica.persistence.path }} - {{- end }} - {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} - securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} - {{- else }} - securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.volumePermissions.resources }} - resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} - {{- end }} - volumeMounts: - - name: redis-data - mountPath: {{ .Values.replica.persistence.path }} - subPath: {{ .Values.replica.persistence.subPath }} - {{- end }} - {{- if .Values.sysctl.enabled }} - - name: init-sysctl - image: {{ include "redis.sysctl.image" . }} - imagePullPolicy: {{ default "" .Values.sysctl.image.pullPolicy | quote }} - securityContext: - privileged: true - runAsUser: 0 - {{- if .Values.sysctl.command }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.sysctl.command "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.sysctl.resources }} - resources: {{- toYaml .Values.sysctl.resources | nindent 12 }} - {{- end }} - {{- if .Values.sysctl.mountHostSys }} - volumeMounts: - - name: host-sys - mountPath: /host-sys - {{- end }} - {{- end }} - {{- end }} - volumes: - - name: start-scripts - configMap: - name: {{ printf "%s-scripts" (include "common.names.fullname" .) }} - defaultMode: 0755 - - name: health - configMap: - name: {{ printf "%s-health" (include "common.names.fullname" .) }} - defaultMode: 0755 - {{- if .Values.auth.usePasswordFiles }} - - name: redis-password - secret: - secretName: {{ template "redis.secretName" . }} - items: - - key: {{ template "redis.secretPasswordKey" . }} - path: redis-password - {{- end }} - - name: config - configMap: - name: {{ include "redis.configmapName" . }} - {{- if .Values.sysctl.mountHostSys }} - - name: host-sys - hostPath: - path: /sys - {{- end }} - - name: redis-tmp-conf - {{- if .Values.replica.persistence.medium }} - emptyDir: { - medium: {{ .Values.replica.persistence.medium | quote }} - } - {{- else }} - emptyDir: {} - {{- end }} - {{- if .Values.tls.enabled }} - - name: redis-certificates - secret: - secretName: {{ include "redis.tlsSecretName" . }} - defaultMode: 256 - {{- end }} - {{- if .Values.replica.extraVolumes }} - {{- include "common.tplvalues.render" ( dict "value" .Values.replica.extraVolumes "context" $ ) | nindent 8 }} - {{- end }} - {{- if .Values.metrics.extraVolumes }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumes "context" $ ) | nindent 8 }} - {{- end }} - {{- if not .Values.replica.persistence.enabled }} - - name: redis-data - {{- if .Values.replica.persistence.medium }} - emptyDir: { - medium: {{ .Values.replica.persistence.medium | quote }} - } - {{- else }} - emptyDir: {} - {{- end }} - {{- else }} - volumeClaimTemplates: - - metadata: - name: redis-data - labels: {{- include "common.labels.matchLabels" . | nindent 10 }} - app.kubernetes.io/component: replica - {{- if .Values.replica.persistence.annotations }} - annotations: {{- toYaml .Values.replica.persistence.annotations | nindent 10 }} - {{- end }} - spec: - accessModes: - {{- range .Values.replica.persistence.accessModes }} - - {{ . | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.replica.persistence.size | quote }} - {{- if .Values.replica.persistence.selector }} - selector: {{- include "common.tplvalues.render" (dict "value" .Values.replica.persistence.selector "context" $) | nindent 10 }} - {{- end }} - {{- if .Values.replica.persistence.dataSource }} - dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.replica.persistence.dataSource "context" $) | nindent 10 }} - {{- end }} - {{- include "common.storage.class" (dict "persistence" .Values.replica.persistence "global" .Values.global) | nindent 8 }} - {{- end }} -{{- end }} diff --git a/charts/redis/templates/role.yaml b/charts/redis/templates/role.yaml deleted file mode 100644 index 0475e0da..00000000 --- a/charts/redis/templates/role.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} -kind: Role -metadata: - name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -rules: - {{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}} - {{- if and $pspAvailable .Values.podSecurityPolicy.enabled }} - - apiGroups: - - '{{ template "podSecurityPolicy.apiGroup" . }}' - resources: - - 'podsecuritypolicies' - verbs: - - 'use' - resourceNames: [{{ template "common.names.fullname" . }}] - {{- end }} - {{- if .Values.rbac.rules }} - {{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }} - {{- end }} -{{- end }} diff --git a/charts/redis/templates/rolebinding.yaml b/charts/redis/templates/rolebinding.yaml deleted file mode 100644 index 74968b8f..00000000 --- a/charts/redis/templates/rolebinding.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} -kind: RoleBinding -metadata: - name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "common.names.fullname" . }} -subjects: - - kind: ServiceAccount - name: {{ template "redis.serviceAccountName" . }} -{{- end }} diff --git a/charts/redis/templates/scripts-configmap.yaml b/charts/redis/templates/scripts-configmap.yaml deleted file mode 100644 index a387cd1c..00000000 --- a/charts/redis/templates/scripts-configmap.yaml +++ /dev/null @@ -1,572 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ printf "%s-scripts" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -data: -{{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled }} - start-node.sh: | - #!/bin/bash - - . /opt/bitnami/scripts/libos.sh - . /opt/bitnami/scripts/liblog.sh - . /opt/bitnami/scripts/libvalidations.sh - - get_port() { - hostname="$1" - type="$2" - - port_var=$(echo "${hostname^^}_SERVICE_PORT_$type" | sed "s/-/_/g") - port=${!port_var} - - if [ -z "$port" ]; then - case $type in - "SENTINEL") - echo {{ .Values.sentinel.containerPort }} - ;; - "REDIS") - echo {{ .Values.master.containerPort }} - ;; - esac - else - echo $port - fi - } - - get_full_hostname() { - hostname="$1" - - {{- if eq .Values.sentinel.service.type "NodePort" }} - echo "${hostname}.{{- .Release.Namespace }}" - {{- else }} - echo "${hostname}.${HEADLESS_SERVICE}" - {{- end }} - } - - REDISPORT=$(get_port "$HOSTNAME" "REDIS") - - HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" - REDIS_SERVICE="{{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" - SENTINEL_SERVICE_PORT=$(get_port "{{ include "common.names.fullname" . }}" "TCP_SENTINEL") - - validate_quorum() { - if is_boolean_yes "$REDIS_TLS_ENABLED"; then - quorum_info_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT --tls --cert ${REDIS_TLS_CERT_FILE} --key ${REDIS_TLS_KEY_FILE} --cacert ${REDIS_TLS_CA_FILE} sentinel master {{ .Values.sentinel.masterSet }}" - else - quorum_info_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT sentinel master {{ .Values.sentinel.masterSet }}" - fi - - info "about to run the command: $quorum_info_command" - eval $quorum_info_command | grep -Fq "s_down" - } - - trigger_manual_failover() { - if is_boolean_yes "$REDIS_TLS_ENABLED"; then - failover_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT --tls --cert ${REDIS_TLS_CERT_FILE} --key ${REDIS_TLS_KEY_FILE} --cacert ${REDIS_TLS_CA_FILE} sentinel failover {{ .Values.sentinel.masterSet }}" - else - failover_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT sentinel failover {{ .Values.sentinel.masterSet }}" - fi - - info "about to run the command: $failover_command" - eval $failover_command - } - - get_sentinel_master_info() { - if is_boolean_yes "$REDIS_TLS_ENABLED"; then - sentinel_info_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}timeout 5 redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT --tls --cert ${REDIS_TLS_CERT_FILE} --key ${REDIS_TLS_KEY_FILE} --cacert ${REDIS_TLS_CA_FILE} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" - else - sentinel_info_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}timeout 5 redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" - fi - - info "about to run the command: $sentinel_info_command" - eval $sentinel_info_command - } - - {{- if and .Values.replica.containerSecurityContext.runAsUser (eq (.Values.replica.containerSecurityContext.runAsUser | int) 0) }} - useradd redis - chown -R redis {{ .Values.replica.persistence.path }} - {{- end }} - - [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" - [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" - - # check if there is a master - get_sentinel_master_info - redisRetVal=$? - if [[ $redisRetVal -ne 0 ]]; then - # there is no master yet, master by default - export REDIS_REPLICATION_MODE="master" - else - export REDIS_REPLICATION_MODE="slave" - - {{- if and .Values.sentinel.automateClusterRecovery (le (int .Values.sentinel.downAfterMilliseconds) 2000) }} - retry_count=1 - while validate_quorum - do - info "sleeping, waiting for Redis master to come up" - sleep 1s - if ! ((retry_count % 11)); then - info "Trying to manually failover" - failover_result=$(trigger_manual_failover) - - debug "Failover result: $failover_result" - fi - - ((retry_count+=1)) - done - info "Redis master is up now" - {{- end }} - - # Fetches current master's host and port - REDIS_SENTINEL_INFO=($(get_sentinel_master_info)) - info "printing REDIS_SENTINEL_INFO=(${REDIS_SENTINEL_INFO[0]},${REDIS_SENTINEL_INFO[1]})" - REDIS_MASTER_HOST=${REDIS_SENTINEL_INFO[0]} - REDIS_MASTER_PORT_NUMBER=${REDIS_SENTINEL_INFO[1]} - fi - - if [[ "$REDIS_REPLICATION_MODE" = "master" ]]; then - debug "Starting as master node" - if [[ ! -f /opt/bitnami/redis/etc/master.conf ]]; then - cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf - fi - else - debug "Starting as replica node" - if [[ ! -f /opt/bitnami/redis/etc/replica.conf ]];then - cp /opt/bitnami/redis/mounted-etc/replica.conf /opt/bitnami/redis/etc/replica.conf - fi - fi - - if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then - cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf - fi - - echo "" >> /opt/bitnami/redis/etc/replica.conf - echo "replica-announce-port $REDISPORT" >> /opt/bitnami/redis/etc/replica.conf - echo "replica-announce-ip $(get_full_hostname "$HOSTNAME")" >> /opt/bitnami/redis/etc/replica.conf - - {{- if .Values.tls.enabled }} - ARGS=("--port" "0") - ARGS+=("--tls-port" "${REDIS_TLS_PORT}") - ARGS+=("--tls-cert-file" "${REDIS_TLS_CERT_FILE}") - ARGS+=("--tls-key-file" "${REDIS_TLS_KEY_FILE}") - ARGS+=("--tls-ca-cert-file" "${REDIS_TLS_CA_FILE}") - ARGS+=("--tls-auth-clients" "${REDIS_TLS_AUTH_CLIENTS}") - ARGS+=("--tls-replication" "yes") - {{- if .Values.tls.dhParamsFilename }} - ARGS+=("--tls-dh-params-file" "${REDIS_TLS_DH_PARAMS_FILE}") - {{- end }} - {{- else }} - ARGS=("--port" "${REDIS_PORT}") - {{- end }} - - if [[ "$REDIS_REPLICATION_MODE" = "slave" ]]; then - ARGS+=("--slaveof" "${REDIS_MASTER_HOST}" "${REDIS_MASTER_PORT_NUMBER}") - fi - - {{- if .Values.auth.enabled }} - ARGS+=("--requirepass" "${REDIS_PASSWORD}") - ARGS+=("--masterauth" "${REDIS_MASTER_PASSWORD}") - {{- else }} - ARGS+=("--protected-mode" "no") - {{- end }} - if [[ "$REDIS_REPLICATION_MODE" = "master" ]]; then - ARGS+=("--include" "/opt/bitnami/redis/etc/master.conf") - else - ARGS+=("--include" "/opt/bitnami/redis/etc/replica.conf") - fi - ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") - {{- if .Values.replica.extraFlags }} - {{- range .Values.replica.extraFlags }} - ARGS+=({{ . | quote }}) - {{- end }} - {{- end }} - - {{- if .Values.replica.preExecCmds }} - {{- .Values.replica.preExecCmds | nindent 4 }} - {{- end }} - - {{- if .Values.replica.command }} - exec {{ .Values.replica.command }} "${ARGS[@]}" - {{- else }} - exec redis-server "${ARGS[@]}" - {{- end }} - - start-sentinel.sh: | - #!/bin/bash - - . /opt/bitnami/scripts/libos.sh - . /opt/bitnami/scripts/libvalidations.sh - . /opt/bitnami/scripts/libfile.sh - - HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" - REDIS_SERVICE="{{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" - - get_port() { - hostname="$1" - type="$2" - - port_var=$(echo "${hostname^^}_SERVICE_PORT_$type" | sed "s/-/_/g") - port=${!port_var} - - if [ -z "$port" ]; then - case $type in - "SENTINEL") - echo {{ .Values.sentinel.containerPort }} - ;; - "REDIS") - echo {{ .Values.master.containerPort }} - ;; - esac - else - echo $port - fi - } - - get_full_hostname() { - hostname="$1" - - {{- if eq .Values.sentinel.service.type "NodePort" }} - echo "${hostname}.{{- .Release.Namespace }}" - {{- else }} - echo "${hostname}.${HEADLESS_SERVICE}" - {{- end }} - } - - SERVPORT=$(get_port "$HOSTNAME" "SENTINEL") - REDISPORT=$(get_port "$HOSTNAME" "REDIS") - SENTINEL_SERVICE_PORT=$(get_port "{{ include "common.names.fullname" . }}" "TCP_SENTINEL") - - sentinel_conf_set() { - local -r key="${1:?missing key}" - local value="${2:-}" - - # Sanitize inputs - value="${value//\\/\\\\}" - value="${value//&/\\&}" - value="${value//\?/\\?}" - [[ "$value" = "" ]] && value="\"$value\"" - - replace_in_file "/opt/bitnami/redis-sentinel/etc/sentinel.conf" "^#*\s*${key} .*" "${key} ${value}" false - } - sentinel_conf_add() { - echo $'\n'"$@" >> "/opt/bitnami/redis-sentinel/etc/sentinel.conf" - } - host_id() { - echo "$1" | openssl sha1 | awk '{print $2}' - } - get_sentinel_master_info() { - if is_boolean_yes "$REDIS_TLS_ENABLED"; then - sentinel_info_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}timeout 5 redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT --tls --cert ${REDIS_TLS_CERT_FILE} --key ${REDIS_TLS_KEY_FILE} --cacert ${REDIS_TLS_CA_FILE} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" - else - sentinel_info_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}timeout 5 redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" - fi - - info "about to run the command: $sentinel_info_command" - eval $sentinel_info_command - } - - [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" - - cp /opt/bitnami/redis-sentinel/mounted-etc/sentinel.conf /opt/bitnami/redis-sentinel/etc/sentinel.conf - {{- if .Values.auth.enabled }} - printf "\nsentinel auth-pass %s %s" "{{ .Values.sentinel.masterSet }}" "$REDIS_PASSWORD" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf - {{- if and .Values.auth.enabled .Values.auth.sentinel }} - printf "\nrequirepass %s" "$REDIS_PASSWORD" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf - {{- end }} - {{- end }} - printf "\nsentinel myid %s" "$(host_id "$HOSTNAME")" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf - - if ! get_sentinel_master_info; then - # No master found, lets create a master node - export REDIS_REPLICATION_MODE="master" - - REDIS_MASTER_HOST=$(get_full_hostname "$HOSTNAME") - REDIS_MASTER_PORT_NUMBER="$REDISPORT" - else - export REDIS_REPLICATION_MODE="slave" - - # Fetches current master's host and port - REDIS_SENTINEL_INFO=($(get_sentinel_master_info)) - info "printing REDIS_SENTINEL_INFO=(${REDIS_SENTINEL_INFO[0]},${REDIS_SENTINEL_INFO[1]})" - REDIS_MASTER_HOST=${REDIS_SENTINEL_INFO[0]} - REDIS_MASTER_PORT_NUMBER=${REDIS_SENTINEL_INFO[1]} - fi - - sentinel_conf_set "sentinel monitor" "{{ .Values.sentinel.masterSet }} "$REDIS_MASTER_HOST" "$REDIS_MASTER_PORT_NUMBER" {{ .Values.sentinel.quorum }}" - - add_known_sentinel() { - hostname="$1" - ip="$2" - - if [[ -n "$hostname" && -n "$ip" && "$hostname" != "$HOSTNAME" ]]; then - sentinel_conf_add "sentinel known-sentinel {{ .Values.sentinel.masterSet }} $(get_full_hostname "$hostname") $(get_port "$hostname" "SENTINEL") $(host_id "$hostname")" - fi - } - add_known_replica() { - hostname="$1" - ip="$2" - - if [[ -n "$ip" && "$(get_full_hostname "$hostname")" != "$REDIS_MASTER_HOST" ]]; then - sentinel_conf_add "sentinel known-replica {{ .Values.sentinel.masterSet }} $(get_full_hostname "$hostname") $(get_port "$hostname" "REDIS")" - fi - } - - # Add available hosts on the network as known replicas & sentinels - for node in $(seq 0 $(({{ .Values.replica.replicaCount }}-1))); do - hostname="{{ template "common.names.fullname" . }}-node-$node" - ip="$(getent hosts "$hostname.$HEADLESS_SERVICE" | awk '{ print $1 }')" - add_known_sentinel "$hostname" "$ip" - add_known_replica "$hostname" "$ip" - done - - echo "" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf - echo "sentinel announce-hostnames yes" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf - echo "sentinel resolve-hostnames yes" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf - echo "sentinel announce-port $SERVPORT" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf - echo "sentinel announce-ip $(get_full_hostname "$HOSTNAME")" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf - - {{- if .Values.tls.enabled }} - ARGS=("--port" "0") - ARGS+=("--tls-port" "${REDIS_SENTINEL_TLS_PORT_NUMBER}") - ARGS+=("--tls-cert-file" "${REDIS_SENTINEL_TLS_CERT_FILE}") - ARGS+=("--tls-key-file" "${REDIS_SENTINEL_TLS_KEY_FILE}") - ARGS+=("--tls-ca-cert-file" "${REDIS_SENTINEL_TLS_CA_FILE}") - ARGS+=("--tls-replication" "yes") - ARGS+=("--tls-auth-clients" "${REDIS_SENTINEL_TLS_AUTH_CLIENTS}") - {{- if .Values.tls.dhParamsFilename }} - ARGS+=("--tls-dh-params-file" "${REDIS_SENTINEL_TLS_DH_PARAMS_FILE}") - {{- end }} - {{- end }} - {{- if .Values.sentinel.preExecCmds }} - {{ .Values.sentinel.preExecCmds | nindent 4 }} - {{- end }} - exec redis-server /opt/bitnami/redis-sentinel/etc/sentinel.conf --sentinel {{- if .Values.tls.enabled }} "${ARGS[@]}" {{- end }} - prestop-sentinel.sh: | - #!/bin/bash - - . /opt/bitnami/scripts/libvalidations.sh - . /opt/bitnami/scripts/libos.sh - - HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" - SENTINEL_SERVICE_ENV_NAME={{ printf "%s%s" (upper (include "common.names.fullname" .)| replace "-" "_") "_SERVICE_PORT_TCP_SENTINEL" }} - SENTINEL_SERVICE_PORT=${!SENTINEL_SERVICE_ENV_NAME} - - get_full_hostname() { - hostname="$1" - - {{- if eq .Values.sentinel.service.type "NodePort" }} - echo "${hostname}.{{- .Release.Namespace }}" - {{- else }} - echo "${hostname}.${HEADLESS_SERVICE}" - {{- end }} - } - run_sentinel_command() { - if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then - redis-cli -h "$REDIS_SERVICE" -p "$SENTINEL_SERVICE_PORT" --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel "$@" - else - redis-cli -h "$REDIS_SERVICE" -p "$SENTINEL_SERVICE_PORT" sentinel "$@" - fi - } - failover_finished() { - REDIS_SENTINEL_INFO=($(run_sentinel_command get-master-addr-by-name "{{ .Values.sentinel.masterSet }}")) - REDIS_MASTER_HOST="${REDIS_SENTINEL_INFO[0]}" - [[ "$REDIS_MASTER_HOST" != "$(get_full_hostname $HOSTNAME)" ]] - } - - REDIS_SERVICE="{{ include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" - - # redis-cli automatically consumes credentials from the REDISCLI_AUTH variable - [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" - [[ -f "$REDIS_PASSWORD_FILE" ]] && export REDISCLI_AUTH="$(< "${REDIS_PASSWORD_FILE}")" - - if ! failover_finished; then - echo "I am the master pod and you are stopping me. Starting sentinel failover" - # if I am the master, issue a command to failover once and then wait for the failover to finish - run_sentinel_command failover "{{ .Values.sentinel.masterSet }}" - if retry_while "failover_finished" "{{ sub .Values.sentinel.terminationGracePeriodSeconds 10 }}" 1; then - echo "Master has been successfuly failed over to a different pod." - exit 0 - else - echo "Master failover failed" - exit 1 - fi - else - exit 0 - fi - prestop-redis.sh: | - #!/bin/bash - - . /opt/bitnami/scripts/libvalidations.sh - . /opt/bitnami/scripts/libos.sh - - run_redis_command() { - if is_boolean_yes "$REDIS_TLS_ENABLED"; then - redis-cli -h 127.0.0.1 -p "$REDIS_TLS_PORT" --tls --cert "$REDIS_TLS_CERT_FILE" --key "$REDIS_TLS_KEY_FILE" --cacert "$REDIS_TLS_CA_FILE" "$@" - else - redis-cli -h 127.0.0.1 -p ${REDIS_PORT} "$@" - fi - } - failover_finished() { - REDIS_ROLE=$(run_redis_command role | head -1) - [[ "$REDIS_ROLE" != "master" ]] - } - - # redis-cli automatically consumes credentials from the REDISCLI_AUTH variable - [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" - [[ -f "$REDIS_PASSWORD_FILE" ]] && export REDISCLI_AUTH="$(< "${REDIS_PASSWORD_FILE}")" - - if ! failover_finished; then - echo "Waiting for sentinel to run failover for up to {{ sub .Values.sentinel.terminationGracePeriodSeconds 10 }}s" - retry_while "failover_finished" "{{ sub .Values.sentinel.terminationGracePeriodSeconds 10 }}" 1 - else - exit 0 - fi - -{{- else }} - start-master.sh: | - #!/bin/bash - - [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" - {{- if and .Values.master.containerSecurityContext.runAsUser (eq (.Values.master.containerSecurityContext.runAsUser | int) 0) }} - useradd redis - chown -R redis {{ .Values.master.persistence.path }} - {{- end }} - if [[ ! -f /opt/bitnami/redis/etc/master.conf ]];then - cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf - fi - if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then - cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf - fi - {{- if .Values.tls.enabled }} - ARGS=("--port" "0") - ARGS+=("--tls-port" "${REDIS_TLS_PORT}") - ARGS+=("--tls-cert-file" "${REDIS_TLS_CERT_FILE}") - ARGS+=("--tls-key-file" "${REDIS_TLS_KEY_FILE}") - ARGS+=("--tls-ca-cert-file" "${REDIS_TLS_CA_FILE}") - ARGS+=("--tls-auth-clients" "${REDIS_TLS_AUTH_CLIENTS}") - {{- if .Values.tls.dhParamsFilename }} - ARGS+=("--tls-dh-params-file" "${REDIS_TLS_DH_PARAMS_FILE}") - {{- end }} - {{- else }} - ARGS=("--port" "${REDIS_PORT}") - {{- end }} - {{- if .Values.auth.enabled }} - ARGS+=("--requirepass" "${REDIS_PASSWORD}") - ARGS+=("--masterauth" "${REDIS_PASSWORD}") - {{- else }} - ARGS+=("--protected-mode" "no") - {{- end }} - ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") - ARGS+=("--include" "/opt/bitnami/redis/etc/master.conf") - {{- if .Values.master.extraFlags }} - {{- range .Values.master.extraFlags }} - ARGS+=({{ . | quote }}) - {{- end }} - {{- end }} - {{- if .Values.master.preExecCmds }} - {{ .Values.master.preExecCmds | nindent 4 }} - {{- end }} - {{- if .Values.master.command }} - exec {{ .Values.master.command }} "${ARGS[@]}" - {{- else }} - exec redis-server "${ARGS[@]}" - {{- end }} - {{- if eq .Values.architecture "replication" }} - start-replica.sh: | - #!/bin/bash - - get_port() { - hostname="$1" - type="$2" - - port_var=$(echo "${hostname^^}_SERVICE_PORT_$type" | sed "s/-/_/g") - port=${!port_var} - - if [ -z "$port" ]; then - case $type in - "SENTINEL") - echo {{ .Values.sentinel.containerPort }} - ;; - "REDIS") - echo {{ .Values.master.containerPort }} - ;; - esac - else - echo $port - fi - } - - get_full_hostname() { - hostname="$1" - - {{- if eq .Values.sentinel.service.type "NodePort" }} - echo "${hostname}.{{- .Release.Namespace }}" - {{- else }} - echo "${hostname}.${HEADLESS_SERVICE}" - {{- end }} - } - - REDISPORT=$(get_port "$HOSTNAME" "REDIS") - - [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" - [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" - {{- if and .Values.replica.containerSecurityContext.runAsUser (eq (.Values.replica.containerSecurityContext.runAsUser | int) 0) }} - useradd redis - chown -R redis {{ .Values.replica.persistence.path }} - {{- end }} - if [[ ! -f /opt/bitnami/redis/etc/replica.conf ]];then - cp /opt/bitnami/redis/mounted-etc/replica.conf /opt/bitnami/redis/etc/replica.conf - fi - if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then - cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf - fi - - echo "" >> /opt/bitnami/redis/etc/replica.conf - echo "replica-announce-port $REDISPORT" >> /opt/bitnami/redis/etc/replica.conf - echo "replica-announce-ip $(get_full_hostname "$HOSTNAME")" >> /opt/bitnami/redis/etc/replica.conf - - {{- if .Values.tls.enabled }} - ARGS=("--port" "0") - ARGS+=("--tls-port" "${REDIS_TLS_PORT}") - ARGS+=("--tls-cert-file" "${REDIS_TLS_CERT_FILE}") - ARGS+=("--tls-key-file" "${REDIS_TLS_KEY_FILE}") - ARGS+=("--tls-ca-cert-file" "${REDIS_TLS_CA_FILE}") - ARGS+=("--tls-auth-clients" "${REDIS_TLS_AUTH_CLIENTS}") - ARGS+=("--tls-replication" "yes") - {{- if .Values.tls.dhParamsFilename }} - ARGS+=("--tls-dh-params-file" "${REDIS_TLS_DH_PARAMS_FILE}") - {{- end }} - {{- else }} - ARGS=("--port" "${REDIS_PORT}") - {{- end }} - ARGS+=("--slaveof" "${REDIS_MASTER_HOST}" "${REDIS_MASTER_PORT_NUMBER}") - {{- if .Values.auth.enabled }} - ARGS+=("--requirepass" "${REDIS_PASSWORD}") - ARGS+=("--masterauth" "${REDIS_MASTER_PASSWORD}") - {{- else }} - ARGS+=("--protected-mode" "no") - {{- end }} - ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") - ARGS+=("--include" "/opt/bitnami/redis/etc/replica.conf") - {{- if .Values.replica.extraFlags }} - {{- range .Values.replica.extraFlags }} - ARGS+=({{ . | quote }}) - {{- end }} - {{- end }} - {{- if .Values.replica.preExecCmds }} - {{ .Values.replica.preExecCmds | nindent 4 }} - {{- end }} - {{- if .Values.replica.command }} - exec {{ .Values.replica.command }} "${ARGS[@]}" - {{- else }} - exec redis-server "${ARGS[@]}" - {{- end }} - {{- end }} -{{- end }} diff --git a/charts/redis/templates/secret.yaml b/charts/redis/templates/secret.yaml deleted file mode 100644 index aa2b3a22..00000000 --- a/charts/redis/templates/secret.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{- if and .Values.auth.enabled (not .Values.auth.existingSecret) -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -type: Opaque -data: - redis-password: {{ include "redis.password" . | b64enc | quote }} -{{- end -}} diff --git a/charts/redis/templates/sentinel/hpa.yaml b/charts/redis/templates/sentinel/hpa.yaml deleted file mode 100644 index 51f0f80a..00000000 --- a/charts/redis/templates/sentinel/hpa.yaml +++ /dev/null @@ -1,35 +0,0 @@ -{{- if and .Values.replica.autoscaling.enabled .Values.sentinel.enabled }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ printf "%s-node" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: replica - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - scaleTargetRef: - apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} - kind: StatefulSet - name: {{ printf "%s-node" (include "common.names.fullname" .) }} - minReplicas: {{ .Values.replica.autoscaling.minReplicas }} - maxReplicas: {{ .Values.replica.autoscaling.maxReplicas }} - metrics: - {{- if .Values.replica.autoscaling.targetCPU }} - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.replica.autoscaling.targetCPU }} - {{- end }} - {{- if .Values.replica.autoscaling.targetMemory }} - - type: Resource - resource: - name: memory - targetAverageUtilization: {{ .Values.replica.autoscaling.targetMemory }} - {{- end }} -{{- end }} diff --git a/charts/redis/templates/sentinel/node-services.yaml b/charts/redis/templates/sentinel/node-services.yaml deleted file mode 100644 index 0dc22acb..00000000 --- a/charts/redis/templates/sentinel/node-services.yaml +++ /dev/null @@ -1,71 +0,0 @@ -{{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled (eq .Values.sentinel.service.type "NodePort") (or .Release.IsUpgrade .Values.sentinel.service.nodePorts.redis ) }} - -{{- range $i := until (int .Values.replica.replicaCount) }} - -{{ $portsmap := (lookup "v1" "ConfigMap" $.Release.Namespace (printf "%s-%s" ( include "common.names.fullname" $ ) "ports-configmap")).data }} - -{{ $sentinelport := 0}} -{{ $redisport := 0}} -{{- if $portsmap }} -{{ $sentinelport = index $portsmap (printf "%s-node-%s-%s" (include "common.names.fullname" $) (toString $i) "sentinel") }} -{{ $redisport = index $portsmap (printf "%s-node-%s-%s" (include "common.names.fullname" $) (toString $i) "redis") }} -{{- else }} -{{- end }} - ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ template "common.names.fullname" $ }}-node-{{ $i }} - namespace: {{ $.Release.Namespace | quote }} - labels: {{- include "common.labels.standard" $ | nindent 4 }} - app.kubernetes.io/component: node - {{- if $.Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" $.Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if or $.Values.sentinel.service.annotations $.Values.commonAnnotations }} - annotations: - {{- if $.Values.sentinel.service.annotations }} - {{- include "common.tplvalues.render" ( dict "value" $.Values.sentinel.service.annotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if $.Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -spec: - type: NodePort - ports: - - name: sentinel - {{- if $.Values.sentinel.service.nodePorts.sentinel }} - nodePort: {{ (add $.Values.sentinel.service.nodePorts.sentinel $i 1) }} - port: {{ (add $.Values.sentinel.service.nodePorts.sentinel $i 1) }} - {{- else }} - nodePort: {{ $sentinelport }} - port: {{ $sentinelport }} - {{- end }} - protocol: TCP - targetPort: {{ $.Values.sentinel.containerPort }} - - name: redis - {{- if $.Values.sentinel.service.nodePorts.redis }} - nodePort: {{ (add $.Values.sentinel.service.nodePorts.redis $i 1) }} - port: {{ (add $.Values.sentinel.service.nodePorts.redis $i 1) }} - {{- else }} - nodePort: {{ $redisport }} - port: {{ $redisport }} - {{- end }} - protocol: TCP - targetPort: {{ $.Values.replica.containerPort }} - - name: sentinel-internal - nodePort: null - port: {{ $.Values.sentinel.containerPort }} - protocol: TCP - targetPort: {{ $.Values.sentinel.containerPort }} - - name: redis-internal - nodePort: null - port: {{ $.Values.replica.containerPort }} - protocol: TCP - targetPort: {{ $.Values.replica.containerPort }} - selector: - statefulset.kubernetes.io/pod-name: {{ template "common.names.fullname" $ }}-node-{{ $i }} -{{- end }} -{{- end }} diff --git a/charts/redis/templates/sentinel/ports-configmap.yaml b/charts/redis/templates/sentinel/ports-configmap.yaml deleted file mode 100644 index f5e7b2a9..00000000 --- a/charts/redis/templates/sentinel/ports-configmap.yaml +++ /dev/null @@ -1,100 +0,0 @@ -{{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled (eq .Values.sentinel.service.type "NodePort") (not .Values.sentinel.service.nodePorts.redis ) }} -{{- /* create a list to keep track of ports we choose to use */}} -{{ $chosenports := (list ) }} - -{{- /* Get list of all used nodeports */}} -{{ $usedports := (list ) }} -{{- range $index, $service := (lookup "v1" "Service" "" "").items }} - {{- range.spec.ports }} - {{- if .nodePort }} - {{- $usedports = (append $usedports .nodePort) }} - {{- end }} - {{- end }} -{{- end }} - -{{- /* -comments that start with # are rendered in the output when you debug, so you can less and search for them -Vars in the comment will be rendered out, so you can check their value this way. -https://helm.sh/docs/chart_best_practices/templates/#comments-yaml-comments-vs-template-comments - -remove the template comments and leave the yaml comments to help debug -*/}} - -{{- /* Sort the list */}} -{{ $usedports = $usedports | sortAlpha }} -#usedports {{ $usedports }} - -{{- /* How many nodeports per service do we want to create, except for the main service which is always two */}} -{{ $numberofPortsPerNodeService := 2 }} - -{{- /* for every nodeport we want, loop though the used ports to get an unused port */}} -{{- range $j := until (int (add (mul (int .Values.replica.replicaCount) $numberofPortsPerNodeService) 2)) }} - {{- /* #j={{ $j }} */}} - {{- $nodeport := (add $j 30000) }} - {{- $nodeportfound := false }} - {{- range $i := $usedports }} - {{- /* #i={{ $i }} - #nodeport={{ $nodeport }} - #usedports={{ $usedports }} */}} - {{- if and (has (toString $nodeport) $usedports) (eq $nodeportfound false) }} - {{- /* nodeport conflicts with in use */}} - {{- $nodeport = (add $nodeport 1) }} - {{- else if and ( has $nodeport $chosenports) (eq $nodeportfound false) }} - {{- /* nodeport already chosen, try another */}} - {{- $nodeport = (add $nodeport 1) }} - {{- else if (eq $nodeportfound false) }} - {{- /* nodeport free to use: not already claimed and not in use */}} - {{- /* select nodeport, and place into usedports */}} - {{- $chosenports = (append $chosenports $nodeport) }} - {{- $nodeportfound = true }} - {{- else }} - {{- /* nodeport has already been chosen and locked in, just work through the rest of the list to get to the next nodeport selection */}} - {{- end }} - {{- end }} - {{- if (eq $nodeportfound false) }} - {{- $chosenports = (append $chosenports $nodeport) }} - {{- end }} - -{{- end }} - -{{- /* print the usedports and chosenports for debugging */}} -#usedports {{ $usedports }} -#chosenports {{ $chosenports }}}} - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "common.names.fullname" . }}-ports-configmap - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -data: -{{ $portsmap := (lookup "v1" "ConfigMap" $.Release.Namespace (printf "%s-%s" ( include "common.names.fullname" . ) "ports-configmap")).data }} -{{- if $portsmap }} -{{- /* configmap already exists, do not install again */ -}} - {{- range $name, $value := $portsmap }} - "{{ $name }}": "{{ $value }}" - {{- end }} -{{- else }} -{{- /* configmap being set for first time */ -}} - {{- range $index, $port := $chosenports }} - {{- $nodenumber := (floor (div $index 2)) }} - {{- if (eq $index 0) }} - "{{ template "common.names.fullname" $ }}-sentinel": "{{ $port }}" - {{- else if (eq $index 1) }} - "{{ template "common.names.fullname" $ }}-redis": "{{ $port }}" - {{- else if (eq (mod $index 2) 0) }} - "{{ template "common.names.fullname" $ }}-node-{{ (sub $nodenumber 1) }}-sentinel": "{{ $port }}" - {{- else if (eq (mod $index 2) 1) }} - "{{ template "common.names.fullname" $ }}-node-{{ (sub $nodenumber 1) }}-redis": "{{ $port }}" - {{- end }} - {{- end }} -{{- end }} -{{- end }} diff --git a/charts/redis/templates/sentinel/service.yaml b/charts/redis/templates/sentinel/service.yaml deleted file mode 100644 index 3f510685..00000000 --- a/charts/redis/templates/sentinel/service.yaml +++ /dev/null @@ -1,96 +0,0 @@ -{{- if or .Release.IsUpgrade (ne .Values.sentinel.service.type "NodePort") .Values.sentinel.service.nodePorts.redis -}} - ---- -{{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled }} -{{ $portsmap := (lookup "v1" "ConfigMap" $.Release.Namespace (printf "%s-%s" ( include "common.names.fullname" . ) "ports-configmap")).data }} - -{{ $sentinelport := 0}} -{{ $redisport := 0}} -{{- if $portsmap }} -{{ $sentinelport = index $portsmap (printf "%s-%s" (include "common.names.fullname" $) "sentinel") }} -{{ $redisport = index $portsmap (printf "%s-%s" (include "common.names.fullname" $) "redis") }} -{{- else }} -{{- end }} - -apiVersion: v1 -kind: Service -metadata: - name: {{ template "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: node - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if or .Values.sentinel.service.annotations .Values.commonAnnotations }} - annotations: - {{- if .Values.sentinel.service.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.service.annotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -spec: - type: {{ .Values.sentinel.service.type }} - {{- if eq .Values.sentinel.service.type "LoadBalancer" }} - externalTrafficPolicy: {{ .Values.sentinel.service.externalTrafficPolicy }} - {{- end }} - {{- if and (eq .Values.sentinel.service.type "LoadBalancer") .Values.sentinel.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.sentinel.service.loadBalancerIP }} - {{- end }} - {{- if and (eq .Values.sentinel.service.type "LoadBalancer") .Values.sentinel.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: {{- toYaml .Values.sentinel.service.loadBalancerSourceRanges | nindent 4 }} - {{- end }} - {{- if and (eq .Values.sentinel.service.type "ClusterIP") .Values.sentinel.service.clusterIP }} - clusterIP: {{ .Values.sentinel.service.clusterIP }} - {{- end }} - ports: - - name: tcp-redis - {{- if and (or (eq .Values.sentinel.service.type "NodePort") (eq .Values.sentinel.service.type "LoadBalancer")) .Values.sentinel.service.nodePorts.redis }} - port: {{ .Values.sentinel.service.nodePorts.redis }} - {{- else if eq .Values.sentinel.service.type "NodePort" }} - port: {{ $redisport }} - {{- else }} - port: {{ .Values.sentinel.service.port }} - {{- end }} - targetPort: {{ .Values.replica.containerPort }} - {{- if and (or (eq .Values.sentinel.service.type "NodePort") (eq .Values.sentinel.service.type "LoadBalancer")) .Values.sentinel.service.nodePorts.redis }} - nodePort: {{ .Values.sentinel.service.nodePorts.redis }} - {{- else if eq .Values.sentinel.service.type "ClusterIP" }} - nodePort: null - {{- else if eq .Values.sentinel.service.type "NodePort" }} - nodePort: {{ $redisport }} - {{- end }} - - name: tcp-sentinel - {{- if and (or (eq .Values.sentinel.service.type "NodePort") (eq .Values.sentinel.service.type "LoadBalancer")) .Values.sentinel.service.nodePorts.sentinel }} - port: {{ .Values.sentinel.service.nodePorts.sentinel }} - {{- else if eq .Values.sentinel.service.type "NodePort" }} - port: {{ $sentinelport }} - {{- else }} - port: {{ .Values.sentinel.service.sentinelPort }} - {{- end }} - targetPort: {{ .Values.sentinel.containerPort }} - {{- if and (or (eq .Values.sentinel.service.type "NodePort") (eq .Values.sentinel.service.type "LoadBalancer")) .Values.sentinel.service.nodePorts.sentinel }} - nodePort: {{ .Values.sentinel.service.nodePorts.sentinel }} - {{- else if eq .Values.sentinel.service.type "ClusterIP" }} - nodePort: null - {{- else if eq .Values.sentinel.service.type "NodePort" }} - nodePort: {{ $sentinelport }} - {{- end }} - {{- if eq .Values.sentinel.service.type "NodePort" }} - - name: sentinel-internal - nodePort: null - port: {{ .Values.sentinel.containerPort }} - protocol: TCP - targetPort: {{ .Values.sentinel.containerPort }} - - name: redis-internal - nodePort: null - port: {{ .Values.replica.containerPort }} - protocol: TCP - targetPort: {{ .Values.replica.containerPort }} - {{- end }} - selector: {{- include "common.labels.matchLabels" . | nindent 4 }} - app.kubernetes.io/component: node -{{- end }} -{{- end }} diff --git a/charts/redis/templates/sentinel/statefulset.yaml b/charts/redis/templates/sentinel/statefulset.yaml deleted file mode 100644 index 34b262bc..00000000 --- a/charts/redis/templates/sentinel/statefulset.yaml +++ /dev/null @@ -1,612 +0,0 @@ -{{- if or .Release.IsUpgrade (ne .Values.sentinel.service.type "NodePort") .Values.sentinel.service.nodePorts.redis -}} -{{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled }} -apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} -kind: StatefulSet -metadata: - name: {{ printf "%s-node" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: node - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if or .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - replicas: {{ .Values.replica.replicaCount }} - selector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} - app.kubernetes.io/component: node - serviceName: {{ printf "%s-headless" (include "common.names.fullname" .) }} - {{- if .Values.replica.updateStrategy }} - updateStrategy: {{- toYaml .Values.replica.updateStrategy | nindent 4 }} - {{- end }} - template: - metadata: - labels: {{- include "common.labels.standard" . | nindent 8 }} - app.kubernetes.io/component: node - {{- if .Values.replica.podLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.replica.podLabels "context" $ ) | nindent 8 }} - {{- end }} - {{- if and .Values.metrics.enabled .Values.metrics.podLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podLabels "context" $ ) | nindent 8 }} - {{- end }} - annotations: - {{- if (include "redis.createConfigmap" .) }} - checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - {{- end }} - checksum/health: {{ include (print $.Template.BasePath "/health-configmap.yaml") . | sha256sum }} - checksum/scripts: {{ include (print $.Template.BasePath "/scripts-configmap.yaml") . | sha256sum }} - checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} - {{- if .Values.replica.podAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.replica.podAnnotations "context" $ ) | nindent 8 }} - {{- end }} - {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podAnnotations "context" $ ) | nindent 8 }} - {{- end }} - spec: - {{- include "redis.imagePullSecrets" . | nindent 6 }} - {{- if .Values.replica.hostAliases }} - hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.replica.hostAliases "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.replica.podSecurityContext.enabled }} - securityContext: {{- omit .Values.replica.podSecurityContext "enabled" | toYaml | nindent 8 }} - {{- end }} - serviceAccountName: {{ template "redis.serviceAccountName" . }} - {{- if .Values.replica.priorityClassName }} - priorityClassName: {{ .Values.replica.priorityClassName | quote }} - {{- end }} - {{- if .Values.replica.affinity }} - affinity: {{- include "common.tplvalues.render" (dict "value" .Values.replica.affinity "context" $) | nindent 8 }} - {{- else }} - affinity: - podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.replica.podAffinityPreset "component" "node" "context" $) | nindent 10 }} - podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.replica.podAntiAffinityPreset "component" "node" "context" $) | nindent 10 }} - nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.replica.nodeAffinityPreset.type "key" .Values.replica.nodeAffinityPreset.key "values" .Values.replica.nodeAffinityPreset.values) | nindent 10 }} - {{- end }} - {{- if .Values.replica.nodeSelector }} - nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.replica.nodeSelector "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.replica.tolerations }} - tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.replica.tolerations "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.replica.spreadConstraints }} - topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.replica.spreadConstraints "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.replica.shareProcessNamespace }} - shareProcessNamespace: {{ .Values.replica.shareProcessNamespace }} - {{- end }} - {{- if .Values.replica.schedulerName }} - schedulerName: {{ .Values.replica.schedulerName | quote }} - {{- end }} - terminationGracePeriodSeconds: {{ .Values.sentinel.terminationGracePeriodSeconds }} - containers: - - name: redis - image: {{ template "redis.image" . }} - imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - {{- if not .Values.diagnosticMode.enabled }} - {{- if .Values.replica.lifecycleHooks }} - lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.replica.lifecycleHooks "context" $) | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.replica.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.replica.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} - {{- else if .Values.replica.command }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.replica.command "context" $) | nindent 12 }} - {{- else }} - command: - - /bin/bash - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} - {{- else if .Values.replica.args }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.replica.args "context" $) | nindent 12 }} - {{- else }} - args: - - -c - - /opt/bitnami/scripts/start-scripts/start-node.sh - {{- end }} - env: - - name: BITNAMI_DEBUG - value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} - - name: REDIS_MASTER_PORT_NUMBER - value: {{ .Values.replica.containerPort | quote }} - - name: ALLOW_EMPTY_PASSWORD - value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} - {{- if .Values.auth.enabled }} - {{- if .Values.auth.usePasswordFiles }} - - name: REDIS_PASSWORD_FILE - value: "/opt/bitnami/redis/secrets/redis-password" - - name: REDIS_MASTER_PASSWORD_FILE - value: "/opt/bitnami/redis/secrets/redis-password" - {{- else }} - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "redis.secretName" . }} - key: {{ template "redis.secretPasswordKey" . }} - - name: REDIS_MASTER_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "redis.secretName" . }} - key: {{ template "redis.secretPasswordKey" . }} - {{- end }} - {{- end }} - - name: REDIS_TLS_ENABLED - value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} - {{- if .Values.tls.enabled }} - - name: REDIS_TLS_PORT - value: {{ .Values.replica.containerPort | quote }} - - name: REDIS_TLS_AUTH_CLIENTS - value: {{ ternary "yes" "no" .Values.tls.authClients | quote }} - - name: REDIS_TLS_CERT_FILE - value: {{ template "redis.tlsCert" . }} - - name: REDIS_TLS_KEY_FILE - value: {{ template "redis.tlsCertKey" . }} - - name: REDIS_TLS_CA_FILE - value: {{ template "redis.tlsCACert" . }} - {{- if .Values.tls.dhParamsFilename }} - - name: REDIS_TLS_DH_PARAMS_FILE - value: {{ template "redis.tlsDHParams" . }} - {{- end }} - {{- else }} - - name: REDIS_PORT - value: {{ .Values.replica.containerPort | quote }} - {{- end }} - - name: REDIS_DATA_DIR - value: {{ .Values.replica.persistence.path }} - {{- if .Values.replica.extraEnvVars }} - {{- include "common.tplvalues.render" ( dict "value" .Values.replica.extraEnvVars "context" $ ) | nindent 12 }} - {{- end }} - {{- if or .Values.replica.extraEnvVarsCM .Values.replica.extraEnvVarsSecret }} - envFrom: - {{- if .Values.replica.extraEnvVarsCM }} - - configMapRef: - name: {{ .Values.replica.extraEnvVarsCM }} - {{- end }} - {{- if .Values.replica.extraEnvVarsSecret }} - - secretRef: - name: {{ .Values.replica.extraEnvVarsSecret }} - {{- end }} - {{- end }} - ports: - - name: redis - containerPort: {{ .Values.replica.containerPort }} - {{- if not .Values.diagnosticMode.enabled }} - {{- if .Values.replica.livenessProbe.enabled }} - livenessProbe: - initialDelaySeconds: {{ .Values.replica.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.replica.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.replica.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.replica.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.replica.livenessProbe.failureThreshold }} - exec: - command: - - sh - - -c - - /health/ping_liveness_local.sh {{ .Values.replica.livenessProbe.timeoutSeconds }} - {{- else if .Values.replica.customLivenessProbe }} - livenessProbe: {{- toYaml .Values.replica.customLivenessProbe | nindent 12 }} - {{- end }} - {{- if .Values.replica.readinessProbe.enabled }} - readinessProbe: - initialDelaySeconds: {{ .Values.replica.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.replica.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.replica.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.replica.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.replica.readinessProbe.failureThreshold }} - exec: - command: - - sh - - -c - - /health/ping_readiness_local.sh {{ .Values.replica.livenessProbe.timeoutSeconds }} - {{- else if .Values.replica.customReadinessProbe }} - readinessProbe: {{- toYaml .Values.replica.customReadinessProbe | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.replica.resources }} - resources: {{- toYaml .Values.replica.resources | nindent 12 }} - {{- end }} - volumeMounts: - - name: start-scripts - mountPath: /opt/bitnami/scripts/start-scripts - - name: health - mountPath: /health - {{- if .Values.auth.usePasswordFiles }} - - name: redis-password - mountPath: /opt/bitnami/redis/secrets/ - {{- end }} - - name: redis-data - mountPath: {{ .Values.replica.persistence.path }} - subPath: {{ .Values.replica.persistence.subPath }} - - name: config - mountPath: /opt/bitnami/redis/mounted-etc - - name: redis-tmp-conf - mountPath: /opt/bitnami/redis/etc - - name: tmp - mountPath: /tmp - {{- if .Values.tls.enabled }} - - name: redis-certificates - mountPath: /opt/bitnami/redis/certs - readOnly: true - {{- end }} - {{- if .Values.replica.extraVolumeMounts }} - {{- include "common.tplvalues.render" ( dict "value" .Values.replica.extraVolumeMounts "context" $ ) | nindent 12 }} - {{- end }} - lifecycle: - preStop: - exec: - command: - - /bin/bash - - -c - - /opt/bitnami/scripts/start-scripts/prestop-redis.sh - - name: sentinel - image: {{ template "redis.sentinel.image" . }} - imagePullPolicy: {{ .Values.sentinel.image.pullPolicy | quote }} - {{- if .Values.sentinel.lifecycleHooks }} - lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.lifecycleHooks "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.sentinel.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.sentinel.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} - {{- else if .Values.sentinel.command }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.command "context" $) | nindent 12 }} - {{- else }} - command: - - /bin/bash - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} - {{- else if .Values.sentinel.args }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.args "context" $) | nindent 12 }} - {{- else }} - args: - - -c - - /opt/bitnami/scripts/start-scripts/start-sentinel.sh - {{- end }} - env: - - name: BITNAMI_DEBUG - value: {{ ternary "true" "false" (or .Values.sentinel.image.debug .Values.diagnosticMode.enabled) | quote }} - {{- if .Values.auth.enabled }} - {{- if .Values.auth.usePasswordFiles }} - - name: REDIS_PASSWORD_FILE - value: "/opt/bitnami/redis/secrets/redis-password" - {{- else }} - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "redis.secretName" . }} - key: {{ template "redis.secretPasswordKey" . }} - {{- end }} - {{- else }} - - name: ALLOW_EMPTY_PASSWORD - value: "yes" - {{- end }} - - name: REDIS_SENTINEL_TLS_ENABLED - value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} - {{- if .Values.tls.enabled }} - - name: REDIS_SENTINEL_TLS_PORT_NUMBER - value: {{ .Values.sentinel.containerPort | quote }} - - name: REDIS_SENTINEL_TLS_AUTH_CLIENTS - value: {{ ternary "yes" "no" .Values.tls.authClients | quote }} - - name: REDIS_SENTINEL_TLS_CERT_FILE - value: {{ template "redis.tlsCert" . }} - - name: REDIS_SENTINEL_TLS_KEY_FILE - value: {{ template "redis.tlsCertKey" . }} - - name: REDIS_SENTINEL_TLS_CA_FILE - value: {{ template "redis.tlsCACert" . }} - {{- if .Values.tls.dhParamsFilename }} - - name: REDIS_SENTINEL_TLS_DH_PARAMS_FILE - value: {{ template "redis.tls.dhParamsFilename" . }} - {{- end }} - {{- else }} - - name: REDIS_SENTINEL_PORT - value: {{ .Values.sentinel.containerPort | quote }} - {{- end }} - {{- if .Values.sentinel.extraEnvVars }} - {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.extraEnvVars "context" $ ) | nindent 12 }} - {{- end }} - {{- if or .Values.sentinel.extraEnvVarsCM .Values.sentinel.extraEnvVarsSecret }} - envFrom: - {{- if .Values.sentinel.extraEnvVarsCM }} - - configMapRef: - name: {{ .Values.sentinel.extraEnvVarsCM }} - {{- end }} - {{- if .Values.sentinel.extraEnvVarsSecret }} - - secretRef: - name: {{ .Values.sentinel.extraEnvVarsSecret }} - {{- end }} - {{- end }} - ports: - - name: redis-sentinel - containerPort: {{ .Values.sentinel.containerPort }} - {{- if not .Values.diagnosticMode.enabled }} - {{- if .Values.sentinel.livenessProbe.enabled }} - livenessProbe: - initialDelaySeconds: {{ .Values.sentinel.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.sentinel.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.sentinel.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.sentinel.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.sentinel.livenessProbe.failureThreshold }} - exec: - command: - - sh - - -c - - /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }} - {{- else if .Values.sentinel.customLivenessProbe }} - livenessProbe: {{- toYaml .Values.sentinel.customLivenessProbe | nindent 12 }} - {{- end }} - {{- end }} - {{- if not .Values.diagnosticMode.enabled }} - {{- if .Values.sentinel.readinessProbe.enabled }} - readinessProbe: - initialDelaySeconds: {{ .Values.sentinel.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.sentinel.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.sentinel.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.sentinel.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.sentinel.readinessProbe.failureThreshold }} - exec: - command: - - sh - - -c - - /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }} - {{- else if .Values.sentinel.customReadinessProbe }} - readinessProbe: {{- toYaml .Values.sentinel.customReadinessProbe | nindent 12 }} - {{- end }} - {{- end }} - {{- if not .Values.diagnosticMode.enabled }} - lifecycle: - preStop: - exec: - command: - - /bin/bash - - -c - - /opt/bitnami/scripts/start-scripts/prestop-sentinel.sh - {{- end }} - {{- if .Values.sentinel.resources }} - resources: {{- toYaml .Values.sentinel.resources | nindent 12 }} - {{- end }} - volumeMounts: - - name: start-scripts - mountPath: /opt/bitnami/scripts/start-scripts - - name: health - mountPath: /health - {{- if .Values.auth.usePasswordFiles }} - - name: redis-password - mountPath: /opt/bitnami/redis/secrets/ - {{- end }} - - name: redis-data - mountPath: {{ .Values.replica.persistence.path }} - subPath: {{ .Values.replica.persistence.subPath }} - - name: config - mountPath: /opt/bitnami/redis-sentinel/mounted-etc - - name: sentinel-tmp-conf - mountPath: /opt/bitnami/redis-sentinel/etc - {{- if .Values.tls.enabled }} - - name: redis-certificates - mountPath: /opt/bitnami/redis/certs - readOnly: true - {{- end }} - {{- if .Values.sentinel.extraVolumeMounts }} - {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.extraVolumeMounts "context" $ ) | nindent 12 }} - {{- end }} - {{- if .Values.metrics.enabled }} - - name: metrics - image: {{ template "redis.metrics.image" . }} - imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} - {{- if .Values.metrics.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} - {{- else }} - command: - - /bin/bash - - -c - - | - if [[ -f '/secrets/redis-password' ]]; then - export REDIS_PASSWORD=$(cat /secrets/redis-password) - fi - redis_exporter{{- range $key, $value := .Values.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }} - {{- end }} - {{- if .Values.diagnosticMode.enabled }} - args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} - {{- end }} - env: - - name: REDIS_ALIAS - value: {{ template "common.names.fullname" . }} - {{- if .Values.auth.enabled }} - - name: REDIS_USER - value: default - {{- if (not .Values.auth.usePasswordFiles) }} - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "redis.secretName" . }} - key: {{ template "redis.secretPasswordKey" . }} - {{- end }} - {{- end }} - {{- if .Values.tls.enabled }} - - name: REDIS_ADDR - value: rediss://{{ .Values.metrics.redisTargetHost }}:{{ .Values.replica.containerPort }} - {{- if .Values.tls.authClients }} - - name: REDIS_EXPORTER_TLS_CLIENT_KEY_FILE - value: {{ template "redis.tlsCertKey" . }} - - name: REDIS_EXPORTER_TLS_CLIENT_CERT_FILE - value: {{ template "redis.tlsCert" . }} - {{- end }} - - name: REDIS_EXPORTER_TLS_CA_CERT_FILE - value: {{ template "redis.tlsCACert" . }} - {{- end }} - ports: - - name: metrics - containerPort: 9121 - {{- if .Values.metrics.resources }} - resources: {{- toYaml .Values.metrics.resources | nindent 12 }} - {{- end }} - volumeMounts: - {{- if .Values.auth.usePasswordFiles }} - - name: redis-password - mountPath: /secrets/ - {{- end }} - {{- if .Values.tls.enabled }} - - name: redis-certificates - mountPath: /opt/bitnami/redis/certs - readOnly: true - {{- end }} - {{- end }} - {{- if .Values.replica.sidecars }} - {{- include "common.tplvalues.render" (dict "value" .Values.replica.sidecars "context" $) | nindent 8 }} - {{- end }} - {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.replica.persistence.enabled .Values.replica.podSecurityContext.enabled .Values.replica.containerSecurityContext.enabled }} - {{- if or .Values.replica.initContainers $needsVolumePermissions .Values.sysctl.enabled }} - initContainers: - {{- if .Values.replica.initContainers }} - {{- include "common.tplvalues.render" (dict "value" .Values.replica.initContainers "context" $) | nindent 8 }} - {{- end }} - {{- if $needsVolumePermissions }} - - name: volume-permissions - image: {{ include "redis.volumePermissions.image" . }} - imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - command: - - /bin/bash - - -ec - - | - {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} - chown -R `id -u`:`id -G | cut -d " " -f2` {{ .Values.replica.persistence.path }} - {{- else }} - chown -R {{ .Values.replica.containerSecurityContext.runAsUser }}:{{ .Values.replica.podSecurityContext.fsGroup }} {{ .Values.replica.persistence.path }} - {{- end }} - {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} - securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} - {{- else }} - securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.volumePermissions.resources }} - resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} - {{- end }} - volumeMounts: - - name: redis-data - mountPath: {{ .Values.replica.persistence.path }} - subPath: {{ .Values.replica.persistence.subPath }} - {{- end }} - {{- if .Values.sysctl.enabled }} - - name: init-sysctl - image: {{ include "redis.sysctl.image" . }} - imagePullPolicy: {{ default "" .Values.sysctl.image.pullPolicy | quote }} - securityContext: - privileged: true - runAsUser: 0 - {{- if .Values.sysctl.command }} - command: {{- include "common.tplvalues.render" (dict "value" .Values.sysctl.command "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.sysctl.resources }} - resources: {{- toYaml .Values.sysctl.resources | nindent 12 }} - {{- end }} - {{- if .Values.sysctl.mountHostSys }} - volumeMounts: - - name: host-sys - mountPath: /host-sys - {{- end }} - {{- end }} - {{- end }} - volumes: - - name: start-scripts - configMap: - name: {{ printf "%s-scripts" (include "common.names.fullname" .) }} - defaultMode: 0755 - - name: health - configMap: - name: {{ printf "%s-health" (include "common.names.fullname" .) }} - defaultMode: 0755 - {{- if .Values.auth.usePasswordFiles }} - - name: redis-password - secret: - secretName: {{ template "redis.secretName" . }} - items: - - key: {{ template "redis.secretPasswordKey" . }} - path: redis-password - {{- end }} - - name: config - configMap: - name: {{ include "redis.configmapName" . }} - {{- if .Values.sysctl.mountHostSys }} - - name: host-sys - hostPath: - path: /sys - {{- end }} - - name: sentinel-tmp-conf - {{- if .Values.replica.persistence.medium }} - emptyDir: { - medium: {{ .Values.replica.persistence.medium | quote }} - } - {{- else }} - emptyDir: {} - {{- end }} - - name: redis-tmp-conf - {{- if .Values.replica.persistence.medium }} - emptyDir: { - medium: {{ .Values.replica.persistence.medium | quote }} - } - {{- else }} - emptyDir: {} - {{- end }} - - name: tmp - {{- if .Values.replica.persistence.medium }} - emptyDir: { - medium: {{ .Values.replica.persistence.medium | quote }} - } - {{- else }} - emptyDir: {} - {{- end }} - {{- if .Values.replica.extraVolumes }} - {{- include "common.tplvalues.render" ( dict "value" .Values.replica.extraVolumes "context" $ ) | nindent 8 }} - {{- end }} - {{- if .Values.sentinel.extraVolumes }} - {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.extraVolumes "context" $ ) | nindent 8 }} - {{- end }} - {{- if .Values.tls.enabled }} - - name: redis-certificates - secret: - secretName: {{ include "redis.tlsSecretName" . }} - defaultMode: 256 - {{- end }} - {{- if not .Values.replica.persistence.enabled }} - - name: redis-data - {{- if .Values.replica.persistence.medium }} - emptyDir: { - medium: {{ .Values.replica.persistence.medium | quote }} - } - {{- else }} - emptyDir: {} - {{- end }} - {{- else }} - volumeClaimTemplates: - - metadata: - name: redis-data - labels: {{- include "common.labels.matchLabels" . | nindent 10 }} - app.kubernetes.io/component: node - {{- if .Values.replica.persistence.annotations }} - annotations: {{- toYaml .Values.replica.persistence.annotations | nindent 10 }} - {{- end }} - spec: - accessModes: - {{- range .Values.replica.persistence.accessModes }} - - {{ . | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.replica.persistence.size | quote }} - {{- if .Values.replica.persistence.selector }} - selector: {{- include "common.tplvalues.render" ( dict "value" .Values.replica.persistence.selector "context" $) | nindent 10 }} - {{- end }} - {{- include "common.storage.class" (dict "persistence" .Values.replica.persistence "global" .Values.global) | nindent 8 }} - {{- end }} -{{- end }} -{{- end }} diff --git a/charts/redis/templates/serviceaccount.yaml b/charts/redis/templates/serviceaccount.yaml deleted file mode 100644 index 1ce68a76..00000000 --- a/charts/redis/templates/serviceaccount.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if .Values.serviceAccount.create }} -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} -metadata: - name: {{ template "redis.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if or .Values.commonAnnotations .Values.serviceAccount.annotations }} - annotations: - {{- if or .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.serviceAccount.annotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.serviceAccount.annotations "context" $ ) | nindent 4 }} - {{- end }} - {{- end }} -{{- end }} diff --git a/charts/redis/templates/servicemonitor.yaml b/charts/redis/templates/servicemonitor.yaml deleted file mode 100644 index 0d94a4b4..00000000 --- a/charts/redis/templates/servicemonitor.yaml +++ /dev/null @@ -1,45 +0,0 @@ -{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ template "common.names.fullname" . }} - {{- if .Values.metrics.serviceMonitor.namespace }} - namespace: {{ .Values.metrics.serviceMonitor.namespace }} - {{- else }} - namespace: {{ .Release.Namespace | quote }} - {{- end }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.metrics.serviceMonitor.additionalLabels }} - {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.additionalLabels "context" $) | nindent 4 }} - {{- end }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - endpoints: - - port: http-metrics - {{- if .Values.metrics.serviceMonitor.interval }} - interval: {{ .Values.metrics.serviceMonitor.interval }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} - scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.honorLabels }} - honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.relabellings }} - relabelings: {{- toYaml .Values.metrics.serviceMonitor.relabellings | nindent 6 }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.metricRelabelings }} - metricRelabelings: {{- toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 6 }} - {{- end }} - namespaceSelector: - matchNames: - - {{ .Release.Namespace }} - selector: - matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} - app.kubernetes.io/component: metrics -{{- end }} diff --git a/charts/redis/templates/tls-secret.yaml b/charts/redis/templates/tls-secret.yaml deleted file mode 100644 index 5b40dff7..00000000 --- a/charts/redis/templates/tls-secret.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if (include "redis.createTlsSecret" .) }} -{{- $ca := genCA "redis-ca" 365 }} -{{- $releaseNamespace := .Release.Namespace }} -{{- $clusterDomain := .Values.clusterDomain }} -{{- $fullname := include "common.names.fullname" . }} -{{- $serviceName := include "common.names.fullname" . }} -{{- $headlessServiceName := printf "%s-headless" (include "common.names.fullname" .) }} -{{- $altNames := list (printf "*.%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) "127.0.0.1" "localhost" $fullname }} -{{- $crt := genSignedCert $fullname nil $altNames 365 $ca }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.names.fullname" . }}-crt - labels: {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonLabels }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -type: kubernetes.io/tls -data: - ca.crt: {{ $ca.Cert | b64enc | quote }} - tls.crt: {{ $crt.Cert | b64enc | quote }} - tls.key: {{ $crt.Key | b64enc | quote }} -{{- end }} diff --git a/charts/redis/values.schema.json b/charts/redis/values.schema.json deleted file mode 100644 index 778e1405..00000000 --- a/charts/redis/values.schema.json +++ /dev/null @@ -1,149 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "type": "object", - "properties": { - "architecture": { - "type": "string", - "title": "Redis architecture", - "form": true, - "description": "Allowed values: `standalone` or `replication`", - "enum": ["standalone", "replication"] - }, - "auth": { - "type": "object", - "title": "Authentication configuration", - "form": true, - "properties": { - "enabled": { - "type": "boolean", - "form": true, - "title": "Use password authentication" - }, - "password": { - "type": "string", - "title": "Redis password", - "form": true, - "description": "Defaults to a random 10-character alphanumeric string if not set", - "hidden": { - "value": false, - "path": "auth/enabled" - } - } - } - }, - "master": { - "type": "object", - "title": "Master replicas settings", - "form": true, - "properties": { - "persistence": { - "type": "object", - "title": "Persistence for master replicas", - "form": true, - "properties": { - "enabled": { - "type": "boolean", - "form": true, - "title": "Enable persistence", - "description": "Enable persistence using Persistent Volume Claims" - }, - "size": { - "type": "string", - "title": "Persistent Volume Size", - "form": true, - "render": "slider", - "sliderMin": 1, - "sliderMax": 100, - "sliderUnit": "Gi", - "hidden": { - "value": false, - "path": "master/persistence/enabled" - } - } - } - } - } - }, - "replica": { - "type": "object", - "title": "Redis replicas settings", - "form": true, - "hidden": { - "value": "standalone", - "path": "architecture" - }, - "properties": { - "replicaCount": { - "type": "integer", - "form": true, - "title": "Number of Redis replicas" - }, - "persistence": { - "type": "object", - "title": "Persistence for Redis replicas", - "form": true, - "properties": { - "enabled": { - "type": "boolean", - "form": true, - "title": "Enable persistence", - "description": "Enable persistence using Persistent Volume Claims" - }, - "size": { - "type": "string", - "title": "Persistent Volume Size", - "form": true, - "render": "slider", - "sliderMin": 1, - "sliderMax": 100, - "sliderUnit": "Gi", - "hidden": { - "value": false, - "path": "replica/persistence/enabled" - } - } - } - } - } - }, - "volumePermissions": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "form": true, - "title": "Enable Init Containers", - "description": "Use an init container to set required folder permissions on the data volume before mounting it in the final destination" - } - } - }, - "metrics": { - "type": "object", - "form": true, - "title": "Prometheus metrics details", - "properties": { - "enabled": { - "type": "boolean", - "title": "Create Prometheus metrics exporter", - "description": "Create a side-car container to expose Prometheus metrics", - "form": true - }, - "serviceMonitor": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "title": "Create Prometheus Operator ServiceMonitor", - "description": "Create a ServiceMonitor to track metrics using Prometheus Operator", - "form": true, - "hidden": { - "value": false, - "path": "metrics/enabled" - } - } - } - } - } - } - } -} diff --git a/charts/redis/values.yaml b/charts/redis/values.yaml deleted file mode 100644 index 84640d5b..00000000 --- a/charts/redis/values.yaml +++ /dev/null @@ -1,1377 +0,0 @@ -## @section Global parameters -## Global Docker image parameters -## Please, note that this will override the image parameters, including dependencies, configured to use the global value -## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass -## - -## @param global.imageRegistry Global Docker image registry -## @param global.imagePullSecrets Global Docker registry secret names as an array -## @param global.storageClass Global StorageClass for Persistent Volume(s) -## @param global.redis.password Global Redis™ password (overrides `auth.password`) -## -global: - imageRegistry: "" - ## E.g. - ## imagePullSecrets: - ## - myRegistryKeySecretName - ## - imagePullSecrets: [] - storageClass: "" - redis: - password: "" - -## @section Common parameters -## - -## @param kubeVersion Override Kubernetes version -## -kubeVersion: "" -## @param nameOverride String to partially override common.names.fullname -## -nameOverride: "" -## @param fullnameOverride String to fully override common.names.fullname -## -fullnameOverride: "" -## @param commonLabels Labels to add to all deployed objects -## -commonLabels: {} -## @param commonAnnotations Annotations to add to all deployed objects -## -commonAnnotations: {} -## @param clusterDomain Kubernetes cluster domain name -## -clusterDomain: cluster.local -## @param extraDeploy Array of extra objects to deploy with the release -## -extraDeploy: [] - -## Enable diagnostic mode in the deployment -## -diagnosticMode: - ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) - ## - enabled: false - ## @param diagnosticMode.command Command to override all containers in the deployment - ## - command: - - sleep - ## @param diagnosticMode.args Args to override all containers in the deployment - ## - args: - - infinity - -## @section Redis™ Image parameters -## - -## Bitnami Redis™ image -## ref: https://hub.docker.com/r/bitnami/redis/tags/ -## @param image.registry Redis™ image registry -## @param image.repository Redis™ image repository -## @param image.tag Redis™ image tag (immutable tags are recommended) -## @param image.pullPolicy Redis™ image pull policy -## @param image.pullSecrets Redis™ image pull secrets -## @param image.debug Enable image debug mode -## -image: - registry: docker.io - repository: bitnami/redis - tag: 6.2.6-debian-10-r97 - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Enable debug mode - ## - debug: false - -## @section Redis™ common configuration parameters -## https://github.com/bitnami/bitnami-docker-redis#configuration -## - -## @param architecture Redis™ architecture. Allowed values: `standalone` or `replication` -## -architecture: replication -## Redis™ Authentication parameters -## ref: https://github.com/bitnami/bitnami-docker-redis#setting-the-server-password-on-first-run -## -auth: - ## @param auth.enabled Enable password authentication - ## - enabled: true - ## @param auth.sentinel Enable password authentication on sentinels too - ## - sentinel: true - ## @param auth.password Redis™ password - ## Defaults to a random 10-character alphanumeric string if not set - ## - password: "" - ## @param auth.existingSecret The name of an existing secret with Redis™ credentials - ## NOTE: When it's set, the previous `auth.password` parameter is ignored - ## - existingSecret: "" - ## @param auth.existingSecretPasswordKey Password key to be retrieved from existing secret - ## NOTE: ignored unless `auth.existingSecret` parameter is set - ## - existingSecretPasswordKey: "" - ## @param auth.usePasswordFiles Mount credentials as files instead of using an environment variable - ## - usePasswordFiles: false -## @param commonConfiguration [string] Common configuration to be added into the ConfigMap -## ref: https://redis.io/topics/config -## -commonConfiguration: |- - # Enable AOF https://redis.io/topics/persistence#append-only-file - appendonly yes - # Disable RDB persistence, AOF persistence already enabled. - save "" -## @param existingConfigmap The name of an existing ConfigMap with your custom configuration for Redis™ nodes -## -existingConfigmap: "" - -## @section Redis™ master configuration parameters -## - -master: - ## @param master.configuration Configuration for Redis™ master nodes - ## ref: https://redis.io/topics/config - ## - configuration: "" - ## @param master.disableCommands Array with Redis™ commands to disable on master nodes - ## Commands will be completely disabled by renaming each to an empty string. - ## ref: https://redis.io/topics/security#disabling-of-specific-commands - ## - disableCommands: - - FLUSHDB - - FLUSHALL - ## @param master.command Override default container command (useful when using custom images) - ## - command: [] - ## @param master.args Override default container args (useful when using custom images) - ## - args: [] - ## @param master.preExecCmds Additional commands to run prior to starting Redis™ master - ## - preExecCmds: [] - ## @param master.extraFlags Array with additional command line flags for Redis™ master - ## e.g: - ## extraFlags: - ## - "--maxmemory-policy volatile-ttl" - ## - "--repl-backlog-size 1024mb" - ## - extraFlags: [] - ## @param master.extraEnvVars Array with extra environment variables to add to Redis™ master nodes - ## e.g: - ## extraEnvVars: - ## - name: FOO - ## value: "bar" - ## - extraEnvVars: [] - ## @param master.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Redis™ master nodes - ## - extraEnvVarsCM: "" - ## @param master.extraEnvVarsSecret Name of existing Secret containing extra env vars for Redis™ master nodes - ## - extraEnvVarsSecret: "" - ## @param master.containerPort Container port to open on Redis™ master nodes - ## - containerPort: 6379 - ## Configure extra options for Redis™ containers' liveness and readiness probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes - ## @param master.livenessProbe.enabled Enable livenessProbe on Redis™ master nodes - ## @param master.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe - ## @param master.livenessProbe.periodSeconds Period seconds for livenessProbe - ## @param master.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe - ## @param master.livenessProbe.failureThreshold Failure threshold for livenessProbe - ## @param master.livenessProbe.successThreshold Success threshold for livenessProbe - ## - livenessProbe: - enabled: true - initialDelaySeconds: 20 - periodSeconds: 5 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - ## @param master.readinessProbe.enabled Enable readinessProbe on Redis™ master nodes - ## @param master.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe - ## @param master.readinessProbe.periodSeconds Period seconds for readinessProbe - ## @param master.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe - ## @param master.readinessProbe.failureThreshold Failure threshold for readinessProbe - ## @param master.readinessProbe.successThreshold Success threshold for readinessProbe - ## - readinessProbe: - enabled: true - initialDelaySeconds: 20 - periodSeconds: 5 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 5 - ## @param master.customLivenessProbe Custom livenessProbe that overrides the default one - ## - customLivenessProbe: {} - ## @param master.customReadinessProbe Custom readinessProbe that overrides the default one - ## - customReadinessProbe: {} - ## Redis™ master resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param master.resources.limits The resources limits for the Redis™ master containers - ## @param master.resources.requests The requested resources for the Redis™ master containers - ## - resources: - limits: {} - requests: {} - ## Configure Pods Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - ## @param master.podSecurityContext.enabled Enabled Redis™ master pods' Security Context - ## @param master.podSecurityContext.fsGroup Set Redis™ master pod's Security Context fsGroup - ## - podSecurityContext: - enabled: true - fsGroup: 1001 - ## Configure Container Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - ## @param master.containerSecurityContext.enabled Enabled Redis™ master containers' Security Context - ## @param master.containerSecurityContext.runAsUser Set Redis™ master containers' Security Context runAsUser - ## - containerSecurityContext: - enabled: true - runAsUser: 1001 - ## @param master.schedulerName Alternate scheduler for Redis™ master pods - ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ - ## - schedulerName: "" - ## @param master.updateStrategy.type Redis™ master statefulset strategy type - ## @skip master.updateStrategy.rollingUpdate - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies - ## - updateStrategy: - ## StrategyType - ## Can be set to RollingUpdate or OnDelete - ## - type: RollingUpdate - rollingUpdate: {} - ## @param master.priorityClassName Redis™ master pods' priorityClassName - ## - priorityClassName: "" - ## @param master.hostAliases Redis™ master pods host aliases - ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - ## - hostAliases: [] - ## @param master.podLabels Extra labels for Redis™ master pods - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - ## - podLabels: {} - ## @param master.podAnnotations Annotations for Redis™ master pods - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - ## - podAnnotations: {} - ## @param master.shareProcessNamespace Share a single process namespace between all of the containers in Redis™ master pods - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ - ## - shareProcessNamespace: false - ## @param master.podAffinityPreset Pod affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAffinityPreset: "" - ## @param master.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAntiAffinityPreset: soft - ## Node master.affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - ## - nodeAffinityPreset: - ## @param master.nodeAffinityPreset.type Node affinity preset type. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard` - ## - type: "" - ## @param master.nodeAffinityPreset.key Node label key to match. Ignored if `master.affinity` is set - ## - key: "" - ## @param master.nodeAffinityPreset.values Node label values to match. Ignored if `master.affinity` is set - ## E.g. - ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - ## @param master.affinity Affinity for Redis™ master pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## NOTE: `master.podAffinityPreset`, `master.podAntiAffinityPreset`, and `master.nodeAffinityPreset` will be ignored when it's set - ## - affinity: {} - ## @param master.nodeSelector Node labels for Redis™ master pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - ## @param master.tolerations Tolerations for Redis™ master pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - tolerations: [] - ## @param master.spreadConstraints [array] Spread Constraints for Redis™ master pod assignment - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - ## E.g. - ## spreadConstraints: - ## - maxSkew: 1 - ## topologyKey: node - ## whenUnsatisfiable: DoNotSchedule - ## - spreadConstraints: [] - ## @param master.lifecycleHooks for the Redis™ master container(s) to automate configuration before or after startup - ## - lifecycleHooks: {} - ## @param master.extraVolumes Optionally specify extra list of additional volumes for the Redis™ master pod(s) - ## - extraVolumes: [] - ## @param master.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis™ master container(s) - ## - extraVolumeMounts: [] - ## @param master.sidecars Add additional sidecar containers to the Redis™ master pod(s) - ## e.g: - ## sidecars: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 - ## - sidecars: [] - ## @param master.initContainers Add additional init containers to the Redis™ master pod(s) - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ - ## e.g: - ## initContainers: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## command: ['sh', '-c', 'echo "hello world"'] - ## - initContainers: [] - ## Persistence parameters - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ - ## - persistence: - ## @param master.persistence.enabled Enable persistence on Redis™ master nodes using Persistent Volume Claims - ## - enabled: true - ## @param master.persistence.medium Provide a medium for `emptyDir` volumes. - ## - medium: "" - ## @param master.persistence.path The path the volume will be mounted at on Redis™ master containers - ## NOTE: Useful when using different Redis™ images - ## - path: /data - ## @param master.persistence.subPath The subdirectory of the volume to mount on Redis™ master containers - ## NOTE: Useful in dev environments - ## - subPath: "" - ## @param master.persistence.storageClass Persistent Volume storage class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner - ## - storageClass: "" - ## @param master.persistence.accessModes Persistent Volume access modes - ## - accessModes: - - ReadWriteOnce - ## @param master.persistence.size Persistent Volume size - ## - size: 8Gi - ## @param master.persistence.annotations Additional custom annotations for the PVC - ## - annotations: {} - ## @param master.persistence.selector Additional labels to match for the PVC - ## e.g: - ## selector: - ## matchLabels: - ## app: my-app - ## - selector: {} - ## @param master.persistence.dataSource Custom PVC data source - dataSource: {} - ## @param master.persistence.existingClaim Use a existing PVC which must be created manually before bound - ## NOTE: requires master.persistence.enabled: true - ## - existingClaim: "" - ## Redis™ master service parameters - ## - service: - ## @param master.service.type Redis™ master service type - ## - type: ClusterIP - ## @param master.service.port Redis™ master service port - ## - port: 6379 - ## @param master.service.nodePort Node port for Redis™ master - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## NOTE: choose port between <30000-32767> - ## - nodePort: "" - ## @param master.service.externalTrafficPolicy Redis™ master service external traffic policy - ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - ## @param master.service.clusterIP Redis™ master service Cluster IP - ## - clusterIP: "" - ## @param master.service.loadBalancerIP Redis™ master service Load Balancer IP - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - loadBalancerIP: "" - ## @param master.service.loadBalancerSourceRanges Redis™ master service Load Balancer sources - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## e.g. - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - ## - loadBalancerSourceRanges: [] - ## @param master.service.annotations Additional custom annotations for Redis™ master service - ## - annotations: {} - ## @param master.terminationGracePeriodSeconds Integer setting the termination grace period for the redis-master pods - ## - terminationGracePeriodSeconds: 30 - -## @section Redis™ replicas configuration parameters -## - -replica: - ## @param replica.replicaCount Number of Redis™ replicas to deploy - ## - replicaCount: 3 - ## @param replica.configuration Configuration for Redis™ replicas nodes - ## ref: https://redis.io/topics/config - ## - configuration: "" - ## @param replica.disableCommands Array with Redis™ commands to disable on replicas nodes - ## Commands will be completely disabled by renaming each to an empty string. - ## ref: https://redis.io/topics/security#disabling-of-specific-commands - ## - disableCommands: - - FLUSHDB - - FLUSHALL - ## @param replica.command Override default container command (useful when using custom images) - ## - command: [] - ## @param replica.args Override default container args (useful when using custom images) - ## - args: [] - ## @param replica.preExecCmds Additional commands to run prior to starting Redis™ replicas - ## - preExecCmds: [] - ## @param replica.extraFlags Array with additional command line flags for Redis™ replicas - ## e.g: - ## extraFlags: - ## - "--maxmemory-policy volatile-ttl" - ## - "--repl-backlog-size 1024mb" - ## - extraFlags: [] - ## @param replica.extraEnvVars Array with extra environment variables to add to Redis™ replicas nodes - ## e.g: - ## extraEnvVars: - ## - name: FOO - ## value: "bar" - ## - extraEnvVars: [] - ## @param replica.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Redis™ replicas nodes - ## - extraEnvVarsCM: "" - ## @param replica.extraEnvVarsSecret Name of existing Secret containing extra env vars for Redis™ replicas nodes - ## - extraEnvVarsSecret: "" - ## @param replica.containerPort Container port to open on Redis™ replicas nodes - ## - containerPort: 6379 - ## Configure extra options for Redis™ containers' liveness and readiness probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes - ## @param replica.livenessProbe.enabled Enable livenessProbe on Redis™ replicas nodes - ## @param replica.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe - ## @param replica.livenessProbe.periodSeconds Period seconds for livenessProbe - ## @param replica.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe - ## @param replica.livenessProbe.failureThreshold Failure threshold for livenessProbe - ## @param replica.livenessProbe.successThreshold Success threshold for livenessProbe - ## - livenessProbe: - enabled: true - initialDelaySeconds: 20 - periodSeconds: 5 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - ## @param replica.readinessProbe.enabled Enable readinessProbe on Redis™ replicas nodes - ## @param replica.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe - ## @param replica.readinessProbe.periodSeconds Period seconds for readinessProbe - ## @param replica.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe - ## @param replica.readinessProbe.failureThreshold Failure threshold for readinessProbe - ## @param replica.readinessProbe.successThreshold Success threshold for readinessProbe - ## - readinessProbe: - enabled: true - initialDelaySeconds: 20 - periodSeconds: 5 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 5 - ## @param replica.customLivenessProbe Custom livenessProbe that overrides the default one - ## - customLivenessProbe: {} - ## @param replica.customReadinessProbe Custom readinessProbe that overrides the default one - ## - customReadinessProbe: {} - ## Redis™ replicas resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param replica.resources.limits The resources limits for the Redis™ replicas containers - ## @param replica.resources.requests The requested resources for the Redis™ replicas containers - ## - resources: - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - limits: {} - # cpu: 250m - # memory: 256Mi - requests: {} - # cpu: 250m - # memory: 256Mi - ## Configure Pods Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - ## @param replica.podSecurityContext.enabled Enabled Redis™ replicas pods' Security Context - ## @param replica.podSecurityContext.fsGroup Set Redis™ replicas pod's Security Context fsGroup - ## - podSecurityContext: - enabled: true - fsGroup: 1001 - ## Configure Container Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - ## @param replica.containerSecurityContext.enabled Enabled Redis™ replicas containers' Security Context - ## @param replica.containerSecurityContext.runAsUser Set Redis™ replicas containers' Security Context runAsUser - ## - containerSecurityContext: - enabled: true - runAsUser: 1001 - ## @param replica.schedulerName Alternate scheduler for Redis™ replicas pods - ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ - ## - schedulerName: "" - ## @param replica.updateStrategy.type Redis™ replicas statefulset strategy type - ## @skip replica.updateStrategy.rollingUpdate - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies - ## - updateStrategy: - ## StrategyType - ## Can be set to RollingUpdate or OnDelete - ## - type: RollingUpdate - rollingUpdate: {} - ## @param replica.priorityClassName Redis™ replicas pods' priorityClassName - ## - priorityClassName: "" - ## @param replica.hostAliases Redis™ replicas pods host aliases - ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - ## - hostAliases: [] - ## @param replica.podLabels Extra labels for Redis™ replicas pods - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - ## - podLabels: {} - ## @param replica.podAnnotations Annotations for Redis™ replicas pods - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - ## - podAnnotations: {} - ## @param replica.shareProcessNamespace Share a single process namespace between all of the containers in Redis™ replicas pods - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ - ## - shareProcessNamespace: false - ## @param replica.podAffinityPreset Pod affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAffinityPreset: "" - ## @param replica.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## - podAntiAffinityPreset: soft - ## Node affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - ## - nodeAffinityPreset: - ## @param replica.nodeAffinityPreset.type Node affinity preset type. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` - ## - type: "" - ## @param replica.nodeAffinityPreset.key Node label key to match. Ignored if `replica.affinity` is set - ## - key: "" - ## @param replica.nodeAffinityPreset.values Node label values to match. Ignored if `replica.affinity` is set - ## E.g. - ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - ## @param replica.affinity Affinity for Redis™ replicas pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## NOTE: `replica.podAffinityPreset`, `replica.podAntiAffinityPreset`, and `replica.nodeAffinityPreset` will be ignored when it's set - ## - affinity: {} - ## @param replica.nodeSelector Node labels for Redis™ replicas pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - ## @param replica.tolerations Tolerations for Redis™ replicas pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - tolerations: [] - ## @param replica.spreadConstraints [array] Spread Constraints for Redis™ replicas pod assignment - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - ## E.g. - ## spreadConstraints: - ## - maxSkew: 1 - ## topologyKey: node - ## whenUnsatisfiable: DoNotSchedule - ## - spreadConstraints: [] - ## @param replica.lifecycleHooks for the Redis™ replica container(s) to automate configuration before or after startup - ## - lifecycleHooks: {} - ## @param replica.extraVolumes Optionally specify extra list of additional volumes for the Redis™ replicas pod(s) - ## - extraVolumes: [] - ## @param replica.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis™ replicas container(s) - ## - extraVolumeMounts: [] - ## @param replica.sidecars Add additional sidecar containers to the Redis™ replicas pod(s) - ## e.g: - ## sidecars: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 - ## - sidecars: [] - ## @param replica.initContainers Add additional init containers to the Redis™ replicas pod(s) - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ - ## e.g: - ## initContainers: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## command: ['sh', '-c', 'echo "hello world"'] - ## - initContainers: [] - ## Persistence Parameters - ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ - ## - persistence: - ## @param replica.persistence.enabled Enable persistence on Redis™ replicas nodes using Persistent Volume Claims - ## - enabled: true - ## @param replica.persistence.medium Provide a medium for `emptyDir` volumes. - ## - medium: "" - ## @param replica.persistence.path The path the volume will be mounted at on Redis™ replicas containers - ## NOTE: Useful when using different Redis™ images - ## - path: /data - ## @param replica.persistence.subPath The subdirectory of the volume to mount on Redis™ replicas containers - ## NOTE: Useful in dev environments - ## - subPath: "" - ## @param replica.persistence.storageClass Persistent Volume storage class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner - ## - storageClass: "" - ## @param replica.persistence.accessModes Persistent Volume access modes - ## - accessModes: - - ReadWriteOnce - ## @param replica.persistence.size Persistent Volume size - ## - size: 8Gi - ## @param replica.persistence.annotations Additional custom annotations for the PVC - ## - annotations: {} - ## @param replica.persistence.selector Additional labels to match for the PVC - ## e.g: - ## selector: - ## matchLabels: - ## app: my-app - ## - selector: {} - ## @param replica.persistence.dataSource Custom PVC data source - dataSource: {} - ## Redis™ replicas service parameters - ## - service: - ## @param replica.service.type Redis™ replicas service type - ## - type: ClusterIP - ## @param replica.service.port Redis™ replicas service port - ## - port: 6379 - ## @param replica.service.nodePort Node port for Redis™ replicas - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## NOTE: choose port between <30000-32767> - ## - nodePort: "" - ## @param replica.service.externalTrafficPolicy Redis™ replicas service external traffic policy - ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - ## @param replica.service.clusterIP Redis™ replicas service Cluster IP - ## - clusterIP: "" - ## @param replica.service.loadBalancerIP Redis™ replicas service Load Balancer IP - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - loadBalancerIP: "" - ## @param replica.service.loadBalancerSourceRanges Redis™ replicas service Load Balancer sources - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## e.g. - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - ## - loadBalancerSourceRanges: [] - ## @param replica.service.annotations Additional custom annotations for Redis™ replicas service - ## - annotations: {} - ## @param replica.terminationGracePeriodSeconds Integer setting the termination grace period for the redis-replicas pods - ## - terminationGracePeriodSeconds: 30 - ## Autoscaling configuration - ## - autoscaling: - ## @param replica.autoscaling.enabled Enable replica autoscaling settings - ## - enabled: false - ## @param replica.autoscaling.minReplicas Minimum replicas for the pod autoscaling - ## - minReplicas: 1 - ## @param replica.autoscaling.maxReplicas Maximum replicas for the pod autoscaling - ## - maxReplicas: 11 - ## @param replica.autoscaling.targetCPU Percentage of CPU to consider when autoscaling - ## - targetCPU: "" - ## @param replica.autoscaling.targetMemory Percentage of Memory to consider when autoscaling - ## - targetMemory: "" - -## @section Redis™ Sentinel configuration parameters -## - -sentinel: - ## @param sentinel.enabled Use Redis™ Sentinel on Redis™ pods. - ## IMPORTANT: this will disable the master and replicas services and - ## create a single Redis™ service exposing both the Redis and Sentinel ports - ## - enabled: false - ## Bitnami Redis™ Sentinel image version - ## ref: https://hub.docker.com/r/bitnami/redis-sentinel/tags/ - ## @param sentinel.image.registry Redis™ Sentinel image registry - ## @param sentinel.image.repository Redis™ Sentinel image repository - ## @param sentinel.image.tag Redis™ Sentinel image tag (immutable tags are recommended) - ## @param sentinel.image.pullPolicy Redis™ Sentinel image pull policy - ## @param sentinel.image.pullSecrets Redis™ Sentinel image pull secrets - ## @param sentinel.image.debug Enable image debug mode - ## - image: - registry: docker.io - repository: bitnami/redis-sentinel - tag: 6.2.6-debian-10-r95 - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Enable debug mode - ## - debug: false - ## @param sentinel.masterSet Master set name - ## - masterSet: mymaster - ## @param sentinel.quorum Sentinel Quorum - ## - quorum: 2 - ## @param sentinel.automateClusterRecovery Automate cluster recovery in cases where the last replica is not considered a good replica and Sentinel won't automatically failover to it. - ## This also prevents any new replica from starting until the last remaining replica is elected as master to guarantee that it is the one to be elected by Sentinel, and not a newly started replica with no data. - ## NOTE: This feature requires a "downAfterMilliseconds" value less or equal to 2000. - ## - automateClusterRecovery: false - ## Sentinel timing restrictions - ## @param sentinel.downAfterMilliseconds Timeout for detecting a Redis™ node is down - ## @param sentinel.failoverTimeout Timeout for performing a election failover - ## - downAfterMilliseconds: 60000 - failoverTimeout: 18000 - ## @param sentinel.parallelSyncs Number of replicas that can be reconfigured in parallel to use the new master after a failover - ## - parallelSyncs: 1 - ## @param sentinel.configuration Configuration for Redis™ Sentinel nodes - ## ref: https://redis.io/topics/sentinel - ## - configuration: "" - ## @param sentinel.command Override default container command (useful when using custom images) - ## - command: [] - ## @param sentinel.args Override default container args (useful when using custom images) - ## - args: [] - ## @param sentinel.preExecCmds Additional commands to run prior to starting Redis™ Sentinel - ## - preExecCmds: [] - ## @param sentinel.extraEnvVars Array with extra environment variables to add to Redis™ Sentinel nodes - ## e.g: - ## extraEnvVars: - ## - name: FOO - ## value: "bar" - ## - extraEnvVars: [] - ## @param sentinel.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Redis™ Sentinel nodes - ## - extraEnvVarsCM: "" - ## @param sentinel.extraEnvVarsSecret Name of existing Secret containing extra env vars for Redis™ Sentinel nodes - ## - extraEnvVarsSecret: "" - ## @param sentinel.containerPort Container port to open on Redis™ Sentinel nodes - ## - containerPort: 26379 - ## Configure extra options for Redis™ containers' liveness and readiness probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes - ## @param sentinel.livenessProbe.enabled Enable livenessProbe on Redis™ Sentinel nodes - ## @param sentinel.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe - ## @param sentinel.livenessProbe.periodSeconds Period seconds for livenessProbe - ## @param sentinel.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe - ## @param sentinel.livenessProbe.failureThreshold Failure threshold for livenessProbe - ## @param sentinel.livenessProbe.successThreshold Success threshold for livenessProbe - ## - livenessProbe: - enabled: true - initialDelaySeconds: 20 - periodSeconds: 5 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - ## @param sentinel.readinessProbe.enabled Enable readinessProbe on Redis™ Sentinel nodes - ## @param sentinel.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe - ## @param sentinel.readinessProbe.periodSeconds Period seconds for readinessProbe - ## @param sentinel.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe - ## @param sentinel.readinessProbe.failureThreshold Failure threshold for readinessProbe - ## @param sentinel.readinessProbe.successThreshold Success threshold for readinessProbe - ## - readinessProbe: - enabled: true - initialDelaySeconds: 20 - periodSeconds: 5 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 5 - ## @param sentinel.customLivenessProbe Custom livenessProbe that overrides the default one - ## - customLivenessProbe: {} - ## @param sentinel.customReadinessProbe Custom readinessProbe that overrides the default one - ## - customReadinessProbe: {} - ## Redis™ Sentinel resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param sentinel.resources.limits The resources limits for the Redis™ Sentinel containers - ## @param sentinel.resources.requests The requested resources for the Redis™ Sentinel containers - ## - resources: - limits: {} - requests: {} - ## Configure Container Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - ## @param sentinel.containerSecurityContext.enabled Enabled Redis™ Sentinel containers' Security Context - ## @param sentinel.containerSecurityContext.runAsUser Set Redis™ Sentinel containers' Security Context runAsUser - ## - containerSecurityContext: - enabled: true - runAsUser: 1001 - ## @param sentinel.lifecycleHooks for the Redis™ sentinel container(s) to automate configuration before or after startup - ## - lifecycleHooks: {} - ## @param sentinel.extraVolumes Optionally specify extra list of additional volumes for the Redis™ Sentinel - ## - extraVolumes: [] - ## @param sentinel.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis™ Sentinel container(s) - ## - extraVolumeMounts: [] - ## Redis™ Sentinel service parameters - ## - service: - ## @param sentinel.service.type Redis™ Sentinel service type - ## - type: ClusterIP - ## @param sentinel.service.port Redis™ service port for Redis™ - ## - port: 6379 - ## @param sentinel.service.sentinelPort Redis™ service port for Sentinel - ## - sentinelPort: 26379 - ## @param sentinel.service.nodePorts.redis Node port for Redis™ - ## @param sentinel.service.nodePorts.sentinel Node port for Sentinel - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## NOTE: choose port between <30000-32767> - ## NOTE: By leaving these values blank, they will be generated by ports-configmap - ## If setting manually, please leave at least replica.replicaCount + 1 in between sentinel.service.nodePorts.redis and sentinel.service.nodePorts.sentinel to take into account the ports that will be created while incrementing that base port - ## - nodePorts: - redis: "" - sentinel: "" - ## @param sentinel.service.externalTrafficPolicy Redis™ Sentinel service external traffic policy - ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - ## @param sentinel.service.clusterIP Redis™ Sentinel service Cluster IP - ## - clusterIP: "" - ## @param sentinel.service.loadBalancerIP Redis™ Sentinel service Load Balancer IP - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - loadBalancerIP: "" - ## @param sentinel.service.loadBalancerSourceRanges Redis™ Sentinel service Load Balancer sources - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## e.g. - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - ## - loadBalancerSourceRanges: [] - ## @param sentinel.service.annotations Additional custom annotations for Redis™ Sentinel service - ## - annotations: {} - ## @param sentinel.terminationGracePeriodSeconds Integer setting the termination grace period for the redis-node pods - ## - terminationGracePeriodSeconds: 30 - -## @section Other Parameters -## - -## Network Policy configuration -## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ -## -networkPolicy: - ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources - ## - enabled: false - ## @param networkPolicy.allowExternal Don't require client label for connections - ## When set to false, only pods with the correct client label will have network access to the ports - ## Redis™ is listening on. When true, Redis™ will accept connections from any source - ## (with the correct destination port). - ## - allowExternal: true - ## @param networkPolicy.extraIngress Add extra ingress rules to the NetworkPolicy - ## e.g: - ## extraIngress: - ## - ports: - ## - port: 1234 - ## from: - ## - podSelector: - ## - matchLabels: - ## - role: frontend - ## - podSelector: - ## - matchExpressions: - ## - key: role - ## operator: In - ## values: - ## - frontend - ## - extraIngress: [] - ## @param networkPolicy.extraEgress Add extra ingress rules to the NetworkPolicy - ## e.g: - ## extraEgress: - ## - ports: - ## - port: 1234 - ## to: - ## - podSelector: - ## - matchLabels: - ## - role: frontend - ## - podSelector: - ## - matchExpressions: - ## - key: role - ## operator: In - ## values: - ## - frontend - ## - extraEgress: [] - ## @param networkPolicy.ingressNSMatchLabels Labels to match to allow traffic from other namespaces - ## @param networkPolicy.ingressNSPodMatchLabels Pod labels to match to allow traffic from other namespaces - ## - ingressNSMatchLabels: {} - ingressNSPodMatchLabels: {} -## PodSecurityPolicy configuration -## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ -## -podSecurityPolicy: - ## @param podSecurityPolicy.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later - ## - create: false - ## @param podSecurityPolicy.enabled Enable PodSecurityPolicy's RBAC rules - ## - enabled: false -## RBAC configuration -## -rbac: - ## @param rbac.create Specifies whether RBAC resources should be created - ## - create: false - ## @param rbac.rules Custom RBAC rules to set - ## e.g: - ## rules: - ## - apiGroups: - ## - "" - ## resources: - ## - pods - ## verbs: - ## - get - ## - list - ## - rules: [] -## ServiceAccount configuration -## -serviceAccount: - ## @param serviceAccount.create Specifies whether a ServiceAccount should be created - ## - create: true - ## @param serviceAccount.name The name of the ServiceAccount to use. - ## If not set and create is true, a name is generated using the common.names.fullname template - ## - name: "" - ## @param serviceAccount.automountServiceAccountToken Whether to auto mount the service account token - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server - ## - automountServiceAccountToken: true - ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount - ## - annotations: {} -## Redis™ Pod Disruption Budget configuration -## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ -## -pdb: - ## @param pdb.create Specifies whether a PodDisruptionBudget should be created - ## - create: false - ## @param pdb.minAvailable Min number of pods that must still be available after the eviction - ## - minAvailable: 1 - ## @param pdb.maxUnavailable Max number of pods that can be unavailable after the eviction - ## - maxUnavailable: "" -## TLS configuration -## -tls: - ## @param tls.enabled Enable TLS traffic - ## - enabled: false - ## @param tls.authClients Require clients to authenticate - ## - authClients: true - ## @param tls.autoGenerated Enable autogenerated certificates - ## - autoGenerated: false - ## @param tls.existingSecret The name of the existing secret that contains the TLS certificates - ## - existingSecret: "" - ## @param tls.certificatesSecret DEPRECATED. Use existingSecret instead. - ## - certificatesSecret: "" - ## @param tls.certFilename Certificate filename - ## - certFilename: "" - ## @param tls.certKeyFilename Certificate Key filename - ## - certKeyFilename: "" - ## @param tls.certCAFilename CA Certificate filename - ## - certCAFilename: "" - ## @param tls.dhParamsFilename File containing DH params (in order to support DH based ciphers) - ## - dhParamsFilename: "" - -## @section Metrics Parameters -## - -metrics: - ## @param metrics.enabled Start a sidecar prometheus exporter to expose Redis™ metrics - ## - enabled: false - ## Bitnami Redis™ Exporter image - ## ref: https://hub.docker.com/r/bitnami/redis-exporter/tags/ - ## @param metrics.image.registry Redis™ Exporter image registry - ## @param metrics.image.repository Redis™ Exporter image repository - ## @param metrics.image.tag Redis™ Redis™ Exporter image tag (immutable tags are recommended) - ## @param metrics.image.pullPolicy Redis™ Exporter image pull policy - ## @param metrics.image.pullSecrets Redis™ Exporter image pull secrets - ## - image: - registry: docker.io - repository: bitnami/redis-exporter - tag: 1.33.0-debian-10-r21 - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## @param metrics.redisTargetHost A way to specify an alternative Redis™ hostname - ## Useful for certificate CN/SAN matching - ## - redisTargetHost: "localhost" - ## @param metrics.extraArgs Extra arguments for Redis™ exporter, for example: - ## e.g.: - ## extraArgs: - ## check-keys: myKey,myOtherKey - ## - extraArgs: {} - ## Configure Container Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - ## @param metrics.containerSecurityContext.enabled Enabled Redis™ exporter containers' Security Context - ## @param metrics.containerSecurityContext.runAsUser Set Redis™ exporter containers' Security Context runAsUser - ## - containerSecurityContext: - enabled: true - runAsUser: 1001 - ## @param metrics.extraVolumes Optionally specify extra list of additional volumes for the Redis™ metrics sidecar - ## - extraVolumes: [] - ## @param metrics.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis™ metrics sidecar - ## - extraVolumeMounts: [] - ## Redis™ exporter resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param metrics.resources.limits The resources limits for the Redis™ exporter container - ## @param metrics.resources.requests The requested resources for the Redis™ exporter container - ## - resources: - limits: {} - requests: {} - ## @param metrics.podLabels Extra labels for Redis™ exporter pods - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - ## - podLabels: {} - ## @param metrics.podAnnotations [object] Annotations for Redis™ exporter pods - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - ## - podAnnotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9121" - ## Redis™ exporter service parameters - ## - service: - ## @param metrics.service.type Redis™ exporter service type - ## - type: ClusterIP - ## @param metrics.service.port Redis™ exporter service port - ## - port: 9121 - ## @param metrics.service.externalTrafficPolicy Redis™ exporter service external traffic policy - ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - ## @param metrics.service.loadBalancerIP Redis™ exporter service Load Balancer IP - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - loadBalancerIP: "" - ## @param metrics.service.loadBalancerSourceRanges Redis™ exporter service Load Balancer sources - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## e.g. - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - ## - loadBalancerSourceRanges: [] - ## @param metrics.service.annotations Additional custom annotations for Redis™ exporter service - ## - annotations: {} - ## Prometheus Service Monitor - ## ref: https://github.com/coreos/prometheus-operator - ## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint - ## - serviceMonitor: - ## @param metrics.serviceMonitor.enabled Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator - ## - enabled: false - ## @param metrics.serviceMonitor.namespace The namespace in which the ServiceMonitor will be created - ## - namespace: "" - ## @param metrics.serviceMonitor.interval The interval at which metrics should be scraped - ## - interval: 30s - ## @param metrics.serviceMonitor.scrapeTimeout The timeout after which the scrape is ended - ## - scrapeTimeout: "" - ## @param metrics.serviceMonitor.relabellings Metrics RelabelConfigs to apply to samples before scraping. - ## - relabellings: [] - ## @param metrics.serviceMonitor.metricRelabelings Metrics RelabelConfigs to apply to samples before ingestion. - ## - metricRelabelings: [] - ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint - ## - honorLabels: false - ## @param metrics.serviceMonitor.additionalLabels Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus - ## - additionalLabels: {} - ## Custom PrometheusRule to be defined - ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions - ## - prometheusRule: - ## @param metrics.prometheusRule.enabled Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator - ## - enabled: false - ## @param metrics.prometheusRule.namespace The namespace in which the prometheusRule will be created - ## - namespace: "" - ## @param metrics.prometheusRule.additionalLabels Additional labels for the prometheusRule - ## - additionalLabels: {} - ## @param metrics.prometheusRule.rules Custom Prometheus rules - ## e.g: - ## rules: - ## - alert: RedisDown - ## expr: redis_up{service="{{ template "common.names.fullname" . }}-metrics"} == 0 - ## for: 2m - ## labels: - ## severity: error - ## annotations: - ## summary: Redis™ instance {{ "{{ $labels.instance }}" }} down - ## description: Redis™ instance {{ "{{ $labels.instance }}" }} is down - ## - alert: RedisMemoryHigh - ## expr: > - ## redis_memory_used_bytes{service="{{ template "common.names.fullname" . }}-metrics"} * 100 - ## / - ## redis_memory_max_bytes{service="{{ template "common.names.fullname" . }}-metrics"} - ## > 90 - ## for: 2m - ## labels: - ## severity: error - ## annotations: - ## summary: Redis™ instance {{ "{{ $labels.instance }}" }} is using too much memory - ## description: | - ## Redis™ instance {{ "{{ $labels.instance }}" }} is using {{ "{{ $value }}" }}% of its available memory. - ## - alert: RedisKeyEviction - ## expr: | - ## increase(redis_evicted_keys_total{service="{{ template "common.names.fullname" . }}-metrics"}[5m]) > 0 - ## for: 1s - ## labels: - ## severity: error - ## annotations: - ## summary: Redis™ instance {{ "{{ $labels.instance }}" }} has evicted keys - ## description: | - ## Redis™ instance {{ "{{ $labels.instance }}" }} has evicted {{ "{{ $value }}" }} keys in the last 5 minutes. - ## - rules: [] - -## @section Init Container Parameters -## - -## 'volumePermissions' init container parameters -## Changes the owner and group of the persistent volume mount point to runAsUser:fsGroup values -## based on the *podSecurityContext/*containerSecurityContext parameters -## -volumePermissions: - ## @param volumePermissions.enabled Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` - ## - enabled: false - ## Bitnami Shell image - ## ref: https://hub.docker.com/r/bitnami/bitnami-shell/tags/ - ## @param volumePermissions.image.registry Bitnami Shell image registry - ## @param volumePermissions.image.repository Bitnami Shell image repository - ## @param volumePermissions.image.tag Bitnami Shell image tag (immutable tags are recommended) - ## @param volumePermissions.image.pullPolicy Bitnami Shell image pull policy - ## @param volumePermissions.image.pullSecrets Bitnami Shell image pull secrets - ## - image: - registry: docker.io - repository: bitnami/bitnami-shell - tag: 10-debian-10-r307 - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Init container's resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param volumePermissions.resources.limits The resources limits for the init container - ## @param volumePermissions.resources.requests The requested resources for the init container - ## - resources: - limits: {} - requests: {} - ## Init container Container Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser - ## NOTE: when runAsUser is set to special value "auto", init container will try to chown the - ## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` - ## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed) - ## - containerSecurityContext: - runAsUser: 0 - -## init-sysctl container parameters -## used to perform sysctl operation to modify Kernel settings (needed sometimes to avoid warnings) -## -sysctl: - ## @param sysctl.enabled Enable init container to modify Kernel settings - ## - enabled: false - ## Bitnami Shell image - ## ref: https://hub.docker.com/r/bitnami/bitnami-shell/tags/ - ## @param sysctl.image.registry Bitnami Shell image registry - ## @param sysctl.image.repository Bitnami Shell image repository - ## @param sysctl.image.tag Bitnami Shell image tag (immutable tags are recommended) - ## @param sysctl.image.pullPolicy Bitnami Shell image pull policy - ## @param sysctl.image.pullSecrets Bitnami Shell image pull secrets - ## - image: - registry: docker.io - repository: bitnami/bitnami-shell - tag: 10-debian-10-r307 - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## @param sysctl.command Override default init-sysctl container command (useful when using custom images) - ## - command: [] - ## @param sysctl.mountHostSys Mount the host `/sys` folder to `/host-sys` - ## - mountHostSys: false - ## Init container's resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ - ## @param sysctl.resources.limits The resources limits for the init container - ## @param sysctl.resources.requests The requested resources for the init container - ## - resources: - limits: {} - requests: {} diff --git a/scripts/helm-docs.sh b/scripts/helm-docs.sh new file mode 100755 index 00000000..fce6e49e --- /dev/null +++ b/scripts/helm-docs.sh @@ -0,0 +1,12 @@ +#!/usr/bin/env bash +## Reference: https://github.com/norwoodj/helm-docs +set -eux +REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)" +echo "$REPO_ROOT" + +echo "Running Helm-Docs" +docker run \ + --rm \ + -v "$REPO_ROOT:/helm-docs" \ + -u $(id -u) \ + jnorwood/helm-docs:v1.12.0 diff --git a/scripts/lint.sh b/scripts/lint.sh new file mode 100755 index 00000000..dac74bdb --- /dev/null +++ b/scripts/lint.sh @@ -0,0 +1,17 @@ +#!/usr/bin/env bash +# Reference: https://github.com/helm/chart-testing +set -eux + +SRCROOT="$(cd "$(dirname "$0")/.." && pwd)" + +echo -e "\n-- Linting all Helm Charts --\n" +docker run \ + --rm \ + -v "$SRCROOT:/workdir" \ + --entrypoint /bin/sh \ + quay.io/helmpack/chart-testing:v3.10.1 \ + -c cd /workdir \ + ct lint \ + --config .github/configs/ct-lint.yaml \ + --lint-conf .github/configs/lintconf.yaml \ + --debug