From 65dfb4ef2ab302ab967045ffb6b08ef46bec4b8d Mon Sep 17 00:00:00 2001 From: Qian Date: Wed, 20 Nov 2024 13:41:30 -0500 Subject: [PATCH 1/8] updated charts --- stable/ckan/Chart.yaml | 55 +- stable/ckan/charts/datapusher/.helmignore | 23 + stable/ckan/charts/datapusher/Chart.yaml | 6 + stable/ckan/charts/datapusher/README.md | 39 + .../charts/datapusher/templates/NOTES.txt | 21 + .../charts/datapusher/templates/_helpers.tpl | 77 + .../datapusher/templates/deployment.yaml | 70 + .../templates/service-headless.yaml | 13 + .../charts/datapusher/templates/service.yaml | 15 + .../datapusher/templates/serviceaccount.yaml | 12 + stable/ckan/charts/datapusher/values.yaml | 85 + stable/ckan/charts/postgresql/.helmignore | 21 + stable/ckan/charts/postgresql/Chart.lock | 6 + stable/ckan/charts/postgresql/Chart.yaml | 29 + stable/ckan/charts/postgresql/README.md | 798 ++++++++ .../postgresql/charts/common/.helmignore | 22 + .../postgresql/charts/common/Chart.yaml | 23 + .../charts/postgresql/charts/common/README.md | 309 +++ .../charts/common/templates/_affinities.tpl | 94 + .../charts/common/templates/_capabilities.tpl | 33 + .../charts/common/templates/_errors.tpl | 20 + .../charts/common/templates/_images.tpl | 43 + .../charts/common/templates/_labels.tpl | 18 + .../charts/common/templates/_names.tpl | 32 + .../charts/common/templates/_secrets.tpl | 57 + .../charts/common/templates/_storage.tpl | 23 + .../charts/common/templates/_tplvalues.tpl | 13 + .../charts/common/templates/_utils.tpl | 45 + .../charts/common/templates/_warnings.tpl | 14 + .../templates/validations/_cassandra.tpl | 72 + .../common/templates/validations/_mariadb.tpl | 103 + .../common/templates/validations/_mongodb.tpl | 108 + .../templates/validations/_postgresql.tpl | 131 ++ .../common/templates/validations/_redis.tpl | 72 + .../templates/validations/_validations.tpl | 44 + .../postgresql/charts/common/values.yaml | 3 + .../postgresql/ci/commonAnnotations.yaml | 3 + .../charts/postgresql/ci/default-values.yaml | 1 + .../ci/shmvolume-disabled-values.yaml | 2 + stable/ckan/charts/postgresql/files/README.md | 1 + .../charts/postgresql/files/conf.d/README.md | 4 + .../docker-entrypoint-initdb.d/README.md | 3 + .../charts/postgresql/templates/NOTES.txt | 59 + .../charts/postgresql/templates/_helpers.tpl | 330 ++++ .../postgresql/templates/configmap.yaml | 26 + .../templates/extended-config-configmap.yaml | 21 + .../postgresql/templates/extra-list.yaml | 4 + .../templates/initialization-configmap.yaml | 24 + .../templates/metrics-configmap.yaml | 13 + .../postgresql/templates/metrics-svc.yaml | 25 + .../postgresql/templates/networkpolicy.yaml | 38 + .../templates/podsecuritypolicy.yaml | 37 + .../postgresql/templates/prometheusrule.yaml | 23 + .../charts/postgresql/templates/role.yaml | 19 + .../postgresql/templates/rolebinding.yaml | 19 + .../charts/postgresql/templates/secrets.yaml | 21 + .../postgresql/templates/serviceaccount.yaml | 11 + .../postgresql/templates/servicemonitor.yaml | 33 + .../templates/statefulset-readreplicas.yaml | 410 ++++ .../postgresql/templates/statefulset.yaml | 589 ++++++ .../postgresql/templates/svc-headless.yaml | 27 + .../charts/postgresql/templates/svc-read.yaml | 42 + .../ckan/charts/postgresql/templates/svc.yaml | 40 + .../charts/postgresql/values-production.yaml | 791 ++++++++ .../ckan/charts/postgresql/values.schema.json | 103 + stable/ckan/charts/postgresql/values.yaml | 813 ++++++++ stable/ckan/charts/redis/.helmignore | 21 + stable/ckan/charts/redis/Chart.lock | 6 + stable/ckan/charts/redis/Chart.yaml | 29 + stable/ckan/charts/redis/README.md | 738 +++++++ .../charts/redis/charts/common/.helmignore | 22 + .../charts/redis/charts/common/Chart.yaml | 23 + .../ckan/charts/redis/charts/common/README.md | 322 +++ .../charts/common/templates/_affinities.tpl | 94 + .../charts/common/templates/_capabilities.tpl | 95 + .../redis/charts/common/templates/_errors.tpl | 23 + .../redis/charts/common/templates/_images.tpl | 47 + .../charts/common/templates/_ingress.tpl | 42 + .../redis/charts/common/templates/_labels.tpl | 18 + .../redis/charts/common/templates/_names.tpl | 32 + .../charts/common/templates/_secrets.tpl | 129 ++ .../charts/common/templates/_storage.tpl | 23 + .../charts/common/templates/_tplvalues.tpl | 13 + .../redis/charts/common/templates/_utils.tpl | 62 + .../charts/common/templates/_warnings.tpl | 14 + .../templates/validations/_cassandra.tpl | 72 + .../common/templates/validations/_mariadb.tpl | 103 + .../common/templates/validations/_mongodb.tpl | 108 + .../templates/validations/_postgresql.tpl | 131 ++ .../common/templates/validations/_redis.tpl | 72 + .../templates/validations/_validations.tpl | 46 + .../charts/redis/charts/common/values.yaml | 3 + .../ckan/charts/redis/ci/default-values.yaml | 1 + .../charts/redis/ci/extra-flags-values.yaml | 11 + .../redis/ci/production-sentinel-values.yaml | 682 +++++++ .../redis/img/redis-cluster-topology.png | Bin 0 -> 11448 bytes .../ckan/charts/redis/img/redis-topology.png | Bin 0 -> 9709 bytes stable/ckan/charts/redis/templates/NOTES.txt | 136 ++ .../ckan/charts/redis/templates/_helpers.tpl | 445 +++++ .../redis/templates/configmap-scripts.yaml | 430 ++++ .../charts/redis/templates/configmap.yaml | 53 + .../charts/redis/templates/headless-svc.yaml | 28 + .../redis/templates/health-configmap.yaml | 176 ++ .../redis/templates/metrics-prometheus.yaml | 39 + .../metrics-sentinel-prometheus.yaml | 33 + .../redis/templates/metrics-sentinel-svc.yaml | 35 + .../charts/redis/templates/metrics-svc.yaml | 34 + .../charts/redis/templates/networkpolicy.yaml | 74 + stable/ckan/charts/redis/templates/pdb.yaml | 22 + .../redis/templates/prometheusrule.yaml | 25 + stable/ckan/charts/redis/templates/psp.yaml | 43 + .../templates/redis-master-statefulset.yaml | 394 ++++ .../redis/templates/redis-master-svc.yaml | 43 + .../templates/redis-node-statefulset.yaml | 556 ++++++ .../charts/redis/templates/redis-role.yaml | 22 + .../redis/templates/redis-rolebinding.yaml | 19 + .../redis/templates/redis-serviceaccount.yaml | 15 + .../templates/redis-slave-statefulset.yaml | 398 ++++ .../redis/templates/redis-slave-svc.yaml | 43 + .../templates/redis-with-sentinel-svc.yaml | 43 + .../ckan/charts/redis/templates/secret.yaml | 15 + stable/ckan/charts/redis/values.schema.json | 168 ++ stable/ckan/charts/redis/values.yaml | 1008 ++++++++++ stable/ckan/charts/solr/Chart.lock | 6 + stable/ckan/charts/solr/Chart.yaml | 14 + stable/ckan/charts/solr/README.md | 72 + .../charts/solr/charts/zookeeper/.helmignore | 21 + .../charts/solr/charts/zookeeper/Chart.yaml | 17 + .../ckan/charts/solr/charts/zookeeper/OWNERS | 6 + .../charts/solr/charts/zookeeper/README.md | 145 ++ .../solr/charts/zookeeper/templates/NOTES.txt | 7 + .../charts/zookeeper/templates/_helpers.tpl | 46 + .../templates/config-jmx-exporter.yaml | 19 + .../zookeeper/templates/config-script.yaml | 110 ++ .../zookeeper/templates/job-chroots.yaml | 65 + .../templates/poddisruptionbudget.yaml | 17 + .../zookeeper/templates/service-headless.yaml | 25 + .../charts/zookeeper/templates/service.yaml | 41 + .../zookeeper/templates/servicemonitors.yaml | 56 + .../zookeeper/templates/statefulset.yaml | 226 +++ .../charts/solr/charts/zookeeper/values.yaml | 295 +++ stable/ckan/charts/solr/templates/NOTES.txt | 11 + .../ckan/charts/solr/templates/_helpers.tpl | 133 ++ .../solr/templates/exporter-deployment.yaml | 104 + .../solr/templates/poddisruptionbudget.yaml | 14 + .../solr/templates/service-headless.yaml | 17 + .../ckan/charts/solr/templates/service.yaml | 19 + .../solr/templates/solr-custom-script.yaml | 13 + .../solr/templates/solr-xml-configmap.yaml | 29 + .../charts/solr/templates/statefulset.yaml | 234 +++ stable/ckan/charts/solr/values.yaml | 138 ++ stable/ckan/conf/ckan/overlay-production.ini | 9 +- stable/ckan/conf/pgbouncer/pgbouncer.ini | 4 +- stable/ckan/templates/_helpers.tpl | 2 +- stable/ckan/templates/cm/ckan-crontab.yaml | 14 + stable/ckan/templates/cm/ckan-overlay.yaml | 2 +- stable/ckan/templates/cm/ckan-prerun.yaml | 2 +- stable/ckan/templates/cm/psql-init.yaml | 2 +- stable/ckan/templates/cm/solr-configset.yaml | 2 +- stable/ckan/templates/cm/solr-init.yaml | 2 +- stable/ckan/templates/cronjob/ckan.yaml | 6 +- stable/ckan/templates/deploy/ckan.yaml | 43 +- .../templates/secret/ckan-backup-secret.yaml | 10 + stable/ckan/values.yaml | 57 +- stable/fdi-dotstatsuite-keycloak/Chart.yaml | 12 + .../config/realm.json | 1724 ++++++++++++++++ .../templates/NOTES.txt | 0 .../templates/_helpers.tpl | 76 + .../templates/cm/keycloak.yaml | 1731 +++++++++++++++++ .../templates/deploy/keycloak.yaml | 138 ++ .../templates/dr/destrule.yaml | 16 + .../templates/hpa/keycloak.yaml | 30 + .../templates/ing/keycloak.yaml | 46 + .../templates/sa/keycloak.yaml | 14 + .../secret/keycloak-export-secret.yaml | 10 + .../templates/secret/keycloak-pwds.yaml | 8 + .../templates/svc/keycloak.yaml | 18 + stable/fdi-dotstatsuite-keycloak/values.yaml | 118 ++ stable/fdi-dotstatsuite-sfs-solr/Chart.yaml | 33 +- .../templates/deploy/solr.yaml | 2 +- stable/fdi-dotstatsuite-sfs-solr/values.yaml | 4 +- .../values_for_octopus.yaml | 309 +++ stable/fdi-dotstatsuite/Chart.yaml | 51 +- .../charts/mssql-linux/Chart.yaml | 10 + .../charts/mssql-linux/README.md | 263 +++ .../charts/mssql-linux/templates/NOTES.txt | 30 + .../charts/mssql-linux/templates/_helpers.tpl | 59 + .../mssql-linux/templates/deployment.yaml | 168 ++ .../mssql-linux/templates/pvc-backup.yaml | 28 + .../mssql-linux/templates/pvc-data.yaml | 28 + .../mssql-linux/templates/pvc-master.yaml | 28 + .../mssql-linux/templates/pvc-tranlog.yaml | 28 + .../charts/mssql-linux/templates/secret.yaml | 18 + .../charts/mssql-linux/templates/service.yaml | 37 + .../charts/mssql-linux/values.yaml | 79 + .../fdi-dotstatsuite/templates/cm/authz.yaml | 4 +- .../templates/deploy/nsidesign.yaml | 8 +- .../templates/deploy/nsireset.yaml | 8 +- .../templates/deploy/nsistable.yaml | 8 +- .../templates/deploy/nsistaging.yaml | 8 +- .../templates/deploy/transfer.yaml | 44 +- .../templates/secret/sdmx-log-secret.yaml | 2 +- .../secret/sdmx-sdmx-data-loading-secret.yaml | 10 + stable/fdi-dotstatsuite/values.yaml | 21 +- stable/fdi-fmr-chart/.helmignore | 23 + stable/fdi-fmr-chart/Chart.yaml | 33 + stable/fdi-fmr-chart/requirements.yaml | 1 + stable/fdi-fmr-chart/templates/NOTES.txt | 33 + stable/fdi-fmr-chart/templates/_helpers.tpl | 64 + .../fdi-fmr-chart/templates/cm/registry.yaml | 56 + .../fdi-fmr-chart/templates/cm/security.yaml | 80 + .../fdi-fmr-chart/templates/deploy/apps.yaml | 76 + .../fdi-fmr-chart/templates/dr/destrule.yaml | 16 + stable/fdi-fmr-chart/templates/hpa/apps.yaml | 30 + stable/fdi-fmr-chart/templates/ing/apps.yaml | 46 + stable/fdi-fmr-chart/templates/sa/apps.yaml | 14 + .../secret/apps-db-registry-pwd.yaml | 7 + .../secret/apps-tomcat-password.yaml | 7 + stable/fdi-fmr-chart/templates/svc/apps.yaml | 17 + stable/fdi-fmr-chart/values.yaml | 148 ++ .../.helmignore | 23 + .../Chart.yaml | 15 + .../requirements.yaml | 1 + .../templates/NOTES.txt | 0 .../templates/_helpers.tpl | 53 + .../templates/deploy/hfed.yaml | 84 + .../templates/secret/hfed_application_id.yaml | 13 + .../secret/hfed_azure_filesystem-secret.yaml | 8 + .../templates/secret/hfed_client_secret.yaml | 13 + .../templates/secret/hfed_smtp_password.yaml | 13 + .../values.yaml | 65 + 231 files changed, 21401 insertions(+), 182 deletions(-) create mode 100644 stable/ckan/charts/datapusher/.helmignore create mode 100644 stable/ckan/charts/datapusher/Chart.yaml create mode 100644 stable/ckan/charts/datapusher/README.md create mode 100644 stable/ckan/charts/datapusher/templates/NOTES.txt create mode 100644 stable/ckan/charts/datapusher/templates/_helpers.tpl create mode 100644 stable/ckan/charts/datapusher/templates/deployment.yaml create mode 100644 stable/ckan/charts/datapusher/templates/service-headless.yaml create mode 100644 stable/ckan/charts/datapusher/templates/service.yaml create mode 100644 stable/ckan/charts/datapusher/templates/serviceaccount.yaml create mode 100644 stable/ckan/charts/datapusher/values.yaml create mode 100644 stable/ckan/charts/postgresql/.helmignore create mode 100644 stable/ckan/charts/postgresql/Chart.lock create mode 100644 stable/ckan/charts/postgresql/Chart.yaml create mode 100644 stable/ckan/charts/postgresql/README.md create mode 100644 stable/ckan/charts/postgresql/charts/common/.helmignore create mode 100644 stable/ckan/charts/postgresql/charts/common/Chart.yaml create mode 100644 stable/ckan/charts/postgresql/charts/common/README.md create mode 100644 stable/ckan/charts/postgresql/charts/common/templates/_affinities.tpl create mode 100644 stable/ckan/charts/postgresql/charts/common/templates/_capabilities.tpl create mode 100644 stable/ckan/charts/postgresql/charts/common/templates/_errors.tpl create mode 100644 stable/ckan/charts/postgresql/charts/common/templates/_images.tpl create mode 100644 stable/ckan/charts/postgresql/charts/common/templates/_labels.tpl create mode 100644 stable/ckan/charts/postgresql/charts/common/templates/_names.tpl create mode 100644 stable/ckan/charts/postgresql/charts/common/templates/_secrets.tpl create mode 100644 stable/ckan/charts/postgresql/charts/common/templates/_storage.tpl create mode 100644 stable/ckan/charts/postgresql/charts/common/templates/_tplvalues.tpl create mode 100644 stable/ckan/charts/postgresql/charts/common/templates/_utils.tpl create mode 100644 stable/ckan/charts/postgresql/charts/common/templates/_warnings.tpl create mode 100644 stable/ckan/charts/postgresql/charts/common/templates/validations/_cassandra.tpl create mode 100644 stable/ckan/charts/postgresql/charts/common/templates/validations/_mariadb.tpl create mode 100644 stable/ckan/charts/postgresql/charts/common/templates/validations/_mongodb.tpl create mode 100644 stable/ckan/charts/postgresql/charts/common/templates/validations/_postgresql.tpl create mode 100644 stable/ckan/charts/postgresql/charts/common/templates/validations/_redis.tpl create mode 100644 stable/ckan/charts/postgresql/charts/common/templates/validations/_validations.tpl create mode 100644 stable/ckan/charts/postgresql/charts/common/values.yaml create mode 100644 stable/ckan/charts/postgresql/ci/commonAnnotations.yaml create mode 100644 stable/ckan/charts/postgresql/ci/default-values.yaml create mode 100644 stable/ckan/charts/postgresql/ci/shmvolume-disabled-values.yaml create mode 100644 stable/ckan/charts/postgresql/files/README.md create mode 100644 stable/ckan/charts/postgresql/files/conf.d/README.md create mode 100644 stable/ckan/charts/postgresql/files/docker-entrypoint-initdb.d/README.md create mode 100644 stable/ckan/charts/postgresql/templates/NOTES.txt create mode 100644 stable/ckan/charts/postgresql/templates/_helpers.tpl create mode 100644 stable/ckan/charts/postgresql/templates/configmap.yaml create mode 100644 stable/ckan/charts/postgresql/templates/extended-config-configmap.yaml create mode 100644 stable/ckan/charts/postgresql/templates/extra-list.yaml create mode 100644 stable/ckan/charts/postgresql/templates/initialization-configmap.yaml create mode 100644 stable/ckan/charts/postgresql/templates/metrics-configmap.yaml create mode 100644 stable/ckan/charts/postgresql/templates/metrics-svc.yaml create mode 100644 stable/ckan/charts/postgresql/templates/networkpolicy.yaml create mode 100644 stable/ckan/charts/postgresql/templates/podsecuritypolicy.yaml create mode 100644 stable/ckan/charts/postgresql/templates/prometheusrule.yaml create mode 100644 stable/ckan/charts/postgresql/templates/role.yaml create mode 100644 stable/ckan/charts/postgresql/templates/rolebinding.yaml create mode 100644 stable/ckan/charts/postgresql/templates/secrets.yaml create mode 100644 stable/ckan/charts/postgresql/templates/serviceaccount.yaml create mode 100644 stable/ckan/charts/postgresql/templates/servicemonitor.yaml create mode 100644 stable/ckan/charts/postgresql/templates/statefulset-readreplicas.yaml create mode 100644 stable/ckan/charts/postgresql/templates/statefulset.yaml create mode 100644 stable/ckan/charts/postgresql/templates/svc-headless.yaml create mode 100644 stable/ckan/charts/postgresql/templates/svc-read.yaml create mode 100644 stable/ckan/charts/postgresql/templates/svc.yaml create mode 100644 stable/ckan/charts/postgresql/values-production.yaml create mode 100644 stable/ckan/charts/postgresql/values.schema.json create mode 100644 stable/ckan/charts/postgresql/values.yaml create mode 100644 stable/ckan/charts/redis/.helmignore create mode 100644 stable/ckan/charts/redis/Chart.lock create mode 100644 stable/ckan/charts/redis/Chart.yaml create mode 100644 stable/ckan/charts/redis/README.md create mode 100644 stable/ckan/charts/redis/charts/common/.helmignore create mode 100644 stable/ckan/charts/redis/charts/common/Chart.yaml create mode 100644 stable/ckan/charts/redis/charts/common/README.md create mode 100644 stable/ckan/charts/redis/charts/common/templates/_affinities.tpl create mode 100644 stable/ckan/charts/redis/charts/common/templates/_capabilities.tpl create mode 100644 stable/ckan/charts/redis/charts/common/templates/_errors.tpl create mode 100644 stable/ckan/charts/redis/charts/common/templates/_images.tpl create mode 100644 stable/ckan/charts/redis/charts/common/templates/_ingress.tpl create mode 100644 stable/ckan/charts/redis/charts/common/templates/_labels.tpl create mode 100644 stable/ckan/charts/redis/charts/common/templates/_names.tpl create mode 100644 stable/ckan/charts/redis/charts/common/templates/_secrets.tpl create mode 100644 stable/ckan/charts/redis/charts/common/templates/_storage.tpl create mode 100644 stable/ckan/charts/redis/charts/common/templates/_tplvalues.tpl create mode 100644 stable/ckan/charts/redis/charts/common/templates/_utils.tpl create mode 100644 stable/ckan/charts/redis/charts/common/templates/_warnings.tpl create mode 100644 stable/ckan/charts/redis/charts/common/templates/validations/_cassandra.tpl create mode 100644 stable/ckan/charts/redis/charts/common/templates/validations/_mariadb.tpl create mode 100644 stable/ckan/charts/redis/charts/common/templates/validations/_mongodb.tpl create mode 100644 stable/ckan/charts/redis/charts/common/templates/validations/_postgresql.tpl create mode 100644 stable/ckan/charts/redis/charts/common/templates/validations/_redis.tpl create mode 100644 stable/ckan/charts/redis/charts/common/templates/validations/_validations.tpl create mode 100644 stable/ckan/charts/redis/charts/common/values.yaml create mode 100644 stable/ckan/charts/redis/ci/default-values.yaml create mode 100644 stable/ckan/charts/redis/ci/extra-flags-values.yaml create mode 100644 stable/ckan/charts/redis/ci/production-sentinel-values.yaml create mode 100644 stable/ckan/charts/redis/img/redis-cluster-topology.png create mode 100644 stable/ckan/charts/redis/img/redis-topology.png create mode 100644 stable/ckan/charts/redis/templates/NOTES.txt create mode 100644 stable/ckan/charts/redis/templates/_helpers.tpl create mode 100644 stable/ckan/charts/redis/templates/configmap-scripts.yaml create mode 100644 stable/ckan/charts/redis/templates/configmap.yaml create mode 100644 stable/ckan/charts/redis/templates/headless-svc.yaml create mode 100644 stable/ckan/charts/redis/templates/health-configmap.yaml create mode 100644 stable/ckan/charts/redis/templates/metrics-prometheus.yaml create mode 100644 stable/ckan/charts/redis/templates/metrics-sentinel-prometheus.yaml create mode 100644 stable/ckan/charts/redis/templates/metrics-sentinel-svc.yaml create mode 100644 stable/ckan/charts/redis/templates/metrics-svc.yaml create mode 100644 stable/ckan/charts/redis/templates/networkpolicy.yaml create mode 100644 stable/ckan/charts/redis/templates/pdb.yaml create mode 100644 stable/ckan/charts/redis/templates/prometheusrule.yaml create mode 100644 stable/ckan/charts/redis/templates/psp.yaml create mode 100644 stable/ckan/charts/redis/templates/redis-master-statefulset.yaml create mode 100644 stable/ckan/charts/redis/templates/redis-master-svc.yaml create mode 100644 stable/ckan/charts/redis/templates/redis-node-statefulset.yaml create mode 100644 stable/ckan/charts/redis/templates/redis-role.yaml create mode 100644 stable/ckan/charts/redis/templates/redis-rolebinding.yaml create mode 100644 stable/ckan/charts/redis/templates/redis-serviceaccount.yaml create mode 100644 stable/ckan/charts/redis/templates/redis-slave-statefulset.yaml create mode 100644 stable/ckan/charts/redis/templates/redis-slave-svc.yaml create mode 100644 stable/ckan/charts/redis/templates/redis-with-sentinel-svc.yaml create mode 100644 stable/ckan/charts/redis/templates/secret.yaml create mode 100644 stable/ckan/charts/redis/values.schema.json create mode 100644 stable/ckan/charts/redis/values.yaml create mode 100644 stable/ckan/charts/solr/Chart.lock create mode 100644 stable/ckan/charts/solr/Chart.yaml create mode 100644 stable/ckan/charts/solr/README.md create mode 100644 stable/ckan/charts/solr/charts/zookeeper/.helmignore create mode 100644 stable/ckan/charts/solr/charts/zookeeper/Chart.yaml create mode 100644 stable/ckan/charts/solr/charts/zookeeper/OWNERS create mode 100644 stable/ckan/charts/solr/charts/zookeeper/README.md create mode 100644 stable/ckan/charts/solr/charts/zookeeper/templates/NOTES.txt create mode 100644 stable/ckan/charts/solr/charts/zookeeper/templates/_helpers.tpl create mode 100644 stable/ckan/charts/solr/charts/zookeeper/templates/config-jmx-exporter.yaml create mode 100644 stable/ckan/charts/solr/charts/zookeeper/templates/config-script.yaml create mode 100644 stable/ckan/charts/solr/charts/zookeeper/templates/job-chroots.yaml create mode 100644 stable/ckan/charts/solr/charts/zookeeper/templates/poddisruptionbudget.yaml create mode 100644 stable/ckan/charts/solr/charts/zookeeper/templates/service-headless.yaml create mode 100644 stable/ckan/charts/solr/charts/zookeeper/templates/service.yaml create mode 100644 stable/ckan/charts/solr/charts/zookeeper/templates/servicemonitors.yaml create mode 100644 stable/ckan/charts/solr/charts/zookeeper/templates/statefulset.yaml create mode 100644 stable/ckan/charts/solr/charts/zookeeper/values.yaml create mode 100644 stable/ckan/charts/solr/templates/NOTES.txt create mode 100644 stable/ckan/charts/solr/templates/_helpers.tpl create mode 100644 stable/ckan/charts/solr/templates/exporter-deployment.yaml create mode 100644 stable/ckan/charts/solr/templates/poddisruptionbudget.yaml create mode 100644 stable/ckan/charts/solr/templates/service-headless.yaml create mode 100644 stable/ckan/charts/solr/templates/service.yaml create mode 100644 stable/ckan/charts/solr/templates/solr-custom-script.yaml create mode 100644 stable/ckan/charts/solr/templates/solr-xml-configmap.yaml create mode 100644 stable/ckan/charts/solr/templates/statefulset.yaml create mode 100644 stable/ckan/charts/solr/values.yaml create mode 100644 stable/ckan/templates/cm/ckan-crontab.yaml create mode 100644 stable/ckan/templates/secret/ckan-backup-secret.yaml create mode 100644 stable/fdi-dotstatsuite-keycloak/Chart.yaml create mode 100644 stable/fdi-dotstatsuite-keycloak/config/realm.json create mode 100644 stable/fdi-dotstatsuite-keycloak/templates/NOTES.txt create mode 100644 stable/fdi-dotstatsuite-keycloak/templates/_helpers.tpl create mode 100644 stable/fdi-dotstatsuite-keycloak/templates/cm/keycloak.yaml create mode 100644 stable/fdi-dotstatsuite-keycloak/templates/deploy/keycloak.yaml create mode 100644 stable/fdi-dotstatsuite-keycloak/templates/dr/destrule.yaml create mode 100644 stable/fdi-dotstatsuite-keycloak/templates/hpa/keycloak.yaml create mode 100644 stable/fdi-dotstatsuite-keycloak/templates/ing/keycloak.yaml create mode 100644 stable/fdi-dotstatsuite-keycloak/templates/sa/keycloak.yaml create mode 100644 stable/fdi-dotstatsuite-keycloak/templates/secret/keycloak-export-secret.yaml create mode 100644 stable/fdi-dotstatsuite-keycloak/templates/secret/keycloak-pwds.yaml create mode 100644 stable/fdi-dotstatsuite-keycloak/templates/svc/keycloak.yaml create mode 100644 stable/fdi-dotstatsuite-keycloak/values.yaml create mode 100644 stable/fdi-dotstatsuite-sfs-solr/values_for_octopus.yaml create mode 100644 stable/fdi-dotstatsuite/charts/mssql-linux/Chart.yaml create mode 100644 stable/fdi-dotstatsuite/charts/mssql-linux/README.md create mode 100644 stable/fdi-dotstatsuite/charts/mssql-linux/templates/NOTES.txt create mode 100644 stable/fdi-dotstatsuite/charts/mssql-linux/templates/_helpers.tpl create mode 100644 stable/fdi-dotstatsuite/charts/mssql-linux/templates/deployment.yaml create mode 100644 stable/fdi-dotstatsuite/charts/mssql-linux/templates/pvc-backup.yaml create mode 100644 stable/fdi-dotstatsuite/charts/mssql-linux/templates/pvc-data.yaml create mode 100644 stable/fdi-dotstatsuite/charts/mssql-linux/templates/pvc-master.yaml create mode 100644 stable/fdi-dotstatsuite/charts/mssql-linux/templates/pvc-tranlog.yaml create mode 100644 stable/fdi-dotstatsuite/charts/mssql-linux/templates/secret.yaml create mode 100644 stable/fdi-dotstatsuite/charts/mssql-linux/templates/service.yaml create mode 100644 stable/fdi-dotstatsuite/charts/mssql-linux/values.yaml create mode 100644 stable/fdi-dotstatsuite/templates/secret/sdmx-sdmx-data-loading-secret.yaml create mode 100644 stable/fdi-fmr-chart/.helmignore create mode 100644 stable/fdi-fmr-chart/Chart.yaml create mode 100644 stable/fdi-fmr-chart/requirements.yaml create mode 100644 stable/fdi-fmr-chart/templates/NOTES.txt create mode 100644 stable/fdi-fmr-chart/templates/_helpers.tpl create mode 100644 stable/fdi-fmr-chart/templates/cm/registry.yaml create mode 100644 stable/fdi-fmr-chart/templates/cm/security.yaml create mode 100644 stable/fdi-fmr-chart/templates/deploy/apps.yaml create mode 100644 stable/fdi-fmr-chart/templates/dr/destrule.yaml create mode 100644 stable/fdi-fmr-chart/templates/hpa/apps.yaml create mode 100644 stable/fdi-fmr-chart/templates/ing/apps.yaml create mode 100644 stable/fdi-fmr-chart/templates/sa/apps.yaml create mode 100644 stable/fdi-fmr-chart/templates/secret/apps-db-registry-pwd.yaml create mode 100644 stable/fdi-fmr-chart/templates/secret/apps-tomcat-password.yaml create mode 100644 stable/fdi-fmr-chart/templates/svc/apps.yaml create mode 100644 stable/fdi-fmr-chart/values.yaml create mode 100644 stable/fdi-hfed-scrapping-loading-portal/.helmignore create mode 100644 stable/fdi-hfed-scrapping-loading-portal/Chart.yaml create mode 100644 stable/fdi-hfed-scrapping-loading-portal/requirements.yaml create mode 100644 stable/fdi-hfed-scrapping-loading-portal/templates/NOTES.txt create mode 100644 stable/fdi-hfed-scrapping-loading-portal/templates/_helpers.tpl create mode 100644 stable/fdi-hfed-scrapping-loading-portal/templates/deploy/hfed.yaml create mode 100644 stable/fdi-hfed-scrapping-loading-portal/templates/secret/hfed_application_id.yaml create mode 100644 stable/fdi-hfed-scrapping-loading-portal/templates/secret/hfed_azure_filesystem-secret.yaml create mode 100644 stable/fdi-hfed-scrapping-loading-portal/templates/secret/hfed_client_secret.yaml create mode 100644 stable/fdi-hfed-scrapping-loading-portal/templates/secret/hfed_smtp_password.yaml create mode 100644 stable/fdi-hfed-scrapping-loading-portal/values.yaml diff --git a/stable/ckan/Chart.yaml b/stable/ckan/Chart.yaml index 1af4201e..e568e0de 100644 --- a/stable/ckan/Chart.yaml +++ b/stable/ckan/Chart.yaml @@ -1,37 +1,38 @@ -name: ckan apiVersion: v2 -type: application -version: 0.0.31 -appVersion: 2.9.5 +appVersion: 2.10.3 +dependencies: +- condition: redis.enabled + name: redis + repository: https://raw.githubusercontent.com/bitnami/charts/eb5f9a9513d987b519f0ecd732e7031241c50328/bitnami + version: 12.10.1 +- condition: postgresql.enabled + name: postgresql + repository: https://raw.githubusercontent.com/bitnami/charts/eb5f9a9513d987b519f0ecd732e7031241c50328/bitnami + version: 10.2.0 +- condition: solr.enabled + name: solr + repository: https://statcan.github.io/charts + version: 1.5.8 +- condition: datapusher.enabled + name: datapusher + repository: https://statcan.github.io/charts + version: 1.0.0 description: CKAN Helm Chart for Kubernetes. +home: https://ckan.org/ +icon: https://ckan.org/static/img/logo.svg keywords: - ckan - http - web - application - python -home: https://ckan.org/ -icon: https://ckan.org/static/img/logo.svg +maintainers: +- email: william.hearn@canada.ca + name: sylus +- email: zachary.seguin@canada.ca + name: zachomedia +name: ckan sources: - https://github.com/drupalwxt/wxt -maintainers: -- name: Jianlong - email: jianlong.qian@canada.ca -engine: gotpl -dependencies: - - name: redis - version: 12.10.1 - repository: https://raw.githubusercontent.com/bitnami/charts/eb5f9a9513d987b519f0ecd732e7031241c50328/bitnami - condition: redis.enabled - - name: postgresql - version: 10.2.0 - repository: https://raw.githubusercontent.com/bitnami/charts/eb5f9a9513d987b519f0ecd732e7031241c50328/bitnami - condition: postgresql.enabled - - name: solr - version: 1.5.10 - repository: https://statcan.github.io/charts - condition: solr.enabled - - name: datapusher - version: 1.0.0 - repository: https://statcan.github.io/charts - condition: datapusher.enabled +type: application +version: 0.0.32 diff --git a/stable/ckan/charts/datapusher/.helmignore b/stable/ckan/charts/datapusher/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/stable/ckan/charts/datapusher/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/stable/ckan/charts/datapusher/Chart.yaml b/stable/ckan/charts/datapusher/Chart.yaml new file mode 100644 index 00000000..e6fd31d2 --- /dev/null +++ b/stable/ckan/charts/datapusher/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +appVersion: 0.0.17 +description: CKAN Datapusher helm chart +name: datapusher +type: application +version: 1.0.0 diff --git a/stable/ckan/charts/datapusher/README.md b/stable/ckan/charts/datapusher/README.md new file mode 100644 index 00000000..0422cdff --- /dev/null +++ b/stable/ckan/charts/datapusher/README.md @@ -0,0 +1,39 @@ +datapusher +========== + +CKAN Datapusher helm chart + +## Chart Values + +| Key | Type | Default | Description | +|---------------------------------------|--------|-----------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| affinity | object | `{}` | | +| datapusher.chunkSize | string | `"16384"` | Size of chunks of the data that is being downloaded in bytes | +| datapusher.datapusherRewriteResources | string | `"True"` | Enable or disable (boolean) whether datapusher should rewrite resources uploaded to CKAN's filestore, since datapusher takes the CKAN Site URL value for generating the resource URL. Default: False | +| datapusher.datapusherRewriteUrl | string | `"http://ckan"` | | +| datapusher.datapusherSslVerify | string | `"False"` | Enable or disable (boolean) verification of SSL when trying to get resources. Default: True | +| datapusher.downloadTimeout | string | `"30"` | Timeout limit of the download request | +| datapusher.insertRows | string | `"250"` | Number of rows to take from the data and upload them as chunks to datastore | +| datapusher.maxContentLength | string | `"10485760"` | Maximum size of content to be uploaded in bytes. | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | | +| image.repository | string | `"keitaro/ckan-datapusher"` | | +| image.tag | string | `"0.0.17"` | | +| imagePullSecrets | list | `[]` | | +| ingress.annotations | object | `{}` | | +| ingress.enabled | bool | `false` | | +| ingress.hosts[0].host | string | `"chart-example.local"` | | +| ingress.hosts[0].paths | list | `[]` | | +| ingress.tls | list | `[]` | | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| podSecurityContext | object | `{}` | | +| replicaCount | int | `1` | | +| resources | object | `{}` | | +| securityContext | object | `{}` | | +| service.port | int | `8000` | | +| service.type | string | `"ClusterIP"` | | +| serviceAccount.annotations | object | `{}` | | +| serviceAccount.create | bool | `true` | | +| serviceAccount.name | string | `nil` | | +| tolerations | list | `[]` | | diff --git a/stable/ckan/charts/datapusher/templates/NOTES.txt b/stable/ckan/charts/datapusher/templates/NOTES.txt new file mode 100644 index 00000000..eb5f2633 --- /dev/null +++ b/stable/ckan/charts/datapusher/templates/NOTES.txt @@ -0,0 +1,21 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "datapusher.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "datapusher.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "datapusher.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "datapusher.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80 +{{- end }} diff --git a/stable/ckan/charts/datapusher/templates/_helpers.tpl b/stable/ckan/charts/datapusher/templates/_helpers.tpl new file mode 100644 index 00000000..bc85c157 --- /dev/null +++ b/stable/ckan/charts/datapusher/templates/_helpers.tpl @@ -0,0 +1,77 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "datapusher.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "datapusher.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "datapusher.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "datapusher.labels" -}} +helm.sh/chart: {{ include "datapusher.chart" . }} +{{ include "datapusher.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "datapusher.selectorLabels" -}} +app.kubernetes.io/name: {{ include "datapusher.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Define the name of the headless service for solr +*/}} +{{- define "datapusher.headless-service-name" -}} +{{- printf "%s-%s" (include "datapusher.fullname" .) "headless" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Define the name of the client service for solr +*/}} +{{- define "datapusher.service-name" -}} +{{- printf "%s-%s" (include "datapusher.fullname" .) "svc" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "datapusher.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "datapusher.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/datapusher/templates/deployment.yaml b/stable/ckan/charts/datapusher/templates/deployment.yaml new file mode 100644 index 00000000..56f0e8c2 --- /dev/null +++ b/stable/ckan/charts/datapusher/templates/deployment.yaml @@ -0,0 +1,70 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "datapusher.fullname" . }} + labels: + {{- include "datapusher.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "datapusher.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "datapusher.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "datapusher.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 8000 + protocol: TCP + env: + - name: DATAPUSHER_MAX_CONTENT_LENGTH + value: {{ .Values.datapusher.maxContentLength | quote }} + - name: DATAPUSHER_CHUNK_SIZE + value: {{ .Values.datapusher.chunkSize | quote }} + - name: DATAPUSHER_CHUNK_INSERT_ROWS + value: {{ .Values.datapusher.insertRows | quote }} + - name: DATAPUSHER_DOWNLOAD_TIMEOUT + value: {{ .Values.datapusher.downloadTimeout | quote }} + - name: DATAPUSHER_SSL_VERIFY + value: {{ .Values.datapusher.datapusherSslVerify | quote }} + - name: DATAPUSHER_REWRITE_RESOURCES + value: {{ .Values.datapusher.datapusherRewriteResources | quote }} + - name: DATAPUSHER_REWRITE_URL + value: {{ .Values.datapusher.datapusherRewriteUrl | quote }} + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/stable/ckan/charts/datapusher/templates/service-headless.yaml b/stable/ckan/charts/datapusher/templates/service-headless.yaml new file mode 100644 index 00000000..cc68df78 --- /dev/null +++ b/stable/ckan/charts/datapusher/templates/service-headless.yaml @@ -0,0 +1,13 @@ +apiVersion: "v1" +kind: "Service" +metadata: + name: "{{ include "datapusher.headless-service-name" . }}" + labels: + {{- include "datapusher.labels" . | nindent 4 }} +spec: + clusterIP: "None" + ports: + - port: {{ .Values.service.port }} + name: "datapusher-headless" + selector: + {{- include "datapusher.selectorLabels" . | nindent 4 }} diff --git a/stable/ckan/charts/datapusher/templates/service.yaml b/stable/ckan/charts/datapusher/templates/service.yaml new file mode 100644 index 00000000..07ab6eaf --- /dev/null +++ b/stable/ckan/charts/datapusher/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "datapusher.service-name" . }} + labels: + {{- include "datapusher.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "datapusher.selectorLabels" . | nindent 4 }} diff --git a/stable/ckan/charts/datapusher/templates/serviceaccount.yaml b/stable/ckan/charts/datapusher/templates/serviceaccount.yaml new file mode 100644 index 00000000..9d23c1e2 --- /dev/null +++ b/stable/ckan/charts/datapusher/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "datapusher.serviceAccountName" . }} + labels: + {{- include "datapusher.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/stable/ckan/charts/datapusher/values.yaml b/stable/ckan/charts/datapusher/values.yaml new file mode 100644 index 00000000..4b130a1c --- /dev/null +++ b/stable/ckan/charts/datapusher/values.yaml @@ -0,0 +1,85 @@ +# Default values for datapusher. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: keitaro/ckan-datapusher + tag: 0.0.17 + pullPolicy: IfNotPresent + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +datapusher: + # datapusher.maxContentLength -- Maximum size of content to be uploaded in bytes. + maxContentLength: "10485760" + # datapusher.chunkSize -- Size of chunks of the data that is being downloaded in bytes + chunkSize: "16384" + # datapusher.insertRows -- Number of rows to take from the data and upload them as chunks to datastore + insertRows: "250" + # datapusher.downloadTimeout -- Timeout limit of the download request + downloadTimeout: "30" + # datapusher.datapusherSslVerify -- Enable or disable (boolean) verification of SSL when trying to get resources. Default: True + datapusherSslVerify: "False" + # datapusher.datapusherRewriteResources -- Enable or disable (boolean) whether datapusher should rewrite resources uploaded to CKAN's filestore, since datapusher takes the CKAN Site URL value for generating the resource URL. Default: False + datapusherRewriteResources: "True" + # Sets the rewrite URL that datapushed will rewrite resources that are uploaded to CKAN's filestore. Default: http://ckan:5000 + datapusherRewriteUrl: http://ckan + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: ClusterIP + port: 8000 + +ingress: + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: [] + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} diff --git a/stable/ckan/charts/postgresql/.helmignore b/stable/ckan/charts/postgresql/.helmignore new file mode 100644 index 00000000..f0c13194 --- /dev/null +++ b/stable/ckan/charts/postgresql/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/stable/ckan/charts/postgresql/Chart.lock b/stable/ckan/charts/postgresql/Chart.lock new file mode 100644 index 00000000..00ef8227 --- /dev/null +++ b/stable/ckan/charts/postgresql/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + version: 1.1.2 +digest: sha256:5a5d1b6e8a55efef1c07768b6bb264c60c98e230792b9a63f85468b95cf58c45 +generated: "2020-12-11T12:22:28.510708+01:00" diff --git a/stable/ckan/charts/postgresql/Chart.yaml b/stable/ckan/charts/postgresql/Chart.yaml new file mode 100644 index 00000000..332cb965 --- /dev/null +++ b/stable/ckan/charts/postgresql/Chart.yaml @@ -0,0 +1,29 @@ +annotations: + category: Database +apiVersion: v2 +appVersion: 11.10.0 +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + version: 1.x.x +description: Chart for PostgreSQL, an object-relational database management system + (ORDBMS) with an emphasis on extensibility and on standards-compliance. +home: https://github.com/bitnami/charts/tree/master/bitnami/postgresql +icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-110x117.png +keywords: +- postgresql +- postgres +- database +- sql +- replication +- cluster +maintainers: +- email: containers@bitnami.com + name: Bitnami +- email: cedric@desaintmartin.fr + name: desaintmartin +name: postgresql +sources: +- https://github.com/bitnami/bitnami-docker-postgresql +- https://www.postgresql.org/ +version: 10.2.0 diff --git a/stable/ckan/charts/postgresql/README.md b/stable/ckan/charts/postgresql/README.md new file mode 100644 index 00000000..9cf7c412 --- /dev/null +++ b/stable/ckan/charts/postgresql/README.md @@ -0,0 +1,798 @@ +# PostgreSQL + +[PostgreSQL](https://www.postgresql.org/) is an object-relational database management system (ORDBMS) with an emphasis on extensibility and on standards-compliance. + +For HA, please see [this repo](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha) + +## TL;DR + +```console +$ helm repo add bitnami https://charts.bitnami.com/bitnami +$ helm install my-release bitnami/postgresql +``` + +## Introduction + +This chart bootstraps a [PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/). + +## Prerequisites + +- Kubernetes 1.12+ +- Helm 3.0-beta3+ +- PV provisioner support in the underlying infrastructure + +## Installing the Chart +To install the chart with the release name `my-release`: + +```console +$ helm install my-release bitnami/postgresql +``` + +The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +$ helm delete my-release +``` + +The command removes all the Kubernetes components but PVC's associated with the chart and deletes the release. + +To delete the PVC's associated with `my-release`: + +```console +$ kubectl delete pvc -l release=my-release +``` + +> **Note**: Deleting the PVC's will delete postgresql data as well. Please be cautious before doing it. + +## Parameters + +The following tables lists the configurable parameters of the PostgreSQL chart and their default values. + +| Parameter | Description | Default | +|-----------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------| +| `global.imageRegistry` | Global Docker Image registry | `nil` | +| `global.postgresql.postgresqlDatabase` | PostgreSQL database (overrides `postgresqlDatabase`) | `nil` | +| `global.postgresql.postgresqlUsername` | PostgreSQL username (overrides `postgresqlUsername`) | `nil` | +| `global.postgresql.existingSecret` | Name of existing secret to use for PostgreSQL passwords (overrides `existingSecret`) | `nil` | +| `global.postgresql.postgresqlPassword` | PostgreSQL admin password (overrides `postgresqlPassword`) | `nil` | +| `global.postgresql.servicePort` | PostgreSQL port (overrides `service.port`) | `nil` | +| `global.postgresql.replicationPassword` | Replication user password (overrides `replication.password`) | `nil` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | +| `global.storageClass` | Global storage class for dynamic provisioning | `nil` | +| `image.registry` | PostgreSQL Image registry | `docker.io` | +| `image.repository` | PostgreSQL Image name | `bitnami/postgresql` | +| `image.tag` | PostgreSQL Image tag | `{TAG_NAME}` | +| `image.pullPolicy` | PostgreSQL Image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) | +| `image.debug` | Specify if debug values should be set | `false` | +| `nameOverride` | String to partially override common.names.fullname template with a string (will prepend the release name) | `nil` | +| `fullnameOverride` | String to fully override common.names.fullname template with a string | `nil` | +| `volumePermissions.enabled` | Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | +| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag | `buster` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` | +| `volumePermissions.securityContext.*` | Other container security context to be included as-is in the container spec | `{}` | +| `volumePermissions.securityContext.runAsUser` | User ID for the init container (when facing issues in OpenShift or uid unknown, try value "auto") | `0` | +| `usePasswordFile` | Have the secrets mounted as a file instead of env vars | `false` | +| `ldap.enabled` | Enable LDAP support | `false` | +| `ldap.existingSecret` | Name of existing secret to use for LDAP passwords | `nil` | +| `ldap.url` | LDAP URL beginning in the form `ldap[s]://host[:port]/basedn[?[attribute][?[scope][?[filter]]]]` | `nil` | +| `ldap.server` | IP address or name of the LDAP server. | `nil` | +| `ldap.port` | Port number on the LDAP server to connect to | `nil` | +| `ldap.scheme` | Set to `ldaps` to use LDAPS. | `nil` | +| `ldap.tls` | Set to `1` to use TLS encryption | `nil` | +| `ldap.prefix` | String to prepend to the user name when forming the DN to bind | `nil` | +| `ldap.suffix` | String to append to the user name when forming the DN to bind | `nil` | +| `ldap.search_attr` | Attribute to match against the user name in the search | `nil` | +| `ldap.search_filter` | The search filter to use when doing search+bind authentication | `nil` | +| `ldap.baseDN` | Root DN to begin the search for the user in | `nil` | +| `ldap.bindDN` | DN of user to bind to LDAP | `nil` | +| `ldap.bind_password` | Password for the user to bind to LDAP | `nil` | +| `replication.enabled` | Enable replication | `false` | +| `replication.user` | Replication user | `repl_user` | +| `replication.password` | Replication user password | `repl_password` | +| `replication.readReplicas` | Number of read replicas replicas | `1` | +| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` | +| `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `replication.readReplicas`. | `0` | +| `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` | +| `existingSecret` | Name of existing secret to use for PostgreSQL passwords. The secret has to contain the keys `postgresql-password` which is the password for `postgresqlUsername` when it is different of `postgres`, `postgresql-postgres-password` which will override `postgresqlPassword`, `postgresql-replication-password` which will override `replication.password` and `postgresql-ldap-password` which will be sed to authenticate on LDAP. The value is evaluated as a template. | `nil` | +| `postgresqlPostgresPassword` | PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`, in which case`postgres` is the admin username). | _random 10 character alphanumeric string_ | +| `postgresqlUsername` | PostgreSQL user (creates a non-admin user when `postgresqlUsername` is not `postgres`) | `postgres` | +| `postgresqlPassword` | PostgreSQL user password | _random 10 character alphanumeric string_ | +| `postgresqlDatabase` | PostgreSQL database | `nil` | +| `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql` (same value as persistence.mountPath) | +| `extraEnv` | Any extra environment variables you would like to pass on to the pod. The value is evaluated as a template. | `[]` | +| `extraEnvVarsCM` | Name of a Config Map containing extra environment variables you would like to pass on to the pod. The value is evaluated as a template. | `nil` | +| `postgresqlInitdbArgs` | PostgreSQL initdb extra arguments | `nil` | +| `postgresqlInitdbWalDir` | PostgreSQL location for transaction log | `nil` | +| `postgresqlConfiguration` | Runtime Config Parameters | `nil` | +| `postgresqlExtendedConf` | Extended Runtime Config Parameters (appended to main or default configuration) | `nil` | +| `pgHbaConfiguration` | Content of pg_hba.conf | `nil (do not create pg_hba.conf)` | +| `postgresqlSharedPreloadLibraries` | Shared preload libraries (comma-separated list) | `pgaudit` | +| `postgresqlMaxConnections` | Maximum total connections | `nil` | +| `postgresqlPostgresConnectionLimit` | Maximum total connections for the postgres user | `nil` | +| `postgresqlDbUserConnectionLimit` | Maximum total connections for the non-admin user | `nil` | +| `postgresqlTcpKeepalivesInterval` | TCP keepalives interval | `nil` | +| `postgresqlTcpKeepalivesIdle` | TCP keepalives idle | `nil` | +| `postgresqlTcpKeepalivesCount` | TCP keepalives count | `nil` | +| `postgresqlStatementTimeout` | Statement timeout | `nil` | +| `postgresqlPghbaRemoveFilters` | Comma-separated list of patterns to remove from the pg_hba.conf file | `nil` | +| `customLivenessProbe` | Override default liveness probe | `nil` | +| `customReadinessProbe` | Override default readiness probe | `nil` | +| `audit.logHostname` | Add client hostnames to the log file | `false` | +| `audit.logConnections` | Add client log-in operations to the log file | `false` | +| `audit.logDisconnections` | Add client log-outs operations to the log file | `false` | +| `audit.pgAuditLog` | Add operations to log using the pgAudit extension | `nil` | +| `audit.clientMinMessages` | Message log level to share with the user | `nil` | +| `audit.logLinePrefix` | Template string for the log line prefix | `nil` | +| `audit.logTimezone` | Timezone for the log timestamps | `nil` | +| `configurationConfigMap` | ConfigMap with the PostgreSQL configuration files (Note: Overrides `postgresqlConfiguration` and `pgHbaConfiguration`). The value is evaluated as a template. | `nil` | +| `extendedConfConfigMap` | ConfigMap with the extended PostgreSQL configuration files. The value is evaluated as a template. | `nil` | +| `initdbScripts` | Dictionary of initdb scripts | `nil` | +| `initdbUser` | PostgreSQL user to execute the .sql and sql.gz scripts | `nil` | +| `initdbPassword` | Password for the user specified in `initdbUser` | `nil` | +| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`). The value is evaluated as a template. | `nil` | +| `initdbScriptsSecret` | Secret with initdb scripts that contain sensitive information (Note: can be used with `initdbScriptsConfigMap` or `initdbScripts`). The value is evaluated as a template. | `nil` | +| `service.type` | Kubernetes Service type | `ClusterIP` | +| `service.port` | PostgreSQL port | `5432` | +| `service.nodePort` | Kubernetes Service nodePort | `nil` | +| `service.annotations` | Annotations for PostgreSQL service | `{}` (evaluated as a template) | +| `service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `nil` | +| `service.loadBalancerSourceRanges` | Address that are allowed when svc is LoadBalancer | `[]` (evaluated as a template) | +| `schedulerName` | Name of the k8s scheduler (other than default) | `nil` | +| `shmVolume.enabled` | Enable emptyDir volume for /dev/shm for primary and read replica(s) Pod(s) | `true` | +| `shmVolume.chmod.enabled` | Run at init chmod 777 of the /dev/shm (ignored if `volumePermissions.enabled` is `false`) | `true` | +| `persistence.enabled` | Enable persistence using PVC | `true` | +| `persistence.existingClaim` | Provide an existing `PersistentVolumeClaim`, the value is evaluated as a template. | `nil` | +| `persistence.mountPath` | Path to mount the volume at | `/bitnami/postgresql` | +| `persistence.subPath` | Subdirectory of the volume to mount at | `""` | +| `persistence.storageClass` | PVC Storage Class for PostgreSQL volume | `nil` | +| `persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `[ReadWriteOnce]` | +| `persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` | +| `persistence.annotations` | Annotations for the PVC | `{}` | +| `persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` | +| `commonAnnotations` | Annotations to be added to all deployed resources (rendered as a template) | `{}` | +| `primary.podAffinityPreset` | PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.podAntiAffinityPreset` | PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `primary.nodeAffinityPreset.type` | PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.nodeAffinityPreset.key` | PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. | `""` | +| `primary.nodeAffinityPreset.values` | PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. | `[]` | +| `primary.affinity` | Affinity for PostgreSQL primary pods assignment | `{}` (evaluated as a template) | +| `primary.nodeSelector` | Node labels for PostgreSQL primary pods assignment | `{}` (evaluated as a template) | +| `primary.tolerations` | Tolerations for PostgreSQL primary pods assignment | `[]` (evaluated as a template) | + +| `primary.anotations` | Map of annotations to add to the statefulset (postgresql primary) | `{}` | +| `primary.labels` | Map of labels to add to the statefulset (postgresql primary) | `{}` | +| `primary.podAnnotations` | Map of annotations to add to the pods (postgresql primary) | `{}` | +| `primary.podLabels` | Map of labels to add to the pods (postgresql primary) | `{}` | +| `primary.priorityClassName` | Priority Class to use for each pod (postgresql primary) | `nil` | +| `primary.extraInitContainers` | Additional init containers to add to the pods (postgresql primary) | `[]` | +| `primary.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql primary) | `[]` | +| `primary.extraVolumes` | Additional volumes to add to the pods (postgresql primary) | `[]` | +| `primary.sidecars` | Add additional containers to the pod | `[]` | +| `primary.service.type` | Allows using a different service type for primary | `nil` | +| `primary.service.nodePort` | Allows using a different nodePort for primary | `nil` | +| `primary.service.clusterIP` | Allows using a different clusterIP for primary | `nil` | +| `primaryAsStandBy.enabled` | Whether to enable current cluster's primary as standby server of another cluster or not. | `false` | +| `primaryAsStandBy.primaryHost` | The Host of replication primary in the other cluster. | `nil` | +| `primaryAsStandBy.primaryPort ` | The Port of replication primary in the other cluster. | `nil` | +| `readReplicas.podAffinityPreset` | PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `readReplicas.podAntiAffinityPreset` | PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `readReplicas.nodeAffinityPreset.type` | PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `readReplicas.nodeAffinityPreset.key` | PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. | `""` | +| `readReplicas.nodeAffinityPreset.values` | PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. | `[]` | +| `readReplicas.affinity` | Affinity for PostgreSQL read only pods assignment | `{}` (evaluated as a template) | +| `readReplicas.nodeSelector` | Node labels for PostgreSQL read only pods assignment | `{}` (evaluated as a template) | +| `readReplicas.anotations` | Map of annotations to add to the statefulsets (postgresql readReplicas) | `{}` | +| `readReplicas.resources` | CPU/Memory resource requests/limits override for readReplicass. Will fallback to `values.resources` if not defined. | `{}` | +| `readReplicas.labels` | Map of labels to add to the statefulsets (postgresql readReplicas) | `{}` | +| `readReplicas.podAnnotations` | Map of annotations to add to the pods (postgresql readReplicas) | `{}` | +| `readReplicas.podLabels` | Map of labels to add to the pods (postgresql readReplicas) | `{}` | +| `readReplicas.priorityClassName` | Priority Class to use for each pod (postgresql readReplicas) | `nil` | +| `readReplicas.extraInitContainers` | Additional init containers to add to the pods (postgresql readReplicas) | `[]` | +| `readReplicas.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql readReplicas) | `[]` | +| `readReplicas.extraVolumes` | Additional volumes to add to the pods (postgresql readReplicas) | `[]` | +| `readReplicas.sidecars` | Add additional containers to the pod | `[]` | +| `readReplicas.service.type` | Allows using a different service type for readReplicas | `nil` | +| `readReplicas.service.nodePort` | Allows using a different nodePort for readReplicas | `nil` | +| `readReplicas.service.clusterIP` | Allows using a different clusterIP for readReplicas | `nil` | +| `readReplicas.persistence.enabled` | Whether to enable readReplicas replicas persistence | `true` | +| `terminationGracePeriodSeconds` | Seconds the pod needs to terminate gracefully | `nil` | +| `resources` | CPU/Memory resource requests/limits | Memory: `256Mi`, CPU: `250m` | +| `securityContext.*` | Other pod security context to be included as-is in the pod spec | `{}` | +| `securityContext.enabled` | Enable security context | `true` | +| `securityContext.fsGroup` | Group ID for the pod | `1001` | +| `containerSecurityContext.*` | Other container security context to be included as-is in the container spec | `{}` | +| `containerSecurityContext.enabled` | Enable container security context | `true` | +| `containerSecurityContext.runAsUser` | User ID for the container | `1001` | +| `serviceAccount.enabled` | Enable service account (Note: Service Account will only be automatically created if `serviceAccount.name` is not set) | `false` | +| `serviceAccount.name` | Name of existing service account | `nil` | +| `livenessProbe.enabled` | Would you like a livenessProbe to be enabled | `true` | +| `networkPolicy.enabled` | Enable NetworkPolicy | `false` | +| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `networkPolicy.explicitNamespacesSelector` | A Kubernetes LabelSelector to explicitly select namespaces from which ingress traffic could be allowed | `{}` | +| `livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 | +| `livenessProbe.periodSeconds` | How often to perform the probe | 10 | +| `livenessProbe.timeoutSeconds` | When the probe times out | 5 | +| `livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | +| `livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | +| `readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 5 | +| `readinessProbe.periodSeconds` | How often to perform the probe | 10 | +| `readinessProbe.timeoutSeconds` | When the probe times out | 5 | +| `readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | +| `readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `tls.enabled` | Enable TLS traffic support | `false` | +| `tls.preferServerCiphers` | Whether to use the server's TLS cipher preferences rather than the client's | `true` | +| `tls.certificatesSecret` | Name of an existing secret that contains the certificates | `nil` | +| `tls.certFilename` | Certificate filename | `""` | +| `tls.certKeyFilename` | Certificate key filename | `""` | +| `tls.certCAFilename` | CA Certificate filename. If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate. | `nil` | +| `tls.crlFilename` | File containing a Certificate Revocation List | `nil` | +| `metrics.enabled` | Start a prometheus exporter | `false` | +| `metrics.service.type` | Kubernetes Service type | `ClusterIP` | +| `service.clusterIP` | Static clusterIP or None for headless services | `nil` | +| `metrics.service.annotations` | Additional annotations for metrics exporter pod | `{ prometheus.io/scrape: "true", prometheus.io/port: "9187"}` | +| `metrics.service.loadBalancerIP` | loadBalancerIP if redis metrics service type is `LoadBalancer` | `nil` | +| `metrics.serviceMonitor.enabled` | Set this to `true` to create ServiceMonitor for Prometheus operator | `false` | +| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.namespace` | Optional namespace in which to create ServiceMonitor | `nil` | +| `metrics.serviceMonitor.interval` | Scrape interval. If not set, the Prometheus default scrape interval is used | `nil` | +| `metrics.serviceMonitor.scrapeTimeout` | Scrape timeout. If not set, the Prometheus default scrape timeout is used | `nil` | +| `metrics.prometheusRule.enabled` | Set this to true to create prometheusRules for Prometheus operator | `false` | +| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.namespace` | namespace where prometheusRules resource should be created | the same namespace as postgresql | +| `metrics.prometheusRule.rules` | [rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) to be created, check values for an example. | `[]` | +| `metrics.image.registry` | PostgreSQL Exporter Image registry | `docker.io` | +| `metrics.image.repository` | PostgreSQL Exporter Image name | `bitnami/postgres-exporter` | +| `metrics.image.tag` | PostgreSQL Exporter Image tag | `{TAG_NAME}` | +| `metrics.image.pullPolicy` | PostgreSQL Exporter Image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) | +| `metrics.customMetrics` | Additional custom metrics | `nil` | +| `metrics.extraEnvVars` | Extra environment variables to add to exporter | `{}` (evaluated as a template) | +| `metrics.securityContext.*` | Other container security context to be included as-is in the container spec | `{}` | +| `metrics.securityContext.enabled` | Enable security context for metrics | `false` | +| `metrics.securityContext.runAsUser` | User ID for the container for metrics | `1001` | +| `metrics.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 | +| `metrics.livenessProbe.periodSeconds` | How often to perform the probe | 10 | +| `metrics.livenessProbe.timeoutSeconds` | When the probe times out | 5 | +| `metrics.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | +| `metrics.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `metrics.readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 5 | +| `metrics.readinessProbe.periodSeconds` | How often to perform the probe | 10 | +| `metrics.readinessProbe.timeoutSeconds` | When the probe times out | 5 | +| `metrics.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | +| `metrics.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | +| `updateStrategy` | Update strategy policy | `{type: "RollingUpdate"}` | +| `psp.create` | Create Pod Security Policy | `false` | +| `rbac.create` | Create Role and RoleBinding (required for PSP to work) | `false` | +| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template). | `nil` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +$ helm install my-release \ + --set postgresqlPassword=secretpassword,postgresqlDatabase=my-database \ + bitnami/postgresql +``` + +The above command sets the PostgreSQL `postgres` account password to `secretpassword`. Additionally it creates a database named `my-database`. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```console +$ helm install my-release -f values.yaml bitnami/postgresql +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Configuration and installation details + +### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Production configuration and horizontal scaling + +This chart includes a `values-production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. You can use this file instead of the default one. + +- Enable replication: +```diff +- replication.enabled: false ++ replication.enabled: true +``` + +- Number of read replicas: +```diff +- replication.readReplicas: 1 ++ replication.readReplicas: 2 +``` + +- Set synchronous commit mode: +```diff +- replication.synchronousCommit: "off" ++ replication.synchronousCommit: "on" +``` + +- Number of replicas that will have synchronous replication: +```diff +- replication.numSynchronousReplicas: 0 ++ replication.numSynchronousReplicas: 1 +``` + +- Start a prometheus exporter: +```diff +- metrics.enabled: false ++ metrics.enabled: true +``` + +To horizontally scale this chart, you can use the `--replicas` flag to modify the number of nodes in your PostgreSQL deployment. Also you can use the `values-production.yaml` file or modify the parameters shown above. + +### Customizing primary and read replica services in a replicated configuration + +At the top level, there is a service object which defines the services for both primary and readReplicas. For deeper customization, there are service objects for both the primary and read types individually. This allows you to override the values in the top level service object so that the primary and read can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the primary and read to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the primary.service or readReplicas.service objects will take precedence over the top level service object. + +### Change PostgreSQL version + +To modify the PostgreSQL version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/postgresql/tags/) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters. + +### postgresql.conf / pg_hba.conf files as configMap + +This helm chart also supports to customize the whole configuration file. + +Add your custom file to "files/postgresql.conf" in your working directory. This file will be mounted as configMap to the containers and it will be used for configuring the PostgreSQL server. + +Alternatively, you can specify PostgreSQL configuration parameters using the `postgresqlConfiguration` parameter as a dict, using camelCase, e.g. {"sharedBuffers": "500MB"}. + +In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `configurationConfigMap` parameter. Note that this will override the two previous options. + +### Allow settings to be loaded from files other than the default `postgresql.conf` + +If you don't want to provide the whole PostgreSQL configuration file and only specify certain parameters, you can add your extended `.conf` files to "files/conf.d/" in your working directory. +Those files will be mounted as configMap to the containers adding/overwriting the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`. + +Alternatively, you can also set an external ConfigMap with all the extra configuration files. This is done by setting the `extendedConfConfigMap` parameter. Note that this will override the previous option. + +### Initialize a fresh instance + +The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, they must be located inside the chart folder `files/docker-entrypoint-initdb.d` so they can be consumed as a ConfigMap. + +Alternatively, you can specify custom scripts using the `initdbScripts` parameter as dict. + +In addition to these options, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `initdbScriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `initdbScriptsSecret` parameter. + +The allowed extensions are `.sh`, `.sql` and `.sql.gz`. + +### Securing traffic using TLS + +TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart: + +- `tls.enabled`: Enable TLS support. Defaults to `false` +- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults. +- `tls.certFilename`: Certificate filename. No defaults. +- `tls.certKeyFilename`: Certificate key filename. No defaults. + +For example: + +* First, create the secret with the cetificates files: + + ```console + kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt + ``` + +* Then, use the following parameters: + + ```console + volumePermissions.enabled=true + tls.enabled=true + tls.certificatesSecret="certificates-tls-secret" + tls.certFilename="cert.crt" + tls.certKeyFilename="cert.key" + ``` + + > Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `containerSecurityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected. + +### Sidecars + +If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec. + +```yaml +# For the PostgreSQL primary +primary: + sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +# For the PostgreSQL replicas +readReplicas: + sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +### Metrics + +The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). + +The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details. + +### Use of global variables + +In more complex scenarios, we may have the following tree of dependencies + +``` + +--------------+ + | | + +------------+ Chart 1 +-----------+ + | | | | + | --------+------+ | + | | | + | | | + | | | + | | | + v v v ++-------+------+ +--------+------+ +--------+------+ +| | | | | | +| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 | +| | | | | | ++--------------+ +---------------+ +---------------+ +``` + +The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters: + +``` +postgresql.postgresqlPassword=testtest +subchart1.postgresql.postgresqlPassword=testtest +subchart2.postgresql.postgresqlPassword=testtest +postgresql.postgresqlDatabase=db1 +subchart1.postgresql.postgresqlDatabase=db1 +subchart2.postgresql.postgresqlDatabase=db1 +``` + +If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows: + +``` +global.postgresql.postgresqlPassword=testtest +global.postgresql.postgresqlDatabase=db1 +``` + +This way, the credentials will be available in all of the subcharts. + +## Persistence + +The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container. + +Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. +See the [Parameters](#parameters) section to configure the PVC or to disable persistence. + +If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to [code](https://github.com/bitnami/bitnami-docker-postgresql/blob/8725fe1d7d30ebe8d9a16e9175d05f7ad9260c93/9.6/debian-9/rootfs/libpostgresql.sh#L518-L556). If you need to use those data, please covert them to sql and import after `helm install` finished. + +## NetworkPolicy + +To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. + +For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace: + +```console +$ kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" +``` + +With NetworkPolicy enabled, traffic will be limited to just port 5432. + +For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL. +This label will be displayed in the output of a successful install. + +## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image + +- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image. +- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift. +- For OpenShift, one may either define the runAsUser and fsGroup accordingly, or try this more dynamic option: volumePermissions.securityContext.runAsUser="auto",securityContext.enabled=false,containerSecurityContext.enabled=false,shmVolume.chmod.enabled=false + +### Deploy chart using Docker Official PostgreSQL Image + +From chart version 4.0.0, it is possible to use this chart with the Docker Official PostgreSQL image. +Besides specifying the new Docker repository and tag, it is important to modify the PostgreSQL data directory and volume mount point. Basically, the PostgreSQL data dir cannot be the mount point directly, it has to be a subdirectory. + +``` +image.repository=postgres +image.tag=10.6 +postgresqlDataDir=/data/pgdata +persistence.mountPath=/data/ +``` + +### Setting Pod's affinity + +This chart allows you to set your custom affinity using the `XXX.affinity` paremeter(s). Find more infomation about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/master/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami’s Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). + +## Upgrading + +It's necessary to specify the existing passwords while performing an upgrade to ensure the secrets are not updated with invalid randomly generated passwords. Remember to specify the existing values of the `postgresqlPassword` and `replication.password` parameters when upgrading the chart: + +```bash +$ helm upgrade my-release bitnami/postgresql \ + --set postgresqlPassword=[POSTGRESQL_PASSWORD] \ + --set replication.password=[REPLICATION_PASSWORD] +``` + +> Note: you need to substitute the placeholders _[POSTGRESQL_PASSWORD]_, and _[REPLICATION_PASSWORD]_ with the values obtained from instructions in the installation notes. + +### To 10.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +**What changes were introduced in this major version?** + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Move dependency information from the *requirements.yaml* to the *Chart.yaml* +- After running `helm dependency update`, a *Chart.lock* file is generated containing the same structure used in the previous *requirements.lock* +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Chart. + +**Considerations when upgrading to this version** + +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +**Useful links** + +- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ +- https://helm.sh/docs/topics/v2_v3_migration/ +- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ + +#### Breaking changes + +- The term `master` has been replaced with `primary` and `slave` with `readReplicas` throughout the chart. Role names have changed from `master` and `slave` to `primary` and `read`. + +To upgrade to `10.0.0`, it should be done reusing the PVCs used to hold the PostgreSQL data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is `postgresql`): + +> NOTE: Please, create a backup of your database before running any of those actions. + +Obtain the credentials and the names of the PVCs used to hold the PostgreSQL data on your current release: + +```console +$ export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) +$ export POSTGRESQL_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=postgresql,role=master -o jsonpath="{.items[0].metadata.name}") +``` + +Delete the PostgreSQL statefulset. Notice the option `--cascade=false`: + +```console +$ kubectl delete statefulsets.apps postgresql-postgresql --cascade=false +``` + +Now the upgrade works: + +```console +$ helm upgrade postgresql bitnami/postgresql --set postgresqlPassword=$POSTGRESQL_PASSWORD --set persistence.existingClaim=$POSTGRESQL_PVC +``` + +You will have to delete the existing MariaDB pod and the new statefulset is going to create a new one + +```console +$ kubectl delete pod postgresql-postgresql-0 +``` + +Finally, you should see the lines below in MariaDB container logs: + +```console +$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}") +... +postgresql 08:05:12.59 INFO ==> Deploying PostgreSQL with persisted data... +... +``` + +### To 9.0.0 + +In this version the chart was adapted to follow the Helm label best practices, see [PR 3021](https://github.com/bitnami/charts/pull/3021). That means the backward compatibility is not guarantee when upgrading the chart to this major version. + +As a workaround, you can delete the existing statefulset (using the `--cascade=false` flag pods are not deleted) before upgrade the chart. For example, this can be a valid workflow: + +- Deploy an old version (8.X.X) + +```console +$ helm install postgresql bitnami/postgresql --version 8.10.14 +``` + +- Old version is up and running + +```console +$ helm ls +NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION +postgresql default 1 2020-08-04 13:39:54.783480286 +0000 UTC deployed postgresql-8.10.14 11.8.0 + +$ kubectl get pods +NAME READY STATUS RESTARTS AGE +postgresql-postgresql-0 1/1 Running 0 76s +``` + +- The upgrade to the latest one (9.X.X) is going to fail + +```console +$ helm upgrade postgresql bitnami/postgresql +Error: UPGRADE FAILED: cannot patch "postgresql-postgresql" with kind StatefulSet: StatefulSet.apps "postgresql-postgresql" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden +``` + +- Delete the statefulset + +```console +$ kubectl delete statefulsets.apps --cascade=false postgresql-postgresql +statefulset.apps "postgresql-postgresql" deleted +``` + +- Now the upgrade works + +```console +$ helm upgrade postgresql bitnami/postgresql +$ helm ls +NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION +postgresql default 3 2020-08-04 13:42:08.020385884 +0000 UTC deployed postgresql-9.1.2 11.8.0 +``` + +- We can kill the existing pod and the new statefulset is going to create a new one: + +```console +$ kubectl delete pod postgresql-postgresql-0 +pod "postgresql-postgresql-0" deleted + +$ kubectl get pods +NAME READY STATUS RESTARTS AGE +postgresql-postgresql-0 1/1 Running 0 19s +``` + +Please, note that without the `--cascade=false` both objects (statefulset and pod) are going to be removed and both objects will be deployed again with the `helm upgrade` command + +### To 8.0.0 + +Prefixes the port names with their protocols to comply with Istio conventions. + +If you depend on the port names in your setup, make sure to update them to reflect this change. + +### To 7.1.0 + +Adds support for LDAP configuration. + +### To 7.0.0 + +Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. Changing the GVK is considered a compatibility breaker from Kubernetes' point of view, so you cannot "upgrade" those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec. + +In https://github.com/helm/charts/pull/17281 the `apiVersion` of the statefulset resources was updated to `apps/v1` in tune with the api's deprecated, resulting in compatibility breakage. + +This major version bump signifies this change. + +### To 6.5.7 + +In this version, the chart will use PostgreSQL with the Postgis extension included. The version used with Postgresql version 10, 11 and 12 is Postgis 2.5. It has been compiled with the following dependencies: + +- protobuf +- protobuf-c +- json-c +- geos +- proj + +### To 5.0.0 + +In this version, the **chart is using PostgreSQL 11 instead of PostgreSQL 10**. You can find the main difference and notable changes in the following links: [https://www.postgresql.org/about/news/1894/](https://www.postgresql.org/about/news/1894/) and [https://www.postgresql.org/about/featurematrix/](https://www.postgresql.org/about/featurematrix/). + +For major releases of PostgreSQL, the internal data storage format is subject to change, thus complicating upgrades, you can see some errors like the following one in the logs: + +```console +Welcome to the Bitnami postgresql container +Subscribe to project updates by watching https://github.com/bitnami/bitnami-docker-postgresql +Submit issues and feature requests at https://github.com/bitnami/bitnami-docker-postgresql/issues +Send us your feedback at containers@bitnami.com + +INFO ==> ** Starting PostgreSQL setup ** +NFO ==> Validating settings in POSTGRESQL_* env vars.. +INFO ==> Initializing PostgreSQL database... +INFO ==> postgresql.conf file not detected. Generating it... +INFO ==> pg_hba.conf file not detected. Generating it... +INFO ==> Deploying PostgreSQL with persisted data... +INFO ==> Configuring replication parameters +INFO ==> Loading custom scripts... +INFO ==> Enabling remote connections +INFO ==> Stopping PostgreSQL... +INFO ==> ** PostgreSQL setup finished! ** + +INFO ==> ** Starting PostgreSQL ** + [1] FATAL: database files are incompatible with server + [1] DETAIL: The data directory was initialized by PostgreSQL version 10, which is not compatible with this version 11.3. +``` + +In this case, you should migrate the data from the old chart to the new one following an approach similar to that described in [this section](https://www.postgresql.org/docs/current/upgrading.html#UPGRADING-VIA-PGDUMPALL) from the official documentation. Basically, create a database dump in the old chart, move and restore it in the new one. + +### To 4.0.0 + +This chart will use by default the Bitnami PostgreSQL container starting from version `10.7.0-r68`. This version moves the initialization logic from node.js to bash. This new version of the chart requires setting the `POSTGRES_PASSWORD` in the slaves as well, in order to properly configure the `pg_hba.conf` file. Users from previous versions of the chart are advised to upgrade immediately. + +IMPORTANT: If you do not want to upgrade the chart version then make sure you use the `10.7.0-r68` version of the container. Otherwise, you will get this error + +``` +The POSTGRESQL_PASSWORD environment variable is empty or not set. Set the environment variable ALLOW_EMPTY_PASSWORD=yes to allow the container to be started with blank passwords. This is recommended only for development +``` + +### To 3.0.0 + +This releases make it possible to specify different nodeSelector, affinity and tolerations for master and slave pods. +It also fixes an issue with `postgresql.master.fullname` helper template not obeying fullnameOverride. + +#### Breaking changes + +- `affinty` has been renamed to `master.affinity` and `slave.affinity`. +- `tolerations` has been renamed to `master.tolerations` and `slave.tolerations`. +- `nodeSelector` has been renamed to `master.nodeSelector` and `slave.nodeSelector`. + +### To 2.0.0 + +In order to upgrade from the `0.X.X` branch to `1.X.X`, you should follow the below steps: + +- Obtain the service name (`SERVICE_NAME`) and password (`OLD_PASSWORD`) of the existing postgresql chart. You can find the instructions to obtain the password in the NOTES.txt, the service name can be obtained by running + +```console +$ kubectl get svc +``` + +- Install (not upgrade) the new version + +```console +$ helm repo update +$ helm install my-release bitnami/postgresql +``` + +- Connect to the new pod (you can obtain the name by running `kubectl get pods`): + +```console +$ kubectl exec -it NAME bash +``` + +- Once logged in, create a dump file from the previous database using `pg_dump`, for that we should connect to the previous postgresql chart: + +```console +$ pg_dump -h SERVICE_NAME -U postgres DATABASE_NAME > /tmp/backup.sql +``` + +After run above command you should be prompted for a password, this password is the previous chart password (`OLD_PASSWORD`). +This operation could take some time depending on the database size. + +- Once you have the backup file, you can restore it with a command like the one below: + +```console +$ psql -U postgres DATABASE_NAME < /tmp/backup.sql +``` + +In this case, you are accessing to the local postgresql, so the password should be the new one (you can find it in NOTES.txt). + +If you want to restore the database and the database schema does not exist, it is necessary to first follow the steps described below. + +```console +$ psql -U postgres +postgres=# drop database DATABASE_NAME; +postgres=# create database DATABASE_NAME; +postgres=# create user USER_NAME; +postgres=# alter role USER_NAME with password 'BITNAMI_USER_PASSWORD'; +postgres=# grant all privileges on database DATABASE_NAME to USER_NAME; +postgres=# alter database DATABASE_NAME owner to USER_NAME; +``` diff --git a/stable/ckan/charts/postgresql/charts/common/.helmignore b/stable/ckan/charts/postgresql/charts/common/.helmignore new file mode 100644 index 00000000..50af0317 --- /dev/null +++ b/stable/ckan/charts/postgresql/charts/common/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/stable/ckan/charts/postgresql/charts/common/Chart.yaml b/stable/ckan/charts/postgresql/charts/common/Chart.yaml new file mode 100644 index 00000000..1bda8e2d --- /dev/null +++ b/stable/ckan/charts/postgresql/charts/common/Chart.yaml @@ -0,0 +1,23 @@ +annotations: + category: Infrastructure +apiVersion: v2 +appVersion: 1.1.1 +description: A Library Helm Chart for grouping common logic between bitnami charts. + This chart is not deployable by itself. +home: https://github.com/bitnami/charts/tree/master/bitnami/common +icon: https://bitnami.com/downloads/logos/bitnami-mark.png +keywords: +- common +- helper +- template +- function +- bitnami +maintainers: +- email: containers@bitnami.com + name: Bitnami +name: common +sources: +- https://github.com/bitnami/charts +- http://www.bitnami.com/ +type: library +version: 1.1.2 diff --git a/stable/ckan/charts/postgresql/charts/common/README.md b/stable/ckan/charts/postgresql/charts/common/README.md new file mode 100644 index 00000000..a6889536 --- /dev/null +++ b/stable/ckan/charts/postgresql/charts/common/README.md @@ -0,0 +1,309 @@ +# Bitnami Common Library Chart + +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts. + +## TL;DR + +```yaml +dependencies: + - name: common + version: 0.x.x + repository: https://charts.bitnami.com/bitnami +``` + +```bash +$ helm dependency update +``` + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} +data: + myvalue: "Hello World" +``` + +## Introduction + +This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications. + +## Prerequisites + +- Kubernetes 1.12+ +- Helm 3.0-beta3+ + +## Parameters + +The following table lists the helpers available in the library which are scoped in different sections. + +### Affinities + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.node.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.pod.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | +| `common.affinities.pod.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | + +### Capabilities + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context | +| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context | +| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context | + +### Errors + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` | + +### Images + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. | +| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` | + +### Labels + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context | +| `common.labels.matchLabels` | Return the proper Docker Image Registry Secret Names | `.` Chart context | + +### Names + +| Helper identifier | Description | Expected Inpput | +|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context | +| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context | +| `common.names.chart` | Chart name plus version | `.` Chart context | + +### Secrets + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. | +| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. | + +### Storage + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. | + +### TplValues + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frecuently is the chart context `$` or `.` | + +### Utils + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` | +| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` | +| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` | + +### Validations + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "context" $` secret and field are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) | +| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) | +| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. | +| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. | +| `common.validations.values.redis.passwords` | This helper will ensure required password for Redis are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper. | +| `common.validations.values.cassandra.passwords` | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper. | +| `common.validations.values.mongodb.passwords` | This helper will ensure required password for MongoDB are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper. | + +### Warnings + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | + +## Special input schemas + +### ImageRoot + +```yaml +registry: + type: string + description: Docker registry where the image is located + example: docker.io + +repository: + type: string + description: Repository and image name + example: bitnami/nginx + +tag: + type: string + description: image tag + example: 1.16.1-debian-10-r63 + +pullPolicy: + type: string + description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + +pullSecrets: + type: array + items: + type: string + description: Optionally specify an array of imagePullSecrets. + +debug: + type: boolean + description: Set to true if you would like to see extra information on logs + example: false + +## An instance would be: +# registry: docker.io +# repository: bitnami/nginx +# tag: 1.16.1-debian-10-r63 +# pullPolicy: IfNotPresent +# debug: false +``` + +### Persistence + +```yaml +enabled: + type: boolean + description: Whether enable persistence. + example: true + +storageClass: + type: string + description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. + example: "-" + +accessMode: + type: string + description: Access mode for the Persistent Volume Storage. + example: ReadWriteOnce + +size: + type: string + description: Size the Persistent Volume Storage. + example: 8Gi + +path: + type: string + description: Path to be persisted. + example: /bitnami + +## An instance would be: +# enabled: true +# storageClass: "-" +# accessMode: ReadWriteOnce +# size: 8Gi +# path: /bitnami +``` + +### ExistingSecret + +```yaml +name: + type: string + description: Name of the existing secret. + example: mySecret +keyMapping: + description: Mapping between the expected key name and the name of the key in the existing secret. + type: object + +## An instance would be: +# name: mySecret +# keyMapping: +# password: myPasswordKey +``` + +#### Example of use + +When we store sensitive data for a deployment in a secret, some times we want to give to users the possiblity of using theirs existing secrets. + +```yaml +# templates/secret.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + labels: + app: {{ include "common.names.fullname" . }} +type: Opaque +data: + password: {{ .Values.password | b64enc | quote }} + +# templates/dpl.yaml +--- +... + env: + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} + key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} +... + +# values.yaml +--- +name: mySecret +keyMapping: + password: myPasswordKey +``` + +### ValidateValue + +#### NOTES.txt + +```console +{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} + +{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} +``` + +If we force those values to be empty we will see some alerts + +```console +$ helm install test mychart --set path.to.value00="",path.to.value01="" + 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: + + export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 --decode) + + 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: + + export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 --decode) +``` + +## Upgrading + +### To 1.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +**What changes were introduced in this major version?** + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +**Considerations when upgrading to this version** + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +**Useful links** + +- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ +- https://helm.sh/docs/topics/v2_v3_migration/ +- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ diff --git a/stable/ckan/charts/postgresql/charts/common/templates/_affinities.tpl b/stable/ckan/charts/postgresql/charts/common/templates/_affinities.tpl new file mode 100644 index 00000000..1ff26d58 --- /dev/null +++ b/stable/ckan/charts/postgresql/charts/common/templates/_affinities.tpl @@ -0,0 +1,94 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a soft nodeAffinity definition +{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.soft" -}} +preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . }} + {{- end }} + weight: 1 +{{- end -}} + +{{/* +Return a hard nodeAffinity definition +{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.hard" -}} +requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . }} + {{- end }} +{{- end -}} + +{{/* +Return a nodeAffinity definition +{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.nodes.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.nodes.hard" . -}} + {{- end -}} +{{- end -}} + +{{/* +Return a soft podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "context" $) -}} +*/}} +{{- define "common.affinities.pods.soft" -}} +{{- $component := default "" .component -}} +preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + namespaces: + - {{ .context.Release.Namespace }} + topologyKey: kubernetes.io/hostname + weight: 1 +{{- end -}} + +{{/* +Return a hard podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "context" $) -}} +*/}} +{{- define "common.affinities.pods.hard" -}} +{{- $component := default "" .component -}} +requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + namespaces: + - {{ .context.Release.Namespace }} + topologyKey: kubernetes.io/hostname +{{- end -}} + +{{/* +Return a podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.pods" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.pods.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.pods.hard" . -}} + {{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/_capabilities.tpl b/stable/ckan/charts/postgresql/charts/common/templates/_capabilities.tpl new file mode 100644 index 00000000..143bef2a --- /dev/null +++ b/stable/ckan/charts/postgresql/charts/common/templates/_capabilities.tpl @@ -0,0 +1,33 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "common.capabilities.deployment.apiVersion" -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. +*/}} +{{- define "common.capabilities.statefulset.apiVersion" -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "apps/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "common.capabilities.ingress.apiVersion" -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/_errors.tpl b/stable/ckan/charts/postgresql/charts/common/templates/_errors.tpl new file mode 100644 index 00000000..d6d3ec65 --- /dev/null +++ b/stable/ckan/charts/postgresql/charts/common/templates/_errors.tpl @@ -0,0 +1,20 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Through error when upgrading using empty passwords values that must not be empty. + +Usage: +{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} +{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} +{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} + +Required password params: + - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. + - context - Context - Required. Parent context. +*/}} +{{- define "common.errors.upgrade.passwords.empty" -}} + {{- $validationErrors := join "" .validationErrors -}} + {{- if and $validationErrors .context.Release.IsUpgrade -}} + {{- $errorString := "\nPASSWORDS ERROR: you must provide your current passwords when upgrade the release%s" -}} + {{- printf $errorString $validationErrors | fail -}} + {{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/_images.tpl b/stable/ckan/charts/postgresql/charts/common/templates/_images.tpl new file mode 100644 index 00000000..aafde9f3 --- /dev/null +++ b/stable/ckan/charts/postgresql/charts/common/templates/_images.tpl @@ -0,0 +1,43 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper image name +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }} +*/}} +{{- define "common.images.image" -}} +{{- $registryName := .imageRoot.registry -}} +{{- $repositoryName := .imageRoot.repository -}} +{{- $tag := .imageRoot.tag | toString -}} +{{- if .global }} + {{- if .global.imageRegistry }} + {{- $registryName = .global.imageRegistry -}} + {{- end -}} +{{- end -}} +{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} +*/}} +{{- define "common.images.pullSecrets" -}} + {{- $pullSecrets := list }} + + {{- if .global }} + {{- range .global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/_labels.tpl b/stable/ckan/charts/postgresql/charts/common/templates/_labels.tpl new file mode 100644 index 00000000..252066c7 --- /dev/null +++ b/stable/ckan/charts/postgresql/charts/common/templates/_labels.tpl @@ -0,0 +1,18 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Kubernetes standard labels +*/}} +{{- define "common.labels.standard" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +helm.sh/chart: {{ include "common.names.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector +*/}} +{{- define "common.labels.matchLabels" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/_names.tpl b/stable/ckan/charts/postgresql/charts/common/templates/_names.tpl new file mode 100644 index 00000000..adf2a74f --- /dev/null +++ b/stable/ckan/charts/postgresql/charts/common/templates/_names.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "common.names.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "common.names.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "common.names.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/_secrets.tpl b/stable/ckan/charts/postgresql/charts/common/templates/_secrets.tpl new file mode 100644 index 00000000..ebfb5d42 --- /dev/null +++ b/stable/ckan/charts/postgresql/charts/common/templates/_secrets.tpl @@ -0,0 +1,57 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Generate secret name. + +Usage: +{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.secrets.name" -}} +{{- $name := (include "common.names.fullname" .context) -}} + +{{- if .defaultNameSuffix -}} +{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- with .existingSecret -}} +{{- if not (typeIs "string" .) -}} +{{- $name = .name -}} +{{- else -}} +{{- $name = . -}} +{{- end -}} +{{- end -}} + +{{- printf "%s" $name -}} +{{- end -}} + +{{/* +Generate secret key. + +Usage: +{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - key - String - Required. Name of the key in the secret. +*/}} +{{- define "common.secrets.key" -}} +{{- $key := .key -}} + +{{- if .existingSecret -}} + {{- if not (typeIs "string" .existingSecret) -}} + {{- if .existingSecret.keyMapping -}} + {{- $key = index .existingSecret.keyMapping $.key -}} + {{- end -}} + {{- end }} +{{- end -}} + +{{- printf "%s" $key -}} +{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/_storage.tpl b/stable/ckan/charts/postgresql/charts/common/templates/_storage.tpl new file mode 100644 index 00000000..60e2a844 --- /dev/null +++ b/stable/ckan/charts/postgresql/charts/common/templates/_storage.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper Storage Class +{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} +*/}} +{{- define "common.storage.class" -}} + +{{- $storageClass := .persistence.storageClass -}} +{{- if .global -}} + {{- if .global.storageClass -}} + {{- $storageClass = .global.storageClass -}} + {{- end -}} +{{- end -}} + +{{- if $storageClass -}} + {{- if (eq "-" $storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" $storageClass -}} + {{- end -}} +{{- end -}} + +{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/_tplvalues.tpl b/stable/ckan/charts/postgresql/charts/common/templates/_tplvalues.tpl new file mode 100644 index 00000000..2db16685 --- /dev/null +++ b/stable/ckan/charts/postgresql/charts/common/templates/_tplvalues.tpl @@ -0,0 +1,13 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Renders a value that contains template. +Usage: +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "common.tplvalues.render" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/_utils.tpl b/stable/ckan/charts/postgresql/charts/common/templates/_utils.tpl new file mode 100644 index 00000000..74774a3c --- /dev/null +++ b/stable/ckan/charts/postgresql/charts/common/templates/_utils.tpl @@ -0,0 +1,45 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Print instructions to get a secret value. +Usage: +{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} +*/}} +{{- define "common.utils.secret.getvalue" -}} +{{- $varname := include "common.utils.fieldToEnvVar" . -}} +export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 --decode) +{{- end -}} + +{{/* +Build env var name given a field +Usage: +{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} +*/}} +{{- define "common.utils.fieldToEnvVar" -}} + {{- $fieldNameSplit := splitList "-" .field -}} + {{- $upperCaseFieldNameSplit := list -}} + + {{- range $fieldNameSplit -}} + {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} + {{- end -}} + + {{ join "_" $upperCaseFieldNameSplit }} +{{- end -}} + +{{/* +Gets a value from .Values given +Usage: +{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} +*/}} +{{- define "common.utils.getValueFromKey" -}} +{{- $splitKey := splitList "." .key -}} +{{- $value := "" -}} +{{- $latestObj := $.context.Values -}} +{{- range $splitKey -}} + {{- if not $latestObj -}} + {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} + {{- end -}} + {{- $value = ( index $latestObj . ) -}} + {{- $latestObj = $value -}} +{{- end -}} +{{- printf "%v" (default "" $value) -}} +{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/_warnings.tpl b/stable/ckan/charts/postgresql/charts/common/templates/_warnings.tpl new file mode 100644 index 00000000..ae10fa41 --- /dev/null +++ b/stable/ckan/charts/postgresql/charts/common/templates/_warnings.tpl @@ -0,0 +1,14 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Warning about using rolling tag. +Usage: +{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} +*/}} +{{- define "common.warnings.rollingTag" -}} + +{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ +{{- end }} + +{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/validations/_cassandra.tpl b/stable/ckan/charts/postgresql/charts/common/templates/validations/_cassandra.tpl new file mode 100644 index 00000000..7a274a08 --- /dev/null +++ b/stable/ckan/charts/postgresql/charts/common/templates/validations/_cassandra.tpl @@ -0,0 +1,72 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Cassandra required passwords are not empty. + +Usage: +{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret" + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.cassandra.passwords" -}} + {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}} + {{- $enabled := include "common.cassandra.values.enabled" . -}} + {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} + {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} + + {{- if and (not $existingSecret) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to get the right value for existingSecret. + +Usage: +{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.dbUser.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to get the right value for enabled cassandra. + +Usage: +{{ include "common.cassandra.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.cassandra.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.cassandra.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to get the right value for the key dbUser + +Usage: +{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.key.dbUser" -}} + {{- if .subchart -}} + cassandra.dbUser + {{- else -}} + dbUser + {{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/validations/_mariadb.tpl b/stable/ckan/charts/postgresql/charts/common/templates/validations/_mariadb.tpl new file mode 100644 index 00000000..3bf669dd --- /dev/null +++ b/stable/ckan/charts/postgresql/charts/common/templates/validations/_mariadb.tpl @@ -0,0 +1,103 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MariaDB required passwords are not empty. + +Usage: +{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mariadb.passwords" -}} + {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mariadb.values.enabled" . -}} + {{- $architecture := include "common.mariadb.values.architecture" . -}} + {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (not $existingSecret) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to get the right value for existingSecret. + +Usage: +{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to get the right value for enabled mariadb. + +Usage: +{{ include "common.mariadb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mariadb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mariadb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to get the right value for architecture + +Usage: +{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to get the right value for the key auth + +Usage: +{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.key.auth" -}} + {{- if .subchart -}} + mariadb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/validations/_mongodb.tpl b/stable/ckan/charts/postgresql/charts/common/templates/validations/_mongodb.tpl new file mode 100644 index 00000000..7e0c1cbc --- /dev/null +++ b/stable/ckan/charts/postgresql/charts/common/templates/validations/_mongodb.tpl @@ -0,0 +1,108 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MongoDB required passwords are not empty. + +Usage: +{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MongoDB values are stored, e.g: "mongodb-passwords-secret" + - subchart - Boolean - Optional. Whether MongoDB is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mongodb.passwords" -}} + {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mongodb.values.enabled" . -}} + {{- $authPrefix := include "common.mongodb.values.key.auth" . -}} + {{- $architecture := include "common.mongodb.values.architecture" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}} + {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}} + + {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} + + {{- if and (not $existingSecret) (eq $enabled "true") (eq $authEnabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }} + {{- if and $valueUsername $valueDatabase -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replicaset") -}} + {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to get the right value for existingSecret. + +Usage: +{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to get the right value for enabled mongodb. + +Usage: +{{ include "common.mongodb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mongodb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mongodb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to get the right value for the key auth + +Usage: +{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.key.auth" -}} + {{- if .subchart -}} + mongodb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to get the right value for architecture + +Usage: +{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/validations/_postgresql.tpl b/stable/ckan/charts/postgresql/charts/common/templates/validations/_postgresql.tpl new file mode 100644 index 00000000..f25e0ffb --- /dev/null +++ b/stable/ckan/charts/postgresql/charts/common/templates/validations/_postgresql.tpl @@ -0,0 +1,131 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate PostgreSQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret" + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.postgresql.passwords" -}} + {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} + {{- $enabled := include "common.postgresql.values.enabled" . -}} + {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} + {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} + + {{- if and (not $existingSecret) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} + + {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} + {{- if (eq $enabledReplication "true") -}} + {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to decide whether evaluate global values. + +Usage: +{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} +Params: + - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" +*/}} +{{- define "common.postgresql.values.use.global" -}} + {{- if .context.Values.global -}} + {{- if .context.Values.global.postgresql -}} + {{- index .context.Values.global.postgresql .key | quote -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to get the right value for existingSecret. + +Usage: +{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.existingSecret" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} + + {{- if .subchart -}} + {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} + {{- else -}} + {{- default (.context.Values.existingSecret | quote) $globalValue -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to get the right value for enabled postgresql. + +Usage: +{{ include "common.postgresql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to get the right value for the key postgressPassword. + +Usage: +{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.postgressPassword" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} + + {{- if not $globalValue -}} + {{- if .subchart -}} + postgresql.postgresqlPassword + {{- else -}} + postgresqlPassword + {{- end -}} + {{- else -}} + global.postgresql.postgresqlPassword + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to get the right value for enabled.replication. + +Usage: +{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.enabled.replication" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.replication.enabled -}} + {{- else -}} + {{- printf "%v" .context.Values.replication.enabled -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to get the right value for the key replication.password. + +Usage: +{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.replicationPassword" -}} + {{- if .subchart -}} + postgresql.replication.password + {{- else -}} + replication.password + {{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/validations/_redis.tpl b/stable/ckan/charts/postgresql/charts/common/templates/validations/_redis.tpl new file mode 100644 index 00000000..2ccc04d2 --- /dev/null +++ b/stable/ckan/charts/postgresql/charts/common/templates/validations/_redis.tpl @@ -0,0 +1,72 @@ + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Redis required passwords are not empty. + +Usage: +{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret" + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.redis.passwords" -}} + {{- $existingSecret := include "common.redis.values.existingSecret" . -}} + {{- $enabled := include "common.redis.values.enabled" . -}} + {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} + {{- $valueKeyRedisPassword := printf "%s%s" $valueKeyPrefix "password" -}} + {{- $valueKeyRedisUsePassword := printf "%s%s" $valueKeyPrefix "usePassword" -}} + + {{- if and (not $existingSecret) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $usePassword := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUsePassword "context" .context) -}} + {{- if eq $usePassword "true" -}} + {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Redis Auxiliar function to get the right value for existingSecret. + +Usage: +{{ include "common.redis.values.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Redis is used as subchart or not. Default: false +*/}} +{{- define "common.redis.values.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.redis.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to get the right value for enabled redis. + +Usage: +{{ include "common.redis.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.redis.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.redis.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliar function to get the right prefix path for the values + +Usage: +{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.redis.values.keys.prefix" -}} + {{- if .subchart -}}redis.{{- else -}}{{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/validations/_validations.tpl b/stable/ckan/charts/postgresql/charts/common/templates/validations/_validations.tpl new file mode 100644 index 00000000..d4cf32c7 --- /dev/null +++ b/stable/ckan/charts/postgresql/charts/common/templates/validations/_validations.tpl @@ -0,0 +1,44 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate values must not be empty. + +Usage: +{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} +{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" +*/}} +{{- define "common.validations.values.multiple.empty" -}} + {{- range .required -}} + {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} + {{- end -}} +{{- end -}} + +{{/* +Validate a value must not be empty. + +Usage: +{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" +*/}} +{{- define "common.validations.values.single.empty" -}} + {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} + + {{- if not $value -}} + {{- $varname := "my-value" -}} + {{- $getCurrentValue := "" -}} + {{- if and .secret .field -}} + {{- $varname = include "common.utils.fieldToEnvVar" . -}} + {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} + {{- end -}} + {{- printf "\n '%s' must not be empty, please add '--set %s=$%s' to the command.%s" .valueKey .valueKey $varname $getCurrentValue -}} + {{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/values.yaml b/stable/ckan/charts/postgresql/charts/common/values.yaml new file mode 100644 index 00000000..9ecdc93f --- /dev/null +++ b/stable/ckan/charts/postgresql/charts/common/values.yaml @@ -0,0 +1,3 @@ +## bitnami/common +## It is required by CI/CD tools and processes. +exampleValue: common-chart diff --git a/stable/ckan/charts/postgresql/ci/commonAnnotations.yaml b/stable/ckan/charts/postgresql/ci/commonAnnotations.yaml new file mode 100644 index 00000000..97e18a4c --- /dev/null +++ b/stable/ckan/charts/postgresql/ci/commonAnnotations.yaml @@ -0,0 +1,3 @@ +commonAnnotations: + helm.sh/hook: "\"pre-install, pre-upgrade\"" + helm.sh/hook-weight: "-1" diff --git a/stable/ckan/charts/postgresql/ci/default-values.yaml b/stable/ckan/charts/postgresql/ci/default-values.yaml new file mode 100644 index 00000000..fc2ba605 --- /dev/null +++ b/stable/ckan/charts/postgresql/ci/default-values.yaml @@ -0,0 +1 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. diff --git a/stable/ckan/charts/postgresql/ci/shmvolume-disabled-values.yaml b/stable/ckan/charts/postgresql/ci/shmvolume-disabled-values.yaml new file mode 100644 index 00000000..347d3b40 --- /dev/null +++ b/stable/ckan/charts/postgresql/ci/shmvolume-disabled-values.yaml @@ -0,0 +1,2 @@ +shmVolume: + enabled: false diff --git a/stable/ckan/charts/postgresql/files/README.md b/stable/ckan/charts/postgresql/files/README.md new file mode 100644 index 00000000..1813a2fe --- /dev/null +++ b/stable/ckan/charts/postgresql/files/README.md @@ -0,0 +1 @@ +Copy here your postgresql.conf and/or pg_hba.conf files to use it as a config map. diff --git a/stable/ckan/charts/postgresql/files/conf.d/README.md b/stable/ckan/charts/postgresql/files/conf.d/README.md new file mode 100644 index 00000000..184c1875 --- /dev/null +++ b/stable/ckan/charts/postgresql/files/conf.d/README.md @@ -0,0 +1,4 @@ +If you don't want to provide the whole configuration file and only specify certain parameters, you can copy here your extended `.conf` files. +These files will be injected as a config maps and add/overwrite the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`. + +More info in the [bitnami-docker-postgresql README](https://github.com/bitnami/bitnami-docker-postgresql#configuration-file). diff --git a/stable/ckan/charts/postgresql/files/docker-entrypoint-initdb.d/README.md b/stable/ckan/charts/postgresql/files/docker-entrypoint-initdb.d/README.md new file mode 100644 index 00000000..cba38091 --- /dev/null +++ b/stable/ckan/charts/postgresql/files/docker-entrypoint-initdb.d/README.md @@ -0,0 +1,3 @@ +You can copy here your custom `.sh`, `.sql` or `.sql.gz` file so they are executed during the first boot of the image. + +More info in the [bitnami-docker-postgresql](https://github.com/bitnami/bitnami-docker-postgresql#initializing-a-new-instance) repository. \ No newline at end of file diff --git a/stable/ckan/charts/postgresql/templates/NOTES.txt b/stable/ckan/charts/postgresql/templates/NOTES.txt new file mode 100644 index 00000000..4e98958c --- /dev/null +++ b/stable/ckan/charts/postgresql/templates/NOTES.txt @@ -0,0 +1,59 @@ +** Please be patient while the chart is being deployed ** + +PostgreSQL can be accessed via port {{ template "postgresql.port" . }} on the following DNS name from within your cluster: + + {{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection +{{- if .Values.replication.enabled }} + {{ template "common.names.fullname" . }}-read.{{ .Release.Namespace }}.svc.cluster.local - Read only connection +{{- end }} + +{{- if not (eq (include "postgresql.username" .) "postgres") }} + +To get the password for "postgres" run: + + export POSTGRES_ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "postgresql.secretName" . }} -o jsonpath="{.data.postgresql-postgres-password}" | base64 --decode) +{{- end }} + +To get the password for "{{ template "postgresql.username" . }}" run: + + export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "postgresql.secretName" . }} -o jsonpath="{.data.postgresql-password}" | base64 --decode) + +To connect to your database run the following command: + + kubectl run {{ template "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ template "postgresql.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" {{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} + --labels="{{ template "common.names.fullname" . }}-client=true" {{- end }} --command -- psql --host {{ template "common.names.fullname" . }} -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} -p {{ template "postgresql.port" . }} + +{{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} +Note: Since NetworkPolicy is enabled, only pods with label {{ template "common.names.fullname" . }}-client=true" will be able to connect to this PostgreSQL cluster. +{{- end }} + +To connect to your database from outside the cluster execute the following commands: + +{{- if contains "NodePort" .Values.service.type }} + + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "common.names.fullname" . }}) + {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $NODE_IP --port $NODE_PORT -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} + +{{- else if contains "LoadBalancer" .Values.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "common.names.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "common.names.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $SERVICE_IP --port {{ template "postgresql.port" . }} -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} + +{{- else if contains "ClusterIP" .Values.service.type }} + + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "common.names.fullname" . }} {{ template "postgresql.port" . }}:{{ template "postgresql.port" . }} & + {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host 127.0.0.1 -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} -p {{ template "postgresql.port" . }} + +{{- end }} + +{{- include "postgresql.validateValues" . -}} + +{{- include "common.warnings.rollingTag" .Values.image -}} + +{{- $passwordValidationErrors := include "common.validations.values.postgresql.passwords" (dict "secret" (include "common.names.fullname" .) "context" $) -}} + +{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $passwordValidationErrors) "context" $) -}} diff --git a/stable/ckan/charts/postgresql/templates/_helpers.tpl b/stable/ckan/charts/postgresql/templates/_helpers.tpl new file mode 100644 index 00000000..7509941c --- /dev/null +++ b/stable/ckan/charts/postgresql/templates/_helpers.tpl @@ -0,0 +1,330 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "postgresql.primary.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- $fullname := default (printf "%s-%s" .Release.Name $name) .Values.fullnameOverride -}} +{{- if .Values.replication.enabled -}} +{{- printf "%s-%s" $fullname "primary" | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s" $fullname | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper PostgreSQL image name +*/}} +{{- define "postgresql.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper PostgreSQL metrics image name +*/}} +{{- define "postgresql.metrics.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "postgresql.volumePermissions.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "postgresql.imagePullSecrets" -}} +{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "global" .Values.global) }} +{{- end -}} + +{{/* +Return PostgreSQL postgres user password +*/}} +{{- define "postgresql.postgres.password" -}} +{{- if .Values.global.postgresql.postgresqlPostgresPassword }} + {{- .Values.global.postgresql.postgresqlPostgresPassword -}} +{{- else if .Values.postgresqlPostgresPassword -}} + {{- .Values.postgresqlPostgresPassword -}} +{{- else -}} + {{- randAlphaNum 10 -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL password +*/}} +{{- define "postgresql.password" -}} +{{- if .Values.global.postgresql.postgresqlPassword }} + {{- .Values.global.postgresql.postgresqlPassword -}} +{{- else if .Values.postgresqlPassword -}} + {{- .Values.postgresqlPassword -}} +{{- else -}} + {{- randAlphaNum 10 -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL replication password +*/}} +{{- define "postgresql.replication.password" -}} +{{- if .Values.global.postgresql.replicationPassword }} + {{- .Values.global.postgresql.replicationPassword -}} +{{- else if .Values.replication.password -}} + {{- .Values.replication.password -}} +{{- else -}} + {{- randAlphaNum 10 -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL username +*/}} +{{- define "postgresql.username" -}} +{{- if .Values.global.postgresql.postgresqlUsername }} + {{- .Values.global.postgresql.postgresqlUsername -}} +{{- else -}} + {{- .Values.postgresqlUsername -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL replication username +*/}} +{{- define "postgresql.replication.username" -}} +{{- if .Values.global.postgresql.replicationUser }} + {{- .Values.global.postgresql.replicationUser -}} +{{- else -}} + {{- .Values.replication.user -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL port +*/}} +{{- define "postgresql.port" -}} +{{- if .Values.global.postgresql.servicePort }} + {{- .Values.global.postgresql.servicePort -}} +{{- else -}} + {{- .Values.service.port -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL created database +*/}} +{{- define "postgresql.database" -}} +{{- if .Values.global.postgresql.postgresqlDatabase }} + {{- .Values.global.postgresql.postgresqlDatabase -}} +{{- else if .Values.postgresqlDatabase -}} + {{- .Values.postgresqlDatabase -}} +{{- end -}} +{{- end -}} + +{{/* +Get the password secret. +*/}} +{{- define "postgresql.secretName" -}} +{{- if .Values.global.postgresql.existingSecret }} + {{- printf "%s" (tpl .Values.global.postgresql.existingSecret $) -}} +{{- else if .Values.existingSecret -}} + {{- printf "%s" (tpl .Values.existingSecret $) -}} +{{- else -}} + {{- printf "%s" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if we should use an existingSecret. +*/}} +{{- define "postgresql.useExistingSecret" -}} +{{- if or .Values.global.postgresql.existingSecret .Values.existingSecret -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a secret object should be created +*/}} +{{- define "postgresql.createSecret" -}} +{{- if not (include "postgresql.useExistingSecret" .) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Get the configuration ConfigMap name. +*/}} +{{- define "postgresql.configurationCM" -}} +{{- if .Values.configurationConfigMap -}} +{{- printf "%s" (tpl .Values.configurationConfigMap $) -}} +{{- else -}} +{{- printf "%s-configuration" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the extended configuration ConfigMap name. +*/}} +{{- define "postgresql.extendedConfigurationCM" -}} +{{- if .Values.extendedConfConfigMap -}} +{{- printf "%s" (tpl .Values.extendedConfConfigMap $) -}} +{{- else -}} +{{- printf "%s-extended-configuration" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap should be mounted with PostgreSQL configuration +*/}} +{{- define "postgresql.mountConfigurationCM" -}} +{{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Get the initialization scripts ConfigMap name. +*/}} +{{- define "postgresql.initdbScriptsCM" -}} +{{- if .Values.initdbScriptsConfigMap -}} +{{- printf "%s" (tpl .Values.initdbScriptsConfigMap $) -}} +{{- else -}} +{{- printf "%s-init-scripts" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the initialization scripts Secret name. +*/}} +{{- define "postgresql.initdbScriptsSecret" -}} +{{- printf "%s" (tpl .Values.initdbScriptsSecret $) -}} +{{- end -}} + +{{/* +Get the metrics ConfigMap name. +*/}} +{{- define "postgresql.metricsCM" -}} +{{- printf "%s-metrics" (include "common.names.fullname" .) -}} +{{- end -}} + +{{/* +Get the readiness probe command +*/}} +{{- define "postgresql.readinessProbeCommand" -}} +- | +{{- if (include "postgresql.database" .) }} + exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ template "postgresql.port" . }} +{{- else }} + exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} +{{- end }} +{{- if contains "bitnami/" .Values.image.repository }} + [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ] +{{- end -}} +{{- end -}} + +{{/* +Compile all warnings into a single message, and call fail. +*/}} +{{- define "postgresql.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "postgresql.validateValues.ldapConfigurationMethod" .) -}} +{{- $messages := append $messages (include "postgresql.validateValues.psp" .) -}} +{{- $messages := append $messages (include "postgresql.validateValues.tls" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of Postgresql - If ldap.url is used then you don't need the other settings for ldap +*/}} +{{- define "postgresql.validateValues.ldapConfigurationMethod" -}} +{{- if and .Values.ldap.enabled (and (not (empty .Values.ldap.url)) (not (empty .Values.ldap.server))) }} +postgresql: ldap.url, ldap.server + You cannot set both `ldap.url` and `ldap.server` at the same time. + Please provide a unique way to configure LDAP. + More info at https://www.postgresql.org/docs/current/auth-ldap.html +{{- end -}} +{{- end -}} + +{{/* +Validate values of Postgresql - If PSP is enabled RBAC should be enabled too +*/}} +{{- define "postgresql.validateValues.psp" -}} +{{- if and .Values.psp.create (not .Values.rbac.create) }} +postgresql: psp.create, rbac.create + RBAC should be enabled if PSP is enabled in order for PSP to work. + More info at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for podsecuritypolicy. +*/}} +{{- define "podsecuritypolicy.apiVersion" -}} +{{- if semverCompare "<1.10-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "policy/v1beta1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "postgresql.networkPolicy.apiVersion" -}} +{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}} +"extensions/v1beta1" +{{- else if semverCompare "^1.7-0" .Capabilities.KubeVersion.GitVersion -}} +"networking.k8s.io/v1" +{{- end -}} +{{- end -}} + +{{/* +Validate values of Postgresql TLS - When TLS is enabled, so must be VolumePermissions +*/}} +{{- define "postgresql.validateValues.tls" -}} +{{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }} +postgresql: tls.enabled, volumePermissions.enabled + When TLS is enabled you must enable volumePermissions as well to ensure certificates files have + the right permissions. +{{- end -}} +{{- end -}} + +{{/* +Return the path to the cert file. +*/}} +{{- define "postgresql.tlsCert" -}} +{{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} +{{- end -}} + +{{/* +Return the path to the cert key file. +*/}} +{{- define "postgresql.tlsCertKey" -}} +{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} +{{- end -}} + +{{/* +Return the path to the CA cert file. +*/}} +{{- define "postgresql.tlsCACert" -}} +{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.certCAFilename -}} +{{- end -}} + +{{/* +Return the path to the CRL file. +*/}} +{{- define "postgresql.tlsCRL" -}} +{{- if .Values.tls.crlFilename -}} +{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.crlFilename -}} +{{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/postgresql/templates/configmap.yaml b/stable/ckan/charts/postgresql/templates/configmap.yaml new file mode 100644 index 00000000..4508f95a --- /dev/null +++ b/stable/ckan/charts/postgresql/templates/configmap.yaml @@ -0,0 +1,26 @@ +{{ if and (or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration) (not .Values.configurationConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "common.names.fullname" . }}-configuration + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: +{{- if (.Files.Glob "files/postgresql.conf") }} +{{ (.Files.Glob "files/postgresql.conf").AsConfig | indent 2 }} +{{- else if .Values.postgresqlConfiguration }} + postgresql.conf: | +{{- range $key, $value := default dict .Values.postgresqlConfiguration }} + {{ $key | snakecase }}={{ $value }} +{{- end }} +{{- end }} +{{- if (.Files.Glob "files/pg_hba.conf") }} +{{ (.Files.Glob "files/pg_hba.conf").AsConfig | indent 2 }} +{{- else if .Values.pgHbaConfiguration }} + pg_hba.conf: | +{{ .Values.pgHbaConfiguration | indent 4 }} +{{- end }} +{{ end }} diff --git a/stable/ckan/charts/postgresql/templates/extended-config-configmap.yaml b/stable/ckan/charts/postgresql/templates/extended-config-configmap.yaml new file mode 100644 index 00000000..5ccdb08f --- /dev/null +++ b/stable/ckan/charts/postgresql/templates/extended-config-configmap.yaml @@ -0,0 +1,21 @@ +{{- if and (or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf) (not .Values.extendedConfConfigMap)}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "common.names.fullname" . }}-extended-configuration + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: +{{- with .Files.Glob "files/conf.d/*.conf" }} +{{ .AsConfig | indent 2 }} +{{- end }} +{{ with .Values.postgresqlExtendedConf }} + override.conf: | +{{- range $key, $value := . }} + {{ $key | snakecase }}={{ $value }} +{{- end }} +{{- end }} +{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/extra-list.yaml b/stable/ckan/charts/postgresql/templates/extra-list.yaml new file mode 100644 index 00000000..9ac65f9e --- /dev/null +++ b/stable/ckan/charts/postgresql/templates/extra-list.yaml @@ -0,0 +1,4 @@ +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/initialization-configmap.yaml b/stable/ckan/charts/postgresql/templates/initialization-configmap.yaml new file mode 100644 index 00000000..074ed582 --- /dev/null +++ b/stable/ckan/charts/postgresql/templates/initialization-configmap.yaml @@ -0,0 +1,24 @@ +{{- if and (or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScripts) (not .Values.initdbScriptsConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "common.names.fullname" . }}-init-scripts + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.sql.gz" }} +binaryData: +{{- range $path, $bytes := . }} + {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }} +{{- end }} +{{- end }} +data: +{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql}" }} +{{ .AsConfig | indent 2 }} +{{- end }} +{{- with .Values.initdbScripts }} +{{ toYaml . | indent 2 }} +{{- end }} +{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/metrics-configmap.yaml b/stable/ckan/charts/postgresql/templates/metrics-configmap.yaml new file mode 100644 index 00000000..6216eca8 --- /dev/null +++ b/stable/ckan/charts/postgresql/templates/metrics-configmap.yaml @@ -0,0 +1,13 @@ +{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "postgresql.metricsCM" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }} +{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/metrics-svc.yaml b/stable/ckan/charts/postgresql/templates/metrics-svc.yaml new file mode 100644 index 00000000..a8f7b331 --- /dev/null +++ b/stable/ckan/charts/postgresql/templates/metrics-svc.yaml @@ -0,0 +1,25 @@ +{{- if .Values.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" . }}-metrics + labels: + {{- include "common.labels.standard" . | nindent 4 }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- toYaml .Values.metrics.service.annotations | nindent 4 }} +spec: + type: {{ .Values.metrics.service.type }} + {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }} + {{- end }} + ports: + - name: http-metrics + port: 9187 + targetPort: http-metrics + selector: + {{- include "common.labels.matchLabels" . | nindent 4 }} + role: primary +{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/networkpolicy.yaml b/stable/ckan/charts/postgresql/templates/networkpolicy.yaml new file mode 100644 index 00000000..ef48ba18 --- /dev/null +++ b/stable/ckan/charts/postgresql/templates/networkpolicy.yaml @@ -0,0 +1,38 @@ +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ template "postgresql.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: + {{- include "common.labels.matchLabels" . | nindent 6 }} + ingress: + # Allow inbound connections + - ports: + - port: {{ template "postgresql.port" . }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ template "common.names.fullname" . }}-client: "true" + {{- if .Values.networkPolicy.explicitNamespacesSelector }} + namespaceSelector: +{{ toYaml .Values.networkPolicy.explicitNamespacesSelector | indent 12 }} + {{- end }} + - podSelector: + matchLabels: + {{- include "common.labels.matchLabels" . | nindent 14 }} + role: read + {{- end }} + {{- if .Values.metrics.enabled }} + # Allow prometheus scrapes + - ports: + - port: 9187 + {{- end }} +{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/podsecuritypolicy.yaml b/stable/ckan/charts/postgresql/templates/podsecuritypolicy.yaml new file mode 100644 index 00000000..a79ebf16 --- /dev/null +++ b/stable/ckan/charts/postgresql/templates/podsecuritypolicy.yaml @@ -0,0 +1,37 @@ +{{- if .Values.psp.create }} +apiVersion: {{ include "podsecuritypolicy.apiVersion" . }} +kind: PodSecurityPolicy +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + privileged: false + volumes: + - 'configMap' + - 'secret' + - 'persistentVolumeClaim' + - 'emptyDir' + - 'projected' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/prometheusrule.yaml b/stable/ckan/charts/postgresql/templates/prometheusrule.yaml new file mode 100644 index 00000000..d0f408c7 --- /dev/null +++ b/stable/ckan/charts/postgresql/templates/prometheusrule.yaml @@ -0,0 +1,23 @@ +{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ template "common.names.fullname" . }} +{{- with .Values.metrics.prometheusRule.namespace }} + namespace: {{ . }} +{{- end }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- with .Values.metrics.prometheusRule.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: +{{- with .Values.metrics.prometheusRule.rules }} + groups: + - name: {{ template "postgresql.name" $ }} + rules: {{ tpl (toYaml .) $ | nindent 8 }} +{{- end }} +{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/role.yaml b/stable/ckan/charts/postgresql/templates/role.yaml new file mode 100644 index 00000000..5a6de335 --- /dev/null +++ b/stable/ckan/charts/postgresql/templates/role.yaml @@ -0,0 +1,19 @@ +{{- if .Values.rbac.create }} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +rules: + {{- if .Values.psp.create }} + - apiGroups: ["extensions"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: + - {{ template "common.names.fullname" . }} + {{- end }} +{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/rolebinding.yaml b/stable/ckan/charts/postgresql/templates/rolebinding.yaml new file mode 100644 index 00000000..2bdb1c5e --- /dev/null +++ b/stable/ckan/charts/postgresql/templates/rolebinding.yaml @@ -0,0 +1,19 @@ +{{- if .Values.rbac.create }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +roleRef: + kind: Role + name: {{ template "common.names.fullname" . }} + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ default (include "common.names.fullname" . ) .Values.serviceAccount.name }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/secrets.yaml b/stable/ckan/charts/postgresql/templates/secrets.yaml new file mode 100644 index 00000000..8351cbe8 --- /dev/null +++ b/stable/ckan/charts/postgresql/templates/secrets.yaml @@ -0,0 +1,21 @@ +{{- if (include "postgresql.createSecret" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + postgresql-postgres-password: {{ include "postgresql.postgres.password" . | b64enc | quote }} + postgresql-password: {{ include "postgresql.password" . | b64enc | quote }} + {{- if .Values.replication.enabled }} + postgresql-replication-password: {{ include "postgresql.replication.password" . | b64enc | quote }} + {{- end }} + {{- if (and .Values.ldap.enabled .Values.ldap.bind_password)}} + postgresql-ldap-password: {{ .Values.ldap.bind_password | b64enc | quote }} + {{- end }} +{{- end -}} diff --git a/stable/ckan/charts/postgresql/templates/serviceaccount.yaml b/stable/ckan/charts/postgresql/templates/serviceaccount.yaml new file mode 100644 index 00000000..8cba31e4 --- /dev/null +++ b/stable/ckan/charts/postgresql/templates/serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if and (.Values.serviceAccount.enabled) (not .Values.serviceAccount.name) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "common.labels.standard" . | nindent 4 }} + name: {{ template "common.names.fullname" . }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/servicemonitor.yaml b/stable/ckan/charts/postgresql/templates/servicemonitor.yaml new file mode 100644 index 00000000..587ce85b --- /dev/null +++ b/stable/ckan/charts/postgresql/templates/servicemonitor.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "common.names.fullname" . }} + {{- if .Values.metrics.serviceMonitor.namespace }} + namespace: {{ .Values.metrics.serviceMonitor.namespace }} + {{- end }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.metrics.serviceMonitor.additionalLabels }} + {{- toYaml .Values.metrics.serviceMonitor.additionalLabels | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + +spec: + endpoints: + - port: http-metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + {{- include "common.labels.matchLabels" . | nindent 6 }} +{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/statefulset-readreplicas.yaml b/stable/ckan/charts/postgresql/templates/statefulset-readreplicas.yaml new file mode 100644 index 00000000..1f5b9704 --- /dev/null +++ b/stable/ckan/charts/postgresql/templates/statefulset-readreplicas.yaml @@ -0,0 +1,410 @@ +{{- if .Values.replication.enabled }} +{{- $readReplicasResources := coalesce .Values.readReplicas.resources .Values.resources -}} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: "{{ template "common.names.fullname" . }}-read" + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: read +{{- with .Values.readReplicas.labels }} +{{ toYaml . | indent 4 }} +{{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- with .Values.readReplicas.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + serviceName: {{ template "common.names.fullname" . }}-headless + replicas: {{ .Values.replication.readReplicas }} + selector: + matchLabels: + {{- include "common.labels.matchLabels" . | nindent 6 }} + role: read + template: + metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: read + role: read +{{- with .Values.readReplicas.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} +{{- with .Values.readReplicas.podAnnotations }} + annotations: +{{ toYaml . | indent 8 }} +{{- end }} + spec: + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} +{{- include "postgresql.imagePullSecrets" . | indent 6 }} + {{- if .Values.readReplicas.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAffinityPreset "component" "read" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAntiAffinityPreset "component" "read" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.readReplicas.nodeAffinityPreset.type "key" .Values.readReplicas.nodeAffinityPreset.key "values" .Values.readReplicas.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.readReplicas.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.serviceAccount.enabled }} + serviceAccountName: {{ default (include "common.names.fullname" . ) .Values.serviceAccount.name}} + {{- end }} + {{- if or .Values.readReplicas.extraInitContainers (and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled))) }} + initContainers: + {{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled) .Values.tls.enabled) }} + - name: init-chmod-data + image: {{ template "postgresql.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -cx + - | + {{- if .Values.persistence.enabled }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.persistence.mountPath }} + {{- else }} + chown {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} {{ .Values.persistence.mountPath }} + {{- end }} + mkdir -p {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} + chmod 700 {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} + find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + xargs chown -R `id -u`:`id -G | cut -d " " -f2` + {{- else }} + xargs chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} + {{- end }} + {{- end }} + {{- if and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled }} + chmod -R 777 /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ + {{- else }} + chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} /opt/bitnami/postgresql/certs/ + {{- end }} + chmod 600 {{ template "postgresql.tlsCertKey" . }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + {{ if .Values.persistence.enabled }} + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- end }} + {{- end }} + {{- if .Values.readReplicas.extraInitContainers }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extraInitContainers "context" $ ) | nindent 8 }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.priorityClassName }} + priorityClassName: {{ .Values.readReplicas.priorityClassName }} + {{- end }} + containers: + - name: {{ template "common.names.fullname" . }} + image: {{ template "postgresql.image" . }} + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + {{- if $readReplicasResources }} + resources: {{- toYaml $readReplicasResources | nindent 12 }} + {{- end }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" .Values.image.debug | quote }} + - name: POSTGRESQL_VOLUME_DIR + value: "{{ .Values.persistence.mountPath }}" + - name: POSTGRESQL_PORT_NUMBER + value: "{{ template "postgresql.port" . }}" + {{- if .Values.persistence.mountPath }} + - name: PGDATA + value: {{ .Values.postgresqlDataDir | quote }} + {{- end }} + - name: POSTGRES_REPLICATION_MODE + value: "slave" + - name: POSTGRES_REPLICATION_USER + value: {{ include "postgresql.replication.username" . | quote }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_REPLICATION_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password" + {{- else }} + - name: POSTGRES_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-replication-password + {{- end }} + - name: POSTGRES_CLUSTER_APP_NAME + value: {{ .Values.replication.applicationName }} + - name: POSTGRES_MASTER_HOST + value: {{ template "common.names.fullname" . }} + - name: POSTGRES_MASTER_PORT_NUMBER + value: {{ include "postgresql.port" . | quote }} + {{- if and (not (eq .Values.postgresqlUsername "postgres")) (or .Values.postgresqlPostgresPassword (include "postgresql.useExistingSecret" .)) }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password" + {{- else }} + - name: POSTGRES_POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-postgres-password + {{- end }} + {{- end }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-password" + {{- else }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-password + {{- end }} + - name: POSTGRESQL_ENABLE_TLS + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS + value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} + - name: POSTGRESQL_TLS_CERT_FILE + value: {{ template "postgresql.tlsCert" . }} + - name: POSTGRESQL_TLS_KEY_FILE + value: {{ template "postgresql.tlsCertKey" . }} + {{- if .Values.tls.certCAFilename }} + - name: POSTGRESQL_TLS_CA_FILE + value: {{ template "postgresql.tlsCACert" . }} + {{- end }} + {{- if .Values.tls.crlFilename }} + - name: POSTGRESQL_TLS_CRL_FILE + value: {{ template "postgresql.tlsCRL" . }} + {{- end }} + {{- end }} + - name: POSTGRESQL_LOG_HOSTNAME + value: {{ .Values.audit.logHostname | quote }} + - name: POSTGRESQL_LOG_CONNECTIONS + value: {{ .Values.audit.logConnections | quote }} + - name: POSTGRESQL_LOG_DISCONNECTIONS + value: {{ .Values.audit.logDisconnections | quote }} + {{- if .Values.audit.logLinePrefix }} + - name: POSTGRESQL_LOG_LINE_PREFIX + value: {{ .Values.audit.logLinePrefix | quote }} + {{- end }} + {{- if .Values.audit.logTimezone }} + - name: POSTGRESQL_LOG_TIMEZONE + value: {{ .Values.audit.logTimezone | quote }} + {{- end }} + {{- if .Values.audit.pgAuditLog }} + - name: POSTGRESQL_PGAUDIT_LOG + value: {{ .Values.audit.pgAuditLog | quote }} + {{- end }} + - name: POSTGRESQL_PGAUDIT_LOG_CATALOG + value: {{ .Values.audit.pgAuditLogCatalog | quote }} + - name: POSTGRESQL_CLIENT_MIN_MESSAGES + value: {{ .Values.audit.clientMinMessages | quote }} + - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES + value: {{ .Values.postgresqlSharedPreloadLibraries | quote }} + {{- if .Values.postgresqlMaxConnections }} + - name: POSTGRESQL_MAX_CONNECTIONS + value: {{ .Values.postgresqlMaxConnections | quote }} + {{- end }} + {{- if .Values.postgresqlPostgresConnectionLimit }} + - name: POSTGRESQL_POSTGRES_CONNECTION_LIMIT + value: {{ .Values.postgresqlPostgresConnectionLimit | quote }} + {{- end }} + {{- if .Values.postgresqlDbUserConnectionLimit }} + - name: POSTGRESQL_USERNAME_CONNECTION_LIMIT + value: {{ .Values.postgresqlDbUserConnectionLimit | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeepalivesInterval }} + - name: POSTGRESQL_TCP_KEEPALIVES_INTERVAL + value: {{ .Values.postgresqlTcpKeepalivesInterval | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeepalivesIdle }} + - name: POSTGRESQL_TCP_KEEPALIVES_IDLE + value: {{ .Values.postgresqlTcpKeepalivesIdle | quote }} + {{- end }} + {{- if .Values.postgresqlStatementTimeout }} + - name: POSTGRESQL_STATEMENT_TIMEOUT + value: {{ .Values.postgresqlStatementTimeout | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeealivesCount }} + - name: POSTGRESQL_TCP_KEEPALIVES_COUNT + value: {{ .Values.postgresqlTcpKeealivesCount | quote }} + {{- end }} + {{- if .Values.postgresqlPghbaRemoveFilters }} + - name: POSTGRESQL_PGHBA_REMOVE_FILTERS + value: {{ .Values.postgresqlPghbaRemoveFilters | quote }} + {{- end }} + ports: + - name: tcp-postgresql + containerPort: {{ template "postgresql.port" . }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- else }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- end }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + {{- else if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + exec: + command: + - /bin/sh + - -c + - -e + {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + {{- else if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.usePasswordFile }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.persistence.enabled }} + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{ end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + mountPath: /bitnami/postgresql/conf/conf.d/ + {{- end }} + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} + - name: postgresql-config + mountPath: /bitnami/postgresql/conf + {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} + {{- if .Values.readReplicas.extraVolumeMounts }} + {{- toYaml .Values.readReplicas.extraVolumeMounts | nindent 12 }} + {{- end }} +{{- if .Values.readReplicas.sidecars }} +{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.sidecars "context" $ ) | nindent 8 }} +{{- end }} + volumes: + {{- if .Values.usePasswordFile }} + - name: postgresql-password + secret: + secretName: {{ template "postgresql.secretName" . }} + {{- end }} + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}} + - name: postgresql-config + configMap: + name: {{ template "postgresql.configurationCM" . }} + {{- end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + configMap: + name: {{ template "postgresql.extendedConfigurationCM" . }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + secret: + secretName: {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }} + - name: postgresql-certificates + emptyDir: {} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + emptyDir: + medium: Memory + sizeLimit: 1Gi + {{- end }} + {{- if or (not .Values.persistence.enabled) (not .Values.readReplicas.persistence.enabled) }} + - name: data + emptyDir: {} + {{- end }} + {{- if .Values.readReplicas.extraVolumes }} + {{- toYaml .Values.readReplicas.extraVolumes | nindent 8 }} + {{- end }} + updateStrategy: + type: {{ .Values.updateStrategy.type }} + {{- if (eq "Recreate" .Values.updateStrategy.type) }} + rollingUpdate: null + {{- end }} +{{- if and .Values.persistence.enabled .Values.readReplicas.persistence.enabled }} + volumeClaimTemplates: + - metadata: + name: data + {{- with .Values.persistence.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value }} + {{- end }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} + + {{- if .Values.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.selector "context" $) | nindent 10 }} + {{- end -}} +{{- end }} +{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/statefulset.yaml b/stable/ckan/charts/postgresql/templates/statefulset.yaml new file mode 100644 index 00000000..1c1d2dba --- /dev/null +++ b/stable/ckan/charts/postgresql/templates/statefulset.yaml @@ -0,0 +1,589 @@ +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ template "postgresql.primary.fullname" . }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: primary + {{- with .Values.primary.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- with .Values.primary.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + serviceName: {{ template "common.names.fullname" . }}-headless + replicas: 1 + updateStrategy: + type: {{ .Values.updateStrategy.type }} + {{- if (eq "Recreate" .Values.updateStrategy.type) }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: + {{- include "common.labels.matchLabels" . | nindent 6 }} + role: primary + template: + metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 8 }} + role: primary + app.kubernetes.io/component: primary + {{- with .Values.primary.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.primary.podAnnotations }} + annotations: {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} +{{- include "postgresql.imagePullSecrets" . | indent 6 }} + {{- if .Values.primary.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.primary.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAffinityPreset "component" "primary" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAntiAffinityPreset "component" "primary" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.primary.nodeAffinityPreset.type "key" .Values.primary.nodeAffinityPreset.key "values" .Values.primary.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.primary.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.primary.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.serviceAccount.enabled }} + serviceAccountName: {{ default (include "common.names.fullname" . ) .Values.serviceAccount.name }} + {{- end }} + {{- if or .Values.primary.extraInitContainers (and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled))) }} + initContainers: + {{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled) .Values.tls.enabled) }} + - name: init-chmod-data + image: {{ template "postgresql.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -cx + - | + {{- if .Values.persistence.enabled }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.persistence.mountPath }} + {{- else }} + chown {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} {{ .Values.persistence.mountPath }} + {{- end }} + mkdir -p {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} + chmod 700 {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} + find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + xargs chown -R `id -u`:`id -G | cut -d " " -f2` + {{- else }} + xargs chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} + {{- end }} + {{- end }} + {{- if and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled }} + chmod -R 777 /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ + {{- else }} + chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} /opt/bitnami/postgresql/certs/ + {{- end }} + chmod 600 {{ template "postgresql.tlsCertKey" . }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.persistence.enabled }} + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- end }} + {{- end }} + {{- if .Values.primary.extraInitContainers }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.extraInitContainers "context" $ ) | nindent 8 }} + {{- end }} + {{- end }} + {{- if .Values.primary.priorityClassName }} + priorityClassName: {{ .Values.primary.priorityClassName }} + {{- end }} + containers: + - name: {{ template "common.names.fullname" . }} + image: {{ template "postgresql.image" . }} + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" .Values.image.debug | quote }} + - name: POSTGRESQL_PORT_NUMBER + value: "{{ template "postgresql.port" . }}" + - name: POSTGRESQL_VOLUME_DIR + value: "{{ .Values.persistence.mountPath }}" + {{- if .Values.postgresqlInitdbArgs }} + - name: POSTGRES_INITDB_ARGS + value: {{ .Values.postgresqlInitdbArgs | quote }} + {{- end }} + {{- if .Values.postgresqlInitdbWalDir }} + - name: POSTGRES_INITDB_WALDIR + value: {{ .Values.postgresqlInitdbWalDir | quote }} + {{- end }} + {{- if .Values.initdbUser }} + - name: POSTGRESQL_INITSCRIPTS_USERNAME + value: {{ .Values.initdbUser }} + {{- end }} + {{- if .Values.initdbPassword }} + - name: POSTGRESQL_INITSCRIPTS_PASSWORD + value: {{ .Values.initdbPassword }} + {{- end }} + {{- if .Values.persistence.mountPath }} + - name: PGDATA + value: {{ .Values.postgresqlDataDir | quote }} + {{- end }} + {{- if .Values.primaryAsStandBy.enabled }} + - name: POSTGRES_MASTER_HOST + value: {{ .Values.primaryAsStandBy.primaryHost }} + - name: POSTGRES_MASTER_PORT_NUMBER + value: {{ .Values.primaryAsStandBy.primaryPort | quote }} + {{- end }} + {{- if or .Values.replication.enabled .Values.primaryAsStandBy.enabled }} + - name: POSTGRES_REPLICATION_MODE + {{- if .Values.primaryAsStandBy.enabled }} + value: "slave" + {{- else }} + value: "master" + {{- end }} + - name: POSTGRES_REPLICATION_USER + value: {{ include "postgresql.replication.username" . | quote }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_REPLICATION_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password" + {{- else }} + - name: POSTGRES_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-replication-password + {{- end }} + {{- if not (eq .Values.replication.synchronousCommit "off")}} + - name: POSTGRES_SYNCHRONOUS_COMMIT_MODE + value: {{ .Values.replication.synchronousCommit | quote }} + - name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS + value: {{ .Values.replication.numSynchronousReplicas | quote }} + {{- end }} + - name: POSTGRES_CLUSTER_APP_NAME + value: {{ .Values.replication.applicationName }} + {{- end }} + {{- if not (eq (include "postgresql.username" .) "postgres") }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password" + {{- else }} + - name: POSTGRES_POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-postgres-password + {{- end }} + {{- end }} + - name: POSTGRES_USER + value: {{ include "postgresql.username" . | quote }} + {{- if .Values.usePasswordFile }} + - name: POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-password" + {{- else }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-password + {{- end }} + {{- if (include "postgresql.database" .) }} + - name: POSTGRES_DB + value: {{ (include "postgresql.database" .) | quote }} + {{- end }} + {{- if .Values.extraEnv }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnv "context" $) | nindent 12 }} + {{- end }} + - name: POSTGRESQL_ENABLE_LDAP + value: {{ ternary "yes" "no" .Values.ldap.enabled | quote }} + {{- if .Values.ldap.enabled }} + - name: POSTGRESQL_LDAP_SERVER + value: {{ .Values.ldap.server }} + - name: POSTGRESQL_LDAP_PORT + value: {{ .Values.ldap.port | quote }} + - name: POSTGRESQL_LDAP_SCHEME + value: {{ .Values.ldap.scheme }} + {{- if .Values.ldap.tls }} + - name: POSTGRESQL_LDAP_TLS + value: "1" + {{- end }} + - name: POSTGRESQL_LDAP_PREFIX + value: {{ .Values.ldap.prefix | quote }} + - name: POSTGRESQL_LDAP_SUFFIX + value: {{ .Values.ldap.suffix | quote }} + - name: POSTGRESQL_LDAP_BASE_DN + value: {{ .Values.ldap.baseDN }} + - name: POSTGRESQL_LDAP_BIND_DN + value: {{ .Values.ldap.bindDN }} + {{- if (not (empty .Values.ldap.bind_password)) }} + - name: POSTGRESQL_LDAP_BIND_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-ldap-password + {{- end}} + - name: POSTGRESQL_LDAP_SEARCH_ATTR + value: {{ .Values.ldap.search_attr }} + - name: POSTGRESQL_LDAP_SEARCH_FILTER + value: {{ .Values.ldap.search_filter }} + - name: POSTGRESQL_LDAP_URL + value: {{ .Values.ldap.url }} + {{- end}} + - name: POSTGRESQL_ENABLE_TLS + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS + value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} + - name: POSTGRESQL_TLS_CERT_FILE + value: {{ template "postgresql.tlsCert" . }} + - name: POSTGRESQL_TLS_KEY_FILE + value: {{ template "postgresql.tlsCertKey" . }} + {{- if .Values.tls.certCAFilename }} + - name: POSTGRESQL_TLS_CA_FILE + value: {{ template "postgresql.tlsCACert" . }} + {{- end }} + {{- if .Values.tls.crlFilename }} + - name: POSTGRESQL_TLS_CRL_FILE + value: {{ template "postgresql.tlsCRL" . }} + {{- end }} + {{- end }} + - name: POSTGRESQL_LOG_HOSTNAME + value: {{ .Values.audit.logHostname | quote }} + - name: POSTGRESQL_LOG_CONNECTIONS + value: {{ .Values.audit.logConnections | quote }} + - name: POSTGRESQL_LOG_DISCONNECTIONS + value: {{ .Values.audit.logDisconnections | quote }} + {{- if .Values.audit.logLinePrefix }} + - name: POSTGRESQL_LOG_LINE_PREFIX + value: {{ .Values.audit.logLinePrefix | quote }} + {{- end }} + {{- if .Values.audit.logTimezone }} + - name: POSTGRESQL_LOG_TIMEZONE + value: {{ .Values.audit.logTimezone | quote }} + {{- end }} + {{- if .Values.audit.pgAuditLog }} + - name: POSTGRESQL_PGAUDIT_LOG + value: {{ .Values.audit.pgAuditLog | quote }} + {{- end }} + - name: POSTGRESQL_PGAUDIT_LOG_CATALOG + value: {{ .Values.audit.pgAuditLogCatalog | quote }} + - name: POSTGRESQL_CLIENT_MIN_MESSAGES + value: {{ .Values.audit.clientMinMessages | quote }} + - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES + value: {{ .Values.postgresqlSharedPreloadLibraries | quote }} + {{- if .Values.postgresqlMaxConnections }} + - name: POSTGRESQL_MAX_CONNECTIONS + value: {{ .Values.postgresqlMaxConnections | quote }} + {{- end }} + {{- if .Values.postgresqlPostgresConnectionLimit }} + - name: POSTGRESQL_POSTGRES_CONNECTION_LIMIT + value: {{ .Values.postgresqlPostgresConnectionLimit | quote }} + {{- end }} + {{- if .Values.postgresqlDbUserConnectionLimit }} + - name: POSTGRESQL_USERNAME_CONNECTION_LIMIT + value: {{ .Values.postgresqlDbUserConnectionLimit | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeepalivesInterval }} + - name: POSTGRESQL_TCP_KEEPALIVES_INTERVAL + value: {{ .Values.postgresqlTcpKeepalivesInterval | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeepalivesIdle }} + - name: POSTGRESQL_TCP_KEEPALIVES_IDLE + value: {{ .Values.postgresqlTcpKeepalivesIdle | quote }} + {{- end }} + {{- if .Values.postgresqlStatementTimeout }} + - name: POSTGRESQL_STATEMENT_TIMEOUT + value: {{ .Values.postgresqlStatementTimeout | quote }} + {{- end }} + {{- if .Values.postgresqlTcpKeealivesCount }} + - name: POSTGRESQL_TCP_KEEPALIVES_COUNT + value: {{ .Values.postgresqlTcpKeealivesCount | quote }} + {{- end }} + {{- if .Values.postgresqlPghbaRemoveFilters }} + - name: POSTGRESQL_PGHBA_REMOVE_FILTERS + value: {{ .Values.postgresqlPghbaRemoveFilters | quote }} + {{- end }} + {{- if .Values.extraEnvVarsCM }} + envFrom: + - configMapRef: + name: {{ tpl .Values.extraEnvVarsCM . }} + {{- end }} + ports: + - name: tcp-postgresql + containerPort: {{ template "postgresql.port" . }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- else }} + - exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} + {{- end }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + {{- else if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + exec: + command: + - /bin/sh + - -c + - -e + {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + {{- else if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + volumeMounts: + {{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d/ + {{- end }} + {{- if .Values.initdbScriptsSecret }} + - name: custom-init-scripts-secret + mountPath: /docker-entrypoint-initdb.d/secret + {{- end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + mountPath: /bitnami/postgresql/conf/conf.d/ + {{- end }} + {{- if .Values.usePasswordFile }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.persistence.enabled }} + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} + - name: postgresql-config + mountPath: /bitnami/postgresql/conf + {{- end }} + {{- if .Values.primary.extraVolumeMounts }} + {{- toYaml .Values.primary.extraVolumeMounts | nindent 12 }} + {{- end }} +{{- if .Values.primary.sidecars }} +{{- include "common.tplvalues.render" ( dict "value" .Values.primary.sidecars "context" $ ) | nindent 8 }} +{{- end }} +{{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "postgresql.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.securityContext.enabled }} + securityContext: {{- omit .Values.metrics.securityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + env: + {{- $database := required "In order to enable metrics you need to specify a database (.Values.postgresqlDatabase or .Values.global.postgresql.postgresqlDatabase)" (include "postgresql.database" .) }} + {{- $sslmode := ternary "require" "disable" .Values.tls.enabled }} + {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} + - name: DATA_SOURCE_NAME + value: {{ printf "host=127.0.0.1 port=%d user=%s sslmode=%s sslcert=%s sslkey=%s" (int (include "postgresql.port" .)) (include "postgresql.username" .) $sslmode (include "postgresql.tlsCert" .) (include "postgresql.tlsCertKey" .) }} + {{- else }} + - name: DATA_SOURCE_URI + value: {{ printf "127.0.0.1:%d/%s?sslmode=%s" (int (include "postgresql.port" .)) $database $sslmode }} + {{- end }} + {{- if .Values.usePasswordFile }} + - name: DATA_SOURCE_PASS_FILE + value: "/opt/bitnami/postgresql/secrets/postgresql-password" + {{- else }} + - name: DATA_SOURCE_PASS + valueFrom: + secretKeyRef: + name: {{ template "postgresql.secretName" . }} + key: postgresql-password + {{- end }} + - name: DATA_SOURCE_USER + value: {{ template "postgresql.username" . }} + {{- if .Values.metrics.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: / + port: http-metrics + initialDelaySeconds: {{ .Values.metrics.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.metrics.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.metrics.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.metrics.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.metrics.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: / + port: http-metrics + initialDelaySeconds: {{ .Values.metrics.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.metrics.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }} + {{- end }} + volumeMounts: + {{- if .Values.usePasswordFile }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} + {{- if .Values.metrics.customMetrics }} + - name: custom-metrics + mountPath: /conf + readOnly: true + args: ["--extend.query-path", "/conf/custom-metrics.yaml"] + {{- end }} + ports: + - name: http-metrics + containerPort: 9187 + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} +{{- end }} + volumes: + {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}} + - name: postgresql-config + configMap: + name: {{ template "postgresql.configurationCM" . }} + {{- end }} + {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} + - name: postgresql-extended-config + configMap: + name: {{ template "postgresql.extendedConfigurationCM" . }} + {{- end }} + {{- if .Values.usePasswordFile }} + - name: postgresql-password + secret: + secretName: {{ template "postgresql.secretName" . }} + {{- end }} + {{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + configMap: + name: {{ template "postgresql.initdbScriptsCM" . }} + {{- end }} + {{- if .Values.initdbScriptsSecret }} + - name: custom-init-scripts-secret + secret: + secretName: {{ template "postgresql.initdbScriptsSecret" . }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + secret: + secretName: {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }} + - name: postgresql-certificates + emptyDir: {} + {{- end }} + {{- if .Values.primary.extraVolumes }} + {{- toYaml .Values.primary.extraVolumes | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} + - name: custom-metrics + configMap: + name: {{ template "postgresql.metricsCM" . }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + emptyDir: + medium: Memory + sizeLimit: 1Gi + {{- end }} +{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }} + - name: data + persistentVolumeClaim: +{{- with .Values.persistence.existingClaim }} + claimName: {{ tpl . $ }} +{{- end }} +{{- else if not .Values.persistence.enabled }} + - name: data + emptyDir: {} +{{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + {{- with .Values.persistence.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value }} + {{- end }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} + {{- if .Values.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.selector "context" $) | nindent 10 }} + {{- end -}} +{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/svc-headless.yaml b/stable/ckan/charts/postgresql/templates/svc-headless.yaml new file mode 100644 index 00000000..6ad0dd5f --- /dev/null +++ b/stable/ckan/charts/postgresql/templates/svc-headless.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" . }}-headless + labels: + {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + # Use this annotation in addition to the actual publishNotReadyAddresses + # field below because the annotation will stop being respected soon but the + # field is broken in some versions of Kubernetes: + # https://github.com/kubernetes/kubernetes/issues/58662 + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" +spec: + type: ClusterIP + clusterIP: None + # We want all pods in the StatefulSet to have their addresses published for + # the sake of the other Postgresql pods even before they're ready, since they + # have to be able to talk to each other in order to become ready. + publishNotReadyAddresses: true + ports: + - name: tcp-postgresql + port: {{ template "postgresql.port" . }} + targetPort: tcp-postgresql + selector: + {{- include "common.labels.matchLabels" . | nindent 4 }} diff --git a/stable/ckan/charts/postgresql/templates/svc-read.yaml b/stable/ckan/charts/postgresql/templates/svc-read.yaml new file mode 100644 index 00000000..8c9ea54e --- /dev/null +++ b/stable/ckan/charts/postgresql/templates/svc-read.yaml @@ -0,0 +1,42 @@ +{{- if .Values.replication.enabled }} +{{- $serviceAnnotations := coalesce .Values.readReplicas.service.annotations .Values.service.annotations -}} +{{- $serviceType := coalesce .Values.readReplicas.service.type .Values.service.type -}} +{{- $serviceLoadBalancerIP := coalesce .Values.readReplicas.service.loadBalancerIP .Values.service.loadBalancerIP -}} +{{- $serviceLoadBalancerSourceRanges := coalesce .Values.readReplicas.service.loadBalancerSourceRanges .Values.service.loadBalancerSourceRanges -}} +{{- $serviceClusterIP := coalesce .Values.readReplicas.service.clusterIP .Values.service.clusterIP -}} +{{- $serviceNodePort := coalesce .Values.readReplicas.service.nodePort .Values.service.nodePort -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" . }}-read + labels: + {{- include "common.labels.standard" . | nindent 4 }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if $serviceAnnotations }} + {{- include "common.tplvalues.render" (dict "value" $serviceAnnotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ $serviceType }} + {{- if and $serviceLoadBalancerIP (eq $serviceType "LoadBalancer") }} + loadBalancerIP: {{ $serviceLoadBalancerIP }} + {{- end }} + {{- if and (eq $serviceType "LoadBalancer") $serviceLoadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- include "common.tplvalues.render" (dict "value" $serviceLoadBalancerSourceRanges "context" $) | nindent 4 }} + {{- end }} + {{- if and (eq $serviceType "ClusterIP") $serviceClusterIP }} + clusterIP: {{ $serviceClusterIP }} + {{- end }} + ports: + - name: tcp-postgresql + port: {{ template "postgresql.port" . }} + targetPort: tcp-postgresql + {{- if $serviceNodePort }} + nodePort: {{ $serviceNodePort }} + {{- end }} + selector: + {{- include "common.labels.matchLabels" . | nindent 4 }} + role: read +{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/svc.yaml b/stable/ckan/charts/postgresql/templates/svc.yaml new file mode 100644 index 00000000..5bc2b50e --- /dev/null +++ b/stable/ckan/charts/postgresql/templates/svc.yaml @@ -0,0 +1,40 @@ +{{- $serviceAnnotations := coalesce .Values.primary.service.annotations .Values.service.annotations -}} +{{- $serviceType := coalesce .Values.primary.service.type .Values.service.type -}} +{{- $serviceLoadBalancerIP := coalesce .Values.primary.service.loadBalancerIP .Values.service.loadBalancerIP -}} +{{- $serviceLoadBalancerSourceRanges := coalesce .Values.primary.service.loadBalancerSourceRanges .Values.service.loadBalancerSourceRanges -}} +{{- $serviceClusterIP := coalesce .Values.primary.service.clusterIP .Values.service.clusterIP -}} +{{- $serviceNodePort := coalesce .Values.primary.service.nodePort .Values.service.nodePort -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" . }} + labels: + {{- include "common.labels.standard" . | nindent 4 }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if $serviceAnnotations }} + {{- include "common.tplvalues.render" (dict "value" $serviceAnnotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ $serviceType }} + {{- if and $serviceLoadBalancerIP (eq $serviceType "LoadBalancer") }} + loadBalancerIP: {{ $serviceLoadBalancerIP }} + {{- end }} + {{- if and (eq $serviceType "LoadBalancer") $serviceLoadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- include "common.tplvalues.render" (dict "value" $serviceLoadBalancerSourceRanges "context" $) | nindent 4 }} + {{- end }} + {{- if and (eq $serviceType "ClusterIP") $serviceClusterIP }} + clusterIP: {{ $serviceClusterIP }} + {{- end }} + ports: + - name: tcp-postgresql + port: {{ template "postgresql.port" . }} + targetPort: tcp-postgresql + {{- if $serviceNodePort }} + nodePort: {{ $serviceNodePort }} + {{- end }} + selector: + {{- include "common.labels.matchLabels" . | nindent 4 }} + role: primary diff --git a/stable/ckan/charts/postgresql/values-production.yaml b/stable/ckan/charts/postgresql/values-production.yaml new file mode 100644 index 00000000..4e1ee041 --- /dev/null +++ b/stable/ckan/charts/postgresql/values-production.yaml @@ -0,0 +1,791 @@ +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## +global: + postgresql: {} +# imageRegistry: myRegistryName +# imagePullSecrets: +# - myRegistryKeySecretName +# storageClass: myStorageClass + +## Bitnami PostgreSQL image version +## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ +## +image: + registry: docker.io + repository: bitnami/postgresql + tag: 11.10.0-debian-10-r24 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + + ## Set to true if you would like to see extra information on logs + ## It turns BASH and NAMI debugging in minideb + ## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging + ## + debug: false + +## String to partially override common.names.fullname template (will maintain the release name) +## +# nameOverride: + +## String to fully override common.names.fullname template +## +# fullnameOverride: + +## +## Init containers parameters: +## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup +## +volumePermissions: + enabled: false + image: + registry: docker.io + repository: bitnami/minideb + tag: buster + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + ## Init container Security Context + ## Note: the chown of the data folder is done to securityContext.runAsUser + ## and not the below volumePermissions.securityContext.runAsUser + ## When runAsUser is set to special value "auto", init container will try to chwon the + ## data folder to autodetermined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` + ## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed). + ## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with + ## pod securityContext.enabled=false and shmVolume.chmod.enabled=false + ## + securityContext: + runAsUser: 0 + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: + +## Pod Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## +securityContext: + enabled: true + fsGroup: 1001 + +## Container Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## +containerSecurityContext: + enabled: true + runAsUser: 1001 + +## Pod Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccount: + enabled: false + ## Name of an already existing service account. Setting this value disables the automatic service account creation. + # name: + +## Pod Security Policy +## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +## +psp: + create: false + +## Creates role for ServiceAccount +## Required for PSP +## +rbac: + create: false + +replication: + enabled: true + user: repl_user + password: repl_password + readReplicas: 2 + ## Set synchronous commit mode: on, off, remote_apply, remote_write and local + ## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL + ## + synchronousCommit: "on" + ## From the number of `readReplicas` defined above, set the number of those that will have synchronous replication + ## NOTE: It cannot be > readReplicas + ## + numSynchronousReplicas: 1 + ## Replication Cluster application name. Useful for defining multiple replication policies + ## + applicationName: my_application + +## PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`) +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-user-on-first-run (see note!) +# postgresqlPostgresPassword: + +## PostgreSQL user (has superuser privileges if username is `postgres`) +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +## +postgresqlUsername: postgres + +## PostgreSQL password +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +## +# postgresqlPassword: + +## PostgreSQL password using existing secret +## existingSecret: secret +## + +## Mount PostgreSQL secret as a file instead of passing environment variable +# usePasswordFile: false + +## Create a database +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run +## +# postgresqlDatabase: + +## PostgreSQL data dir +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +postgresqlDataDir: /bitnami/postgresql/data + +## An array to add extra environment variables +## For example: +## extraEnv: +## - name: FOO +## value: "bar" +## +# extraEnv: +extraEnv: [] + +## Name of a ConfigMap containing extra env vars +## +# extraEnvVarsCM: + +## Specify extra initdb args +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +# postgresqlInitdbArgs: + +## Specify a custom location for the PostgreSQL transaction log +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +# postgresqlInitdbWalDir: + +## PostgreSQL configuration +## Specify runtime configuration parameters as a dict, using camelCase, e.g. +## {"sharedBuffers": "500MB"} +## Alternatively, you can put your postgresql.conf under the files/ directory +## ref: https://www.postgresql.org/docs/current/static/runtime-config.html +## +# postgresqlConfiguration: + +## PostgreSQL extended configuration +## As above, but _appended_ to the main configuration +## Alternatively, you can put your *.conf under the files/conf.d/ directory +## https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf +## +# postgresqlExtendedConf: + +## Configure current cluster's primary server to be the standby server in other cluster. +## This will allow cross cluster replication and provide cross cluster high availability. +## You will need to configure pgHbaConfiguration if you want to enable this feature with local cluster replication enabled. +## +primaryAsStandBy: + enabled: false + # primaryHost: + # primaryPort: + +## PostgreSQL client authentication configuration +## Specify content for pg_hba.conf +## Default: do not create pg_hba.conf +## Alternatively, you can put your pg_hba.conf under the files/ directory +# pgHbaConfiguration: |- +# local all all trust +# host all all localhost trust +# host mydatabase mysuser 192.168.0.0/24 md5 + +## ConfigMap with PostgreSQL configuration +## NOTE: This will override postgresqlConfiguration and pgHbaConfiguration +# configurationConfigMap: + +## ConfigMap with PostgreSQL extended configuration +# extendedConfConfigMap: + +## initdb scripts +## Specify dictionary of scripts to be run at first boot +## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory +## +# initdbScripts: +# my_init_script.sh: | +# #!/bin/sh +# echo "Do something." + +## Specify the PostgreSQL username and password to execute the initdb scripts +# initdbUser: +# initdbPassword: + +## ConfigMap with scripts to be run at first boot +## NOTE: This will override initdbScripts +# initdbScriptsConfigMap: + +## Secret with scripts to be run at first boot (in case it contains sensitive information) +## NOTE: This can work along initdbScripts or initdbScriptsConfigMap +# initdbScriptsSecret: + +## Optional duration in seconds the pod needs to terminate gracefully. +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods +## +# terminationGracePeriodSeconds: 30 + +## LDAP configuration +## +ldap: + enabled: false + url: "" + server: "" + port: "" + prefix: "" + suffix: "" + baseDN: "" + bindDN: "" + bind_password: + search_attr: "" + search_filter: "" + scheme: "" + tls: {} + +## Audit settings +## https://github.com/bitnami/bitnami-docker-postgresql#auditing +## +audit: + ## Log client hostnames + ## + logHostname: false + ## Log connections to the server + ## + logConnections: false + ## Log disconnections + ## + logDisconnections: false + ## Operation to audit using pgAudit (default if not set) + ## + pgAuditLog: "" + ## Log catalog using pgAudit + ## + pgAuditLogCatalog: "off" + ## Log level for clients + ## + clientMinMessages: error + ## Template for log line prefix (default if not set) + ## + logLinePrefix: "" + ## Log timezone + ## + logTimezone: "" + +## Shared preload libraries +## +postgresqlSharedPreloadLibraries: "pgaudit" + +## Maximum total connections +## +postgresqlMaxConnections: + +## Maximum connections for the postgres user +## +postgresqlPostgresConnectionLimit: + +## Maximum connections for the created user +## +postgresqlDbUserConnectionLimit: + +## TCP keepalives interval +## +postgresqlTcpKeepalivesInterval: + +## TCP keepalives idle +## +postgresqlTcpKeepalivesIdle: + +## TCP keepalives count +## +postgresqlTcpKeepalivesCount: + +## Statement timeout +## +postgresqlStatementTimeout: + +## Remove pg_hba.conf lines with the following comma-separated patterns +## (cannot be used with custom pg_hba.conf) +## +postgresqlPghbaRemoveFilters: + +## PostgreSQL service configuration +## +service: + ## PosgresSQL service type + ## + type: ClusterIP + # clusterIP: None + port: 5432 + + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # nodePort: + + ## Provide any additional annotations which may be required. Evaluated as a template. + ## + annotations: {} + ## Set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + # loadBalancerIP: + ## Load Balancer sources. Evaluated as a template. + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + # loadBalancerSourceRanges: + # - 10.10.10.0/24 + +## Start primary and read replica(s) pod(s) without limitations on shm memory. +## By default docker and containerd (and possibly other container runtimes) +## limit `/dev/shm` to `64M` (see e.g. the +## [docker issue](https://github.com/docker-library/postgres/issues/416) and the +## [containerd issue](https://github.com/containerd/containerd/issues/3654), +## which could be not enough if PostgreSQL uses parallel workers heavily. +## +shmVolume: + ## Set `shmVolume.enabled` to `true` to mount a new tmpfs volume to remove + ## this limitation. + ## + enabled: true + ## Set to `true` to `chmod 777 /dev/shm` on a initContainer. + ## This option is ignored if `volumePermissions.enabled` is `false` + ## + chmod: + enabled: true + +## PostgreSQL data Persistent Volume Storage Class +## If defined, storageClassName: +## If set to "-", storageClassName: "", which disables dynamic provisioning +## If undefined (the default) or set to null, no storageClassName spec is +## set, choosing the default provisioner. (gp2 on AWS, standard on +## GKE, AWS & OpenStack) +## +persistence: + enabled: true + ## A manually managed Persistent Volume and Claim + ## If defined, PVC must be created manually before volume will be bound + ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart + ## + # existingClaim: + + ## The path the volume will be mounted at, useful when using different + ## PostgreSQL images. + ## + mountPath: /bitnami/postgresql + + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + ## + subPath: "" + + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + annotations: {} + ## selector can be used to match an existing PersistentVolume + ## selector: + ## matchLabels: + ## app: my-app + selector: {} + +## updateStrategy for PostgreSQL StatefulSet and its reads StatefulSets +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +## +updateStrategy: + type: RollingUpdate + +## +## PostgreSQL Primary parameters +## +primary: + ## PostgreSQL Primary pod affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## Allowed values: soft, hard + ## + podAffinityPreset: "" + + ## PostgreSQL Primary pod anti-affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## Allowed values: soft, hard + ## + podAntiAffinityPreset: soft + + ## PostgreSQL Primary node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## Allowed values: soft, hard + ## + nodeAffinityPreset: + ## Node affinity type + ## Allowed values: soft, hard + type: "" + ## Node label key to match + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## Node label values to match + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + + ## Affinity for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + + ## Node labels for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Tolerations for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + priorityClassName: "" + ## Additional PostgreSQL Primary Volume mounts + ## + extraVolumeMounts: [] + ## Additional PostgreSQL Primary Volumes + ## + extraVolumes: [] + ## Add sidecars to the pod + ## + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + + ## Override the service configuration for Primary + ## + service: {} + # type: + # nodePort: + # clusterIP: + +## +## PostgreSQL Read Only Replica parameters +## +readReplicas: + ## PostgreSQL read only pod affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## Allowed values: soft, hard + ## + podAffinityPreset: "" + + ## PostgreSQL read only pod anti-affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## Allowed values: soft, hard + ## + podAntiAffinityPreset: soft + + ## PostgreSQL read only node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## Allowed values: soft, hard + ## + nodeAffinityPreset: + ## Node affinity type + ## Allowed values: soft, hard + type: "" + ## Node label key to match + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## Node label values to match + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + + ## Affinity for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: readReplicas.podAffinityPreset, readReplicas.podAntiAffinityPreset, and readReplicas.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + + ## Node labels for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + priorityClassName: "" + ## Extra init containers + ## Example + ## + ## extraInitContainers: + ## - name: do-something + ## image: busybox + ## command: ['do', 'something'] + ## + extraInitContainers: [] + ## Additional PostgreSQL Read Replica Volume mounts + ## + extraVolumeMounts: [] + ## Additional PostgreSQL Read Replica Volumes + ## + extraVolumes: [] + ## Add sidecars to the pod + ## + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + + ## Override the service configuration for Read Replicas + ## + service: {} + # type: + # nodePort: + # clusterIP: + ## Whether to enable PostgreSQL readReplicas replicas data Persistent + ## + persistence: + enabled: true + + # Override the resource configuration for readReplicas + resources: {} + # requests: + # memory: 256Mi + # cpu: 250m + +## Configure resource requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: + requests: + memory: 256Mi + cpu: 250m + +## Add annotations to all the deployed resources +## +commonAnnotations: {} + +networkPolicy: + ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. + ## + enabled: false + + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the port PostgreSQL is listening + ## on. When true, PostgreSQL will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + + ## if explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace + ## and that match other criteria, the ones that have the good label, can reach the DB. + ## But sometimes, we want the DB to be accessible to clients from other namespaces, in this case, we can use this + ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added. + ## + ## Example: + ## explicitNamespacesSelector: + ## matchLabels: + ## role: frontend + ## matchExpressions: + ## - {key: role, operator: In, values: [frontend]} + ## + explicitNamespacesSelector: {} + +## Configure extra options for liveness and readiness probes +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) +## +livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +## Custom Liveness probe +## +customLivenessProbe: {} + +## Custom Rediness probe +## +customReadinessProbe: {} + +## +## TLS configuration +## +tls: + # Enable TLS traffic + enabled: false + # + # Whether to use the server's TLS cipher preferences rather than the client's. + preferServerCiphers: true + # + # Name of the Secret that contains the certificates + certificatesSecret: "" + # + # Certificate filename + certFilename: "" + # + # Certificate Key filename + certKeyFilename: "" + # + # CA Certificate filename + # If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate + # ref: https://www.postgresql.org/docs/9.6/auth-methods.html + certCAFilename: + # + # File containing a Certificate Revocation List + crlFilename: + +## Configure metrics exporter +## +metrics: + enabled: true + # resources: {} + service: + type: ClusterIP + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9187" + loadBalancerIP: + serviceMonitor: + enabled: false + additionalLabels: {} + # namespace: monitoring + # interval: 30s + # scrapeTimeout: 10s + ## Custom PrometheusRule to be defined + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + enabled: false + additionalLabels: {} + namespace: "" + ## These are just examples rules, please adapt them to your needs. + ## Make sure to constraint the rules to the current postgresql service. + ## rules: + ## - alert: HugeReplicationLag + ## expr: pg_replication_lag{service="{{ template "common.names.fullname" . }}-metrics"} / 3600 > 1 + ## for: 1m + ## labels: + ## severity: critical + ## annotations: + ## description: replication for {{ template "common.names.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s). + ## summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s). + ## + rules: [] + + image: + registry: docker.io + repository: bitnami/postgres-exporter + tag: 0.8.0-debian-10-r293 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + ## Define additional custom metrics + ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file + # customMetrics: + # pg_database: + # query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')" + # metrics: + # - name: + # usage: "LABEL" + # description: "Name of the database" + # - size_bytes: + # usage: "GAUGE" + # description: "Size of the database in bytes" + ## An array to add extra env vars to configure postgres-exporter + ## see: https://github.com/wrouesnel/postgres_exporter#environment-variables + ## For example: + # extraEnvVars: + # - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS + # value: "true" + extraEnvVars: {} + + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## + securityContext: + enabled: false + runAsUser: 1001 + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## Configure extra options for liveness and readiness probes + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 diff --git a/stable/ckan/charts/postgresql/values.schema.json b/stable/ckan/charts/postgresql/values.schema.json new file mode 100644 index 00000000..66a2a9dd --- /dev/null +++ b/stable/ckan/charts/postgresql/values.schema.json @@ -0,0 +1,103 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "postgresqlUsername": { + "type": "string", + "title": "Admin user", + "form": true + }, + "postgresqlPassword": { + "type": "string", + "title": "Password", + "form": true + }, + "persistence": { + "type": "object", + "properties": { + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi" + } + } + }, + "resources": { + "type": "object", + "title": "Required Resources", + "description": "Configure resource requests", + "form": true, + "properties": { + "requests": { + "type": "object", + "properties": { + "memory": { + "type": "string", + "form": true, + "render": "slider", + "title": "Memory Request", + "sliderMin": 10, + "sliderMax": 2048, + "sliderUnit": "Mi" + }, + "cpu": { + "type": "string", + "form": true, + "render": "slider", + "title": "CPU Request", + "sliderMin": 10, + "sliderMax": 2000, + "sliderUnit": "m" + } + } + } + } + }, + "replication": { + "type": "object", + "form": true, + "title": "Replication Details", + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable Replication", + "form": true + }, + "readReplicas": { + "type": "integer", + "title": "read Replicas", + "form": true, + "hidden": { + "value": false, + "path": "replication/enabled" + } + } + } + }, + "volumePermissions": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable Init Containers", + "description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup" + } + } + }, + "metrics": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "title": "Configure metrics exporter", + "form": true + } + } + } + } +} diff --git a/stable/ckan/charts/postgresql/values.yaml b/stable/ckan/charts/postgresql/values.yaml new file mode 100644 index 00000000..cdf5db47 --- /dev/null +++ b/stable/ckan/charts/postgresql/values.yaml @@ -0,0 +1,813 @@ +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## +global: + postgresql: {} +# imageRegistry: myRegistryName +# imagePullSecrets: +# - myRegistryKeySecretName +# storageClass: myStorageClass + +## Bitnami PostgreSQL image version +## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ +## +image: + registry: docker.io + repository: bitnami/postgresql + tag: 11.10.0-debian-10-r24 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + + ## Set to true if you would like to see extra information on logs + ## It turns BASH and NAMI debugging in minideb + ## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging + ## + debug: false + +## String to partially override common.names.fullname template (will maintain the release name) +## +# nameOverride: + +## String to fully override common.names.fullname template +## +# fullnameOverride: + +## +## Init containers parameters: +## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup +## +volumePermissions: + enabled: false + image: + registry: docker.io + repository: bitnami/minideb + tag: buster + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + ## Init container Security Context + ## Note: the chown of the data folder is done to securityContext.runAsUser + ## and not the below volumePermissions.securityContext.runAsUser + ## When runAsUser is set to special value "auto", init container will try to chwon the + ## data folder to autodetermined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` + ## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed). + ## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with + ## pod securityContext.enabled=false and shmVolume.chmod.enabled=false + ## + securityContext: + runAsUser: 0 + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: + +## Pod Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## +securityContext: + enabled: true + fsGroup: 1001 + +## Container Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## +containerSecurityContext: + enabled: true + runAsUser: 1001 + +## Pod Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccount: + enabled: false + ## Name of an already existing service account. Setting this value disables the automatic service account creation. + # name: + +## Pod Security Policy +## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +## +psp: + create: false + +## Creates role for ServiceAccount +## Required for PSP +## +rbac: + create: false + +replication: + enabled: false + user: repl_user + password: repl_password + readReplicas: 1 + ## Set synchronous commit mode: on, off, remote_apply, remote_write and local + ## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL + synchronousCommit: 'off' + ## From the number of `readReplicas` defined above, set the number of those that will have synchronous replication + ## NOTE: It cannot be > readReplicas + numSynchronousReplicas: 0 + ## Replication Cluster application name. Useful for defining multiple replication policies + ## + applicationName: my_application + +## PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`) +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-user-on-first-run (see note!) +# postgresqlPostgresPassword: + +## PostgreSQL user (has superuser privileges if username is `postgres`) +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +## +postgresqlUsername: postgres + +## PostgreSQL password +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run +## +# postgresqlPassword: + +## PostgreSQL password using existing secret +## existingSecret: secret +## + +## Mount PostgreSQL secret as a file instead of passing environment variable +# usePasswordFile: false + +## Create a database +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run +## +# postgresqlDatabase: + +## PostgreSQL data dir +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +postgresqlDataDir: /bitnami/postgresql/data + +## An array to add extra environment variables +## For example: +## extraEnv: +## - name: FOO +## value: "bar" +## +# extraEnv: +extraEnv: [] + +## Name of a ConfigMap containing extra env vars +## +# extraEnvVarsCM: + +## Specify extra initdb args +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +# postgresqlInitdbArgs: + +## Specify a custom location for the PostgreSQL transaction log +## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md +## +# postgresqlInitdbWalDir: + +## PostgreSQL configuration +## Specify runtime configuration parameters as a dict, using camelCase, e.g. +## {"sharedBuffers": "500MB"} +## Alternatively, you can put your postgresql.conf under the files/ directory +## ref: https://www.postgresql.org/docs/current/static/runtime-config.html +## +# postgresqlConfiguration: + +## PostgreSQL extended configuration +## As above, but _appended_ to the main configuration +## Alternatively, you can put your *.conf under the files/conf.d/ directory +## https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf +## +# postgresqlExtendedConf: + +## Configure current cluster's primary server to be the standby server in other cluster. +## This will allow cross cluster replication and provide cross cluster high availability. +## You will need to configure pgHbaConfiguration if you want to enable this feature with local cluster replication enabled. +## +primaryAsStandBy: + enabled: false + # primaryHost: + # primaryPort: + +## PostgreSQL client authentication configuration +## Specify content for pg_hba.conf +## Default: do not create pg_hba.conf +## Alternatively, you can put your pg_hba.conf under the files/ directory +# pgHbaConfiguration: |- +# local all all trust +# host all all localhost trust +# host mydatabase mysuser 192.168.0.0/24 md5 + +## ConfigMap with PostgreSQL configuration +## NOTE: This will override postgresqlConfiguration and pgHbaConfiguration +# configurationConfigMap: + +## ConfigMap with PostgreSQL extended configuration +# extendedConfConfigMap: + +## initdb scripts +## Specify dictionary of scripts to be run at first boot +## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory +## +# initdbScripts: +# my_init_script.sh: | +# #!/bin/sh +# echo "Do something." + +## ConfigMap with scripts to be run at first boot +## NOTE: This will override initdbScripts +# initdbScriptsConfigMap: + +## Secret with scripts to be run at first boot (in case it contains sensitive information) +## NOTE: This can work along initdbScripts or initdbScriptsConfigMap +# initdbScriptsSecret: + +## Specify the PostgreSQL username and password to execute the initdb scripts +# initdbUser: +# initdbPassword: + +## Audit settings +## https://github.com/bitnami/bitnami-docker-postgresql#auditing +## +audit: + ## Log client hostnames + ## + logHostname: false + ## Log connections to the server + ## + logConnections: false + ## Log disconnections + ## + logDisconnections: false + ## Operation to audit using pgAudit (default if not set) + ## + pgAuditLog: "" + ## Log catalog using pgAudit + ## + pgAuditLogCatalog: "off" + ## Log level for clients + ## + clientMinMessages: error + ## Template for log line prefix (default if not set) + ## + logLinePrefix: "" + ## Log timezone + ## + logTimezone: "" + +## Shared preload libraries +## +postgresqlSharedPreloadLibraries: "pgaudit" + +## Maximum total connections +## +postgresqlMaxConnections: + +## Maximum connections for the postgres user +## +postgresqlPostgresConnectionLimit: + +## Maximum connections for the created user +## +postgresqlDbUserConnectionLimit: + +## TCP keepalives interval +## +postgresqlTcpKeepalivesInterval: + +## TCP keepalives idle +## +postgresqlTcpKeepalivesIdle: + +## TCP keepalives count +## +postgresqlTcpKeepalivesCount: + +## Statement timeout +## +postgresqlStatementTimeout: + +## Remove pg_hba.conf lines with the following comma-separated patterns +## (cannot be used with custom pg_hba.conf) +## +postgresqlPghbaRemoveFilters: + +## Optional duration in seconds the pod needs to terminate gracefully. +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods +## +# terminationGracePeriodSeconds: 30 + +## LDAP configuration +## +ldap: + enabled: false + url: '' + server: '' + port: '' + prefix: '' + suffix: '' + baseDN: '' + bindDN: '' + bind_password: + search_attr: '' + search_filter: '' + scheme: '' + tls: {} + +## PostgreSQL service configuration +## +service: + ## PosgresSQL service type + ## + type: ClusterIP + # clusterIP: None + port: 5432 + + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # nodePort: + + ## Provide any additional annotations which may be required. Evaluated as a template. + ## + annotations: {} + ## Set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + # loadBalancerIP: + ## Load Balancer sources. Evaluated as a template. + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + # loadBalancerSourceRanges: + # - 10.10.10.0/24 + +## Start primary and read(s) pod(s) without limitations on shm memory. +## By default docker and containerd (and possibly other container runtimes) +## limit `/dev/shm` to `64M` (see e.g. the +## [docker issue](https://github.com/docker-library/postgres/issues/416) and the +## [containerd issue](https://github.com/containerd/containerd/issues/3654), +## which could be not enough if PostgreSQL uses parallel workers heavily. +## +shmVolume: + ## Set `shmVolume.enabled` to `true` to mount a new tmpfs volume to remove + ## this limitation. + ## + enabled: true + ## Set to `true` to `chmod 777 /dev/shm` on a initContainer. + ## This option is ignored if `volumePermissions.enabled` is `false` + ## + chmod: + enabled: true + +## PostgreSQL data Persistent Volume Storage Class +## If defined, storageClassName: +## If set to "-", storageClassName: "", which disables dynamic provisioning +## If undefined (the default) or set to null, no storageClassName spec is +## set, choosing the default provisioner. (gp2 on AWS, standard on +## GKE, AWS & OpenStack) +## +persistence: + enabled: true + ## A manually managed Persistent Volume and Claim + ## If defined, PVC must be created manually before volume will be bound + ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart + ## + # existingClaim: + + ## The path the volume will be mounted at, useful when using different + ## PostgreSQL images. + ## + mountPath: /bitnami/postgresql + + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + ## + subPath: '' + + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + annotations: {} + ## selector can be used to match an existing PersistentVolume + ## selector: + ## matchLabels: + ## app: my-app + selector: {} + +## updateStrategy for PostgreSQL StatefulSet and its reads StatefulSets +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +## +updateStrategy: + type: RollingUpdate + +## +## PostgreSQL Primary parameters +## +primary: + ## PostgreSQL Primary pod affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## Allowed values: soft, hard + ## + podAffinityPreset: "" + + ## PostgreSQL Primary pod anti-affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## Allowed values: soft, hard + ## + podAntiAffinityPreset: soft + + ## PostgreSQL Primary node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## Allowed values: soft, hard + ## + nodeAffinityPreset: + ## Node affinity type + ## Allowed values: soft, hard + type: "" + ## Node label key to match + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## Node label values to match + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + + ## Affinity for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + + ## Node labels for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Tolerations for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + priorityClassName: '' + ## Extra init containers + ## Example + ## + ## extraInitContainers: + ## - name: do-something + ## image: busybox + ## command: ['do', 'something'] + ## + extraInitContainers: [] + + ## Additional PostgreSQL primary Volume mounts + ## + extraVolumeMounts: [] + ## Additional PostgreSQL primary Volumes + ## + extraVolumes: [] + ## Add sidecars to the pod + ## + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + + ## Override the service configuration for primary + ## + service: {} + # type: + # nodePort: + # clusterIP: + +## +## PostgreSQL read only replica parameters +## +readReplicas: + ## PostgreSQL read only pod affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## Allowed values: soft, hard + ## + podAffinityPreset: "" + + ## PostgreSQL read only pod anti-affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## Allowed values: soft, hard + ## + podAntiAffinityPreset: soft + + ## PostgreSQL read only node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## Allowed values: soft, hard + ## + nodeAffinityPreset: + ## Node affinity type + ## Allowed values: soft, hard + type: "" + ## Node label key to match + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## Node label values to match + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + + ## Affinity for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: readReplicas.podAffinityPreset, readReplicas.podAntiAffinityPreset, and readReplicas.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + + ## Node labels for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Tolerations for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + labels: {} + annotations: {} + podLabels: {} + podAnnotations: {} + priorityClassName: '' + + ## Extra init containers + ## Example + ## + ## extraInitContainers: + ## - name: do-something + ## image: busybox + ## command: ['do', 'something'] + ## + extraInitContainers: [] + + ## Additional PostgreSQL read replicas Volume mounts + ## + extraVolumeMounts: [] + + ## Additional PostgreSQL read replicas Volumes + ## + extraVolumes: [] + + ## Add sidecars to the pod + ## + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + + ## Override the service configuration for read + ## + service: {} + # type: + # nodePort: + # clusterIP: + + ## Whether to enable PostgreSQL read replicas data Persistent + ## + persistence: + enabled: true + + # Override the resource configuration for read replicas + resources: {} + # requests: + # memory: 256Mi + # cpu: 250m + +## Configure resource requests and limits +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: + requests: + memory: 256Mi + cpu: 250m + +## Add annotations to all the deployed resources +## +commonAnnotations: {} + +networkPolicy: + ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. + ## + enabled: false + + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the port PostgreSQL is listening + ## on. When true, PostgreSQL will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + + ## if explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace + ## and that match other criteria, the ones that have the good label, can reach the DB. + ## But sometimes, we want the DB to be accessible to clients from other namespaces, in this case, we can use this + ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added. + ## + ## Example: + ## explicitNamespacesSelector: + ## matchLabels: + ## role: frontend + ## matchExpressions: + ## - {key: role, operator: In, values: [frontend]} + ## + explicitNamespacesSelector: {} + +## Configure extra options for liveness and readiness probes +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) +## +livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +## Custom Liveness probe +## +customLivenessProbe: {} + +## Custom Rediness probe +## +customReadinessProbe: {} + +## +## TLS configuration +## +tls: + # Enable TLS traffic + enabled: false + # + # Whether to use the server's TLS cipher preferences rather than the client's. + preferServerCiphers: true + # + # Name of the Secret that contains the certificates + certificatesSecret: '' + # + # Certificate filename + certFilename: '' + # + # Certificate Key filename + certKeyFilename: '' + # + # CA Certificate filename + # If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate + # ref: https://www.postgresql.org/docs/9.6/auth-methods.html + certCAFilename: + # + # File containing a Certificate Revocation List + crlFilename: + +## Configure metrics exporter +## +metrics: + enabled: false + # resources: {} + service: + type: ClusterIP + annotations: + prometheus.io/scrape: 'true' + prometheus.io/port: '9187' + loadBalancerIP: + serviceMonitor: + enabled: false + additionalLabels: {} + # namespace: monitoring + # interval: 30s + # scrapeTimeout: 10s + ## Custom PrometheusRule to be defined + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + enabled: false + additionalLabels: {} + namespace: '' + ## These are just examples rules, please adapt them to your needs. + ## Make sure to constraint the rules to the current postgresql service. + ## rules: + ## - alert: HugeReplicationLag + ## expr: pg_replication_lag{service="{{ template "common.names.fullname" . }}-metrics"} / 3600 > 1 + ## for: 1m + ## labels: + ## severity: critical + ## annotations: + ## description: replication for {{ template "common.names.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s). + ## summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s). + ## + rules: [] + + image: + registry: docker.io + repository: bitnami/postgres-exporter + tag: 0.8.0-debian-10-r293 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + ## Define additional custom metrics + ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file + # customMetrics: + # pg_database: + # query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size_bytes FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')" + # metrics: + # - name: + # usage: "LABEL" + # description: "Name of the database" + # - size_bytes: + # usage: "GAUGE" + # description: "Size of the database in bytes" + # + ## An array to add extra env vars to configure postgres-exporter + ## see: https://github.com/wrouesnel/postgres_exporter#environment-variables + ## For example: + # extraEnvVars: + # - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS + # value: "true" + extraEnvVars: {} + + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## + securityContext: + enabled: false + runAsUser: 1001 + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## Configure extra options for liveness and readiness probes + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +## Array with extra yaml to deploy with the chart. Evaluated as a template +## +extraDeploy: [] diff --git a/stable/ckan/charts/redis/.helmignore b/stable/ckan/charts/redis/.helmignore new file mode 100644 index 00000000..f0c13194 --- /dev/null +++ b/stable/ckan/charts/redis/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/stable/ckan/charts/redis/Chart.lock b/stable/ckan/charts/redis/Chart.lock new file mode 100644 index 00000000..69cc5b92 --- /dev/null +++ b/stable/ckan/charts/redis/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + version: 1.4.2 +digest: sha256:4e3ec38e0e27e9fc1defb2a13f67a0aa12374bf0b15f06a6c13b1b46df6bffeb +generated: "2021-04-05T11:40:59.141264592Z" diff --git a/stable/ckan/charts/redis/Chart.yaml b/stable/ckan/charts/redis/Chart.yaml new file mode 100644 index 00000000..dd36c43e --- /dev/null +++ b/stable/ckan/charts/redis/Chart.yaml @@ -0,0 +1,29 @@ +annotations: + category: Database +apiVersion: v2 +appVersion: 6.0.12 +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + tags: + - bitnami-common + version: 1.x.x +description: Open source, advanced key-value store. It is often referred to as a data + structure server since keys can contain strings, hashes, lists, sets and sorted + sets. +home: https://github.com/bitnami/charts/tree/master/bitnami/redis +icon: https://bitnami.com/assets/stacks/redis/img/redis-stack-220x234.png +keywords: +- redis +- keyvalue +- database +maintainers: +- email: containers@bitnami.com + name: Bitnami +- email: cedric@desaintmartin.fr + name: desaintmartin +name: redis +sources: +- https://github.com/bitnami/bitnami-docker-redis +- http://redis.io/ +version: 12.10.1 diff --git a/stable/ckan/charts/redis/README.md b/stable/ckan/charts/redis/README.md new file mode 100644 index 00000000..ef3e2563 --- /dev/null +++ b/stable/ckan/charts/redis/README.md @@ -0,0 +1,738 @@ +# RedisTM Chart packaged by Bitnami + +[RedisTM](http://redis.io/) is an advanced key-value cache and store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets, sorted sets, bitmaps and hyperloglogs. + +Disclaimer: REDIS® is a registered trademark of Redis Labs Ltd.Any rights therein are reserved to Redis Labs Ltd. Any use by Bitnami is for referential purposes only and does not indicate any sponsorship, endorsement, or affiliation between Redis Labs Ltd. + +## TL;DR + +```bash +$ helm repo add bitnami https://charts.bitnami.com/bitnami +$ helm install my-release bitnami/redis +``` + +## Introduction + +This chart bootstraps a [RedisTM](https://github.com/bitnami/bitnami-docker-redis) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/). + +### Choose between RedisTM Helm Chart and RedisTM Cluster Helm Chart + +You can choose any of the two RedisTM Helm charts for deploying a RedisTM cluster. +While [RedisTM Helm Chart](https://github.com/bitnami/charts/tree/master/bitnami/redis) will deploy a master-slave cluster using RedisTM Sentinel, the [RedisTM Cluster Helm Chart](https://github.com/bitnami/charts/tree/master/bitnami/redis-cluster) will deploy a RedisTM Cluster topology with sharding. +The main features of each chart are the following: + +| RedisTM | RedisTM Cluster | +|--------------------------------------------------------|------------------------------------------------------------------------| +| Supports multiple databases | Supports only one database. Better if you have a big dataset | +| Single write point (single master) | Multiple write points (multiple masters) | +| ![RedisTM Topology](img/redis-topology.png) | ![RedisTM Cluster Topology](img/redis-cluster-topology.png) | + +## Prerequisites + +- Kubernetes 1.12+ +- Helm 3.1.0 +- PV provisioner support in the underlying infrastructure + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```bash +$ helm install my-release bitnami/redis +``` + +The command deploys RedisTM on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```bash +$ helm delete my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Parameters + +The following table lists the configurable parameters of the RedisTM chart and their default values. + +| Parameter | Description | Default | +|:------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------------------------------------| +| `global.imageRegistry` | Global Docker image registry | `nil` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | +| `global.storageClass` | Global storage class for dynamic provisioning | `nil` | +| `global.redis.password` | RedisTM password (overrides `password`) | `nil` | +| `image.registry` | RedisTM Image registry | `docker.io` | +| `image.repository` | RedisTM Image name | `bitnami/redis` | +| `image.tag` | RedisTM Image tag | `{TAG_NAME}` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `nil` | +| `nameOverride` | String to partially override redis.fullname template with a string (will prepend the release name) | `nil` | +| `fullnameOverride` | String to fully override redis.fullname template with a string | `nil` | +| `cluster.enabled` | Use master-slave topology | `true` | +| `cluster.slaveCount` | Number of slaves | `2` | +| `existingSecret` | Name of existing secret object (for password authentication) | `nil` | +| `existingSecretPasswordKey` | Name of key containing password to be retrieved from the existing secret | `nil` | +| `usePassword` | Use password | `true` | +| `usePasswordFile` | Mount passwords as files instead of environment variables | `false` | +| `password` | RedisTM password (ignored if existingSecret set) | Randomly generated | +| `configmap` | Additional common RedisTM node configuration (this value is evaluated as a template) | See values.yaml | +| `clusterDomain` | Kubernetes DNS Domain name to use | `cluster.local` | +| `extraVolumes` | Array of extra volumes to be added to master & slave nodes (evaluated as a template) | `[]` | +| `extraVolumeMounts` | Array of extra volume mounts to be added to master & slave nodes (evaluated as a template) | `[]` | +| `networkPolicy.enabled` | Enable NetworkPolicy | `false` | +| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `networkPolicy.ingressNSMatchLabels` | Allow connections from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | For other namespaces match by pod labels and namespace labels | `{}` | +| `securityContext.*` | Other pod security context to be included as-is in the pod spec | `{}` | +| `securityContext.enabled` | Enable security context (both redis master and slave pods) | `true` | +| `securityContext.fsGroup` | Group ID for the container (both redis master and slave pods) | `1001` | +| `containerSecurityContext.*` | Other container security context to be included as-is in the container spec | `{}` | +| `containerSecurityContext.enabled` | Enable security context (both redis master and slave containers) | `true` | +| `containerSecurityContext.runAsUser` | User ID for the container (both redis master and slave containers) | `1001` | +| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` | +| `serviceAccount.name` | The name of the ServiceAccount to create | Generated using the fullname template | +| `serviceAccount.annotations` | Specifies annotations to add to ServiceAccount. | `nil` | +| `rbac.create` | Specifies whether RBAC resources should be created | `false` | +| `rbac.role.rules` | Rules to create | `[]` | +| `metrics.enabled` | Start a side-car prometheus exporter | `false` | +| `metrics.image.registry` | RedisTM exporter image registry | `docker.io` | +| `metrics.image.repository` | RedisTM exporter image name | `bitnami/redis-exporter` | +| `metrics.image.tag` | RedisTM exporter image tag | `{TAG_NAME}` | +| `metrics.image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `nil` | +| `metrics.extraArgs` | Extra arguments for the binary; possible values [here](https://github.com/oliver006/redis_exporter#flags) | {} | +| `metrics.podLabels` | Additional labels for Metrics exporter pod | {} | +| `metrics.podAnnotations` | Additional annotations for Metrics exporter pod | {} | +| `metrics.resources` | Exporter resource requests/limit | Memory: `256Mi`, CPU: `100m` | +| `metrics.serviceMonitor.enabled` | if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) | `false` | +| `metrics.serviceMonitor.namespace` | Optional namespace which Prometheus is running in | `nil` | +| `metrics.serviceMonitor.interval` | How frequently to scrape metrics (use by default, falling back to Prometheus' default) | `nil` | +| `metrics.serviceMonitor.selector` | Default to kube-prometheus install (CoreOS recommended), but should be set according to Prometheus install | `{ prometheus: kube-prometheus }` | +| `metrics.serviceMonitor.relabelings` | ServiceMonitor relabelings. Value is evaluated as a template | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | ServiceMonitor metricRelabelings. Value is evaluated as a template | `[]` | +| `metrics.service.type` | Kubernetes Service type (redis metrics) | `ClusterIP` | +| `metrics.service.externalTrafficPolicy` | External traffic policy (when service type is LoadBalancer) | `Cluster` | +| `metrics.service.annotations` | Annotations for the services to monitor (redis master and redis slave service) | {} | +| `metrics.service.labels` | Additional labels for the metrics service | {} | +| `metrics.service.loadBalancerIP` | loadBalancerIP if redis metrics service type is `LoadBalancer` | `nil` | +| `metrics.priorityClassName` | Metrics exporter pod priorityClassName | `nil` | +| `metrics.prometheusRule.enabled` | Set this to true to create prometheusRules for Prometheus operator | `false` | +| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.namespace` | namespace where prometheusRules resource should be created | Same namespace as redis | +| `metrics.prometheusRule.rules` | [rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) to be created, check values for an example. | `[]` | +| `metrics.redisTargetHost` | way to specify an alternative redis hostname, if you set a local endpoint in hostAliases to match specific redis server certificate CN/SAN for example. + | `localhost` | +| `persistence.existingClaim` | Provide an existing PersistentVolumeClaim | `nil` | +| `master.persistence.enabled` | Use a PVC to persist data (master node) | `true` | +| `master.hostAliases` | Add deployment host aliases | `[]` | +| `master.persistence.path` | Path to mount the volume at, to use other images | `/data` | +| `master.persistence.subPath` | Subdirectory of the volume to mount at | `""` | +| `master.persistence.storageClass` | Storage class of backing PVC | `generic` | +| `master.persistence.accessModes` | Persistent Volume Access Modes | `[ReadWriteOnce]` | +| `master.persistence.size` | Size of data volume | `8Gi` | +| `master.persistence.matchLabels` | matchLabels persistent volume selector | `{}` | +| `master.persistence.matchExpressions` | matchExpressions persistent volume selector | `{}` | +| `master.persistence.volumes` | Additional volumes without creating PVC | `{}` | +| `master.statefulset.labels` | Additional labels for redis master StatefulSet | `{}` | +| `master.statefulset.annotations` | Additional annotations for redis master StatefulSet | `{}` | +| `master.statefulset.updateStrategy` | Update strategy for StatefulSet | onDelete | +| `master.statefulset.rollingUpdatePartition` | Partition update strategy | `nil` | +| `master.statefulset.volumeClaimTemplates.labels` | Additional labels for redis master StatefulSet volumeClaimTemplates | `{}` | +| `master.statefulset.volumeClaimTemplates.annotations` | Additional annotations for redis master StatefulSet volumeClaimTemplates | `{}` | +| `master.podLabels` | Additional labels for RedisTM master pod | {} | +| `master.podAnnotations` | Additional annotations for RedisTM master pod | {} | +| `master.extraEnvVars` | Additional Environment Variables passed to the pod of the master's stateful set set | `[]` | +| `master.extraEnvVarCMs` | Additional Environment Variables ConfigMappassed to the pod of the master's stateful set set | `[]` | +| `master.extraEnvVarsSecret` | Additional Environment Variables Secret passed to the master's stateful set | `[]` | +| `master.extraVolumes` | Array of extra volumes to be added to master pod (evaluated as a template) | `[]` | +| `master.extraVolumeMounts` | Array of extra volume mounts to be added to master pod (evaluated as a template) | `[]` | +| `podDisruptionBudget.enabled` | Pod Disruption Budget toggle | `false` | +| `podDisruptionBudget.minAvailable` | Minimum available pods | `1` | +| `podDisruptionBudget.maxUnavailable` | Maximum unavailable | `nil` | +| `redisPort` | RedisTM port (in both master and slaves) | `6379` | +| `tls.enabled` | Enable TLS support for replication traffic | `false` | +| `tls.authClients` | Require clients to authenticate or not | `true` | +| `tls.certificatesSecret` | Name of the secret that contains the certificates | `nil` | +| `tls.certFilename` | Certificate filename | `nil` | +| `tls.certKeyFilename` | Certificate key filename | `nil` | +| `tls.certCAFilename` | CA Certificate filename | `nil` | +| `tls.dhParamsFilename` | DH params (in order to support DH based ciphers) | `nil` | +| `master.command` | RedisTM master entrypoint string. The command `redis-server` is executed if this is not provided. Note this is prepended with `exec` | `/run.sh` | +| `master.preExecCmds` | Text to inset into the startup script immediately prior to `master.command`. Use this if you need to run other ad-hoc commands as part of startup | `nil` | +| `master.configmap` | Additional RedisTM configuration for the master nodes (this value is evaluated as a template) | `nil` | +| `master.disableCommands` | Array of RedisTM commands to disable (master) | `["FLUSHDB", "FLUSHALL"]` | +| `master.extraFlags` | RedisTM master additional command line flags | [] | +| `master.nodeSelector` | RedisTM master Node labels for pod assignment | {"beta.kubernetes.io/arch": "amd64"} | +| `master.tolerations` | Toleration labels for RedisTM master pod assignment | [] | +| `master.affinity` | Affinity settings for RedisTM master pod assignment | {} | +| `master.schedulerName` | Name of an alternate scheduler | `nil` | +| `master.service.type` | Kubernetes Service type (redis master) | `ClusterIP` | +| `master.service.externalTrafficPolicy` | External traffic policy (when service type is LoadBalancer) | `Cluster` | +| `master.service.port` | Kubernetes Service port (redis master) | `6379` | +| `master.service.nodePort` | Kubernetes Service nodePort (redis master) | `nil` | +| `master.service.annotations` | annotations for redis master service | {} | +| `master.service.labels` | Additional labels for redis master service | {} | +| `master.service.loadBalancerIP` | loadBalancerIP if redis master service type is `LoadBalancer` | `nil` | +| `master.service.loadBalancerSourceRanges` | loadBalancerSourceRanges if redis master service type is `LoadBalancer` | `nil` | +| `master.resources` | RedisTM master CPU/Memory resource requests/limits | Memory: `256Mi`, CPU: `100m` | +| `master.livenessProbe.enabled` | Turn on and off liveness probe (redis master pod) | `true` | +| `master.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated (redis master pod) | `5` | +| `master.livenessProbe.periodSeconds` | How often to perform the probe (redis master pod) | `5` | +| `master.livenessProbe.timeoutSeconds` | When the probe times out (redis master pod) | `5` | +| `master.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis master pod) | `1` | +| `master.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `5` | +| `master.readinessProbe.enabled` | Turn on and off readiness probe (redis master pod) | `true` | +| `master.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated (redis master pod) | `5` | +| `master.readinessProbe.periodSeconds` | How often to perform the probe (redis master pod) | `5` | +| `master.readinessProbe.timeoutSeconds` | When the probe times out (redis master pod) | `1` | +| `master.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis master pod) | `1` | +| `master.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `5` | +| `master.shareProcessNamespace` | RedisTM Master pod `shareProcessNamespace` option. Enables /pause reap zombie PIDs. | `false` | +| `master.priorityClassName` | RedisTM Master pod priorityClassName | `nil` | +| `volumePermissions.enabled` | Enable init container that changes volume permissions in the registry (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | +| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/bitnami-shell` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag | `"10"` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` | +| `volumePermissions.resources ` | Init container volume-permissions CPU/Memory resource requests/limits | {} | +| `volumePermissions.securityContext.*` | Security context of the init container | `{}` | +| `volumePermissions.securityContext.runAsUser` | UserID for the init container (when facing issues in OpenShift or uid unknown, try value "auto") | 0 | +| `slave.hostAliases` | Add deployment host aliases | `[]` | +| `slave.service.type` | Kubernetes Service type (redis slave) | `ClusterIP` | +| `slave.service.externalTrafficPolicy` | External traffic policy (when service type is LoadBalancer) | `Cluster` | +| `slave.service.nodePort` | Kubernetes Service nodePort (redis slave) | `nil` | +| `slave.service.annotations` | annotations for redis slave service | {} | +| `slave.service.labels` | Additional labels for redis slave service | {} | +| `slave.service.port` | Kubernetes Service port (redis slave) | `6379` | +| `slave.service.loadBalancerIP` | LoadBalancerIP if RedisTM slave service type is `LoadBalancer` | `nil` | +| `slave.service.loadBalancerSourceRanges` | loadBalancerSourceRanges if RedisTM slave service type is `LoadBalancer` | `nil` | +| `slave.command` | RedisTM slave entrypoint string. The command `redis-server` is executed if this is not provided. Note this is prepended with `exec` | `/run.sh` | +| `slave.preExecCmds` | Text to inset into the startup script immediately prior to `slave.command`. Use this if you need to run other ad-hoc commands as part of startup | `nil` | +| `slave.configmap` | Additional RedisTM configuration for the slave nodes (this value is evaluated as a template) | `nil` | +| `slave.disableCommands` | Array of RedisTM commands to disable (slave) | `[FLUSHDB, FLUSHALL]` | +| `slave.extraFlags` | RedisTM slave additional command line flags | `[]` | +| `slave.livenessProbe.enabled` | Turn on and off liveness probe (redis slave pod) | `true` | +| `slave.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated (redis slave pod) | `5` | +| `slave.livenessProbe.periodSeconds` | How often to perform the probe (redis slave pod) | `5` | +| `slave.livenessProbe.timeoutSeconds` | When the probe times out (redis slave pod) | `5` | +| `slave.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis slave pod) | `1` | +| `slave.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `5` | +| `slave.readinessProbe.enabled` | Turn on and off slave.readiness probe (redis slave pod) | `true` | +| `slave.readinessProbe.initialDelaySeconds` | Delay before slave.readiness probe is initiated (redis slave pod) | `5` | +| `slave.readinessProbe.periodSeconds` | How often to perform the probe (redis slave pod) | `5` | +| `slave.readinessProbe.timeoutSeconds` | When the probe times out (redis slave pod) | `1` | +| `slave.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis slave pod) | `1` | +| `slave.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. (redis slave pod) | `5` | +| `slave.shareProcessNamespace` | RedisTM slave pod `shareProcessNamespace` option. Enables /pause reap zombie PIDs. | `false` | +| `slave.persistence.enabled` | Use a PVC to persist data (slave node) | `true` | +| `slave.persistence.path` | Path to mount the volume at, to use other images | `/data` | +| `slave.persistence.subPath` | Subdirectory of the volume to mount at | `""` | +| `slave.persistence.storageClass` | Storage class of backing PVC | `generic` | +| `slave.persistence.accessModes` | Persistent Volume Access Modes | `[ReadWriteOnce]` | +| `slave.persistence.size` | Size of data volume | `8Gi` | +| `slave.persistence.matchLabels` | matchLabels persistent volume selector | `{}` | +| `slave.persistence.matchExpressions` | matchExpressions persistent volume selector | `{}` | +| `slave.statefulset.labels` | Additional labels for redis slave StatefulSet | `{}` | +| `slave.statefulset.annotations` | Additional annotations for redis slave StatefulSet | `{}` | +| `slave.statefulset.updateStrategy` | Update strategy for StatefulSet | onDelete | +| `slave.statefulset.rollingUpdatePartition` | Partition update strategy | `nil` | +| `slave.statefulset.volumeClaimTemplates.labels` | Additional labels for redis slave StatefulSet volumeClaimTemplates | `{}` | +| `slave.statefulset.volumeClaimTemplates.annotations` | Additional annotations for redis slave StatefulSet volumeClaimTemplates | `{}` | +| `slave.extraEnvVars` | Additional Environment Variables passed to the pod of the slave's stateful set set | `[]` | +| `slave.extraEnvVarCMs` | Additional Environment Variables ConfigMappassed to the pod of the slave's stateful set set | `[]` | +| `masslaveter.extraEnvVarsSecret` | Additional Environment Variables Secret passed to the slave's stateful set | `[]` | +| `slave.extraVolumes` | Array of extra volumes to be added to slave pod (evaluated as a template) | `[]` | +| `slave.extraVolumeMounts` | Array of extra volume mounts to be added to slave pod (evaluated as a template) | `[]` | +| `slave.podLabels` | Additional labels for RedisTM slave pod | `master.podLabels` | +| `slave.podAnnotations` | Additional annotations for RedisTM slave pod | `master.podAnnotations` | +| `slave.schedulerName` | Name of an alternate scheduler | `nil` | +| `slave.resources` | RedisTM slave CPU/Memory resource requests/limits | `{}` | +| `slave.affinity` | Enable node/pod affinity for slaves | {} | +| `slave.tolerations` | Toleration labels for RedisTM slave pod assignment | [] | +| `slave.spreadConstraints` | [Topology Spread Constraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) for RedisTM slave pod | {} | +| `slave.priorityClassName` | RedisTM Slave pod priorityClassName | `nil` | +| `sentinel.enabled` | Enable sentinel containers | `false` | +| `sentinel.usePassword` | Use password for sentinel containers | `true` | +| `sentinel.masterSet` | Name of the sentinel master set | `mymaster` | +| `sentinel.initialCheckTimeout` | Timeout for querying the redis sentinel service for the active sentinel list | `5` | +| `sentinel.quorum` | Quorum for electing a new master | `2` | +| `sentinel.downAfterMilliseconds` | Timeout for detecting a RedisTM node is down | `60000` | +| `sentinel.failoverTimeout` | Timeout for performing a election failover | `18000` | +| `sentinel.parallelSyncs` | Number of parallel syncs in the cluster | `1` | +| `sentinel.port` | RedisTM Sentinel port | `26379` | +| `sentinel.cleanDelaySeconds` | Delay seconds before issuing the the cleaning in the next node | `5` | +| `sentinel.configmap` | Additional RedisTM configuration for the sentinel nodes (this value is evaluated as a template) | `nil` | +| `sentinel.staticID` | Enable static IDs for sentinel replicas (If disabled IDs will be randomly generated on startup) | `false` | +| `sentinel.service.type` | Kubernetes Service type (redis sentinel) | `ClusterIP` | +| `sentinel.service.externalTrafficPolicy` | External traffic policy (when service type is LoadBalancer) | `Cluster` | +| `sentinel.service.nodePort` | Kubernetes Service nodePort (redis sentinel) | `nil` | +| `sentinel.service.annotations` | annotations for redis sentinel service | {} | +| `sentinel.service.labels` | Additional labels for redis sentinel service | {} | +| `sentinel.service.redisPort` | Kubernetes Service port for RedisTM read only operations | `6379` | +| `sentinel.service.sentinelPort` | Kubernetes Service port for RedisTM sentinel | `26379` | +| `sentinel.service.redisNodePort` | Kubernetes Service node port for RedisTM read only operations | `` | +| `sentinel.service.sentinelNodePort` | Kubernetes Service node port for RedisTM sentinel | `` | +| `sentinel.service.loadBalancerIP` | LoadBalancerIP if RedisTM sentinel service type is `LoadBalancer` | `nil` | +| `sentinel.livenessProbe.enabled` | Turn on and off liveness probe (redis sentinel pod) | `true` | +| `sentinel.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated (redis sentinel pod) | `5` | +| `sentinel.livenessProbe.periodSeconds` | How often to perform the probe (redis sentinel container) | `5` | +| `sentinel.livenessProbe.timeoutSeconds` | When the probe times out (redis sentinel container) | `5` | +| `sentinel.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis sentinel container) | `1` | +| `sentinel.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `5` | +| `sentinel.readinessProbe.enabled` | Turn on and off sentinel.readiness probe (redis sentinel pod) | `true` | +| `sentinel.readinessProbe.initialDelaySeconds` | Delay before sentinel.readiness probe is initiated (redis sentinel pod) | `5` | +| `sentinel.readinessProbe.periodSeconds` | How often to perform the probe (redis sentinel pod) | `5` | +| `sentinel.readinessProbe.timeoutSeconds` | When the probe times out (redis sentinel container) | `1` | +| `sentinel.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis sentinel container) | `1` | +| `sentinel.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. (redis sentinel container) | `5` | +| `sentinel.resources` | RedisTM sentinel CPU/Memory resource requests/limits | `{}` | +| `sentinel.image.registry` | RedisTM Sentinel Image registry | `docker.io` | +| `sentinel.image.repository` | RedisTM Sentinel Image name | `bitnami/redis-sentinel` | +| `sentinel.image.tag` | RedisTM Sentinel Image tag | `{TAG_NAME}` | +| `sentinel.image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `sentinel.image.pullSecrets` | Specify docker-registry secret names as an array | `nil` | +| `sentinel.extraEnvVars` | Additional Environment Variables passed to the pod of the sentinel node stateful set set | `[]` | +| `sentinel.extraEnvVarCMs` | Additional Environment Variables ConfigMappassed to the pod of the sentinel node stateful set set | `[]` | +| `sentinel.extraEnvVarsSecret` | Additional Environment Variables Secret passed to the sentinel node statefulset | `[]` | +| `sentinel.extraVolumes` | Array of extra volumes to be added to sentinel node (evaluated as a template) | `[]` | +| `sentinel.extraVolumeMounts` | Array of extra volume mounts to be added to sentinel node (evaluated as a template) | `[]` | +| `sentinel.preExecCmds` | Text to inset into the startup script immediately prior to `sentinel.command`. Use this if you need to run other ad-hoc commands as part of startup | `nil` | +| `sentinel.metrics.enabled` | Start a side-car prometheus sentinel exporter | `false` | +| `sentinel.metrics.image.registry` | Redis Sentinel exporter image registry | `docker.io` | +| `sentinel.metrics.image.repository` | Redis Sentinel exporter image name | `bitnami/redis-sentinel-exporter` | +| `sentinel.metrics.image.tag` | Redis Sentinel exporter image tag | `{TAG_NAME}` | +| `sentinel.metrics.image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `sentinel.metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `sentinel.metrics.extraArgs` | Extra arguments for the binary; possible values [here](https://github.com/leominov/redis_sentinel_exporter#configuration) | `{}` | +| `sentinel.metrics.resources` | Exporter resource requests/limit | `{}` | +| `sentinel.metrics.serviceMonitor.enabled` | if `true`, creates a Prometheus Operator ServiceMonitor (also requires `sentinel.metrics.enabled` to be `true`) | `false` | +| `sentinel.metrics.serviceMonitor.namespace` | Optional namespace which Prometheus is running in | `nil` | +| `sentinel.metrics.serviceMonitor.interval` | How frequently to scrape metrics (use by default, falling back to Prometheus' default) | `nil` | +| `sentinel.metrics.serviceMonitor.selector` | Default to kube-prometheus install (CoreOS recommended), but should be set according to Prometheus install | `{ prometheus: kube-prometheus }` | +| `sentinel.metrics.service.type` | Kubernetes Service type (redis sentinel metrics) | `ClusterIP` | +| `sentinel.metrics.service.port` | Kubernetes service port (redis sentinel metrics) | `9355` | +| `sentinel.metrics.service.externalTrafficPolicy` | External traffic policy (when service type is LoadBalancer) | `Cluster` | +| `sentinel.metrics.service.annotations` | Annotations for the services to monitor (redis sentinel metrics service) | {} | +| `sentinel.metrics.service.labels` | Additional labels for the Sentinel metrics service | {} | +| `sentinel.metrics.service.loadBalancerIP` | loadBalancerIP if redis metrics service type is `LoadBalancer` | `nil` | +| `sentinel.metrics.priorityClassName` | Sentinel metrics exporter pod priorityClassName | `nil` | +| `sysctlImage.enabled` | Enable an init container to modify Kernel settings | `false` | +| `sysctlImage.command` | sysctlImage command to execute | [] | +| `sysctlImage.registry` | sysctlImage Init container registry | `docker.io` | +| `sysctlImage.repository` | sysctlImage Init container name | `bitnami/bitnami-shell` | +| `sysctlImage.tag` | sysctlImage Init container tag | `"10"` | +| `sysctlImage.pullPolicy` | sysctlImage Init container pull policy | `Always` | +| `sysctlImage.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` | +| `sysctlImage.resources` | sysctlImage Init container CPU/Memory resource requests/limits | {} | +| `podSecurityPolicy.create` | Specifies whether a PodSecurityPolicy should be created | `false` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```bash +$ helm install my-release \ + --set password=secretpassword \ + bitnami/redis +``` + +The above command sets the RedisTM server password to `secretpassword`. + +> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```bash +$ helm install my-release -f values.yaml bitnami/redis +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +> **Note for minikube users**: Current versions of minikube (v0.24.1 at the time of writing) provision `hostPath` persistent volumes that are only writable by root. Using chart defaults cause pod failure for the RedisTM pod as it attempts to write to the `/bitnami` directory. Consider installing RedisTM with `--set persistence.enabled=false`. See minikube issue [1990](https://github.com/kubernetes/minikube/issues/1990) for more information. + +## Configuration and installation details + +### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Change RedisTM version + +To modify the RedisTM version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/redis/tags/) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters. + +### Cluster topologies + +#### Default: Master-Slave + +When installing the chart with `cluster.enabled=true`, it will deploy a RedisTM master StatefulSet (only one master node allowed) and a RedisTM slave StatefulSet. The slaves will be read-replicas of the master. Two services will be exposed: + + - RedisTM Master service: Points to the master, where read-write operations can be performed + - RedisTM Slave service: Points to the slaves, where only read operations are allowed. + +In case the master crashes, the slaves will wait until the master node is respawned again by the Kubernetes Controller Manager. + +#### Master-Slave with Sentinel + +When installing the chart with `cluster.enabled=true` and `sentinel.enabled=true`, it will deploy a RedisTM master StatefulSet (only one master allowed) and a RedisTM slave StatefulSet. In this case, the pods will contain an extra container with RedisTM Sentinel. This container will form a cluster of RedisTM Sentinel nodes, which will promote a new master in case the actual one fails. In addition to this, only one service is exposed: + + - RedisTM service: Exposes port 6379 for RedisTM read-only operations and port 26379 for accessing RedisTM Sentinel. + +For read-only operations, access the service using port 6379. For write operations, it's necessary to access the RedisTM Sentinel cluster and query the current master using the command below (using redis-cli or similar: + +``` +SENTINEL get-master-addr-by-name +``` +This command will return the address of the current master, which can be accessed from inside the cluster. + +In case the current master crashes, the Sentinel containers will elect a new master node. + +### Using password file +To use a password file for RedisTM you need to create a secret containing the password. + +> *NOTE*: It is important that the file with the password must be called `redis-password` + +And then deploy the Helm Chart using the secret name as parameter: + +```console +usePassword=true +usePasswordFile=true +existingSecret=redis-password-file +sentinels.enabled=true +metrics.enabled=true +``` + +### Securing traffic using TLS + +TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart: + +- `tls.enabled`: Enable TLS support. Defaults to `false` +- `tls.certificatesSecret`: Name of the secret that contains the certificates. No defaults. +- `tls.certFilename`: Certificate filename. No defaults. +- `tls.certKeyFilename`: Certificate key filename. No defaults. +- `tls.certCAFilename`: CA Certificate filename. No defaults. + +For example: + +First, create the secret with the cetificates files: + +```console +kubectl create secret generic certificates-tls-secret --from-file=./cert.pem --from-file=./cert.key --from-file=./ca.pem +``` + +Then, use the following parameters: + +```console +tls.enabled="true" +tls.certificatesSecret="certificates-tls-secret" +tls.certFilename="cert.pem" +tls.certKeyFilename="cert.key" +tls.certCAFilename="ca.pem" +``` + +### Metrics + +The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9121) is exposed in the service. Metrics can be scraped from within the cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). If metrics are to be scraped from outside the cluster, the Kubernetes API proxy can be utilized to access the endpoint. + +If you have enabled TLS by specifying `tls.enabled=true` you also need to specify TLS option to the metrics exporter. You can do that via `metrics.extraArgs`. You can find the metrics exporter CLI flags for TLS [here](https://github.com/oliver006/redis_exporter#command-line-flags). For example: + +You can either specify `metrics.extraArgs.skip-tls-verification=true` to skip TLS verification or providing the following values under `metrics.extraArgs` for TLS client authentication: + +```console +tls-client-key-file +tls-client-cert-file +tls-ca-cert-file +``` + +### Host Kernel Settings + +RedisTM may require some changes in the kernel of the host machine to work as expected, in particular increasing the `somaxconn` value and disabling transparent huge pages. +To do so, you can set up a privileged initContainer with the `sysctlImage` config values, for example: + +``` +sysctlImage: + enabled: true + mountHostSys: true + command: + - /bin/sh + - -c + - |- + sysctl -w net.core.somaxconn=10000 + echo never > /host-sys/kernel/mm/transparent_hugepage/enabled +``` + +Alternatively, for Kubernetes 1.12+ you can set `securityContext.sysctls` which will configure sysctls for master and slave pods. Example: + +```yaml +securityContext: + sysctls: + - name: net.core.somaxconn + value: "10000" +``` + +Note that this will not disable transparent huge tables. + +## Persistence + +By default, the chart mounts a [Persistent Volume](http://kubernetes.io/docs/user-guide/persistent-volumes/) at the `/data` path. The volume is created using dynamic volume provisioning. If a Persistent Volume Claim already exists, specify it during installation. + +### Existing PersistentVolumeClaim + +1. Create the PersistentVolume +2. Create the PersistentVolumeClaim +3. Install the chart + +```bash +$ helm install my-release --set persistence.existingClaim=PVC_NAME bitnami/redis +``` + +## Backup and restore + +### Backup + +To perform a backup you will need to connect to one of the nodes and execute: + +```bash +$ kubectl exec -it my-redis-master-0 bash + +$ redis-cli +127.0.0.1:6379> auth your_current_redis_password +OK +127.0.0.1:6379> save +OK +``` + +Then you will need to get the created dump file form the redis node: + +```bash +$ kubectl cp my-redis-master-0:/data/dump.rdb dump.rdb -c redis +``` + +### Restore + +To restore in a new cluster, you will need to change a parameter in the redis.conf file and then upload the `dump.rdb` to the volume. + +Follow the following steps: + +- First you will need to set in the `values.yaml` the parameter `appendonly` to `no`, if it is already `no` you can skip this step. + +```yaml +configmap: |- + # Enable AOF https://redis.io/topics/persistence#append-only-file + appendonly no + # Disable RDB persistence, AOF persistence already enabled. + save "" +``` + +- Start the new cluster to create the PVCs. + +For example, : + +```bash +helm install new-redis -f values.yaml . --set cluster.enabled=true --set cluster.slaveCount=3 +``` + +- Now that the PVC were created, stop it and copy the `dump.rdp` on the persisted data by using a helping pod. + +``` +$ helm delete new-redis + +$ kubectl run --generator=run-pod/v1 -i --rm --tty volpod --overrides=' +{ + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "redisvolpod" + }, + "spec": { + "containers": [{ + "command": [ + "tail", + "-f", + "/dev/null" + ], + "image": "bitnami/minideb", + "name": "mycontainer", + "volumeMounts": [{ + "mountPath": "/mnt", + "name": "redisdata" + }] + }], + "restartPolicy": "Never", + "volumes": [{ + "name": "redisdata", + "persistentVolumeClaim": { + "claimName": "redis-data-new-redis-master-0" + } + }] + } +}' --image="bitnami/minideb" + +$ kubectl cp dump.rdb redisvolpod:/mnt/dump.rdb +$ kubectl delete pod volpod +``` + +- Start again the cluster: + +``` +helm install new-redis -f values.yaml . --set cluster.enabled=true --set cluster.slaveCount=3 +``` + +## NetworkPolicy + +To enable network policy for RedisTM, install +[a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), +and set `networkPolicy.enabled` to `true`. + +For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting +the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace: + + kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" + +With NetworkPolicy enabled, only pods with the generated client label will be +able to connect to RedisTM. This label will be displayed in the output +after a successful install. + +With `networkPolicy.ingressNSMatchLabels` pods from other namespaces can connect to redis. Set `networkPolicy.ingressNSPodMatchLabels` to match pod labels in matched namespace. For example, for a namespace labeled `redis=external` and pods in that namespace labeled `redis-client=true` the fields should be set: + +``` +networkPolicy: + enabled: true + ingressNSMatchLabels: + redis: external + ingressNSPodMatchLabels: + redis-client: true +``` + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami’s Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). + +## Upgrading an existing Release to a new major version + +A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an +incompatible breaking change needing manual actions. + +### To 11.0.0 + +When using sentinel, a new statefulset called `-node` was introduced. This will break upgrading from a previous version where the statefulsets are called master and slave. Hence the PVC will not match the new naming and won't be reused. If you want to keep your data, you will need to perform a backup and then a restore the data in this new version. + +### To 10.0.0 + +For releases with `usePassword: true`, the value `sentinel.usePassword` controls whether the password authentication also applies to the sentinel port. This defaults to `true` for a secure configuration, however it is possible to disable to account for the following cases: + +- Using a version of redis-sentinel prior to `5.0.1` where the authentication feature was introduced. +- Where redis clients need to be updated to support sentinel authentication. + +If using a master/slave topology, or with `usePassword: false`, no action is required. + +### To 8.0.18 + +For releases with `metrics.enabled: true` the default tag for the exporter image is now `v1.x.x`. This introduces many changes including metrics names. You'll want to use [this dashboard](https://github.com/oliver006/redis_exporter/blob/master/contrib/grafana_prometheus_redis_dashboard.json) now. Please see the [redis_exporter github page](https://github.com/oliver006/redis_exporter#upgrading-from-0x-to-1x) for more details. + +### To 7.0.0 + +This version causes a change in the RedisTM Master StatefulSet definition, so the command helm upgrade would not work out of the box. As an alternative, one of the following could be done: + +- Recommended: Create a clone of the RedisTM Master PVC (for example, using projects like [this one](https://github.com/edseymour/pvc-transfer)). Then launch a fresh release reusing this cloned PVC. + + ``` + helm install my-release bitnami/redis --set persistence.existingClaim= + ``` + +- Alternative (not recommended, do at your own risk): `helm delete --purge` does not remove the PVC assigned to the RedisTM Master StatefulSet. As a consequence, the following commands can be done to upgrade the release + + ``` + helm delete --purge + helm install bitnami/redis + ``` + +Previous versions of the chart were not using persistence in the slaves, so this upgrade would add it to them. Another important change is that no values are inherited from master to slaves. For example, in 6.0.0 `slaves.readinessProbe.periodSeconds`, if empty, would be set to `master.readinessProbe.periodSeconds`. This approach lacked transparency and was difficult to maintain. From now on, all the slave parameters must be configured just as it is done with the masters. + +Some values have changed as well: + +- `master.port` and `slave.port` have been changed to `redisPort` (same value for both master and slaves) +- `master.securityContext` and `slave.securityContext` have been changed to `securityContext`(same values for both master and slaves) + +By default, the upgrade will not change the cluster topology. In case you want to use RedisTM Sentinel, you must explicitly set `sentinel.enabled` to `true`. + +### To 6.0.0 + +Previous versions of the chart were using an init-container to change the permissions of the volumes. This was done in case the `securityContext` directive in the template was not enough for that (for example, with cephFS). In this new version of the chart, this container is disabled by default (which should not affect most of the deployments). If your installation still requires that init container, execute `helm upgrade` with the `--set volumePermissions.enabled=true`. + +### To 5.0.0 + +The default image in this release may be switched out for any image containing the `redis-server` +and `redis-cli` binaries. If `redis-server` is not the default image ENTRYPOINT, `master.command` +must be specified. + +#### Breaking changes + +- `master.args` and `slave.args` are removed. Use `master.command` or `slave.command` instead in order to override the image entrypoint, or `master.extraFlags` to pass additional flags to `redis-server`. +- `disableCommands` is now interpreted as an array of strings instead of a string of comma separated values. +- `master.persistence.path` now defaults to `/data`. + +### 4.0.0 + +This version removes the `chart` label from the `spec.selector.matchLabels` +which is immutable since `StatefulSet apps/v1beta2`. It has been inadvertently +added, causing any subsequent upgrade to fail. See https://github.com/helm/charts/issues/7726. + +It also fixes https://github.com/helm/charts/issues/7726 where a deployment `extensions/v1beta1` can not be upgraded if `spec.selector` is not explicitly set. + +Finally, it fixes https://github.com/helm/charts/issues/7803 by removing mutable labels in `spec.VolumeClaimTemplate.metadata.labels` so that it is upgradable. + +In order to upgrade, delete the RedisTM StatefulSet before upgrading: + +```bash +kubectl delete statefulsets.apps --cascade=false my-release-redis-master +``` + +And edit the RedisTM slave (and metrics if enabled) deployment: + +```bash +kubectl patch deployments my-release-redis-slave --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]' +kubectl patch deployments my-release-redis-metrics --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]' +``` + +## Upgrading + +### To 12.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +**What changes were introduced in this major version?** + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +**Considerations when upgrading to this version** + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +**Useful links** + +- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ +- https://helm.sh/docs/topics/v2_v3_migration/ +- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ + +### To 11.0.0 + +When deployed with sentinel enabled, only a group of nodes is deployed and the master/slave role is handled in the group. To avoid breaking the compatibility, the settings for this nodes are given through the `slave.xxxx` parameters in `values.yaml` + +### To 9.0.0 + +The metrics exporter has been changed from a separate deployment to a sidecar container, due to the latest changes in the RedisTM exporter code. Check the [official page](https://github.com/oliver006/redis_exporter/) for more information. The metrics container image was changed from oliver006/redis_exporter to bitnami/redis-exporter (Bitnami's maintained package of oliver006/redis_exporter). + +### To 7.0.0 + +In order to improve the performance in case of slave failure, we added persistence to the read-only slaves. That means that we moved from Deployment to StatefulSets. This should not affect upgrades from previous versions of the chart, as the deployments did not contain any persistence at all. + +This version also allows enabling RedisTM Sentinel containers inside of the RedisTM Pods (feature disabled by default). In case the master crashes, a new RedisTM node will be elected as master. In order to query the current master (no redis master service is exposed), you need to query first the Sentinel cluster. Find more information [in this section](#master-slave-with-sentinel). diff --git a/stable/ckan/charts/redis/charts/common/.helmignore b/stable/ckan/charts/redis/charts/common/.helmignore new file mode 100644 index 00000000..50af0317 --- /dev/null +++ b/stable/ckan/charts/redis/charts/common/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/stable/ckan/charts/redis/charts/common/Chart.yaml b/stable/ckan/charts/redis/charts/common/Chart.yaml new file mode 100644 index 00000000..bcc3808d --- /dev/null +++ b/stable/ckan/charts/redis/charts/common/Chart.yaml @@ -0,0 +1,23 @@ +annotations: + category: Infrastructure +apiVersion: v2 +appVersion: 1.4.2 +description: A Library Helm Chart for grouping common logic between bitnami charts. + This chart is not deployable by itself. +home: https://github.com/bitnami/charts/tree/master/bitnami/common +icon: https://bitnami.com/downloads/logos/bitnami-mark.png +keywords: +- common +- helper +- template +- function +- bitnami +maintainers: +- email: containers@bitnami.com + name: Bitnami +name: common +sources: +- https://github.com/bitnami/charts +- http://www.bitnami.com/ +type: library +version: 1.4.2 diff --git a/stable/ckan/charts/redis/charts/common/README.md b/stable/ckan/charts/redis/charts/common/README.md new file mode 100644 index 00000000..7287cbb5 --- /dev/null +++ b/stable/ckan/charts/redis/charts/common/README.md @@ -0,0 +1,322 @@ +# Bitnami Common Library Chart + +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts. + +## TL;DR + +```yaml +dependencies: + - name: common + version: 0.x.x + repository: https://charts.bitnami.com/bitnami +``` + +```bash +$ helm dependency update +``` + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} +data: + myvalue: "Hello World" +``` + +## Introduction + +This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications. + +## Prerequisites + +- Kubernetes 1.12+ +- Helm 3.1.0 + +## Parameters + +The following table lists the helpers available in the library which are scoped in different sections. + +### Affinities + +| Helper identifier | Description | Expected Input | +|-------------------------------|------------------------------------------------------|------------------------------------------------| +| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.node.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.pod.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | +| `common.affinities.pod.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | + +### Capabilities + +| Helper identifier | Description | Expected Input | +|----------------------------------------------|------------------------------------------------------------------------------------------------|-------------------| +| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context | +| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context | +| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context | +| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context | +| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context | +| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context | +| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context | + +### Errors + +| Helper identifier | Description | Expected Input | +|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------| +| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` | + +### Images + +| Helper identifier | Description | Expected Input | +|-----------------------------|------------------------------------------------------|---------------------------------------------------------------------------------------------------------| +| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. | +| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` | + +### Ingress + +| Helper identifier | Description | Expected Input | +|--------------------------|----------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences | + +### Labels + +| Helper identifier | Description | Expected Input | +|-----------------------------|------------------------------------------------------|-------------------| +| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context | +| `common.labels.matchLabels` | Return the proper Docker Image Registry Secret Names | `.` Chart context | + +### Names + +| Helper identifier | Description | Expected Inpput | +|-------------------------|------------------------------------------------------------|-------------------| +| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context | +| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context | +| `common.names.chart` | Chart name plus version | `.` Chart context | + +### Secrets + +| Helper identifier | Description | Expected Input | +|---------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. | +| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. | +| `common.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $`, length, strong and chartNAme fields are optional. | +| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` | + +### Storage + +| Helper identifier | Description | Expected Input | +|-------------------------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------| +| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. | + +### TplValues + +| Helper identifier | Description | Expected Input | +|---------------------------|----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` | + +### Utils + +| Helper identifier | Description | Expected Input | +|--------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------| +| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` | +| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` | +| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` | +| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` | + +### Validations + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) | +| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) | +| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. | +| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. | +| `common.validations.values.redis.passwords` | This helper will ensure required password for RedisTM are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper. | +| `common.validations.values.cassandra.passwords` | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper. | +| `common.validations.values.mongodb.passwords` | This helper will ensure required password for MongoDB® are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper. | + +### Warnings + +| Helper identifier | Description | Expected Input | +|------------------------------|----------------------------------|------------------------------------------------------------| +| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | + +## Special input schemas + +### ImageRoot + +```yaml +registry: + type: string + description: Docker registry where the image is located + example: docker.io + +repository: + type: string + description: Repository and image name + example: bitnami/nginx + +tag: + type: string + description: image tag + example: 1.16.1-debian-10-r63 + +pullPolicy: + type: string + description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + +pullSecrets: + type: array + items: + type: string + description: Optionally specify an array of imagePullSecrets. + +debug: + type: boolean + description: Set to true if you would like to see extra information on logs + example: false + +## An instance would be: +# registry: docker.io +# repository: bitnami/nginx +# tag: 1.16.1-debian-10-r63 +# pullPolicy: IfNotPresent +# debug: false +``` + +### Persistence + +```yaml +enabled: + type: boolean + description: Whether enable persistence. + example: true + +storageClass: + type: string + description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. + example: "-" + +accessMode: + type: string + description: Access mode for the Persistent Volume Storage. + example: ReadWriteOnce + +size: + type: string + description: Size the Persistent Volume Storage. + example: 8Gi + +path: + type: string + description: Path to be persisted. + example: /bitnami + +## An instance would be: +# enabled: true +# storageClass: "-" +# accessMode: ReadWriteOnce +# size: 8Gi +# path: /bitnami +``` + +### ExistingSecret + +```yaml +name: + type: string + description: Name of the existing secret. + example: mySecret +keyMapping: + description: Mapping between the expected key name and the name of the key in the existing secret. + type: object + +## An instance would be: +# name: mySecret +# keyMapping: +# password: myPasswordKey +``` + +#### Example of use + +When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. + +```yaml +# templates/secret.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + labels: + app: {{ include "common.names.fullname" . }} +type: Opaque +data: + password: {{ .Values.password | b64enc | quote }} + +# templates/dpl.yaml +--- +... + env: + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} + key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} +... + +# values.yaml +--- +name: mySecret +keyMapping: + password: myPasswordKey +``` + +### ValidateValue + +#### NOTES.txt + +```console +{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} + +{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} +``` + +If we force those values to be empty we will see some alerts + +```console +$ helm install test mychart --set path.to.value00="",path.to.value01="" + 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: + + export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 --decode) + + 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: + + export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 --decode) +``` + +## Upgrading + +### To 1.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +**What changes were introduced in this major version?** + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +**Considerations when upgrading to this version** + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +**Useful links** + +- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ +- https://helm.sh/docs/topics/v2_v3_migration/ +- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ diff --git a/stable/ckan/charts/redis/charts/common/templates/_affinities.tpl b/stable/ckan/charts/redis/charts/common/templates/_affinities.tpl new file mode 100644 index 00000000..493a6dc7 --- /dev/null +++ b/stable/ckan/charts/redis/charts/common/templates/_affinities.tpl @@ -0,0 +1,94 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a soft nodeAffinity definition +{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.soft" -}} +preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . }} + {{- end }} + weight: 1 +{{- end -}} + +{{/* +Return a hard nodeAffinity definition +{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.hard" -}} +requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . }} + {{- end }} +{{- end -}} + +{{/* +Return a nodeAffinity definition +{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.nodes.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.nodes.hard" . -}} + {{- end -}} +{{- end -}} + +{{/* +Return a soft podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "context" $) -}} +*/}} +{{- define "common.affinities.pods.soft" -}} +{{- $component := default "" .component -}} +preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + namespaces: + - {{ .context.Release.Namespace | quote }} + topologyKey: kubernetes.io/hostname + weight: 1 +{{- end -}} + +{{/* +Return a hard podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "context" $) -}} +*/}} +{{- define "common.affinities.pods.hard" -}} +{{- $component := default "" .component -}} +requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + namespaces: + - {{ .context.Release.Namespace | quote }} + topologyKey: kubernetes.io/hostname +{{- end -}} + +{{/* +Return a podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.pods" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.pods.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.pods.hard" . -}} + {{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/_capabilities.tpl b/stable/ckan/charts/redis/charts/common/templates/_capabilities.tpl new file mode 100644 index 00000000..4dde56a3 --- /dev/null +++ b/stable/ckan/charts/redis/charts/common/templates/_capabilities.tpl @@ -0,0 +1,95 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the target Kubernetes version +*/}} +{{- define "common.capabilities.kubeVersion" -}} +{{- if .Values.global }} + {{- if .Values.global.kubeVersion }} + {{- .Values.global.kubeVersion -}} + {{- else }} + {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} + {{- end -}} +{{- else }} +{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "common.capabilities.deployment.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. +*/}} +{{- define "common.capabilities.statefulset.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apps/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "common.capabilities.ingress.apiVersion" -}} +{{- if .Values.ingress -}} +{{- if .Values.ingress.apiVersion -}} +{{- .Values.ingress.apiVersion -}} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end }} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for RBAC resources. +*/}} +{{- define "common.capabilities.rbac.apiVersion" -}} +{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for CRDs. +*/}} +{{- define "common.capabilities.crd.apiVersion" -}} +{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiextensions.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiextensions.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the used Helm version is 3.3+. +A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. +This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. +**To be removed when the catalog's minimun Helm version is 3.3** +*/}} +{{- define "common.capabilities.supportsHelmVersion" -}} +{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/_errors.tpl b/stable/ckan/charts/redis/charts/common/templates/_errors.tpl new file mode 100644 index 00000000..a79cc2e3 --- /dev/null +++ b/stable/ckan/charts/redis/charts/common/templates/_errors.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Through error when upgrading using empty passwords values that must not be empty. + +Usage: +{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} +{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} +{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} + +Required password params: + - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. + - context - Context - Required. Parent context. +*/}} +{{- define "common.errors.upgrade.passwords.empty" -}} + {{- $validationErrors := join "" .validationErrors -}} + {{- if and $validationErrors .context.Release.IsUpgrade -}} + {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}} + {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}} + {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}} + {{- $errorString = print $errorString "\n%s" -}} + {{- printf $errorString $validationErrors | fail -}} + {{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/_images.tpl b/stable/ckan/charts/redis/charts/common/templates/_images.tpl new file mode 100644 index 00000000..60f04fd6 --- /dev/null +++ b/stable/ckan/charts/redis/charts/common/templates/_images.tpl @@ -0,0 +1,47 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper image name +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }} +*/}} +{{- define "common.images.image" -}} +{{- $registryName := .imageRoot.registry -}} +{{- $repositoryName := .imageRoot.repository -}} +{{- $tag := .imageRoot.tag | toString -}} +{{- if .global }} + {{- if .global.imageRegistry }} + {{- $registryName = .global.imageRegistry -}} + {{- end -}} +{{- end -}} +{{- if $registryName }} +{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- else -}} +{{- printf "%s:%s" $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} +*/}} +{{- define "common.images.pullSecrets" -}} + {{- $pullSecrets := list }} + + {{- if .global }} + {{- range .global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/_ingress.tpl b/stable/ckan/charts/redis/charts/common/templates/_ingress.tpl new file mode 100644 index 00000000..622ef50e --- /dev/null +++ b/stable/ckan/charts/redis/charts/common/templates/_ingress.tpl @@ -0,0 +1,42 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Generate backend entry that is compatible with all Kubernetes API versions. + +Usage: +{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} + +Params: + - serviceName - String. Name of an existing service backend + - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.ingress.backend" -}} +{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} +{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} +serviceName: {{ .serviceName }} +servicePort: {{ .servicePort }} +{{- else -}} +service: + name: {{ .serviceName }} + port: + {{- if typeIs "string" .servicePort }} + name: {{ .servicePort }} + {{- else if typeIs "int" .servicePort }} + number: {{ .servicePort }} + {{- end }} +{{- end -}} +{{- end -}} + +{{/* +Print "true" if the API pathType field is supported +Usage: +{{ include "common.ingress.supportsPathType" . }} +*/}} +{{- define "common.ingress.supportsPathType" -}} +{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/_labels.tpl b/stable/ckan/charts/redis/charts/common/templates/_labels.tpl new file mode 100644 index 00000000..252066c7 --- /dev/null +++ b/stable/ckan/charts/redis/charts/common/templates/_labels.tpl @@ -0,0 +1,18 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Kubernetes standard labels +*/}} +{{- define "common.labels.standard" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +helm.sh/chart: {{ include "common.names.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector +*/}} +{{- define "common.labels.matchLabels" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/_names.tpl b/stable/ckan/charts/redis/charts/common/templates/_names.tpl new file mode 100644 index 00000000..adf2a74f --- /dev/null +++ b/stable/ckan/charts/redis/charts/common/templates/_names.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "common.names.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "common.names.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "common.names.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/_secrets.tpl b/stable/ckan/charts/redis/charts/common/templates/_secrets.tpl new file mode 100644 index 00000000..60b84a70 --- /dev/null +++ b/stable/ckan/charts/redis/charts/common/templates/_secrets.tpl @@ -0,0 +1,129 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Generate secret name. + +Usage: +{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.secrets.name" -}} +{{- $name := (include "common.names.fullname" .context) -}} + +{{- if .defaultNameSuffix -}} +{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- with .existingSecret -}} +{{- if not (typeIs "string" .) -}} +{{- with .name -}} +{{- $name = . -}} +{{- end -}} +{{- else -}} +{{- $name = . -}} +{{- end -}} +{{- end -}} + +{{- printf "%s" $name -}} +{{- end -}} + +{{/* +Generate secret key. + +Usage: +{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret + - key - String - Required. Name of the key in the secret. +*/}} +{{- define "common.secrets.key" -}} +{{- $key := .key -}} + +{{- if .existingSecret -}} + {{- if not (typeIs "string" .existingSecret) -}} + {{- if .existingSecret.keyMapping -}} + {{- $key = index .existingSecret.keyMapping $.key -}} + {{- end -}} + {{- end }} +{{- end -}} + +{{- printf "%s" $key -}} +{{- end -}} + +{{/* +Generate secret password or retrieve one if already created. + +Usage: +{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - length - int - Optional - Length of the generated random password. + - strong - Boolean - Optional - Whether to add symbols to the generated random password. + - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. + - context - Context - Required - Parent context. +*/}} +{{- define "common.secrets.passwords.manage" -}} + +{{- $password := "" }} +{{- $subchart := "" }} +{{- $chartName := default "" .chartName }} +{{- $passwordLength := default 10 .length }} +{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} +{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} +{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }} +{{- if $secret }} + {{- if index $secret.data .key }} + {{- $password = index $secret.data .key }} + {{- end -}} +{{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString | b64enc | quote }} +{{- else }} + + {{- if .context.Values.enabled }} + {{- $subchart = $chartName }} + {{- end -}} + + {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} + {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} + {{- $passwordValidationErrors := list $requiredPasswordError -}} + {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} + + {{- if .strong }} + {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} + {{- $password = randAscii $passwordLength }} + {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- else }} + {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- end }} +{{- end -}} +{{- printf "%s" $password -}} +{{- end -}} + +{{/* +Returns whether a previous generated secret already exists + +Usage: +{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - context - Context - Required - Parent context. +*/}} +{{- define "common.secrets.exists" -}} +{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }} +{{- if $secret }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/_storage.tpl b/stable/ckan/charts/redis/charts/common/templates/_storage.tpl new file mode 100644 index 00000000..60e2a844 --- /dev/null +++ b/stable/ckan/charts/redis/charts/common/templates/_storage.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper Storage Class +{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} +*/}} +{{- define "common.storage.class" -}} + +{{- $storageClass := .persistence.storageClass -}} +{{- if .global -}} + {{- if .global.storageClass -}} + {{- $storageClass = .global.storageClass -}} + {{- end -}} +{{- end -}} + +{{- if $storageClass -}} + {{- if (eq "-" $storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" $storageClass -}} + {{- end -}} +{{- end -}} + +{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/_tplvalues.tpl b/stable/ckan/charts/redis/charts/common/templates/_tplvalues.tpl new file mode 100644 index 00000000..2db16685 --- /dev/null +++ b/stable/ckan/charts/redis/charts/common/templates/_tplvalues.tpl @@ -0,0 +1,13 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Renders a value that contains template. +Usage: +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "common.tplvalues.render" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/_utils.tpl b/stable/ckan/charts/redis/charts/common/templates/_utils.tpl new file mode 100644 index 00000000..ea083a24 --- /dev/null +++ b/stable/ckan/charts/redis/charts/common/templates/_utils.tpl @@ -0,0 +1,62 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Print instructions to get a secret value. +Usage: +{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} +*/}} +{{- define "common.utils.secret.getvalue" -}} +{{- $varname := include "common.utils.fieldToEnvVar" . -}} +export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 --decode) +{{- end -}} + +{{/* +Build env var name given a field +Usage: +{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} +*/}} +{{- define "common.utils.fieldToEnvVar" -}} + {{- $fieldNameSplit := splitList "-" .field -}} + {{- $upperCaseFieldNameSplit := list -}} + + {{- range $fieldNameSplit -}} + {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} + {{- end -}} + + {{ join "_" $upperCaseFieldNameSplit }} +{{- end -}} + +{{/* +Gets a value from .Values given +Usage: +{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} +*/}} +{{- define "common.utils.getValueFromKey" -}} +{{- $splitKey := splitList "." .key -}} +{{- $value := "" -}} +{{- $latestObj := $.context.Values -}} +{{- range $splitKey -}} + {{- if not $latestObj -}} + {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} + {{- end -}} + {{- $value = ( index $latestObj . ) -}} + {{- $latestObj = $value -}} +{{- end -}} +{{- printf "%v" (default "" $value) -}} +{{- end -}} + +{{/* +Returns first .Values key with a defined value or first of the list if all non-defined +Usage: +{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} +*/}} +{{- define "common.utils.getKeyFromList" -}} +{{- $key := first .keys -}} +{{- $reverseKeys := reverse .keys }} +{{- range $reverseKeys }} + {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }} + {{- if $value -}} + {{- $key = . }} + {{- end -}} +{{- end -}} +{{- printf "%s" $key -}} +{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/_warnings.tpl b/stable/ckan/charts/redis/charts/common/templates/_warnings.tpl new file mode 100644 index 00000000..ae10fa41 --- /dev/null +++ b/stable/ckan/charts/redis/charts/common/templates/_warnings.tpl @@ -0,0 +1,14 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Warning about using rolling tag. +Usage: +{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} +*/}} +{{- define "common.warnings.rollingTag" -}} + +{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ +{{- end }} + +{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/validations/_cassandra.tpl b/stable/ckan/charts/redis/charts/common/templates/validations/_cassandra.tpl new file mode 100644 index 00000000..8679ddff --- /dev/null +++ b/stable/ckan/charts/redis/charts/common/templates/validations/_cassandra.tpl @@ -0,0 +1,72 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Cassandra required passwords are not empty. + +Usage: +{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret" + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.cassandra.passwords" -}} + {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}} + {{- $enabled := include "common.cassandra.values.enabled" . -}} + {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} + {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} + + {{- if and (not $existingSecret) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.dbUser.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled cassandra. + +Usage: +{{ include "common.cassandra.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.cassandra.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.cassandra.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key dbUser + +Usage: +{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.key.dbUser" -}} + {{- if .subchart -}} + cassandra.dbUser + {{- else -}} + dbUser + {{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/validations/_mariadb.tpl b/stable/ckan/charts/redis/charts/common/templates/validations/_mariadb.tpl new file mode 100644 index 00000000..bb5ed725 --- /dev/null +++ b/stable/ckan/charts/redis/charts/common/templates/validations/_mariadb.tpl @@ -0,0 +1,103 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MariaDB required passwords are not empty. + +Usage: +{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mariadb.passwords" -}} + {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mariadb.values.enabled" . -}} + {{- $architecture := include "common.mariadb.values.architecture" . -}} + {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (not $existingSecret) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mariadb. + +Usage: +{{ include "common.mariadb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mariadb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mariadb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.key.auth" -}} + {{- if .subchart -}} + mariadb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/validations/_mongodb.tpl b/stable/ckan/charts/redis/charts/common/templates/validations/_mongodb.tpl new file mode 100644 index 00000000..7d5ecbcc --- /dev/null +++ b/stable/ckan/charts/redis/charts/common/templates/validations/_mongodb.tpl @@ -0,0 +1,108 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MongoDB(R) required passwords are not empty. + +Usage: +{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MongoDB(R) values are stored, e.g: "mongodb-passwords-secret" + - subchart - Boolean - Optional. Whether MongoDB(R) is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mongodb.passwords" -}} + {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mongodb.values.enabled" . -}} + {{- $authPrefix := include "common.mongodb.values.key.auth" . -}} + {{- $architecture := include "common.mongodb.values.architecture" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}} + {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}} + + {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} + + {{- if and (not $existingSecret) (eq $enabled "true") (eq $authEnabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }} + {{- if and $valueUsername $valueDatabase -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replicaset") -}} + {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mongodb. + +Usage: +{{ include "common.mongodb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mongodb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mongodb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB(R) is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.key.auth" -}} + {{- if .subchart -}} + mongodb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/validations/_postgresql.tpl b/stable/ckan/charts/redis/charts/common/templates/validations/_postgresql.tpl new file mode 100644 index 00000000..992bcd39 --- /dev/null +++ b/stable/ckan/charts/redis/charts/common/templates/validations/_postgresql.tpl @@ -0,0 +1,131 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate PostgreSQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret" + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.postgresql.passwords" -}} + {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} + {{- $enabled := include "common.postgresql.values.enabled" . -}} + {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} + {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} + + {{- if and (not $existingSecret) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} + + {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} + {{- if (eq $enabledReplication "true") -}} + {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to decide whether evaluate global values. + +Usage: +{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} +Params: + - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" +*/}} +{{- define "common.postgresql.values.use.global" -}} + {{- if .context.Values.global -}} + {{- if .context.Values.global.postgresql -}} + {{- index .context.Values.global.postgresql .key | quote -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.existingSecret" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} + + {{- if .subchart -}} + {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} + {{- else -}} + {{- default (.context.Values.existingSecret | quote) $globalValue -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled postgresql. + +Usage: +{{ include "common.postgresql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key postgressPassword. + +Usage: +{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.postgressPassword" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} + + {{- if not $globalValue -}} + {{- if .subchart -}} + postgresql.postgresqlPassword + {{- else -}} + postgresqlPassword + {{- end -}} + {{- else -}} + global.postgresql.postgresqlPassword + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled.replication. + +Usage: +{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.enabled.replication" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.replication.enabled -}} + {{- else -}} + {{- printf "%v" .context.Values.replication.enabled -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key replication.password. + +Usage: +{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.replicationPassword" -}} + {{- if .subchart -}} + postgresql.replication.password + {{- else -}} + replication.password + {{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/validations/_redis.tpl b/stable/ckan/charts/redis/charts/common/templates/validations/_redis.tpl new file mode 100644 index 00000000..3e2a47c0 --- /dev/null +++ b/stable/ckan/charts/redis/charts/common/templates/validations/_redis.tpl @@ -0,0 +1,72 @@ + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Redis(TM) required passwords are not empty. + +Usage: +{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret" + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.redis.passwords" -}} + {{- $existingSecret := include "common.redis.values.existingSecret" . -}} + {{- $enabled := include "common.redis.values.enabled" . -}} + {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} + {{- $valueKeyRedisPassword := printf "%s%s" $valueKeyPrefix "password" -}} + {{- $valueKeyRedisUsePassword := printf "%s%s" $valueKeyPrefix "usePassword" -}} + + {{- if and (not $existingSecret) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $usePassword := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUsePassword "context" .context) -}} + {{- if eq $usePassword "true" -}} + {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Redis Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.redis.values.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Redis(TM) is used as subchart or not. Default: false +*/}} +{{- define "common.redis.values.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.redis.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled redis. + +Usage: +{{ include "common.redis.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.redis.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.redis.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right prefix path for the values + +Usage: +{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.redis.values.keys.prefix" -}} + {{- if .subchart -}}redis.{{- else -}}{{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/validations/_validations.tpl b/stable/ckan/charts/redis/charts/common/templates/validations/_validations.tpl new file mode 100644 index 00000000..9a814cf4 --- /dev/null +++ b/stable/ckan/charts/redis/charts/common/templates/validations/_validations.tpl @@ -0,0 +1,46 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate values must not be empty. + +Usage: +{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} +{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" +*/}} +{{- define "common.validations.values.multiple.empty" -}} + {{- range .required -}} + {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} + {{- end -}} +{{- end -}} + +{{/* +Validate a value must not be empty. + +Usage: +{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" + - subchart - String - Optional - Name of the subchart that the validated password is part of. +*/}} +{{- define "common.validations.values.single.empty" -}} + {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} + {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }} + + {{- if not $value -}} + {{- $varname := "my-value" -}} + {{- $getCurrentValue := "" -}} + {{- if and .secret .field -}} + {{- $varname = include "common.utils.fieldToEnvVar" . -}} + {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} + {{- end -}} + {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}} + {{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/values.yaml b/stable/ckan/charts/redis/charts/common/values.yaml new file mode 100644 index 00000000..9ecdc93f --- /dev/null +++ b/stable/ckan/charts/redis/charts/common/values.yaml @@ -0,0 +1,3 @@ +## bitnami/common +## It is required by CI/CD tools and processes. +exampleValue: common-chart diff --git a/stable/ckan/charts/redis/ci/default-values.yaml b/stable/ckan/charts/redis/ci/default-values.yaml new file mode 100644 index 00000000..fc2ba605 --- /dev/null +++ b/stable/ckan/charts/redis/ci/default-values.yaml @@ -0,0 +1 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. diff --git a/stable/ckan/charts/redis/ci/extra-flags-values.yaml b/stable/ckan/charts/redis/ci/extra-flags-values.yaml new file mode 100644 index 00000000..71132f76 --- /dev/null +++ b/stable/ckan/charts/redis/ci/extra-flags-values.yaml @@ -0,0 +1,11 @@ +master: + extraFlags: + - --maxmemory-policy allkeys-lru + persistence: + enabled: false +slave: + extraFlags: + - --maxmemory-policy allkeys-lru + persistence: + enabled: false +usePassword: false diff --git a/stable/ckan/charts/redis/ci/production-sentinel-values.yaml b/stable/ckan/charts/redis/ci/production-sentinel-values.yaml new file mode 100644 index 00000000..009a3718 --- /dev/null +++ b/stable/ckan/charts/redis/ci/production-sentinel-values.yaml @@ -0,0 +1,682 @@ +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## +global: + # imageRegistry: myRegistryName + # imagePullSecrets: + # - myRegistryKeySecretName + # storageClass: myStorageClass + redis: {} + +## Bitnami Redis(TM) image version +## ref: https://hub.docker.com/r/bitnami/redis/tags/ +## +image: + registry: docker.io + repository: bitnami/redis + ## Bitnami Redis(TM) image tag + ## ref: https://github.com/bitnami/bitnami-docker-redis#supported-tags-and-respective-dockerfile-links + ## + tag: 5.0.9-debian-10-r0 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + +## String to partially override redis.fullname template (will maintain the release name) +## +# nameOverride: + +## String to fully override redis.fullname template +## +# fullnameOverride: + +## Cluster settings +cluster: + enabled: true + slaveCount: 3 + +## Use redis sentinel in the redis pod. This will disable the master and slave services and +## create one redis service with ports to the sentinel and the redis instances +sentinel: + enabled: true + ## Require password authentication on the sentinel itself + ## ref: https://redis.io/topics/sentinel + usePassword: true + ## Bitnami Redis(TM) Sentintel image version + ## ref: https://hub.docker.com/r/bitnami/redis-sentinel/tags/ + ## + image: + registry: docker.io + repository: bitnami/redis-sentinel + ## Bitnami Redis(TM) image tag + ## ref: https://github.com/bitnami/bitnami-docker-redis-sentinel#supported-tags-and-respective-dockerfile-links + ## + tag: 5.0.9-debian-10-r0 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + masterSet: mymaster + initialCheckTimeout: 5 + quorum: 2 + downAfterMilliseconds: 60000 + failoverTimeout: 18000 + parallelSyncs: 1 + port: 26379 + ## Additional Redis(TM) configuration for the sentinel nodes + ## ref: https://redis.io/topics/config + ## + configmap: + ## Enable or disable static sentinel IDs for each replicas + ## If disabled each sentinel will generate a random id at startup + ## If enabled, each replicas will have a constant ID on each start-up + ## + staticID: false + ## Configure extra options for Redis(TM) Sentinel liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + customLivenessProbe: {} + customReadinessProbe: {} + ## Redis(TM) Sentinel resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + ## Redis(TM) Sentinel Service properties + service: + ## Redis(TM) Sentinel Service type + type: ClusterIP + sentinelPort: 26379 + redisPort: 6379 + + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # sentinelNodePort: + # redisNodePort: + + ## Provide any additional annotations which may be required. This can be used to + ## set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + annotations: {} + labels: {} + loadBalancerIP: + +## Specifies the Kubernetes Cluster's Domain Name. +## +clusterDomain: cluster.local + +networkPolicy: + ## Specifies whether a NetworkPolicy should be created + ## + enabled: true + + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the port Redis(TM) is listening + ## on. When true, Redis(TM) will accept connections from any source + ## (with the correct destination port). + ## + # allowExternal: true + + ## Allow connections from other namespacess. Just set label for namespace and set label for pods (optional). + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + +serviceAccount: + ## Specifies whether a ServiceAccount should be created + ## + create: false + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template + name: + +rbac: + ## Specifies whether RBAC resources should be created + ## + create: false + + role: + ## Rules to create. It follows the role specification + # rules: + # - apiGroups: + # - extensions + # resources: + # - podsecuritypolicies + # verbs: + # - use + # resourceNames: + # - gce.unprivileged + rules: [] + +## Redis(TM) pod Security Context +securityContext: + enabled: true + fsGroup: 1001 + runAsUser: 1001 + ## sysctl settings for master and slave pods + ## + ## Uncomment the setting below to increase the net.core.somaxconn value + ## + # sysctls: + # - name: net.core.somaxconn + # value: "10000" + +## Use password authentication +usePassword: true +## Redis(TM) password (both master and slave) +## Defaults to a random 10-character alphanumeric string if not set and usePassword is true +## ref: https://github.com/bitnami/bitnami-docker-redis#setting-the-server-password-on-first-run +## +password: +## Use existing secret (ignores previous password) +# existingSecret: +## Password key to be retrieved from Redis(TM) secret +## +# existingSecretPasswordKey: + +## Mount secrets as files instead of environment variables +usePasswordFile: false + +## Persist data to a persistent volume (Redis(TM) Master) +persistence: + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + existingClaim: + +# Redis(TM) port +redisPort: 6379 + +## +## Redis(TM) Master parameters +## +master: + ## Redis(TM) command arguments + ## + ## Can be used to specify command line arguments, for example: + ## + command: "/run.sh" + ## Additional Redis(TM) configuration for the master nodes + ## ref: https://redis.io/topics/config + ## + configmap: + ## Redis(TM) additional command line flags + ## + ## Can be used to specify command line flags, for example: + ## + ## extraFlags: + ## - "--maxmemory-policy volatile-ttl" + ## - "--repl-backlog-size 1024mb" + extraFlags: [] + ## Comma-separated list of Redis(TM) commands to disable + ## + ## Can be used to disable Redis(TM) commands for security reasons. + ## Commands will be completely disabled by renaming each to an empty string. + ## ref: https://redis.io/topics/security#disabling-of-specific-commands + ## + disableCommands: + - FLUSHDB + - FLUSHALL + + ## Redis(TM) Master additional pod labels and annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + podAnnotations: {} + + ## Redis(TM) Master resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + ## Configure extra options for Redis(TM) Master liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + + ## Configure custom probes for images other images like + ## rhscl/redis-32-rhel7 rhscl/redis-5-rhel7 + ## Only used if readinessProbe.enabled: false / livenessProbe.enabled: false + ## + # customLivenessProbe: + # tcpSocket: + # port: 6379 + # initialDelaySeconds: 10 + # periodSeconds: 5 + # customReadinessProbe: + # initialDelaySeconds: 30 + # periodSeconds: 10 + # timeoutSeconds: 5 + # exec: + # command: + # - "container-entrypoint" + # - "bash" + # - "-c" + # - "redis-cli set liveness-probe \"`date`\" | grep OK" + customLivenessProbe: {} + customReadinessProbe: {} + + ## Redis(TM) Master Node selectors and tolerations for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature + ## + # nodeSelector: {"beta.kubernetes.io/arch": "amd64"} + # tolerations: [] + ## Redis(TM) Master pod/node affinity/anti-affinity + ## + affinity: {} + + ## Redis(TM) Master Service properties + service: + ## Redis(TM) Master Service type + type: ClusterIP + port: 6379 + + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # nodePort: + + ## Provide any additional annotations which may be required. This can be used to + ## set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + annotations: {} + labels: {} + loadBalancerIP: + # loadBalancerSourceRanges: ["10.0.0.0/8"] + + ## Enable persistence using Persistent Volume Claims + ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + enabled: true + ## The path the volume will be mounted at, useful when using different + ## Redis(TM) images. + path: /data + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + subPath: "" + ## redis data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + ## Persistent Volume selectors + ## https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector + matchLabels: {} + matchExpressions: {} + + ## Update strategy, can be set to RollingUpdate or onDelete by default. + ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets + statefulset: + updateStrategy: RollingUpdate + ## Partition update strategy + ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions + # rollingUpdatePartition: + + ## Redis(TM) Master pod priorityClassName + ## + priorityClassName: {} + +## +## Redis(TM) Slave properties +## Note: service.type is a mandatory parameter +## The rest of the parameters are either optional or, if undefined, will inherit those declared in Redis(TM) Master +## +slave: + ## Slave Service properties + service: + ## Redis(TM) Slave Service type + type: ClusterIP + ## Redis(TM) port + port: 6379 + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # nodePort: + + ## Provide any additional annotations which may be required. This can be used to + ## set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + annotations: {} + labels: {} + loadBalancerIP: + # loadBalancerSourceRanges: ["10.0.0.0/8"] + + ## Redis(TM) slave port + port: 6379 + ## Can be used to specify command line arguments, for example: + ## + command: "/run.sh" + ## Additional Redis(TM) configuration for the slave nodes + ## ref: https://redis.io/topics/config + ## + configmap: + ## Redis(TM) extra flags + extraFlags: [] + ## List of Redis(TM) commands to disable + disableCommands: + - FLUSHDB + - FLUSHALL + + ## Redis(TM) Slave pod/node affinity/anti-affinity + ## + affinity: {} + + ## Configure extra options for Redis(TM) Slave liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 5 + + ## Configure custom probes for images other images like + ## rhscl/redis-32-rhel7 rhscl/redis-5-rhel7 + ## Only used if readinessProbe.enabled: false / livenessProbe.enabled: false + ## + # customLivenessProbe: + # tcpSocket: + # port: 6379 + # initialDelaySeconds: 10 + # periodSeconds: 5 + # customReadinessProbe: + # initialDelaySeconds: 30 + # periodSeconds: 10 + # timeoutSeconds: 5 + # exec: + # command: + # - "container-entrypoint" + # - "bash" + # - "-c" + # - "redis-cli set liveness-probe \"`date`\" | grep OK" + customLivenessProbe: {} + customReadinessProbe: {} + + ## Redis(TM) slave Resource + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + + ## Redis(TM) slave selectors and tolerations for pod assignment + # nodeSelector: {"beta.kubernetes.io/arch": "amd64"} + # tolerations: [] + + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + ## Redis(TM) slave pod Annotation and Labels + podLabels: {} + podAnnotations: {} + + ## Redis(TM) slave pod priorityClassName + # priorityClassName: {} + + ## Enable persistence using Persistent Volume Claims + ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + enabled: true + ## The path the volume will be mounted at, useful when using different + ## Redis(TM) images. + path: /data + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + subPath: "" + ## redis data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + ## Persistent Volume selectors + ## https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector + matchLabels: {} + matchExpressions: {} + + ## Update strategy, can be set to RollingUpdate or onDelete by default. + ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets + statefulset: + updateStrategy: RollingUpdate + ## Partition update strategy + ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions + # rollingUpdatePartition: + +## Prometheus Exporter / Metrics +## +metrics: + enabled: true + + image: + registry: docker.io + repository: bitnami/redis-exporter + tag: 1.5.3-debian-10-r14 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + + ## Metrics exporter resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + # resources: {} + + ## Extra arguments for Metrics exporter, for example: + ## extraArgs: + ## check-keys: myKey,myOtherKey + # extraArgs: {} + + ## Metrics exporter pod Annotation and Labels + podAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9121" + # podLabels: {} + + # Enable this if you're using https://github.com/coreos/prometheus-operator + serviceMonitor: + enabled: false + ## Specify a namespace if needed + # namespace: monitoring + # fallback to the prometheus default unless specified + # interval: 10s + ## Defaults to what's used if you follow CoreOS [Prometheus Install Instructions](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#tldr) + ## [Prometheus Selector Label](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-operator-1) + ## [Kube Prometheus Selector Label](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#exporters) + selector: + prometheus: kube-prometheus + + ## Custom PrometheusRule to be defined + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + prometheusRule: + enabled: false + additionalLabels: {} + namespace: "" + ## Redis(TM) prometheus rules + ## These are just examples rules, please adapt them to your needs. + ## Make sure to constraint the rules to the current postgresql service. + # rules: + # - alert: RedisDown + # expr: redis_up{service="{{ template "redis.fullname" . }}-metrics"} == 0 + # for: 2m + # labels: + # severity: error + # annotations: + # summary: Redis(TM) instance {{ "{{ $labels.instance }}" }} down + # description: Redis(TM) instance {{ "{{ $labels.instance }}" }} is down + # - alert: RedisMemoryHigh + # expr: > + # redis_memory_used_bytes{service="{{ template "redis.fullname" . }}-metrics"} * 100 + # / + # redis_memory_max_bytes{service="{{ template "redis.fullname" . }}-metrics"} + # > 90 + # for: 2m + # labels: + # severity: error + # annotations: + # summary: Redis(TM) instance {{ "{{ $labels.instance }}" }} is using too much memory + # description: | + # Redis(TM) instance {{ "{{ $labels.instance }}" }} is using {{ "{{ $value }}" }}% of its available memory. + # - alert: RedisKeyEviction + # expr: | + # increase(redis_evicted_keys_total{service="{{ template "redis.fullname" . }}-metrics"}[5m]) > 0 + # for: 1s + # labels: + # severity: error + # annotations: + # summary: Redis(TM) instance {{ "{{ $labels.instance }}" }} has evicted keys + # description: | + # Redis(TM) instance {{ "{{ $labels.instance }}" }} has evicted {{ "{{ $value }}" }} keys in the last 5 minutes. + rules: [] + + ## Metrics exporter pod priorityClassName + # priorityClassName: {} + service: + type: ClusterIP + ## Use serviceLoadBalancerIP to request a specific static IP, + ## otherwise leave blank + # loadBalancerIP: + annotations: {} + labels: {} + +## +## Init containers parameters: +## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup +## +volumePermissions: + enabled: false + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: "10" + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + resources: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + +## Redis(TM) config file +## ref: https://redis.io/topics/config +## +configmap: |- + # Enable AOF https://redis.io/topics/persistence#append-only-file + appendonly yes + # Disable RDB persistence, AOF persistence already enabled. + save "" + +## Sysctl InitContainer +## used to perform sysctl operation to modify Kernel settings (needed sometimes to avoid warnings) +sysctlImage: + enabled: false + command: [] + registry: docker.io + repository: bitnami/bitnami-shell + tag: "10" + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + mountHostSys: false + resources: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + +## PodSecurityPolicy configuration +## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +## +podSecurityPolicy: + ## Specifies whether a PodSecurityPolicy should be created + ## + create: false diff --git a/stable/ckan/charts/redis/img/redis-cluster-topology.png b/stable/ckan/charts/redis/img/redis-cluster-topology.png new file mode 100644 index 0000000000000000000000000000000000000000..f0a02a9f8835381302731c9cb000b2835a45e7c9 GIT binary patch literal 11448 zcmeI2cUx22x9_8Zh@yyC0I4cPR3wC|kVp$H5PB1ZB#;m~gf1}_1O)^|QB*Y2#4gyt zMlbeAQxFvp712m>hX{m(GZyaOx!ZkSz`gf*j(>!>GS^(QjWNFCGu9zzC!56!6&9jU zsKs`+R<0=2Tv-%qj{Ji8aAni0vR)KQEHl>HJ2pI#N)HP{sbegEe^b}f4US~Qs$;Cw z_4G(lQ96Ni5-o-l&d`YniiJz?dw66Zok|Z1{M|-RS5J47uKp%8#vQGzjxpCah7XLM zj-j5O@9*{`T2RE_9UAE9LI+xoBnmwuHj)v%{&$O@SQ71bZ+Kl2DH#*!W~guJ6YNcK zHZTeO`>F9kF${WS#P4QkJslGrH2U}5u}M)uzb^*{#nUN4$W@Fr%;@i-!xQO$57ytD z8g7NACsAo=gGf@4U2vq4|L;yBNa25X;tb>6G}|@C+Q2i|iEP41uyWQ#JBJ%4#8?F< zhJ?qHVxj_RUKr=dpkNn9ac?y zjjf4Zb6GNz?1!C-z2!T|`I6FNrJxgzEdNh&X5<(5KrG*81T6sFq zW4#j0(FP$=R0ktuGQKhJ>5aE1x<}i)7{Yf-uoVV+b&Uyx|9F@?Q)9v%9i!kom8xr_ zZyDi8quLlJ$HoMDMv5Etu;N25ccDbf0|Q5Hey zuy9hmyN{lmxi_9+6lmk*8e~ZKun3K`af^yY(`;?=K0&@@N^D4|ZmdgqQerIL%hrxy zM`KVuoedc@Cs*&NU@z}TC!YjoOLVwfgp0XBq^=QOH`LfZDk)yy$}P!&oMd9pNV2eV za19GKbTn|V3?&(oC>TsM-pj)_-XqzO!f>`XcTI{5(F-#P4|eb+*@i_q#RWz9Cb}lU zY#Dly5oBMwdxVb>J|ZxR=Hn2B(esIp*C%@g#keGsV#(gFfsDuqU)z`@qaaF%b3~+m zaCivCJ1!{#Z-OS0%&mNabUj@xDKwK12OC|CUMSr<(LBO6#=*zKmh2FMcXPB0wAZ(G zOLT#y3^MdVd+FN4H&{DMs+$|$6}}_mun)3ByGD6M!*@NGc#37RH*(}cY~w5(g7s}^ zzJ{deP$OjHtPIHRcv})F*daVJ9OLS0Leg`Niu1-BQNyAVy)cG$-t^cQdT5*_#!w#< z6bFATlk}s>LCIl6HxqO;(KpT^F4{I2o&%lvSS5MJQIi?*1e?StBg+V5BGsE18|WMZ zW@PMb;;rjJh)Z(TCxklSlZ>ctaW=Yo)I?_w8+1I}9FDPYfEk{Rp z-ILpbFFK4J$#eW+T6n?W^l5qJZKu}h5eQ&HLB6NEPly?kFMd+9B*;21U%BtZEs%?pK-aOJA&_a1j0}?4#_1KVkJ~ zb1N$=!~T5LHEY(Ki6ShOkvZyUtN}kg)=-p%p8{pGCE=%=k}YB~GBVw%{}0_J=Dl%c zNm&_1!2faZ@ZlzI_bqfh*IP+9=vgI}rUzo0%pyLDCQ>#KFyN?VT{J-WBp zCg)?vCAY`Vo>`JeY8zKB+H+FMc}Q(BfZHZ_r67MSRsc_F7C zywt+dvh}JDW@2iJ{P>7kKAJK=H#hgl*|VFbw_3cM9SuWCQ8xa>xpUb;&rXoK%1McR zdnJ}CDoP!Dk~;a<;97Nc@fy+86}OQmPoC7l)OA^+lzf7Q)M`ViYrc0ZqM~%M)1#Jw zfq};3$}t=HHo0Bw?;rEaU97FebB`UnQf>OC*hZRgcFPL?lreG9^k2lGzd~ZiK3a#p zy)Aj;;m?Kl6GpPH?|86AUw`=-!|+_};cth8N7wOf@{BbUz8)iD>yD^dMsdu3sjgcm zW@l$t760Qj&u4MW_&1NM{x!;Vb#<@w7h9$;X)0sy)@H8k+&6o3!pHoJ>1>urexUjA z{*xzH?Mxn059_{ZJ+&^q>tPZG7Orn-Nb**9*6rK+L&p|ya{?=HmlwBKDP8rsHUCla zcztmWHlwP_c!*J;ZD_dCY!|w?1!4%~4*Dqs@kWrCfWZ=WDk*3@9_9&Rg z5F_^U)4UCdKkmGFRb;&gdi0)Bv?Q|{S_2<>6TK>ZjGG z9{XfuWax&!)fbyTe+?S#0yhM(;#x%99AT%DK(HZO64jEUVl(pL5m;Fr&fwZPdwct( z%F5ZbwcE;A()V1-YtksJyA;;q7Ewg>BpOX=mYSHHB=uG^+sd@U;l8gOmt?7&bDNkM zu3c;-9?ml75dN@2UC14Kwt46Ayu3oYV;XHVV{t*d3K&7wJ2t7s>ig?!V=XEy zTei8u;}z>#O<*5YkYo515Ix`}TT?sxu@^5d`*D}*ybg@r&so3e+v-a$5 zZUo2RH_Wjx%ILh}MVX!$Yom3g3NIn!T+5S?3nT>6XvGdEb=qi07N;DkD{zvz0b5=XcjZ z%dB}4OKjOLo4Fig7=&v@&9~z!vfyUH!r>W8>ohdhn40=cWhIkX&B#nMgdSzQe698C z&HwuHqLib$HKeUX^6As3C7g@0e3~gTl8)Z9$CYK#Xmq|lJ(njRXfx1~)AFtJO6k9w zkVqt3A`$kLt7TxY0_>xW)*>D8sh7e;aXnntiCP%~e12HDO9BW)FCB@FA<~X*CewMZ8<>mEH4zkm8a-`u%DeyvRRBF-r^R>#fZ%=tc?G*uabB8b?O`
    gt0u3YK+3VbZ)7Cr=g*&)YecY;+uHRLladT3#L-cG+Z4CN zKHgdOtr;9@>`b#Ba+WJ_{4yh$6P!auoRD{nC(pX_v#ErxkgbB-IsWFP&W_}s%qJmt z*68S5|2A?sI~z}@uitaVzm50v=e`T{#J^q`x%l~|^x)X1PD%ECQ3)6r7}&pZlW#!x z&7i92f%*0h4r6aaZ}j74CZ$tSQjUNV{3&o&kyxTw>qazFXX3Act31{S^Z5WvqP%;8 zRA3x!@p~>={SD~@*D62Me{9N}gIbv>4iVJ*7S*vcbLjhxnzRda8yg$XpFfY95st75=?aFC9}wq0 zF)@LdjmM0RV|#f>r?%h2M3;$#Pa{fO)5_jR(9T%&W!y0{L3|lv0qAhQ-1KmF^PQ#ZP>O;1`%Dz!7D2~MQU ziWTB2Dk_SwVr4}3^O^Dya_Y^8?nk&h01c(e<# zn#xC@6l4*7aQx)S269E;yL${|OE<2}jM=QQ;)KaRrkkog^P>D`le>${Uf8$b)1Kp> zs|yMWF0X0_-=xd4u&0Y3+CqaAK$nqa%A?fkq#lyJoui-Hen2>X}amW4T zsHl&Pl3-Q+5SF_hB#eanpW7uIe*?#A_w<-e)@q~SyPJD|z&6%iOR!QgO3a%bavc#AD>^6l_mA0H!azv|NZlSo-Y>{7yA@;9CP`qRRbUn%6+e)_JqE@(-#Tj($SLZ+CP~bsy z^z=kD2pv1Nx#8&8SRE{FDJOU-zYL2!Y4}F2TC*4mHh4*NbaWfddEQmOd&^+c{tSn~ z1k|3gva*{asc|0Qw8G!sK8kJ7>0&1%@zj--rXaiP*RVBWzVhzUM4V8cKhnFInYN=G zH(rj*4J;8!8EBy5Shg7(^gc>&AhW&&K%fp5%101T+q}K=U2!!ZR+L`2pe;1(yhCD5 zwZLA;2r!@WQK-ns$WLFsz)Bk!GrmY|iT$d|OtY-O3CYmGMWK8=bZ|_=(b>~egE`;B z&DC`utbzl(e>s=PLdF(@$Qo;F>;K4_clR(EnVF@3${I-&7|nq*XIAU@RjD#F9Ja!- z1gAUx{SAmEZGM?Fa-d@lh@@~DD8%M>?%ZkX;BXAvqz+>)+VLR1jdqa4x`}xGPujwJ zjrkWlZqbNgA0GNlNuA6sD9GCRDA|r(xQNS{?CRYFpMIBcClzE-x)A0>$IUe54MLV{ z5YKI7rd=<`4U$-_CQ(64=M>`}9L2G*vBc3jiKCFeFf-JY%#xS?czdS-j34BuI)Bic zdm|o%rQaRgNkv&y6rbx8JJcqgxpGr3w#j*=j^6?ni&d~S!D(vw4hk!~PV_BJXp*+! z*WgV`k!x(MK7_Aw8b^7^?KuC1QSW&W@?d1=cj}_1HTsUh>3@C-(>ADeNNAuaxTPcrHRdNQYOyka!)+4~pt_Se?%`LR z;xnbVV}q7fEhKKOH~ewy)Ya|Slm*-y!(D7)Ma_K*%o**nUm81s`t?3R<$}}M49N5# zO;E?-RNO8Q>V&^~b0AxTn{2rwaMM6V%>xSL3uu>2xLgQhlQT=!U!rWP1^I{yYZ~lH zCiu;Dr4yU|b(q->0jx?`SqgmC)WAIw&;orf@uOty$OokjUf03z=V70$*Vfi9CpRq= z6BFxuqRFa7_Xe7xHZ?Q6iq)$~_dm)_vy2nS?9xW&ct6KH?@M@!S2w7Qj z=(&&|);AuKJ$mZYdgjW#!lRHK-s#T|KF`4lq}0^Zf;%qCq)Ex|YizU%>b>pm?R_vc zRSXGr(F4tL*c4;KurAeqW_0EIH*LSGYHF$oXUzJ|^&Mz>+qx9d`YfxIVcpv04@u z7P_>TibzHZ0gUm@th>A0*2$^4z=W}M*)l}U-VX0sxfY*Qo3UcUk-WUm9lIV^fIX2} z*E1>gbxsAwdp~^&w6d{TYiukBsv-@H2jbq;uaTU`k8PiyHdu7U^IHAuYulqIMoAFE z)@W)<+`D%Vl!lF+oh0gfNr@P^e{hY~PEJeofU`lfu=n>@z+N=MaRRq@2)rNV)8nJT z@2b%EV~6$~IkFUaoQa9NiHS*l&Du`{aQhXwH+5(=#3Ug)*1bHtRYpZ6C+V**r214z zInzX4$S#&HU5fJe_fOoltD&J`-itFv$e}!K6uCrNS{k|d=FO@(bLK2qw5Xx4Za)P6 z0|_6JB*5sp?lCk$heZuEFCHT1#U4bGY#KpPcA?gW4GpmOE{Mljcuy6aXct?-SY!Dp z3!^+du-4Tf9pP_A2VlmeeOgNzIH%HHIGOnLW(iBYVtfv6^)iTckbN8)b|_e zoVEKYtaXQkm(nQ~GAVfY2Jx!TxY1AzKg z4W8SD1hSHnb$$=x9jC6&zn46&{rZM~PG4U@@aeQd%k+=!L|h&=GXz-6GC}dyXhKH= z2RD-ik+|;JvqhU9@s`~U>t4gmwFDg}4-1F*+3qmBukUG|ofzK+)Lv&ArD)0Pt3LZd z-u1WIs95{?74S@)R;*r~3HkcRiWX(dl$3`&lRqTHrj?s_W*^34BcsF5WXY98Q$y+qe39R*cE(Z(E%W;ALmX4_goK$fL!PTdlU!K_L zGZ#S${GQ0RvabpPh7{k+h|59y-9z+iMMVWtafpeDDIuauU^oMX>B{wQ?}V2ATkEct z1-3xFh3IQt>T@|OYirQg8@QaLu3rBN++g$_kzWV_bX-8s-S9SA)$!xUm-D{1T24vr z2w=Sg{!3!L9JEK2I^=1iqodoX)C;`zI_trjLECF>-h2{kEhacNi=@1UIHQz$az!l| z8)%lcvZ~uaCu?84c=5SCkAqGC7kmLkoDB}^lYD!N{7&jB&RM& zLL_Grvo2fFWDTItH85H@m+%ZR2)7Vtv%1**&5dUws}CJmvmB zGtS1^z4OMP90a2@w6(J{cXmF)lV1!SAerA&p@-{k0=K79n$nUDi8{9rS~df41@yU! zPg8_JTD8h3G71pC{{UNtA{1TRzuwRQ1S%=35%6pHJ^Yjj1%R3w-0SN*GK-4VKt?7H z+!zW;Nl8h@(I3T-s)4h!D)aJ1NHvB;hl3ET%cg*faQRJkm08o#)4X;fbmidWztg>;!#64Q4Gor0j7EW=${<=D*66b5 zujA|8puV!ZCvyl$p>fKDE~*bq0LeZf$BO##)&K#p0HJ_%O}wcQ9Y9h)n8zMKySw-s zXZgX*^dPPxyvOhfvCXxg%sc?h3$;R^(_K(P3*UU9 zmo=l*kS={AxsHB14URAhG(H6XjehrIFNH9@s`H1Z0V^NwC<~Q+g!6yY>m|$gN=Rl^ zC)eE2fUMg+rTS^MrFP;Z-c2n#cY!_uVPeiZze#uwRB7j-`Ucr7 z1d%86&I~B~qfip>kaqztb`AD8{~L0y=zSrD@@I~B`d2Tngq+?T{yoYEXi*LkuBUpH z0H|_0bQSw`DM}TKRR+*p$t3cnann&fH_kwO9H+mvI*@?5h2v`?1mF>%Lx?i#e=%R@ zUH7lahQrdIgA+lKduYc@^~aB7Sa?aW0Ti5oJ6nWrkqTQAxuWOM%e$d(bO`56eWtQ} zAwti*<#NWldf&6c`I?qc=!pDa3fZy)Qd5EY%4(=&UH>3%Ritcc}65Wn3V;U zGj2e~MHl15QJ{w7^`fl(h_e)2ahe3|wfW)bzFeGAc0@N6uhW(&X@lDYn22!P7*?JX zS_5i1OF&7$Q0K$m87KWL`6GbnHRhxCfFD-V(Sg!n$ez3nUTd_q?Wd&9l;h%{m%vmJ zYTjW<6sS6P{@L>DPstVMK}`bn6c@P7#^Y}sX9^jr!V9FNkWys-P#L=!m_#Y3d=bA4 zshnkXunU{T&JRo5MO)*iN!DDV5)vM-K@C$91wg?Pk52;}n%U9eURqOj-w@Jegh-NE zX+Y}we*8ELCNYG$IG^^iz#NJ$PzKfFm-!=I+`%_M==-;pa)8z>^u1K?EVY%s@=l- zy!B2{l-)a99)1PoVKEd^t^nOjr_({?$m#Ja;%i|Y6XALlsj?* z>f2SmNb!5t=79F8f=nm{tq1iagrj;_Mx5oXzuzcQ%oKKJ3r$X3;Sc6QhcC~WWrCv& zXf3jCE0cQ)RgQir2!ajTv5P`MK6d%PFUPe+eHQt}6WlYhv(uo|$me#iWoEQhPkvbq zRiQcH$&UT0Oko%H9MdEgMfO%NSiHCiiXkN&7kd{M8Aw*3GGGEM3_qo)KC5{Der=#X z{~{HX6C8=gD>te$AQ(BYi$kGmp1&nd8(e8RqDB}}dyzL1z;k#dz?_lSAL=Aj`lBCJ~vZaRd#_rNgaC%{d^a1(O*c4V(IEKPIWeu+|! z%s41R;Cpis01Q##f4*n&tq)o>%MwlZf?K7)8x|0Q+B8i-h>9Z>i#>Z#rjwtJ+1lD3 z!9G!kDkObY&CdG<*>PCB)+SAnpzcWopr+1YmyVP=wr>GG+}yaX!FnYg^j|U!I@Z5A*1U%+~3V zCPXPnD)TY4C4fAUv>D!~AU7VA@vb0?g9P~_1vT!1n$8ix_3$2(n1nwesZB`Vk~c;^CATva2ZRgf1zp?(eu{DL2oO*VOmYB7 zBSIoS4h$fnf{?E}XTO9r-rHMl?%cV3-@h+{@KL~<7Y!45Ic+v z^)Lto6Ar$AW@U!Y=x^d~2*j3yWE7t4A3^l?BOoM{bpL#lP?Yxy3?WM>=}9Omx&{Tw zdU(5f2D|!)$OaI|a0%}F2YPrDy$K$F+9=8^${&_jKCGaGRZx&n(pFN24@E^;byWqs zKkZ#T2?2ixRFRd30S=kEx_bwZ14Fzd|Fj^GT|NJdW~Fl2&%!mz$V#6`a8_3jwp5Pr z{?jIm5FFwi81Sc=0*o&UkNX`DIWmaw=duSO%-fy7xT=JLH~JeoJkk4au+G{41$dfjkSY4t(D}p^=!R^ z)U|CKrYmJoGw(?iivqLLdoBFF*ll?<2 z{d}S{4I;xL&BN8)(F%r&3f=@&csYzVH1I;Yo0Ig+@#@xYm`Gbo z6;m~mpLZnL*4@I=+EvXe#N5m`(AL<@!_3GsBE%yyGAcA&UeVCaP}fffP1ZH`@bDwr zhD2D}kpm6o6;)Mze6)RWD3Yg@kB^c!$`GxJM4>$4F##cp{%-QFkw)lnTQgk~MI&8P z9Tk10zyNPEcN7YiN#By}ZyI8$7_3L|v~!E_G_ke}4lu`u==l2t+o5oZCgwN=4ABVf zui&QcjmD~akyP<08^&v>n44=yl98cgJ8fdPxxR9gqDi2sKN3SAn}o{~-Th!}D@b7- zBK+@V8i5Z|Ggr5W#Ca+Q!5y+WQr{-X&)36BG1AnE5r%G*B_;-qhuCJ z3XxYc5B0Jokc_ z1Ak8sy+8wFWt6*~nwd6M)r1rorlJ;Lr9cdJSMxSgQB?OfRkKvnLmDd)4PlJ%D3S^z zavWp#D8Z=u|LmCG+Xw#siwR1ok~bZf5C~C(k)Ad-qG*2D7mHoyXI?BnJ}PN*Kx35p zB0Edh32l>qHgUl2g57l&%5g8&D_%rGS=zPh21n3VO3m93Nq4b_7)maAO;F`;?+;dI z-ItZmu3&nclXqOPbM=E;&Mi0Mw-@mX$2tScS4HKOIzK$%kW*?FHp&rSe6q*<=x6aE zqfMNg>J+N6p7{PeDbDP4JY7#u(T%p7vpxBL@S=FafS-O?m}=Pk;F*MkEia0-M7p}V zc-4c&*_k(Q+Pt~zwx>CH=JnS3p_-(c8nsiWPJNi4&-gY!bOoI+J3VmwAhdCn=amm0 zH+=HsiKwjX&TZSa_22d72@Vdnu(y|9yOvYvO3Uev{k8tx(8%cV+qw`=LBVvVhN#Cw zLjofsBfQ6=l+*S1@0E2(-XWms^8M5B)An}lxHwI-iyCKMzs6v(*hW9q&9zRg+}zxU z4j*ozS(RlK7iSg~34VOnAdr%hg0FI6f)VsHg)^$E+^rb`NfeiQbaZvIb8=46=~7+QAA^@?ael-1x%chcmnFW9`5+-`|sGz2%raXVf(`V0i3#DLBQH>AZa&2a2=T~O^{ytu7 z_ntkdHWCdMm|YOL>og08J_eIBjl3EpgIlwDo-b!G)p3ziNGKycoxO{cpb_=;P-$uD ztGW=+n+|mtvLNPAp49N0p}>*sdv4gE+APmW+f;m@<~!-shs{^TtOj?H z3|;Z`HzvWsiitagQf-_fQFqNX>Wm2l31a7^jLVlr{RVEKU_915DJBHl_U#HDPj~6* z>wl@t^21tLolZ_>-LiFS-A|R;t4C#UO^_=i3k#WFzmmHwvGX4upPufy!86%eET_S? z?FlB-z0B<5sp4XhVsiFCD!23pXetu_(~``!`vi6N+V0)EUqSA2@$jTkN{!B(Ia51V zQC~$G)9 zYeYmwrckuanlL?8u(o4U#qoQEP6w1;y}D)ie&`;d(?ut!bjv*l&7OQ7YeThN*2=zk zF=KHts7t|+D1+M(wcKMT8s+r`Ah^x8yOs<60_c?`zhDLm8KUmT?H?Qdx5)dH!?D_MFWZI#S$rq1v zB+wAf5s2Dv@Q!zXOEuAN&0x^rX?S5=J_%t|iN3u&ey6>3h?*0=V^7W~8OvepuYS zvHk<{P1I<&Q|vMhYh$B!B)(gK|5{m@Ze`yU$NDe^tnu^n1LmgXJ4J2#wb~hfxo<8z zJA2>w50|v&B#yC>B$0n!H2PB=3kroQb^j@GwmkvTY3y#FQ}dUJ=S&XqN==Q8$Nl=N z9^28KV?J*cH)DPl{V#bM3xnx-yaP3}NgPM4mWxYSY)bJ`M(cy1MRT<`7O_ zS&2B8pFj5K*SZ{Z1c=Sb&E4AIlqrGE!&jnn#BbWy?BtPi;`%AH>U+?v==j3B21pOa zB;M3b+DVT{dILn$>>~eRy6ei~_wNR=vB$oA`NG)Rzt$Jxdojmi*OV2Nl$a1Ul};_= z?PobfL^8X}%yo0bV>VW&u2)vJtu9TGzJ0Vs^!+N3k(S<$a8c%02z+;RZdn)^gotVo z1{PsuXUF#J(aM)~Je8T53HibT`LcEE))dMsv7wqkgPC?Jo;qch5&8iSAKyzjefpBwFgiTI=#4{#8O>d{c3I*NgCZ^R;=lN7vkDzJ4lIuE4zn=j{mtZ1sLs$wt;IpVe=%!g!U@8!+H#$KE(3~X|%7FAQ@$q{#L zN##by{X~*Agp7@i5eV4Hd~3^dNv*B=bB{e__HOSjw`YMB+|DC=`QE*~XAhd|!~FR8 z_+V}5F($YMJYDKqp64&E)$u*PG;18L#Q9MizAjh-arydnR*j20Z7LidKR(S;xIVZ6 z`9qfC6LR8|XW>^5JwXc_wE$g%13l{hqmSaUg!# zjYh}&`Q4OqD)UK$IdQm8ZeP>1$Ki0jow>QWBR~`Kg)d)rbbq~dL*S9w4vw^+7aF3! zkFHJ?GeCl|u~BJzRif_|-WkhKd)EjYCZWMRaFR-QW7#R#SmoLb`}iQQq6h2i?(Vw38r1=E|{@#%l6Kh&4Fnyf}Txn9EYy_yX2aTKPy=i-Trn`)RLyG(v zhK7c_{@|1P?E&_{z(9ao{Y#fFy`)T{W&z(%fKUONXTYj9kmY-06sQ9Jpy^lp^iU|^ z0LAml-n%J+>SBPj0Q#Kf$CkM?*S}f;8ZsRT``FlD?GE9vRAW_2tEzTwY-|9`ZT=c{ z%pwhLE@+L(sUPcZ!V|uOw&fy*U)$7l$KXAGX$WZ>8aE~-EzQZxdq{(M z_%cB3^@<9BqoM@rEVGZV@5szd3Zz&vWwaNvnZ+n4Xns%ys5%8Gx%A;fVU3HFHYaZJ z{rfiq)&V~_0LK%VcM2wh{7I&aSeqQ!!@PqZ0ZFKg)XGhCnc65)a zgoMOM$B_j+ZS9lOhYHStf~;_?cLO{ty^@tyjUDbExb4ZgYu5?F^Sl&FsU)adl#7cf z#BvbSMk7YzNlS}%W#3ri$<3u#t`Fur$E64#i*o5IMM3}LGPq5MqN9k1!n+e z_e)6pl}E#Gjx0Pl4U$XfHu0qn3Uy{0nToNtPQ0MxIZ8S5sgaJmq1U$Wj4SPRu^k}) z{qO}!``Lr_>jJN18T%_eU9Ydgu{vtm2Q*m;XfiP%BTeC$MeVN(??rt3D$caHaSF9d zKwei9U-EyQAL8LS_H|dz*|R7Eu`}+p98=Kmy95NbLynjfAvq76H451}^y<|KfM@rn zgl!DbaLv4!^7gGmSGA!8L(+0+{oGYjQsM=YrZt`K^kMsZ*T1!wr>3%rA3V4piR2X) z7UtE8J9^K5=)fO6>rovtWu~X6ciFsHbGo~XgZSe7NsuS3Q=PDH=dT%~(bfJ#swTyn zLf_v-%Q3U_o_PAy@G6y>LeZCM!$=GWX~hYC{`@&&@`C4wxw*7z_ck$QWv=aeWsdv! zNSPHOM_wNVP?x`8!YB|xWi#pyS;zY>5I+7kaR=~nUIjc z$j!yCUlSg?G$wQI-^I;+W_sF-Q5O}e1?m%t2ZBRFEFB!ub8>c{%grqT!P2;VWilVW zf=+8`X?gncB??-p2EI#=T$*%!c1|)mHMI#wk|&Moff5lF6-B@_C8wpGZuih3k*Yr| zuzK^Ma}yZk1x#G+*(odzxtenD(ut%b7Q31N&?2wyhx&q?YM!r!%8uyc zuo|8;&yf(ILG zbEkIiQGtmc`9lgxfZlG4A09InT-@kXem;+WIxneviCsif5Y`&X7x=9Gwef=l3dePQ zZCTdL{EZ;Is5+y(xN@b7j*~ViRNY}~Yg-$$st6kDG*HbIkl*o98z3MS7z00e@W29x zJM-d&38+x+9Pxbz4lu(jg>)U>x5kamb(pQOpGn*yP!RhN*rw)Plr&kxF-^9!t&JuA z$I$zr**7$zh`EW$_%~ynDr~z%z`fjeCT3=4Y1{7_!7$my#qr&pq-Y5n$oTG`J=U{6 zZ=Kq?@pSR}^z`(-{?yW-XbDd@T8>P>TVoc0ml$b($$(06wLB?xy%~FNG<2~9y^?ivgWfk=c}B{*6FA%m-FDSxA0+prtm z^D;;}bVoqtr!+v&f_txje5%j1ry<@t4R1%|n&awoi9}*5WxThx;XddaW|A~cGoW&? z1=Ev!tsI*p9zd09n#V;0eYcfkkJL8!fHpo;o9iP`V-pHWg|!Cry?GuNi>I@NL)jTX zeKL#_phZ?zR%7`&!5sMK_k~k$ zYjgQC^aH5k+XE^`tFeyh_L6mMH8u)(x-2x*8~rwGCxbgUYHe)XJm0g5rz--(;cu6p zu$PqNtg)GLr9B&OEk7rKplz$MiLAy7L8m(jLpP4%>0w@L?H%w}>d=jKJpJ(3q4IND zE$u=<(RYQ=%W^@|689-XzRzn-X$3EdP$akmBmy%x{#;#R6ua5`4Vql!Mdjsp9gF^^ z2Ws%u!`Nsj;l@7IFC@a&3#gx0Wmq4KyFdlthv-uTQ()163ZOn`f}&T)%xou+7wSD$ ztZ+b4q-How;ONn#LEneNo59@xtelE@d;BbQZT(KuMOI#>eqi_xITRU!GkQTtEHg~dIyyQo^1M~xbpWnHeGnJqeQ9*m?c>|JJs|260Rn4DW3Omd2LTs<>rFE= z3VJCkdMu_kPYQjvx*CX~ea*N11k+}D-(H!RpP$f>Muwe6qm^FCZVl3e(v24I?g1Y}sy)|R&dJZ83RVpkhfARl@^9Ewy1_-(ZQD+Y z8}S|qlhIuHuo-x!1u63E@(RXZgEz&jtoe4QW*Q(CUtGk&nc_tTi8AVxt5?N=7*E1@7dcvTXMu>j!0pg8FxbC; zzb;v@gd%(_6|^|{(_22M#<+x%xK1p6mZo+jxfw6d*Sv2nuX&dWf?;g7=LRtNvs`JL z#n))L5=I^NFs2Tu9x*kRDe147kni(vGlYX)|9_Yv!Au-sF>I$ZEbDY_>6sZ%u~&ArBk|wG!P{`p!p2V&BJGweO`jP?z&+k2NdN@ z=E~um(iJY9Y^GA9X5UDztgcGVY7-9QtKGK#TwnhTHB2f+XXl3)WYUePW&*V!E9(Rh zM`>+s|4iQm1soYtpJTY|SZfBT8X=@e$HcSMAR`)VU)~J;GA9;CHNrElKUz}tLrg72 zda`+jI#?6v9J4l4W>z1w)&K?oJFon4GP@5`N79^nv}Tbtop_s1NP~PlAfV!7zG?j7 zBS!?FE`X}0^vWw!$b{g@7$g<@lBo2cp~2GH`oP>oj=!u!EyCQ~{GqskE3DCno2yw3 zSRg-!d>op{9^15OlZCAu4ajB++Su5z$jQldDX7P_fSLuh;v5nU$7R4FWaZ%C5o$h6 z(mZEgv6@B2Izz=R<9Pqgi2QgAI#1>?6lHqg4i#}MXSr(%%J#(m_~yE@II{DMXkXOV zE`!fKHqI&FDN=`B<6Z?!;)(_jq=xYc{#Oz!Vrzt z4GIEprQpe`g;w-ba|OoK+}wanzVp&X|Jl;pkj|0Ck>*l&FSaS&BOfnt)HBLQQ3;8b zYfD**{sXtRa&mJ1_iiEj?jINCu8M%&y?==bKj{lmCfs zt#LEQhx&zwA>xJ4xp{c(7eq}#J}dYSDucg}>*=2i0xT(o|>K{kpItU_V5C|MX{qks>ED zsDof~;xw~jKaZk*{&@c@(X8zD#<`2?AqQsX<_d?s!K+|IfoKE|SRwL@2iPB1=yW!) zR%T{qs_-%qqbUa$flEq3k>!Ywd>puqII*@C^>a+*m&L@7TIc)ZZQxaxx?ks?I=#fy zkEa8^QO0+d-oMYEFXw!3qyE7IL7)j(5cqugNm*z>w3k-!Fbqu-7TqOUmNyjq|z zNO_NS?;>by79U8MmPx^Gr~-4OTrxk1vjtDydRRPY{K6EMscA0PjwuTSkqEzl$Y zJ-h;(7J$EfvxWra8@?e*1;MaFfKS_^7aEeFG>4UhLj#7-4pIT?)WiY5R!|E;FeCZz z%?wCZp@NLqYahGQ0ZkxMY3rNEq1FW}=HbSgFRU*>f=Ye2$pyu&fe%*?fMABIp?qp{ z+aN`v(R5N#qXKd5PhsHEh!sD_6FzTY0MP8JgL>j}^ITB>#Li~07R zRK(H2;^IzgZEdB03XL#@sy7jI$OyopzQ6yxNSq^NC1WmQolBr@-Rt-bTu>L)Lc;So zA8;yLmO8cMes8{wm0QE!ntoC}V5Ydfdk{&19UcXS%3`m5U<#$gr-)w@netuj+x;;pdLBjKx{+OdZa0uW*APf{{ za2?khGuHi;s2zGJ@RaVc@$($E#@vXe z=4OzFV~Z16OCG;{no~i4NUR*oblJWp;E<$bHiHAfpw!M3J_ao2Tf{Mu69OEGLo9yz zqT}dz(J$YCa)U}y z|MqaEnTt3GLA?x;KRLHhalLyc!p{h7GR0SSeQmlFraAspoDzB)_hX*XKuSsqJf(BDZYjPfQr{E)mc(LRZYQC!b6ex; zio0JunJ}i!|Hdq&O z5Dtc3m6?mcerHi4zGyTMiA`Xz7A4FIxVrzIzW~F60?g*w%*+l)KjN=nzt%I@zhg8e z`N|-sp$ps;#`%EfrAX$74<9n>2ylU_T^?_`dhOcilaxKOFRd&r5Mcal-M&{8tfR+| zA5XugZa-jh{siEysGM9UHIh<^>4V=Bg))8%@U(%X=>SF4nmwGI0JnmNqYDSaupM@Q zR%M(P^D1nDl8wPmU}YqkYp!m&aNz>O5h9Tkz+JZh1FxWfAJLb|<^*5CLIUNmAGilv zt&E>FXE?PF0KotMj!{=7h;wQ?rr`omD@a$t=x-mjF__(up9$XG*G6W_iuIu&TKhJ? zT}w-gJlDH}p}=8Fb8>MdfCX0yx(ZaV0LaQ$Am5=B9b=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiGroup for PodSecurityPolicy. +*/}} +{{- define "podSecurityPolicy.apiGroup" -}} +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "policy" -}} +{{- else -}} +{{- print "extensions" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for PodSecurityPolicy. +*/}} +{{- define "podSecurityPolicy.apiVersion" -}} +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "policy/v1beta1" -}} +{{- else -}} +{{- print "extensions/v1beta1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Redis(TM) image name +*/}} +{{- define "redis.image" -}} +{{- $registryName := .Values.image.registry -}} +{{- $repositoryName := .Values.image.repository -}} +{{- $tag := .Values.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. +Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Redis(TM) Sentinel image name +*/}} +{{- define "sentinel.image" -}} +{{- $registryName := .Values.sentinel.image.registry -}} +{{- $repositoryName := .Values.sentinel.image.repository -}} +{{- $tag := .Values.sentinel.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. +Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper image name (for the metrics image) +*/}} +{{- define "redis.metrics.image" -}} +{{- $registryName := .Values.metrics.image.registry -}} +{{- $repositoryName := .Values.metrics.image.repository -}} +{{- $tag := .Values.metrics.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. +Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper image name (for the sentinel metrics image) +*/}} +{{- define "sentinel.metrics.image" -}} +{{- $registryName := .Values.sentinel.metrics.image.registry -}} +{{- $repositoryName := .Values.sentinel.metrics.image.repository -}} +{{- $tag := .Values.sentinel.metrics.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. +Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "redis.volumePermissions.image" -}} +{{- $registryName := .Values.volumePermissions.image.registry -}} +{{- $repositoryName := .Values.volumePermissions.image.repository -}} +{{- $tag := .Values.volumePermissions.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. +Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the cert file. +*/}} +{{- define "redis.tlsCert" -}} +{{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/redis/certs/%s" -}} +{{- end -}} + +{{/* +Return the path to the cert key file. +*/}} +{{- define "redis.tlsCertKey" -}} +{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/redis/certs/%s" -}} +{{- end -}} + +{{/* +Return the path to the CA cert file. +*/}} +{{- define "redis.tlsCACert" -}} +{{- required "Certificate CA filename is required when TLS in enabled" .Values.tls.certCAFilename | printf "/opt/bitnami/redis/certs/%s" -}} +{{- end -}} + +{{/* +Return the path to the DH params file. +*/}} +{{- define "redis.tlsDHParams" -}} +{{- if .Values.tls.dhParamsFilename -}} +{{- printf "/opt/bitnami/redis/certs/%s" .Values.tls.dhParamsFilename -}} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "redis.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "redis.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Get the password secret. +*/}} +{{- define "redis.secretName" -}} +{{- if .Values.existingSecret -}} +{{- printf "%s" .Values.existingSecret -}} +{{- else -}} +{{- printf "%s" (include "redis.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the password key to be retrieved from Redis(TM) secret. +*/}} +{{- define "redis.secretPasswordKey" -}} +{{- if and .Values.existingSecret .Values.existingSecretPasswordKey -}} +{{- printf "%s" .Values.existingSecretPasswordKey -}} +{{- else -}} +{{- printf "redis-password" -}} +{{- end -}} +{{- end -}} + +{{/* +Return Redis(TM) password +*/}} +{{- define "redis.password" -}} +{{- if not (empty .Values.global.redis.password) }} + {{- .Values.global.redis.password -}} +{{- else if not (empty .Values.password) -}} + {{- .Values.password -}} +{{- else -}} + {{- randAlphaNum 10 -}} +{{- end -}} +{{- end -}} + +{{/* +Return sysctl image +*/}} +{{- define "redis.sysctl.image" -}} +{{- $registryName := default "docker.io" .Values.sysctlImage.registry -}} +{{- $repositoryName := .Values.sysctlImage.repository -}} +{{- $tag := default "buster" .Values.sysctlImage.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. +Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "redis.imagePullSecrets" -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. +Also, we can not use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.sysctlImage.pullSecrets .Values.volumePermissions.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.metrics.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.sysctlImage.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.volumePermissions.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end -}} +{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.sysctlImage.pullSecrets .Values.volumePermissions.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.metrics.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.sysctlImage.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.volumePermissions.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* Check if there are rolling tags in the images */}} +{{- define "redis.checkRollingTags" -}} +{{- if and (contains "bitnami/" .Values.image.repository) (not (.Values.image.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .Values.image.repository }}:{{ .Values.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ +{{- end }} +{{- if and (contains "bitnami/" .Values.sentinel.image.repository) (not (.Values.sentinel.image.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .Values.sentinel.image.repository }}:{{ .Values.sentinel.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ +{{- end }} +{{- end -}} + +{{/* +Return the proper Storage Class for master +*/}} +{{- define "redis.master.storageClass" -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. +*/}} +{{- if .Values.global -}} + {{- if .Values.global.storageClass -}} + {{- if (eq "-" .Values.global.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.global.storageClass -}} + {{- end -}} + {{- else -}} + {{- if .Values.master.persistence.storageClass -}} + {{- if (eq "-" .Values.master.persistence.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.master.persistence.storageClass -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- else -}} + {{- if .Values.master.persistence.storageClass -}} + {{- if (eq "-" .Values.master.persistence.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.master.persistence.storageClass -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Storage Class for slave +*/}} +{{- define "redis.slave.storageClass" -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. +*/}} +{{- if .Values.global -}} + {{- if .Values.global.storageClass -}} + {{- if (eq "-" .Values.global.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.global.storageClass -}} + {{- end -}} + {{- else -}} + {{- if .Values.slave.persistence.storageClass -}} + {{- if (eq "-" .Values.slave.persistence.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.slave.persistence.storageClass -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- else -}} + {{- if .Values.slave.persistence.storageClass -}} + {{- if (eq "-" .Values.slave.persistence.storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" .Values.slave.persistence.storageClass -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Compile all warnings into a single message, and call fail. +*/}} +{{- define "redis.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "redis.validateValues.spreadConstraints" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* Validate values of Redis(TM) - spreadConstrainsts K8s version */}} +{{- define "redis.validateValues.spreadConstraints" -}} +{{- if and (semverCompare "<1.16-0" .Capabilities.KubeVersion.GitVersion) .Values.slave.spreadConstraints -}} +redis: spreadConstraints + Pod Topology Spread Constraints are only available on K8s >= 1.16 + Find more information at https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +{{- end -}} +{{- end -}} + +{{/* +Renders a value that contains template. +Usage: +{{ include "redis.tplValue" (dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "redis.tplValue" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} diff --git a/stable/ckan/charts/redis/templates/configmap-scripts.yaml b/stable/ckan/charts/redis/templates/configmap-scripts.yaml new file mode 100644 index 00000000..6d740272 --- /dev/null +++ b/stable/ckan/charts/redis/templates/configmap-scripts.yaml @@ -0,0 +1,430 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "redis.fullname" . }}-scripts + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: +{{- if and .Values.cluster.enabled .Values.sentinel.enabled }} + start-node.sh: | + #!/bin/bash + + . /opt/bitnami/scripts/libos.sh + . /opt/bitnami/scripts/liblog.sh + . /opt/bitnami/scripts/libvalidations.sh + + not_exists_dns_entry() { + myip=$(hostname -i) + + if [[ -z "$(getent ahosts "$HEADLESS_SERVICE" | grep "^${myip}" )" ]]; then + warn "$HEADLESS_SERVICE does not contain the IP of this pod: ${myip}" + return 1 + fi + info "$HEADLESS_SERVICE has my IP: ${myip}" + return 0 + } + + HEADLESS_SERVICE="{{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + REDIS_SERVICE="{{ template "redis.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + + # Waits for DNS to add this ip to the service DNS entry + retry_while not_exists_dns_entry + + export REDIS_REPLICATION_MODE="slave" + if [[ -z "$(getent ahosts "$HEADLESS_SERVICE" | grep -v "^$(hostname -i) ")" ]]; then + export REDIS_REPLICATION_MODE="master" + fi + + {{- if and .Values.securityContext.runAsUser (eq (.Values.securityContext.runAsUser | int) 0) }} + useradd redis + chown -R redis {{ .Values.slave.persistence.path }} + {{- end }} + + if [[ -n $REDIS_PASSWORD_FILE ]]; then + password_aux=`cat ${REDIS_PASSWORD_FILE}` + export REDIS_PASSWORD=$password_aux + fi + + if [[ -n $REDIS_MASTER_PASSWORD_FILE ]]; then + password_aux=`cat ${REDIS_MASTER_PASSWORD_FILE}` + export REDIS_MASTER_PASSWORD=$password_aux + fi + + if [[ "$REDIS_REPLICATION_MODE" == "master" ]]; then + echo "I am master" + if [[ ! -f /opt/bitnami/redis/etc/master.conf ]];then + cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf + fi + else + if [[ ! -f /opt/bitnami/redis/etc/replica.conf ]];then + cp /opt/bitnami/redis/mounted-etc/replica.conf /opt/bitnami/redis/etc/replica.conf + fi + + if is_boolean_yes "$REDIS_TLS_ENABLED"; then + sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h $REDIS_SERVICE -p {{ .Values.sentinel.port }} --tls --cert ${REDIS_TLS_CERT_FILE} --key ${REDIS_TLS_KEY_FILE} --cacert ${REDIS_TLS_CA_FILE} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" + else + sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h $REDIS_SERVICE -p {{ .Values.sentinel.port }} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" + fi + REDIS_SENTINEL_INFO=($($sentinel_info_command)) + REDIS_MASTER_HOST=${REDIS_SENTINEL_INFO[0]} + REDIS_MASTER_PORT_NUMBER=${REDIS_SENTINEL_INFO[1]} + + + # Immediately attempt to connect to the reported master. If it doesn't exist the connection attempt will either hang + # or fail with "port unreachable" and give no data. The liveness check will then timeout waiting for the redis + # container to be ready and restart the it. By then the new master will likely have been elected + if is_boolean_yes "$REDIS_TLS_ENABLED"; then + sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h $REDIS_MASTER_HOST -p {{ .Values.sentinel.port }} --tls --cert ${REDIS_TLS_CERT_FILE} --key ${REDIS_TLS_KEY_FILE} --cacert ${REDIS_TLS_CA_FILE} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" + else + sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h $REDIS_MASTER_HOST -p {{ .Values.sentinel.port }} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" + fi + + if [[ ! ($($sentinel_info_command)) ]]; then + # master doesn't actually exist, this probably means the remaining pods haven't elected a new one yet + # and are reporting the old one still. Once this happens the container will get stuck and never see the new + # master. We stop here to allow the container to not pass the liveness check and be restarted. + exit 1 + fi + fi + + if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then + cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf + fi + {{- if .Values.tls.enabled }} + ARGS=("--port" "0") + ARGS+=("--tls-port" "${REDIS_TLS_PORT}") + ARGS+=("--tls-cert-file" "${REDIS_TLS_CERT_FILE}") + ARGS+=("--tls-key-file" "${REDIS_TLS_KEY_FILE}") + ARGS+=("--tls-ca-cert-file" "${REDIS_TLS_CA_FILE}") + ARGS+=("--tls-auth-clients" "${REDIS_TLS_AUTH_CLIENTS}") + ARGS+=("--tls-replication" "yes") + {{- if .Values.tls.dhParamsFilename }} + ARGS+=("--tls-dh-params-file" "${REDIS_TLS_DH_PARAMS_FILE}") + {{- end }} + {{- else }} + ARGS=("--port" "${REDIS_PORT}") + {{- end }} + + if [[ "$REDIS_REPLICATION_MODE" == "slave" ]]; then + ARGS+=("--slaveof" "${REDIS_MASTER_HOST}" "${REDIS_MASTER_PORT_NUMBER}") + fi + + {{- if .Values.usePassword }} + ARGS+=("--requirepass" "${REDIS_PASSWORD}") + ARGS+=("--masterauth" "${REDIS_MASTER_PASSWORD}") + {{- else }} + ARGS+=("--protected-mode" "no") + {{- end }} + + if [[ "$REDIS_REPLICATION_MODE" == "master" ]]; then + ARGS+=("--include" "/opt/bitnami/redis/etc/master.conf") + else + ARGS+=("--include" "/opt/bitnami/redis/etc/replica.conf") + fi + + ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") + {{- if .Values.slave.extraFlags }} + {{- range .Values.slave.extraFlags }} + ARGS+=({{ . | quote }}) + {{- end }} + {{- end }} + + {{- if .Values.slave.preExecCmds }} + {{ .Values.slave.preExecCmds | nindent 4}} + {{- end }} + + {{- if .Values.slave.command }} + exec {{ .Values.slave.command }} "${ARGS[@]}" + {{- else }} + exec redis-server "${ARGS[@]}" + {{- end }} + + start-sentinel.sh: | + #!/bin/bash + + . /opt/bitnami/scripts/libos.sh + . /opt/bitnami/scripts/libvalidations.sh + . /opt/bitnami/scripts/libfile.sh + + sentinel_conf_set() { + local -r key="${1:?missing key}" + local value="${2:-}" + + # Sanitize inputs + value="${value//\\/\\\\}" + value="${value//&/\\&}" + value="${value//\?/\\?}" + [[ "$value" = "" ]] && value="\"$value\"" + + replace_in_file "/opt/bitnami/redis-sentinel/etc/sentinel.conf" "^#*\s*${key} .*" "${key} ${value}" false + } + sentinel_conf_add() { + echo $'\n'"$@" >> "/opt/bitnami/redis-sentinel/etc/sentinel.conf" + } + host_id() { + echo "$1" | openssl sha1 | awk '{print $2}' + } + not_exists_dns_entry() { + myip=$(hostname -i) + + if [[ -z "$(getent ahosts "$HEADLESS_SERVICE" | grep "^${myip}" )" ]]; then + warn "$HEADLESS_SERVICE does not contain the IP of this pod: ${myip}" + return 1 + fi + info "$HEADLESS_SERVICE has my IP: ${myip}" + return 0 + } + + HEADLESS_SERVICE="{{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + REDIS_SERVICE="{{ template "redis.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + + if [[ -n $REDIS_PASSWORD_FILE ]]; then + password_aux=`cat ${REDIS_PASSWORD_FILE}` + export REDIS_PASSWORD=$password_aux + fi + + if [[ ! -f /opt/bitnami/redis-sentinel/etc/sentinel.conf ]]; then + cp /opt/bitnami/redis-sentinel/mounted-etc/sentinel.conf /opt/bitnami/redis-sentinel/etc/sentinel.conf + {{- if .Values.usePassword }} + printf "\nsentinel auth-pass %s %s" "{{ .Values.sentinel.masterSet }}" "$REDIS_PASSWORD" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + {{- if .Values.sentinel.usePassword }} + printf "\nrequirepass %s" "$REDIS_PASSWORD" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + {{- end }} + {{- end }} + {{- if .Values.sentinel.staticID }} + printf "\nsentinel myid %s" "$(host_id "$HOSTNAME")" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf + {{- end }} + fi + + export REDIS_REPLICATION_MODE="slave" + + # Waits for DNS to add this ip to the service DNS entry + retry_while not_exists_dns_entry + + if [[ -z "$(getent ahosts "$HEADLESS_SERVICE" | grep -v "^$(hostname -i)")" ]]; then + export REDIS_REPLICATION_MODE="master" + fi + + # Clean sentineles from the current sentinel nodes + for node in $( getent ahosts "$HEADLESS_SERVICE" | grep -v "^$(hostname -i)" | cut -f 1 -d ' ' | uniq ); do + info "Cleaning sentinels in sentinel node: $node" + if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then + redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h $node -p {{ .Values.sentinel.port }} --tls --cert ${REDIS_SENTINEL_TLS_CERT_FILE} --key ${REDIS_SENTINEL_TLS_KEY_FILE} --cacert ${REDIS_SENTINEL_TLS_CA_FILE} sentinel reset "*" + else + redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h $node -p {{ .Values.sentinel.port }} sentinel reset "*" + fi + sleep {{ .Values.sentinel.cleanDelaySeconds }} + done + info "Sentinels clean up done" + + if [[ "$REDIS_REPLICATION_MODE" == "master" ]]; then + REDIS_MASTER_HOST="$(hostname -i)" + REDIS_MASTER_PORT_NUMBER="{{ .Values.redisPort }}" + else + if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then + sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h $REDIS_SERVICE -p {{ .Values.sentinel.port }} --tls --cert ${REDIS_SENTINEL_TLS_CERT_FILE} --key ${REDIS_SENTINEL_TLS_KEY_FILE} --cacert ${REDIS_SENTINEL_TLS_CA_FILE} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" + else + sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h $REDIS_SERVICE -p {{ .Values.sentinel.port }} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" + fi + REDIS_SENTINEL_INFO=($($sentinel_info_command)) + REDIS_MASTER_HOST=${REDIS_SENTINEL_INFO[0]} + REDIS_MASTER_PORT_NUMBER=${REDIS_SENTINEL_INFO[1]} + + # Immediately attempt to connect to the reported master. If it doesn't exist the connection attempt will either hang + # or fail with "port unreachable" and give no data. The liveness check will then timeout waiting for the sentinel + # container to be ready and restart the it. By then the new master will likely have been elected + if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then + sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h $REDIS_MASTER_HOST -p {{ .Values.sentinel.port }} --tls --cert ${REDIS_SENTINEL_TLS_CERT_FILE} --key ${REDIS_SENTINEL_TLS_KEY_FILE} --cacert ${REDIS_SENTINEL_TLS_CA_FILE} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" + else + sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h $REDIS_MASTER_HOST -p {{ .Values.sentinel.port }} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" + fi + + if [[ ! ($($sentinel_info_command)) ]]; then + # master doesn't actually exist, this probably means the remaining pods haven't elected a new one yet + # and are reporting the old one still. Once this happens the container will get stuck and never see the new + # master. We stop here to allow the container to not pass the liveness check and be restarted. + exit 1 + fi + fi + sentinel_conf_set "sentinel monitor" "{{ .Values.sentinel.masterSet }} "$REDIS_MASTER_HOST" "$REDIS_MASTER_PORT_NUMBER" {{ .Values.sentinel.quorum }}" + + add_replica() { + if [[ "$1" != "$REDIS_MASTER_HOST" ]]; then + sentinel_conf_add "sentinel known-replica {{ .Values.sentinel.masterSet }} $1 {{ .Values.redisPort }}" + fi + } + + {{- if .Values.sentinel.staticID }} + # remove generated known sentinels and replicas + tmp="$(sed -e '/^sentinel known-/d' -e '/^$/d' /opt/bitnami/redis-sentinel/etc/sentinel.conf)" + echo "$tmp" > /opt/bitnami/redis-sentinel/etc/sentinel.conf + + for node in $(seq 0 {{ .Values.cluster.slaveCount }}); do + NAME="{{ template "redis.fullname" . }}-node-$node" + IP="$(getent hosts "$NAME.$HEADLESS_SERVICE" | awk ' {print $1 }')" + if [[ "$NAME" != "$HOSTNAME" && -n "$IP" ]]; then + sentinel_conf_add "sentinel known-sentinel {{ .Values.sentinel.masterSet }} $IP {{ .Values.sentinel.port }} $(host_id "$NAME")" + add_replica "$IP" + fi + done + add_replica "$(hostname -i)" + {{- end }} + + {{- if .Values.tls.enabled }} + ARGS=("--port" "0") + ARGS+=("--tls-port" "${REDIS_SENTINEL_TLS_PORT_NUMBER}") + ARGS+=("--tls-cert-file" "${REDIS_SENTINEL_TLS_CERT_FILE}") + ARGS+=("--tls-key-file" "${REDIS_SENTINEL_TLS_KEY_FILE}") + ARGS+=("--tls-ca-cert-file" "${REDIS_SENTINEL_TLS_CA_FILE}") + ARGS+=("--tls-replication" "yes") + ARGS+=("--tls-auth-clients" "${REDIS_SENTINEL_TLS_AUTH_CLIENTS}") + {{- if .Values.tls.dhParamsFilename }} + ARGS+=("--tls-dh-params-file" "${REDIS_SENTINEL_TLS_DH_PARAMS_FILE}") + {{- end }} + {{- end }} + {{- if .Values.sentinel.preExecCmds }} + {{ .Values.sentinel.preExecCmds | nindent 4 }} + {{- end }} + exec redis-server /opt/bitnami/redis-sentinel/etc/sentinel.conf --sentinel {{- if .Values.tls.enabled }} "${ARGS[@]}" {{- end }} + prestop-sentinel.sh: | + #!/bin/bash + + . /opt/bitnami/scripts/libvalidations.sh + + REDIS_SERVICE="{{ include "redis.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" + + if [[ -n "$REDIS_PASSWORD_FILE" ]]; then + password_aux=$(cat "$REDIS_PASSWORD_FILE") + export REDIS_PASSWORD="$password_aux" + fi + + if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then + sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a ${REDIS_PASSWORD} {{- end }} -h ${REDIS_SERVICE} -p {{ .Values.sentinel.port }} --tls --cert ${REDIS_SENTINEL_TLS_CERT_FILE} --key ${REDIS_SENTINEL_TLS_KEY_FILE} --cacert ${REDIS_SENTINEL_TLS_CA_FILE} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" + else + sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a ${REDIS_PASSWORD} {{- end }} -h ${REDIS_SERVICE} -p {{ .Values.sentinel.port }} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" + fi + REDIS_SENTINEL_INFO=($($sentinel_info_command)) + REDIS_MASTER_HOST="${REDIS_SENTINEL_INFO[0]}" + + if [[ "$REDIS_MASTER_HOST" == "$(hostname -i)" ]]; then + if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then + redis-cli {{- if .Values.usePassword }} -a "$REDIS_PASSWORD" {{- end }} -h "$REDIS_SERVICE" -p {{ .Values.sentinel.port }} --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel failover mymaster + else + redis-cli {{- if .Values.usePassword }} -a "$REDIS_PASSWORD" {{- end }} -h "$REDIS_SERVICE" -p {{ .Values.sentinel.port }} sentinel failover mymaster + fi + fi +{{- else }} + start-master.sh: | + #!/bin/bash + {{- if and .Values.securityContext.runAsUser (eq (.Values.securityContext.runAsUser | int) 0) }} + useradd redis + chown -R redis {{ .Values.master.persistence.path }} + {{- end }} + if [[ -n $REDIS_PASSWORD_FILE ]]; then + password_aux=`cat ${REDIS_PASSWORD_FILE}` + export REDIS_PASSWORD=$password_aux + fi + if [[ ! -f /opt/bitnami/redis/etc/master.conf ]];then + cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf + fi + if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then + cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf + fi + {{- if .Values.tls.enabled }} + ARGS=("--port" "0") + ARGS+=("--tls-port" "${REDIS_TLS_PORT}") + ARGS+=("--tls-cert-file" "${REDIS_TLS_CERT_FILE}") + ARGS+=("--tls-key-file" "${REDIS_TLS_KEY_FILE}") + ARGS+=("--tls-ca-cert-file" "${REDIS_TLS_CA_FILE}") + ARGS+=("--tls-auth-clients" "${REDIS_TLS_AUTH_CLIENTS}") + {{- if .Values.tls.dhParamsFilename }} + ARGS+=("--tls-dh-params-file" "${REDIS_TLS_DH_PARAMS_FILE}") + {{- end }} + {{- else }} + ARGS=("--port" "${REDIS_PORT}") + {{- end }} + {{- if .Values.usePassword }} + ARGS+=("--requirepass" "${REDIS_PASSWORD}") + ARGS+=("--masterauth" "${REDIS_PASSWORD}") + {{- else }} + ARGS+=("--protected-mode" "no") + {{- end }} + ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") + ARGS+=("--include" "/opt/bitnami/redis/etc/master.conf") + {{- if .Values.master.extraFlags }} + {{- range .Values.master.extraFlags }} + ARGS+=({{ . | quote }}) + {{- end }} + {{- end }} + {{- if .Values.master.preExecCmds }} + {{ .Values.master.preExecCmds | nindent 4}} + {{- end }} + {{- if .Values.master.command }} + exec {{ .Values.master.command }} "${ARGS[@]}" + {{- else }} + exec redis-server "${ARGS[@]}" + {{- end }} + {{- if .Values.cluster.enabled }} + start-slave.sh: | + #!/bin/bash + {{- if and .Values.securityContext.runAsUser (eq (.Values.securityContext.runAsUser | int) 0) }} + useradd redis + chown -R redis {{ .Values.slave.persistence.path }} + {{- end }} + if [[ -n $REDIS_PASSWORD_FILE ]]; then + password_aux=`cat ${REDIS_PASSWORD_FILE}` + export REDIS_PASSWORD=$password_aux + fi + if [[ -n $REDIS_MASTER_PASSWORD_FILE ]]; then + password_aux=`cat ${REDIS_MASTER_PASSWORD_FILE}` + export REDIS_MASTER_PASSWORD=$password_aux + fi + if [[ ! -f /opt/bitnami/redis/etc/replica.conf ]];then + cp /opt/bitnami/redis/mounted-etc/replica.conf /opt/bitnami/redis/etc/replica.conf + fi + if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then + cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf + fi + {{- if .Values.tls.enabled }} + ARGS=("--port" "0") + ARGS+=("--tls-port" "${REDIS_TLS_PORT}") + ARGS+=("--tls-cert-file" "${REDIS_TLS_CERT_FILE}") + ARGS+=("--tls-key-file" "${REDIS_TLS_KEY_FILE}") + ARGS+=("--tls-ca-cert-file" "${REDIS_TLS_CA_FILE}") + ARGS+=("--tls-auth-clients" "${REDIS_TLS_AUTH_CLIENTS}") + ARGS+=("--tls-replication" "yes") + {{- if .Values.tls.dhParamsFilename }} + ARGS+=("--tls-dh-params-file" "${REDIS_TLS_DH_PARAMS_FILE}") + {{- end }} + {{- else }} + ARGS=("--port" "${REDIS_PORT}") + {{- end }} + ARGS+=("--slaveof" "${REDIS_MASTER_HOST}" "${REDIS_MASTER_PORT_NUMBER}") + {{- if .Values.usePassword }} + ARGS+=("--requirepass" "${REDIS_PASSWORD}") + ARGS+=("--masterauth" "${REDIS_MASTER_PASSWORD}") + {{- else }} + ARGS+=("--protected-mode" "no") + {{- end }} + ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") + ARGS+=("--include" "/opt/bitnami/redis/etc/replica.conf") + {{- if .Values.slave.extraFlags }} + {{- range .Values.slave.extraFlags }} + ARGS+=({{ . | quote }}) + {{- end }} + {{- end }} + {{- if .Values.slave.preExecCmds }} + {{ .Values.slave.preExecCmds | nindent 4}} + {{- end }} + {{- if .Values.slave.command }} + exec {{ .Values.slave.command }} "${ARGS[@]}" + {{- else }} + exec redis-server "${ARGS[@]}" + {{- end }} + {{- end }} + +{{- end -}} diff --git a/stable/ckan/charts/redis/templates/configmap.yaml b/stable/ckan/charts/redis/templates/configmap.yaml new file mode 100644 index 00000000..77bdc81e --- /dev/null +++ b/stable/ckan/charts/redis/templates/configmap.yaml @@ -0,0 +1,53 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "redis.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + redis.conf: |- +{{- if .Values.configmap }} + # User-supplied configuration: +{{- tpl .Values.configmap . | nindent 4 }} +{{- end }} + master.conf: |- + dir {{ .Values.master.persistence.path }} +{{- if .Values.master.configmap }} + # User-supplied master configuration: +{{- tpl .Values.master.configmap . | nindent 4 }} +{{- end }} +{{- if .Values.master.disableCommands }} +{{- range .Values.master.disableCommands }} + rename-command {{ . }} "" +{{- end }} +{{- end }} + replica.conf: |- + dir {{ .Values.slave.persistence.path }} + slave-read-only yes +{{- if .Values.slave.configmap }} + # User-supplied slave configuration: +{{- tpl .Values.slave.configmap . | nindent 4 }} +{{- end }} +{{- if .Values.slave.disableCommands }} +{{- range .Values.slave.disableCommands }} + rename-command {{ . }} "" +{{- end }} +{{- end }} +{{- if .Values.sentinel.enabled }} + sentinel.conf: |- + dir "/tmp" + bind 0.0.0.0 + port {{ .Values.sentinel.port }} + sentinel monitor {{ .Values.sentinel.masterSet }} {{ template "redis.fullname" . }}-node-0.{{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} {{ .Values.redisPort }} {{ .Values.sentinel.quorum }} + sentinel down-after-milliseconds {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.downAfterMilliseconds }} + sentinel failover-timeout {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.failoverTimeout }} + sentinel parallel-syncs {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.parallelSyncs }} +{{- if .Values.sentinel.configmap }} + # User-supplied sentinel configuration: +{{- tpl .Values.sentinel.configmap . | nindent 4 }} +{{- end }} +{{- end }} diff --git a/stable/ckan/charts/redis/templates/headless-svc.yaml b/stable/ckan/charts/redis/templates/headless-svc.yaml new file mode 100644 index 00000000..d758c0d2 --- /dev/null +++ b/stable/ckan/charts/redis/templates/headless-svc.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "redis.fullname" . }}-headless + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + type: ClusterIP + clusterIP: None + {{- if .Values.sentinel.enabled }} + publishNotReadyAddresses: true + {{- end }} + ports: + - name: tcp-redis + port: {{ .Values.redisPort }} + targetPort: redis + {{- if .Values.sentinel.enabled }} + - name: tcp-sentinel + port: {{ .Values.sentinel.port }} + targetPort: redis-sentinel + {{- end }} + selector: + app: {{ template "redis.name" . }} + release: {{ .Release.Name }} diff --git a/stable/ckan/charts/redis/templates/health-configmap.yaml b/stable/ckan/charts/redis/templates/health-configmap.yaml new file mode 100644 index 00000000..1bb8e74d --- /dev/null +++ b/stable/ckan/charts/redis/templates/health-configmap.yaml @@ -0,0 +1,176 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "redis.fullname" . }}-health + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + ping_readiness_local.sh: |- + #!/bin/bash +{{- if .Values.usePasswordFile }} + password_aux=`cat ${REDIS_PASSWORD_FILE}` + export REDIS_PASSWORD=$password_aux +{{- end }} + export REDISCLI_AUTH="$REDIS_PASSWORD" + response=$( + timeout -s 3 $1 \ + redis-cli \ + -h localhost \ +{{- if .Values.tls.enabled }} + -p $REDIS_TLS_PORT \ + --tls \ + --cacert {{ template "redis.tlsCACert" . }} \ + {{- if .Values.tls.authClients }} + --cert {{ template "redis.tlsCert" . }} \ + --key {{ template "redis.tlsCertKey" . }} \ + {{- end }} +{{- else }} + -p $REDIS_PORT \ +{{- end }} + ping + ) + if [ "$response" != "PONG" ]; then + echo "$response" + exit 1 + fi + ping_liveness_local.sh: |- + #!/bin/bash +{{- if .Values.usePasswordFile }} + password_aux=`cat ${REDIS_PASSWORD_FILE}` + export REDIS_PASSWORD=$password_aux +{{- end }} + export REDISCLI_AUTH="$REDIS_PASSWORD" + response=$( + timeout -s 3 $1 \ + redis-cli \ + -h localhost \ +{{- if .Values.tls.enabled }} + -p $REDIS_TLS_PORT \ + --tls \ + --cacert {{ template "redis.tlsCACert" . }} \ + {{- if .Values.tls.authClients }} + --cert {{ template "redis.tlsCert" . }} \ + --key {{ template "redis.tlsCertKey" . }} \ + {{- end }} +{{- else }} + -p $REDIS_PORT \ +{{- end }} + ping + ) + if [ "$response" != "PONG" ] && [ "$response" != "LOADING Redis is loading the dataset in memory" ]; then + echo "$response" + exit 1 + fi +{{- if .Values.sentinel.enabled }} + ping_sentinel.sh: |- + #!/bin/bash +{{- if .Values.usePasswordFile }} + password_aux=`cat ${REDIS_PASSWORD_FILE}` + export REDIS_PASSWORD=$password_aux +{{- end }} + export REDISCLI_AUTH="$REDIS_PASSWORD" + response=$( + timeout -s 3 $1 \ + redis-cli \ + -h localhost \ +{{- if .Values.tls.enabled }} + -p $REDIS_SENTINEL_TLS_PORT_NUMBER \ + --tls \ + --cacert {{ template "redis.tlsCACert" . }} \ + {{- if .Values.tls.authClients }} + --cert {{ template "redis.tlsCert" . }} \ + --key {{ template "redis.tlsCertKey" . }} \ + {{- end }} +{{- else }} + -p $REDIS_SENTINEL_PORT \ +{{- end }} + ping + ) + if [ "$response" != "PONG" ]; then + echo "$response" + exit 1 + fi + parse_sentinels.awk: |- + /ip/ {FOUND_IP=1} + /port/ {FOUND_PORT=1} + /runid/ {FOUND_RUNID=1} + !/ip|port|runid/ { + if (FOUND_IP==1) { + IP=$1; FOUND_IP=0; + } + else if (FOUND_PORT==1) { + PORT=$1; + FOUND_PORT=0; + } else if (FOUND_RUNID==1) { + printf "\nsentinel known-sentinel {{ .Values.sentinel.masterSet }} %s %s %s", IP, PORT, $0; FOUND_RUNID=0; + } + } +{{- end }} + ping_readiness_master.sh: |- + #!/bin/bash +{{- if .Values.usePasswordFile }} + password_aux=`cat ${REDIS_MASTER_PASSWORD_FILE}` + export REDIS_MASTER_PASSWORD=$password_aux +{{- end }} + export REDISCLI_AUTH="$REDIS_MASTER_PASSWORD" + response=$( + timeout -s 3 $1 \ + redis-cli \ + -h $REDIS_MASTER_HOST \ + -p $REDIS_MASTER_PORT_NUMBER \ +{{- if .Values.tls.enabled }} + --tls \ + --cacert {{ template "redis.tlsCACert" . }} \ + {{- if .Values.tls.authClients }} + --cert {{ template "redis.tlsCert" . }} \ + --key {{ template "redis.tlsCertKey" . }} \ + {{- end }} +{{- end }} + ping + ) + if [ "$response" != "PONG" ]; then + echo "$response" + exit 1 + fi + ping_liveness_master.sh: |- + #!/bin/bash +{{- if .Values.usePasswordFile }} + password_aux=`cat ${REDIS_MASTER_PASSWORD_FILE}` + export REDIS_MASTER_PASSWORD=$password_aux +{{- end }} + export REDISCLI_AUTH="$REDIS_MASTER_PASSWORD" + response=$( + timeout -s 3 $1 \ + redis-cli \ + -h $REDIS_MASTER_HOST \ + -p $REDIS_MASTER_PORT_NUMBER \ +{{- if .Values.tls.enabled }} + --tls \ + --cacert {{ template "redis.tlsCACert" . }} \ + {{- if .Values.tls.authClients }} + --cert {{ template "redis.tlsCert" . }} \ + --key {{ template "redis.tlsCertKey" . }} \ + {{- end }} +{{- end }} + ping + ) + if [ "$response" != "PONG" ] && [ "$response" != "LOADING Redis is loading the dataset in memory" ]; then + echo "$response" + exit 1 + fi + ping_readiness_local_and_master.sh: |- + script_dir="$(dirname "$0")" + exit_status=0 + "$script_dir/ping_readiness_local.sh" $1 || exit_status=$? + "$script_dir/ping_readiness_master.sh" $1 || exit_status=$? + exit $exit_status + ping_liveness_local_and_master.sh: |- + script_dir="$(dirname "$0")" + exit_status=0 + "$script_dir/ping_liveness_local.sh" $1 || exit_status=$? + "$script_dir/ping_liveness_master.sh" $1 || exit_status=$? + exit $exit_status diff --git a/stable/ckan/charts/redis/templates/metrics-prometheus.yaml b/stable/ckan/charts/redis/templates/metrics-prometheus.yaml new file mode 100644 index 00000000..ed53dc6e --- /dev/null +++ b/stable/ckan/charts/redis/templates/metrics-prometheus.yaml @@ -0,0 +1,39 @@ +{{- if and (.Values.metrics.enabled) (.Values.metrics.serviceMonitor.enabled) }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "redis.fullname" . }} + {{- if .Values.metrics.serviceMonitor.namespace }} + namespace: {{ .Values.metrics.serviceMonitor.namespace }} + {{- else }} + namespace: {{ .Release.Namespace | quote }} + {{- end }} + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- range $key, $value := .Values.metrics.serviceMonitor.selector }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + endpoints: + - port: metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }} + {{- end }} + selector: + matchLabels: + app: {{ template "redis.name" . }} + release: {{ .Release.Name }} + app.kubernetes.io/component: "metrics" + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} +{{- end -}} diff --git a/stable/ckan/charts/redis/templates/metrics-sentinel-prometheus.yaml b/stable/ckan/charts/redis/templates/metrics-sentinel-prometheus.yaml new file mode 100644 index 00000000..43cc2aa3 --- /dev/null +++ b/stable/ckan/charts/redis/templates/metrics-sentinel-prometheus.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.sentinel.enabled .Values.sentinel.metrics.enabled .Values.sentinel.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "redis.fullname" . }}-sentinel-metrics + {{- if .Values.sentinel.metrics.serviceMonitor.namespace }} + namespace: {{ .Values.sentinel.metrics.serviceMonitor.namespace }} + {{- else }} + namespace: {{ .Release.Namespace | quote }} + {{- end }} + labels: + app: {{ include "redis.name" . }} + chart: {{ include "redis.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- range $key, $value := .Values.sentinel.metrics.serviceMonitor.selector }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + endpoints: + - port: sentinelmetrics + {{- if .Values.sentinel.metrics.serviceMonitor.interval }} + interval: {{ .Values.sentinel.metrics.serviceMonitor.interval }} + {{- end }} + selector: + matchLabels: + app: {{ include "redis.name" . }} + release: {{ .Release.Name }} + app.kubernetes.io/component: "sentinel-metrics" + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} +{{- end -}} diff --git a/stable/ckan/charts/redis/templates/metrics-sentinel-svc.yaml b/stable/ckan/charts/redis/templates/metrics-sentinel-svc.yaml new file mode 100644 index 00000000..25f3770d --- /dev/null +++ b/stable/ckan/charts/redis/templates/metrics-sentinel-svc.yaml @@ -0,0 +1,35 @@ +{{- if and .Values.sentinel.enabled .Values.sentinel.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "redis.fullname" . }}-sentinel-metrics + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ include "redis.name" . }} + chart: {{ include "redis.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + app.kubernetes.io/component: "sentinel-metrics" + {{- if .Values.sentinel.metrics.service.labels -}} + {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.metrics.service.labels "context" $) | nindent 4 }} + {{- end -}} + {{- if .Values.sentinel.metrics.service.annotations }} + annotations: {{- toYaml .Values.sentinel.metrics.service.annotations | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.sentinel.metrics.service.type }} + {{- if eq .Values.sentinel.metrics.service.type "LoadBalancer" }} + externalTrafficPolicy: {{ .Values.sentinel.metrics.service.externalTrafficPolicy }} + {{- end }} + {{- if and (eq .Values.sentinel.metrics.service.type "LoadBalancer") .Values.sentinel.metrics.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.sentinel.metrics.service.loadBalancerIP }} + {{- end }} + ports: + - port: {{ .Values.sentinel.metrics.service.port }} + targetPort: sentinelmetrics + protocol: TCP + name: sentinelmetrics + selector: + app: {{ include "redis.name" . }} + release: {{ .Release.Name }} +{{- end }} diff --git a/stable/ckan/charts/redis/templates/metrics-svc.yaml b/stable/ckan/charts/redis/templates/metrics-svc.yaml new file mode 100644 index 00000000..767a464e --- /dev/null +++ b/stable/ckan/charts/redis/templates/metrics-svc.yaml @@ -0,0 +1,34 @@ +{{- if .Values.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "redis.fullname" . }}-metrics + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + app.kubernetes.io/component: "metrics" + {{- if .Values.metrics.service.labels -}} + {{- toYaml .Values.metrics.service.labels | nindent 4 }} + {{- end -}} + {{- if .Values.metrics.service.annotations }} + annotations: {{- toYaml .Values.metrics.service.annotations | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.metrics.service.type }} + {{ if eq .Values.metrics.service.type "LoadBalancer" }} + externalTrafficPolicy: {{ .Values.metrics.service.externalTrafficPolicy }} + {{- end }} + {{ if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }} + {{- end }} + ports: + - name: metrics + port: 9121 + targetPort: metrics + selector: + app: {{ template "redis.name" . }} + release: {{ .Release.Name }} +{{- end }} diff --git a/stable/ckan/charts/redis/templates/networkpolicy.yaml b/stable/ckan/charts/redis/templates/networkpolicy.yaml new file mode 100644 index 00000000..0249bc0e --- /dev/null +++ b/stable/ckan/charts/redis/templates/networkpolicy.yaml @@ -0,0 +1,74 @@ +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ template "networkPolicy.apiVersion" . }} +metadata: + name: {{ template "redis.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "redis.name" . }} + release: {{ .Release.Name }} + {{- if .Values.cluster.enabled }} + policyTypes: + - Ingress + - Egress + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + # Allow outbound connections to other cluster pods + - ports: + - port: {{ .Values.redisPort }} + {{- if .Values.sentinel.enabled }} + - port: {{ .Values.sentinel.port }} + {{- end }} + to: + - podSelector: + matchLabels: + app: {{ template "redis.name" . }} + release: {{ .Release.Name }} + {{- end }} + ingress: + # Allow inbound connections + - ports: + - port: {{ .Values.redisPort }} + {{- if .Values.sentinel.enabled }} + - port: {{ .Values.sentinel.port }} + {{- end }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ template "redis.fullname" . }}-client: "true" + - podSelector: + matchLabels: + app: {{ template "redis.name" . }} + release: {{ .Release.Name }} + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.metrics.enabled }} + # Allow prometheus scrapes for metrics + - ports: + - port: 9121 + {{- end }} +{{- end }} diff --git a/stable/ckan/charts/redis/templates/pdb.yaml b/stable/ckan/charts/redis/templates/pdb.yaml new file mode 100644 index 00000000..b9dc54b3 --- /dev/null +++ b/stable/ckan/charts/redis/templates/pdb.yaml @@ -0,0 +1,22 @@ +{{- if .Values.podDisruptionBudget.enabled }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "redis.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} +spec: + {{- if .Values.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} + {{- end }} + {{- if .Values.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} + {{- end }} + selector: + matchLabels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + release: {{ .Release.Name }} +{{- end }} diff --git a/stable/ckan/charts/redis/templates/prometheusrule.yaml b/stable/ckan/charts/redis/templates/prometheusrule.yaml new file mode 100644 index 00000000..48ae017f --- /dev/null +++ b/stable/ckan/charts/redis/templates/prometheusrule.yaml @@ -0,0 +1,25 @@ +{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ template "redis.fullname" . }} + {{- if .Values.metrics.prometheusRule.namespace }} + namespace: {{ .Values.metrics.prometheusRule.namespace }} + {{- else }} + namespace: {{ .Release.Namespace | quote }} + {{- end }} + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +{{- with .Values.metrics.prometheusRule.additionalLabels }} +{{- toYaml . | nindent 4 }} +{{- end }} +spec: +{{- with .Values.metrics.prometheusRule.rules }} + groups: + - name: {{ template "redis.name" $ }} + rules: {{- tpl (toYaml .) $ | nindent 8 }} +{{- end }} +{{- end }} diff --git a/stable/ckan/charts/redis/templates/psp.yaml b/stable/ckan/charts/redis/templates/psp.yaml new file mode 100644 index 00000000..eca04c13 --- /dev/null +++ b/stable/ckan/charts/redis/templates/psp.yaml @@ -0,0 +1,43 @@ +{{- if .Values.podSecurityPolicy.create }} +apiVersion: {{ template "podSecurityPolicy.apiVersion" . }} +kind: PodSecurityPolicy +metadata: + name: {{ template "redis.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + allowPrivilegeEscalation: false + fsGroup: + rule: 'MustRunAs' + ranges: + - min: {{ .Values.securityContext.fsGroup }} + max: {{ .Values.securityContext.fsGroup }} + hostIPC: false + hostNetwork: false + hostPID: false + privileged: false + readOnlyRootFilesystem: false + requiredDropCapabilities: + - ALL + runAsUser: + rule: 'MustRunAs' + ranges: + - min: {{ .Values.containerSecurityContext.runAsUser }} + max: {{ .Values.containerSecurityContext.runAsUser }} + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: {{ .Values.containerSecurityContext.runAsUser }} + max: {{ .Values.containerSecurityContext.runAsUser }} + volumes: + - 'configMap' + - 'secret' + - 'emptyDir' + - 'persistentVolumeClaim' +{{- end }} diff --git a/stable/ckan/charts/redis/templates/redis-master-statefulset.yaml b/stable/ckan/charts/redis/templates/redis-master-statefulset.yaml new file mode 100644 index 00000000..80dc112a --- /dev/null +++ b/stable/ckan/charts/redis/templates/redis-master-statefulset.yaml @@ -0,0 +1,394 @@ +{{- if or (not .Values.cluster.enabled) (not .Values.sentinel.enabled) }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "redis.fullname" . }}-master + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- if .Values.master.statefulset.labels }} + {{- toYaml .Values.master.statefulset.labels | nindent 4 }} + {{- end }} +{{- if .Values.master.statefulset.annotations }} + annotations: + {{- toYaml .Values.master.statefulset.annotations | nindent 4 }} +{{- end }} +spec: + selector: + matchLabels: + app: {{ template "redis.name" . }} + release: {{ .Release.Name }} + role: master + serviceName: {{ template "redis.fullname" . }}-headless + template: + metadata: + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + release: {{ .Release.Name }} + role: master + {{- if .Values.master.podLabels }} + {{- toYaml .Values.master.podLabels | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podLabels }} + {{- toYaml .Values.metrics.podLabels | nindent 8 }} + {{- end }} + annotations: + checksum/health: {{ include (print $.Template.BasePath "/health-configmap.yaml") . | sha256sum }} + checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- if .Values.master.podAnnotations }} + {{- toYaml .Values.master.podAnnotations | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} + {{- toYaml .Values.metrics.podAnnotations | nindent 8 }} + {{- end }} + spec: + {{- include "redis.imagePullSecrets" . | nindent 6 }} + {{- if .Values.master.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.master.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "redis.serviceAccountName" . }} + {{- if .Values.master.priorityClassName }} + priorityClassName: {{ .Values.master.priorityClassName | quote }} + {{- end }} + {{- with .Values.master.affinity }} + affinity: {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- if .Values.master.nodeSelector }} + nodeSelector: {{- toYaml .Values.master.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.master.tolerations }} + tolerations: {{- toYaml .Values.master.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.master.shareProcessNamespace }} + shareProcessNamespace: {{ .Values.master.shareProcessNamespace }} + {{- end }} + {{- if .Values.master.schedulerName }} + schedulerName: {{ .Values.master.schedulerName }} + {{- end }} + containers: + - name: {{ template "redis.name" . }} + image: {{ template "redis.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + command: + - /bin/bash + - -c + - /opt/bitnami/scripts/start-scripts/start-master.sh + env: + - name: REDIS_REPLICATION_MODE + value: master + {{- if .Values.usePassword }} + {{- if .Values.usePasswordFile }} + - name: REDIS_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + {{- else }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- else }} + - name: ALLOW_EMPTY_PASSWORD + value: "yes" + {{- end }} + - name: REDIS_TLS_ENABLED + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: REDIS_TLS_PORT + value: {{ .Values.redisPort | quote }} + - name: REDIS_TLS_AUTH_CLIENTS + value: {{ ternary "yes" "no" .Values.tls.authClients | quote }} + - name: REDIS_TLS_CERT_FILE + value: {{ template "redis.tlsCert" . }} + - name: REDIS_TLS_KEY_FILE + value: {{ template "redis.tlsCertKey" . }} + - name: REDIS_TLS_CA_FILE + value: {{ template "redis.tlsCACert" . }} + {{- if .Values.tls.dhParamsFilename }} + - name: REDIS_TLS_DH_PARAMS_FILE + value: {{ template "redis.tlsDHParams" . }} + {{- end }} + {{- else }} + - name: REDIS_PORT + value: {{ .Values.redisPort | quote }} + {{- end }} + {{- if .Values.master.extraEnvVars }} + {{- include "redis.tplValue" (dict "value" .Values.master.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.master.extraEnvVarsCM .Values.master.extraEnvVarsSecret }} + envFrom: + {{- if .Values.master.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.master.extraEnvVarsCM }} + {{- end }} + {{- if .Values.master.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.master.extraEnvVarsSecret }} + {{- end }} + {{- end }} + ports: + - name: redis + containerPort: {{ .Values.redisPort }} + {{- if .Values.master.livenessProbe.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.master.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.master.livenessProbe.periodSeconds }} + # One second longer than command timeout should prevent generation of zombie processes. + timeoutSeconds: {{ add1 .Values.master.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.master.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.master.livenessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_liveness_local.sh {{ .Values.master.livenessProbe.timeoutSeconds }} + {{- else if .Values.master.customLivenessProbe }} + livenessProbe: {{- toYaml .Values.master.customLivenessProbe | nindent 12 }} + {{- end }} + {{- if .Values.master.readinessProbe.enabled}} + readinessProbe: + initialDelaySeconds: {{ .Values.master.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.master.readinessProbe.periodSeconds }} + timeoutSeconds: {{ add1 .Values.master.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.master.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.master.readinessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_readiness_local.sh {{ .Values.master.readinessProbe.timeoutSeconds }} + {{- else if .Values.master.customReadinessProbe }} + readinessProbe: {{- toYaml .Values.master.customReadinessProbe | nindent 12 }} + {{- end }} + resources: {{- toYaml .Values.master.resources | nindent 12 }} + volumeMounts: + - name: start-scripts + mountPath: /opt/bitnami/scripts/start-scripts + - name: health + mountPath: /health + {{- if .Values.usePasswordFile }} + - name: redis-password + mountPath: /opt/bitnami/redis/secrets/ + {{- end }} + - name: redis-data + mountPath: {{ .Values.master.persistence.path }} + subPath: {{ .Values.master.persistence.subPath }} + - name: config + mountPath: /opt/bitnami/redis/mounted-etc + - name: redis-tmp-conf + mountPath: /opt/bitnami/redis/etc/ + - name: tmp + mountPath: /tmp + {{- if .Values.tls.enabled }} + - name: redis-certificates + mountPath: /opt/bitnami/redis/certs + readOnly: true + {{- end }} + {{- if .Values.master.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.master.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "redis.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + command: + - /bin/bash + - -c + - | + if [[ -f '/secrets/redis-password' ]]; then + export REDIS_PASSWORD=$(cat /secrets/redis-password) + fi + redis_exporter{{- range $key, $value := .Values.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }} + env: + - name: REDIS_ALIAS + value: {{ template "redis.fullname" . }} + {{- if .Values.usePassword }} + - name: REDIS_USER + value: default + {{- if (not .Values.usePasswordFile) }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: REDIS_ADDR + value: rediss://{{ .Values.metrics.redisTargetHost }}:{{ .Values.redisPort }} + {{- if .Values.tls.authClients }} + - name: REDIS_EXPORTER_TLS_CLIENT_KEY_FILE + value: {{ template "redis.tlsCertKey" . }} + - name: REDIS_EXPORTER_TLS_CLIENT_CERT_FILE + value: {{ template "redis.tlsCert" . }} + {{- end }} + - name: REDIS_EXPORTER_TLS_CA_CERT_FILE + value: {{ template "redis.tlsCACert" . }} + {{- end }} + volumeMounts: + {{- if .Values.usePasswordFile }} + - name: redis-password + mountPath: /secrets/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: redis-certificates + mountPath: /opt/bitnami/redis/certs + readOnly: true + {{- end }} + ports: + - name: metrics + containerPort: 9121 + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} + {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.master.persistence.enabled .Values.securityContext.enabled .Values.containerSecurityContext.enabled }} + {{- if or $needsVolumePermissions .Values.sysctlImage.enabled }} + initContainers: + {{- if $needsVolumePermissions }} + - name: volume-permissions + image: "{{ template "redis.volumePermissions.image" . }}" + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + - -ec + - | + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` {{ .Values.master.persistence.path }} + {{- else }} + chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} {{ .Values.master.persistence.path }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto "}} + securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} + {{- end }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 10 }} + volumeMounts: + - name: redis-data + mountPath: {{ .Values.master.persistence.path }} + subPath: {{ .Values.master.persistence.subPath }} + {{- end }} + {{- if .Values.sysctlImage.enabled }} + - name: init-sysctl + image: {{ template "redis.sysctl.image" . }} + imagePullPolicy: {{ default "" .Values.sysctlImage.pullPolicy | quote }} + resources: {{- toYaml .Values.sysctlImage.resources | nindent 10 }} + {{- if .Values.sysctlImage.mountHostSys }} + volumeMounts: + - name: host-sys + mountPath: /host-sys + {{- end }} + command: {{- toYaml .Values.sysctlImage.command | nindent 10 }} + securityContext: + privileged: true + runAsUser: 0 + {{- end }} + {{- end }} + volumes: + - name: start-scripts + configMap: + name: {{ include "redis.fullname" . }}-scripts + defaultMode: 0755 + - name: health + configMap: + name: {{ template "redis.fullname" . }}-health + defaultMode: 0755 + {{- if .Values.usePasswordFile }} + - name: redis-password + secret: + secretName: {{ template "redis.secretName" . }} + items: + - key: {{ template "redis.secretPasswordKey" . }} + path: redis-password + {{- end }} + - name: config + configMap: + name: {{ template "redis.fullname" . }} + {{- if not .Values.master.persistence.enabled }} + - name: "redis-data" + emptyDir: {} + {{- else }} + {{- if .Values.persistence.existingClaim }} + - name: "redis-data" + persistentVolumeClaim: + claimName: {{ include "redis.tplValue" (dict "value" .Values.persistence.existingClaim "context" $) }} + {{- end }} + {{- if .Values.master.persistence.volumes }} + {{- toYaml .Values.master.persistence.volumes | nindent 8 }} + {{- end }} + {{- end }} + {{- if .Values.sysctlImage.mountHostSys }} + - name: host-sys + hostPath: + path: /sys + {{- end }} + - name: redis-tmp-conf + emptyDir: {} + - name: tmp + emptyDir: {} + {{- if .Values.master.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.master.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: redis-certificates + secret: + secretName: {{ required "A secret containing the certificates for the TLS traffic is required when TLS in enabled" .Values.tls.certificatesSecret }} + defaultMode: 256 + {{- end }} + {{- if and .Values.master.persistence.enabled (not .Values.persistence.existingClaim) (not .Values.master.persistence.volumes) }} + volumeClaimTemplates: + - metadata: + name: redis-data + labels: + app: {{ template "redis.name" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: master + {{- if .Values.master.statefulset.volumeClaimTemplates.labels }} + {{- toYaml .Values.master.statefulset.volumeClaimTemplates.labels | nindent 10 }} + {{- end }} + {{- if .Values.master.statefulset.volumeClaimTemplates.annotations }} + annotations: + {{- toYaml .Values.master.statefulset.volumeClaimTemplates.annotations | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.master.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.master.persistence.size | quote }} + {{ include "redis.master.storageClass" . }} + selector: + {{- if .Values.master.persistence.matchLabels }} + matchLabels: {{- toYaml .Values.master.persistence.matchLabels | nindent 12 }} + {{- end -}} + {{- if .Values.master.persistence.matchExpressions }} + matchExpressions: {{- toYaml .Values.master.persistence.matchExpressions | nindent 12 }} + {{- end -}} + {{- end }} + updateStrategy: + type: {{ .Values.master.statefulset.updateStrategy }} + {{- if .Values.master.statefulset.rollingUpdatePartition }} + {{- if (eq "Recreate" .Values.master.statefulset.updateStrategy) }} + rollingUpdate: null + {{- else }} + rollingUpdate: + partition: {{ .Values.master.statefulset.rollingUpdatePartition }} + {{- end }} + {{- end }} +{{- end }} diff --git a/stable/ckan/charts/redis/templates/redis-master-svc.yaml b/stable/ckan/charts/redis/templates/redis-master-svc.yaml new file mode 100644 index 00000000..8bd2f8c1 --- /dev/null +++ b/stable/ckan/charts/redis/templates/redis-master-svc.yaml @@ -0,0 +1,43 @@ +{{- if not .Values.sentinel.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "redis.fullname" . }}-master + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- if .Values.master.service.labels -}} + {{- toYaml .Values.master.service.labels | nindent 4 }} + {{- end -}} +{{- if .Values.master.service.annotations }} + annotations: {{- toYaml .Values.master.service.annotations | nindent 4 }} +{{- end }} +spec: + type: {{ .Values.master.service.type }} + {{ if eq .Values.master.service.type "LoadBalancer" }} + externalTrafficPolicy: {{ .Values.master.service.externalTrafficPolicy }} + {{- end }} + {{- if and (eq .Values.master.service.type "LoadBalancer") .Values.master.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.master.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.master.service.type "LoadBalancer") .Values.master.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- with .Values.master.service.loadBalancerSourceRanges }} +{{- toYaml . | nindent 4 }} +{{- end }} + {{- end }} + ports: + - name: tcp-redis + port: {{ .Values.master.service.port }} + targetPort: redis + {{- if .Values.master.service.nodePort }} + nodePort: {{ .Values.master.service.nodePort }} + {{- end }} + selector: + app: {{ template "redis.name" . }} + release: {{ .Release.Name }} + role: master +{{- end }} diff --git a/stable/ckan/charts/redis/templates/redis-node-statefulset.yaml b/stable/ckan/charts/redis/templates/redis-node-statefulset.yaml new file mode 100644 index 00000000..9ede6417 --- /dev/null +++ b/stable/ckan/charts/redis/templates/redis-node-statefulset.yaml @@ -0,0 +1,556 @@ +{{- if and .Values.cluster.enabled .Values.sentinel.enabled }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "redis.fullname" . }}-node + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- if .Values.slave.statefulset.labels }} + {{- toYaml .Values.slave.statefulset.labels | nindent 4 }} + {{- end }} +{{- if .Values.slave.statefulset.annotations }} + annotations: + {{- toYaml .Values.slave.statefulset.annotations | nindent 4 }} +{{- end }} +spec: +{{- if .Values.slave.updateStrategy }} + strategy: {{- toYaml .Values.slave.updateStrategy | nindent 4 }} +{{- end }} + replicas: {{ .Values.cluster.slaveCount }} + serviceName: {{ template "redis.fullname" . }}-headless + selector: + matchLabels: + app: {{ template "redis.name" . }} + release: {{ .Release.Name }} + role: node + template: + metadata: + labels: + app: {{ template "redis.name" . }} + release: {{ .Release.Name }} + chart: {{ template "redis.chart" . }} + role: node + {{- if .Values.slave.podLabels }} + {{- toYaml .Values.slave.podLabels | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podLabels }} + {{- toYaml .Values.metrics.podLabels | nindent 8 }} + {{- end }} + annotations: + checksum/health: {{ include (print $.Template.BasePath "/health-configmap.yaml") . | sha256sum }} + checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- if .Values.slave.podAnnotations }} + {{- toYaml .Values.slave.podAnnotations | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} + {{- toYaml .Values.metrics.podAnnotations | nindent 8 }} + {{- end }} + spec: + {{- include "redis.imagePullSecrets" . | nindent 6 }} + {{- if .Values.slave.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.slave.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "redis.serviceAccountName" . }} + {{- if .Values.slave.priorityClassName }} + priorityClassName: "{{ .Values.slave.priorityClassName }}" + {{- end }} + {{- if .Values.slave.nodeSelector }} + nodeSelector: {{- toYaml .Values.slave.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.slave.tolerations }} + tolerations: {{- toYaml .Values.slave.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.slave.schedulerName }} + schedulerName: {{ .Values.slave.schedulerName }} + {{- end }} + {{- if .Values.master.spreadConstraints }} + topologySpreadConstraints: {{- toYaml .Values.master.spreadConstraints | nindent 8 }} + {{- end }} + {{- with .Values.slave.affinity }} + affinity: {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + containers: + - name: {{ template "redis.name" . }} + image: {{ template "redis.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + command: + - /bin/bash + - -c + - /opt/bitnami/scripts/start-scripts/start-node.sh + env: + - name: REDIS_MASTER_PORT_NUMBER + value: {{ .Values.redisPort | quote }} + {{- if .Values.usePassword }} + {{- if .Values.usePasswordFile }} + - name: REDIS_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + - name: REDIS_MASTER_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + {{- else }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + - name: REDIS_MASTER_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- else }} + - name: ALLOW_EMPTY_PASSWORD + value: "yes" + {{- end }} + - name: REDIS_TLS_ENABLED + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: REDIS_TLS_PORT + value: {{ .Values.redisPort | quote }} + - name: REDIS_TLS_AUTH_CLIENTS + value: {{ ternary "yes" "no" .Values.tls.authClients | quote }} + - name: REDIS_TLS_CERT_FILE + value: {{ template "redis.tlsCert" . }} + - name: REDIS_TLS_KEY_FILE + value: {{ template "redis.tlsCertKey" . }} + - name: REDIS_TLS_CA_FILE + value: {{ template "redis.tlsCACert" . }} + {{- if .Values.tls.dhParamsFilename }} + - name: REDIS_TLS_DH_PARAMS_FILE + value: {{ template "redis.tlsDHParams" . }} + {{- end }} + {{- else }} + - name: REDIS_PORT + value: {{ .Values.redisPort | quote }} + {{- end }} + - name: REDIS_DATA_DIR + value: {{ .Values.slave.persistence.path }} + {{- if .Values.sentinel.extraEnvVars }} + {{- include "redis.tplValue" (dict "value" .Values.sentinel.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.sentinel.extraEnvVarsCM .Values.sentinel.extraEnvVarsSecret }} + envFrom: + {{- if .Values.sentinel.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.sentinel.extraEnvVarsCM }} + {{- end }} + {{- if .Values.sentinel.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.sentinel.extraEnvVarsSecret }} + {{- end }} + {{- end }} + ports: + - name: redis + containerPort: {{ .Values.redisPort }} + {{- if .Values.slave.livenessProbe.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.slave.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.slave.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.slave.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.slave.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.slave.livenessProbe.failureThreshold}} + exec: + command: + - sh + - -c + {{- if .Values.sentinel.enabled }} + - /health/ping_liveness_local.sh {{ .Values.slave.livenessProbe.timeoutSeconds }} + {{- else }} + - /health/ping_liveness_local_and_master.sh {{ .Values.slave.livenessProbe.timeoutSeconds }} + {{- end }} + {{- else if .Values.slave.customLivenessProbe }} + livenessProbe: {{- toYaml .Values.slave.customLivenessProbe | nindent 12 }} + {{- end }} + {{- if .Values.slave.readinessProbe.enabled }} + readinessProbe: + initialDelaySeconds: {{ .Values.slave.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.slave.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.slave.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.slave.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.slave.readinessProbe.failureThreshold }} + exec: + command: + - sh + - -c + {{- if .Values.sentinel.enabled }} + - /health/ping_readiness_local.sh {{ .Values.slave.livenessProbe.timeoutSeconds }} + {{- else }} + - /health/ping_readiness_local_and_master.sh {{ .Values.slave.livenessProbe.timeoutSeconds }} + {{- end }} + {{- else if .Values.slave.customReadinessProbe }} + readinessProbe: {{- toYaml .Values.slave.customReadinessProbe | nindent 12 }} + {{- end }} + resources: {{- toYaml .Values.slave.resources | nindent 12 }} + volumeMounts: + - name: start-scripts + mountPath: /opt/bitnami/scripts/start-scripts + - name: health + mountPath: /health + {{- if .Values.usePasswordFile }} + - name: redis-password + mountPath: /opt/bitnami/redis/secrets/ + {{- end }} + - name: redis-data + mountPath: {{ .Values.slave.persistence.path }} + subPath: {{ .Values.slave.persistence.subPath }} + - name: config + mountPath: /opt/bitnami/redis/mounted-etc + - name: redis-tmp-conf + mountPath: /opt/bitnami/redis/etc + - name: tmp + mountPath: /tmp + {{- if .Values.tls.enabled }} + - name: redis-certificates + mountPath: /opt/bitnami/redis/certs + readOnly: true + {{- end }} + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- if and .Values.cluster.enabled .Values.sentinel.enabled }} + - name: sentinel + image: {{ template "sentinel.image" . }} + imagePullPolicy: {{ .Values.sentinel.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + command: + - /bin/bash + - -c + - /opt/bitnami/scripts/start-scripts/start-sentinel.sh + env: + {{- if .Values.usePassword }} + {{- if .Values.usePasswordFile }} + - name: REDIS_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + {{- else }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- else }} + - name: ALLOW_EMPTY_PASSWORD + value: "yes" + {{- end }} + - name: REDIS_SENTINEL_TLS_ENABLED + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: REDIS_SENTINEL_TLS_PORT_NUMBER + value: {{ .Values.sentinel.port | quote }} + - name: REDIS_SENTINEL_TLS_AUTH_CLIENTS + value: {{ ternary "yes" "no" .Values.tls.authClients | quote }} + - name: REDIS_SENTINEL_TLS_CERT_FILE + value: {{ template "redis.tlsCert" . }} + - name: REDIS_SENTINEL_TLS_KEY_FILE + value: {{ template "redis.tlsCertKey" . }} + - name: REDIS_SENTINEL_TLS_CA_FILE + value: {{ template "redis.tlsCACert" . }} + {{- if .Values.tls.dhParamsFilename }} + - name: REDIS_SENTINEL_TLS_DH_PARAMS_FILE + value: {{ template "redis.dhParams" . }} + {{- end }} + {{- else }} + - name: REDIS_SENTINEL_PORT + value: {{ .Values.sentinel.port | quote }} + {{- end }} + ports: + - name: redis-sentinel + containerPort: {{ .Values.sentinel.port }} + {{- if .Values.sentinel.livenessProbe.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.sentinel.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.sentinel.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.sentinel.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.sentinel.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.sentinel.livenessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }} + {{- else if .Values.sentinel.customLivenessProbe }} + livenessProbe: {{- toYaml .Values.sentinel.customLivenessProbe | nindent 12 }} + {{- end }} + {{- if .Values.sentinel.readinessProbe.enabled}} + readinessProbe: + initialDelaySeconds: {{ .Values.sentinel.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.sentinel.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.sentinel.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.sentinel.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.sentinel.readinessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }} + {{- else if .Values.sentinel.customReadinessProbe }} + readinessProbe: {{- toYaml .Values.sentinel.customReadinessProbe | nindent 12 }} + {{- end }} + lifecycle: + preStop: + exec: + command: + - /bin/bash + - -c + - /opt/bitnami/scripts/start-scripts/prestop-sentinel.sh + resources: {{- toYaml .Values.sentinel.resources | nindent 12 }} + volumeMounts: + - name: start-scripts + mountPath: /opt/bitnami/scripts/start-scripts + - name: health + mountPath: /health + {{- if .Values.usePasswordFile }} + - name: redis-password + mountPath: /opt/bitnami/redis/secrets/ + {{- end }} + - name: redis-data + mountPath: {{ .Values.slave.persistence.path }} + subPath: {{ .Values.slave.persistence.subPath }} + - name: config + mountPath: /opt/bitnami/redis-sentinel/mounted-etc + - name: sentinel-tmp-conf + mountPath: /opt/bitnami/redis-sentinel/etc + {{- if .Values.tls.enabled }} + - name: redis-certificates + mountPath: /opt/bitnami/redis/certs + readOnly: true + {{- end }} + {{- if .Values.sentinel.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "redis.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + command: + - /bin/bash + - -c + - | + if [[ -f '/secrets/redis-password' ]]; then + export REDIS_PASSWORD=$(cat /secrets/redis-password) + fi + redis_exporter{{- range $key, $value := .Values.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }} + env: + - name: REDIS_ALIAS + value: {{ template "redis.fullname" . }} + {{- if .Values.usePassword }} + - name: REDIS_USER + value: default + {{- if (not .Values.usePasswordFile) }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: REDIS_ADDR + value: rediss://{{ .Values.metrics.redisTargetHost }}:{{ .Values.redisPort }} + {{- if .Values.tls.authClients }} + - name: REDIS_EXPORTER_TLS_CLIENT_KEY_FILE + value: {{ template "redis.tlsCertKey" . }} + - name: REDIS_EXPORTER_TLS_CLIENT_CERT_FILE + value: {{ template "redis.tlsCert" . }} + {{- end }} + - name: REDIS_EXPORTER_TLS_CA_CERT_FILE + value: {{ template "redis.tlsCACert" . }} + {{- end }} + volumeMounts: + {{- if .Values.usePasswordFile }} + - name: redis-password + mountPath: /secrets/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: redis-certificates + mountPath: /opt/bitnami/redis/certs + readOnly: true + {{- end }} + ports: + - name: metrics + containerPort: 9121 + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} + {{- if .Values.sentinel.metrics.enabled }} + - name: sentinel-metrics + image: {{ include "sentinel.metrics.image" . }} + imagePullPolicy: {{ .Values.sentinel.metrics.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + command: + - redis_sentinel_exporter{{- range $key, $value := .Values.sentinel.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }} + env: + {{- if and .Values.sentinel.usePassword (and .Values.usePassword (not .Values.usePasswordFile)) }} + - name: SENTINEL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "redis.secretName" . }} + key: {{ include "redis.secretPasswordKey" . }} + {{- end }} + {{- if and .Values.sentinel.usePassword .Values.usePassword .Values.usePasswordFile }} + - name: SENTINEL_PASSWORD_FILE + value: /secrets/redis-password + {{- end }} + volumeMounts: + {{- if and .Values.sentinel.usePassword .Values.usePassword .Values.usePasswordFile }} + - name: redis-password + mountPath: /secrets/ + {{- end }} + ports: + - name: sentinelmetrics + containerPort: 9355 + resources: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.resources "context" $) | nindent 12 }} + {{- end }} + {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.slave.persistence.enabled .Values.securityContext.enabled .Values.containerSecurityContext.enabled }} + {{- if or $needsVolumePermissions .Values.sysctlImage.enabled }} + initContainers: + {{- if $needsVolumePermissions }} + - name: volume-permissions + image: {{ template "redis.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + - -ec + - | + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` {{ .Values.slave.persistence.path }} + {{- else }} + chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} {{ .Values.slave.persistence.path }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto "}} + securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} + {{- end }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + volumeMounts: + - name: redis-data + mountPath: {{ .Values.slave.persistence.path }} + subPath: {{ .Values.slave.persistence.subPath }} + {{- end }} + {{- if .Values.sysctlImage.enabled }} + - name: init-sysctl + image: {{ template "redis.sysctl.image" . }} + imagePullPolicy: {{ default "" .Values.sysctlImage.pullPolicy | quote }} + resources: {{- toYaml .Values.sysctlImage.resources | nindent 12 }} + {{- if .Values.sysctlImage.mountHostSys }} + volumeMounts: + - name: host-sys + mountPath: /host-sys + {{- end }} + command: {{- toYaml .Values.sysctlImage.command | nindent 12 }} + securityContext: + privileged: true + runAsUser: 0 + {{- end }} + {{- end }} + volumes: + - name: start-scripts + configMap: + name: {{ include "redis.fullname" . }}-scripts + defaultMode: 0755 + - name: health + configMap: + name: {{ template "redis.fullname" . }}-health + defaultMode: 0755 + {{- if .Values.usePasswordFile }} + - name: redis-password + secret: + secretName: {{ template "redis.secretName" . }} + items: + - key: {{ template "redis.secretPasswordKey" . }} + path: redis-password + {{- end }} + - name: config + configMap: + name: {{ template "redis.fullname" . }} + {{- if .Values.sysctlImage.mountHostSys }} + - name: host-sys + hostPath: + path: /sys + {{- end }} + - name: sentinel-tmp-conf + emptyDir: {} + - name: redis-tmp-conf + emptyDir: {} + - name: tmp + emptyDir: {} + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.sentinel.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: redis-certificates + secret: + secretName: {{ required "A secret containing the certificates for the TLS traffic is required when TLS in enabled" .Values.tls.certificatesSecret }} + defaultMode: 256 + {{- end }} + {{- if not .Values.slave.persistence.enabled }} + - name: redis-data + emptyDir: {} + {{- else }} + volumeClaimTemplates: + - metadata: + name: redis-data + labels: + app: {{ template "redis.name" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: slave + {{- if .Values.slave.statefulset.volumeClaimTemplates }} + {{- if .Values.slave.statefulset.volumeClaimTemplates.labels }} + {{- toYaml .Values.slave.statefulset.volumeClaimTemplates.labels | nindent 10 }} + {{- end }} + {{- if .Values.slave.statefulset.volumeClaimTemplates.annotations }} + annotations: + {{- toYaml .Values.slave.statefulset.volumeClaimTemplates.annotations | nindent 10 }} + {{- end }} + {{- end }} + spec: + accessModes: + {{- range .Values.slave.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.slave.persistence.size | quote }} + {{ include "redis.slave.storageClass" . }} + selector: + {{- if .Values.slave.persistence.matchLabels }} + matchLabels: {{- toYaml .Values.slave.persistence.matchLabels | nindent 12 }} + {{- end -}} + {{- if .Values.slave.persistence.matchExpressions }} + matchExpressions: {{- toYaml .Values.slave.persistence.matchExpressions | nindent 12 }} + {{- end -}} + {{- end }} + updateStrategy: + type: {{ .Values.slave.statefulset.updateStrategy }} + {{- if .Values.slave.statefulset.rollingUpdatePartition }} + {{- if (eq "Recreate" .Values.slave.statefulset.updateStrategy) }} + rollingUpdate: null + {{- else }} + rollingUpdate: + partition: {{ .Values.slave.statefulset.rollingUpdatePartition }} + {{- end }} + {{- end }} +{{- end }} diff --git a/stable/ckan/charts/redis/templates/redis-role.yaml b/stable/ckan/charts/redis/templates/redis-role.yaml new file mode 100644 index 00000000..080a7f96 --- /dev/null +++ b/stable/ckan/charts/redis/templates/redis-role.yaml @@ -0,0 +1,22 @@ +{{- if .Values.rbac.create -}} +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +kind: Role +metadata: + name: {{ template "redis.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +{{- if .Values.podSecurityPolicy.create }} + - apiGroups: ['{{ template "podSecurityPolicy.apiGroup" . }}'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: [{{ template "redis.fullname" . }}] +{{- end -}} +{{- if .Values.rbac.role.rules }} +{{- toYaml .Values.rbac.role.rules | nindent 2 }} +{{- end -}} +{{- end -}} diff --git a/stable/ckan/charts/redis/templates/redis-rolebinding.yaml b/stable/ckan/charts/redis/templates/redis-rolebinding.yaml new file mode 100644 index 00000000..835aa036 --- /dev/null +++ b/stable/ckan/charts/redis/templates/redis-rolebinding.yaml @@ -0,0 +1,19 @@ +{{- if .Values.rbac.create -}} +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +kind: RoleBinding +metadata: + name: {{ template "redis.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "redis.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "redis.serviceAccountName" . }} +{{- end -}} diff --git a/stable/ckan/charts/redis/templates/redis-serviceaccount.yaml b/stable/ckan/charts/redis/templates/redis-serviceaccount.yaml new file mode 100644 index 00000000..081691de --- /dev/null +++ b/stable/ckan/charts/redis/templates/redis-serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "redis.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- if .Values.serviceAccount.annotations }} + annotations: {{ toYaml .Values.serviceAccount.annotations | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/stable/ckan/charts/redis/templates/redis-slave-statefulset.yaml b/stable/ckan/charts/redis/templates/redis-slave-statefulset.yaml new file mode 100644 index 00000000..778cac5c --- /dev/null +++ b/stable/ckan/charts/redis/templates/redis-slave-statefulset.yaml @@ -0,0 +1,398 @@ +{{- if and .Values.cluster.enabled (not .Values.sentinel.enabled) }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "redis.fullname" . }}-slave + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- if .Values.slave.statefulset.labels }} + {{- toYaml .Values.slave.statefulset.labels | nindent 4 }} + {{- end }} +{{- if .Values.slave.statefulset.annotations }} + annotations: + {{- toYaml .Values.slave.statefulset.annotations | nindent 4 }} +{{- end }} +spec: +{{- if .Values.slave.updateStrategy }} + strategy: {{- toYaml .Values.slave.updateStrategy | nindent 4 }} +{{- end }} + replicas: {{ .Values.cluster.slaveCount }} + serviceName: {{ template "redis.fullname" . }}-headless + selector: + matchLabels: + app: {{ template "redis.name" . }} + release: {{ .Release.Name }} + role: slave + template: + metadata: + labels: + app: {{ template "redis.name" . }} + release: {{ .Release.Name }} + chart: {{ template "redis.chart" . }} + role: slave + {{- if .Values.slave.podLabels }} + {{- toYaml .Values.slave.podLabels | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podLabels }} + {{- toYaml .Values.metrics.podLabels | nindent 8 }} + {{- end }} + annotations: + checksum/health: {{ include (print $.Template.BasePath "/health-configmap.yaml") . | sha256sum }} + checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- if .Values.slave.podAnnotations }} + {{- toYaml .Values.slave.podAnnotations | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} + {{- toYaml .Values.metrics.podAnnotations | nindent 8 }} + {{- end }} + spec: + {{- include "redis.imagePullSecrets" . | nindent 6 }} + {{- if .Values.slave.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.slave.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "redis.serviceAccountName" . }} + {{- if .Values.slave.priorityClassName }} + priorityClassName: {{ .Values.slave.priorityClassName | quote }} + {{- end }} + {{- if .Values.slave.nodeSelector }} + nodeSelector: {{- toYaml .Values.slave.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.slave.tolerations }} + tolerations: {{- toYaml .Values.slave.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.slave.shareProcessNamespace }} + shareProcessNamespace: {{ .Values.slave.shareProcessNamespace }} + {{- end }} + {{- if .Values.slave.schedulerName }} + schedulerName: {{ .Values.slave.schedulerName }} + {{- end }} + {{- if .Values.master.spreadConstraints }} + topologySpreadConstraints: {{- toYaml .Values.master.spreadConstraints | nindent 8 }} + {{- end }} + {{- with .Values.slave.affinity }} + affinity: {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + containers: + - name: {{ template "redis.name" . }} + image: {{ template "redis.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + command: + - /bin/bash + - -c + - /opt/bitnami/scripts/start-scripts/start-slave.sh + env: + - name: REDIS_REPLICATION_MODE + value: slave + - name: REDIS_MASTER_HOST + value: {{ template "redis.fullname" . }}-master-0.{{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + - name: REDIS_MASTER_PORT_NUMBER + value: {{ .Values.redisPort | quote }} + {{- if .Values.usePassword }} + {{- if .Values.usePasswordFile }} + - name: REDIS_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + - name: REDIS_MASTER_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + {{- else }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + - name: REDIS_MASTER_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- else }} + - name: ALLOW_EMPTY_PASSWORD + value: "yes" + {{- end }} + - name: REDIS_TLS_ENABLED + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: REDIS_TLS_PORT + value: {{ .Values.redisPort | quote }} + - name: REDIS_TLS_AUTH_CLIENTS + value: {{ ternary "yes" "no" .Values.tls.authClients | quote }} + - name: REDIS_TLS_CERT_FILE + value: {{ template "redis.tlsCert" . }} + - name: REDIS_TLS_KEY_FILE + value: {{ template "redis.tlsCertKey" . }} + - name: REDIS_TLS_CA_FILE + value: {{ template "redis.tlsCACert" . }} + {{- if .Values.tls.dhParamsFilename }} + - name: REDIS_TLS_DH_PARAMS_FILE + value: {{ template "redis.tlsDHParams" . }} + {{- end }} + {{- else }} + - name: REDIS_PORT + value: {{ .Values.redisPort | quote }} + {{- end }} + {{- if .Values.slave.extraEnvVars }} + {{- include "redis.tplValue" (dict "value" .Values.slave.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.slave.extraEnvVarsCM .Values.slave.extraEnvVarsSecret }} + envFrom: + {{- if .Values.slave.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.slave.extraEnvVarsCM }} + {{- end }} + {{- if .Values.slave.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.slave.extraEnvVarsSecret }} + {{- end }} + {{- end }} + ports: + - name: redis + containerPort: {{ .Values.redisPort }} + {{- if .Values.slave.livenessProbe.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.slave.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.slave.livenessProbe.periodSeconds }} + timeoutSeconds: {{ add1 .Values.slave.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.slave.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.slave.livenessProbe.failureThreshold}} + exec: + command: + - sh + - -c + - /health/ping_liveness_local_and_master.sh {{ .Values.slave.livenessProbe.timeoutSeconds }} + {{- else if .Values.slave.customLivenessProbe }} + livenessProbe: {{- toYaml .Values.slave.customLivenessProbe | nindent 12 }} + {{- end }} + {{- if .Values.slave.readinessProbe.enabled }} + readinessProbe: + initialDelaySeconds: {{ .Values.slave.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.slave.readinessProbe.periodSeconds }} + timeoutSeconds: {{ add1 .Values.slave.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.slave.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.slave.readinessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_readiness_local_and_master.sh {{ .Values.slave.readinessProbe.timeoutSeconds }} + {{- else if .Values.slave.customReadinessProbe }} + readinessProbe: {{- toYaml .Values.slave.customReadinessProbe | nindent 12 }} + {{- end }} + resources: {{- toYaml .Values.slave.resources | nindent 12 }} + volumeMounts: + - name: start-scripts + mountPath: /opt/bitnami/scripts/start-scripts + - name: health + mountPath: /health + {{- if .Values.usePasswordFile }} + - name: redis-password + mountPath: /opt/bitnami/redis/secrets/ + {{- end }} + - name: redis-data + mountPath: /data + - name: config + mountPath: /opt/bitnami/redis/mounted-etc + - name: redis-tmp-conf + mountPath: /opt/bitnami/redis/etc + {{- if .Values.tls.enabled }} + - name: redis-certificates + mountPath: /opt/bitnami/redis/certs + readOnly: true + {{- end }} + {{- if .Values.slave.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.slave.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "redis.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + command: + - /bin/bash + - -c + - | + if [[ -f '/secrets/redis-password' ]]; then + export REDIS_PASSWORD=$(cat /secrets/redis-password) + fi + redis_exporter{{- range $key, $value := .Values.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }} + env: + - name: REDIS_ALIAS + value: {{ template "redis.fullname" . }} + {{- if .Values.usePassword }} + - name: REDIS_USER + value: default + {{- if (not .Values.usePasswordFile) }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: REDIS_ADDR + value: rediss://{{ .Values.metrics.redisTargetHost }}:{{ .Values.redisPort }} + {{- if .Values.tls.authClients }} + - name: REDIS_EXPORTER_TLS_CLIENT_KEY_FILE + value: {{ template "redis.tlsCertKey" . }} + - name: REDIS_EXPORTER_TLS_CLIENT_CERT_FILE + value: {{ template "redis.tlsCert" . }} + {{- end }} + - name: REDIS_EXPORTER_TLS_CA_CERT_FILE + value: {{ template "redis.tlsCACert" . }} + {{- end }} + volumeMounts: + {{- if .Values.usePasswordFile }} + - name: redis-password + mountPath: /secrets/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: redis-certificates + mountPath: /opt/bitnami/redis/certs + readOnly: true + {{- end }} + ports: + - name: metrics + containerPort: 9121 + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} + {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.slave.persistence.enabled .Values.securityContext.enabled .Values.containerSecurityContext.enabled }} + {{- if or $needsVolumePermissions .Values.sysctlImage.enabled }} + initContainers: + {{- if $needsVolumePermissions }} + - name: volume-permissions + image: {{ template "redis.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + - -ec + - | + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` {{ .Values.slave.persistence.path }} + {{- else }} + chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} {{ .Values.slave.persistence.path }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto "}} + securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} + {{- end }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + volumeMounts: + - name: redis-data + mountPath: {{ .Values.slave.persistence.path }} + subPath: {{ .Values.slave.persistence.subPath }} + {{- end }} + {{- if .Values.sysctlImage.enabled }} + - name: init-sysctl + image: {{ template "redis.sysctl.image" . }} + imagePullPolicy: {{ default "" .Values.sysctlImage.pullPolicy | quote }} + resources: {{- toYaml .Values.sysctlImage.resources | nindent 12 }} + {{- if .Values.sysctlImage.mountHostSys }} + volumeMounts: + - name: host-sys + mountPath: /host-sys + {{- end }} + command: {{- toYaml .Values.sysctlImage.command | nindent 12 }} + securityContext: + privileged: true + runAsUser: 0 + {{- end }} + {{- end }} + volumes: + - name: start-scripts + configMap: + name: {{ include "redis.fullname" . }}-scripts + defaultMode: 0755 + - name: health + configMap: + name: {{ template "redis.fullname" . }}-health + defaultMode: 0755 + {{- if .Values.usePasswordFile }} + - name: redis-password + secret: + secretName: {{ template "redis.secretName" . }} + items: + - key: {{ template "redis.secretPasswordKey" . }} + path: redis-password + {{- end }} + - name: config + configMap: + name: {{ template "redis.fullname" . }} + {{- if .Values.sysctlImage.mountHostSys }} + - name: host-sys + hostPath: + path: /sys + {{- end }} + - name: redis-tmp-conf + emptyDir: {} + {{- if .Values.slave.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.slave.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: redis-certificates + secret: + secretName: {{ required "A secret containing the certificates for the TLS traffic is required when TLS in enabled" .Values.tls.certificatesSecret }} + defaultMode: 256 + {{- end }} + {{- if not .Values.slave.persistence.enabled }} + - name: redis-data + emptyDir: {} + {{- else }} + volumeClaimTemplates: + - metadata: + name: redis-data + labels: + app: {{ template "redis.name" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: slave + {{- if .Values.slave.statefulset.volumeClaimTemplates }} + {{- if .Values.slave.statefulset.volumeClaimTemplates.labels }} + {{- toYaml .Values.slave.statefulset.volumeClaimTemplates.labels | nindent 10 }} + {{- end }} + {{- if .Values.slave.statefulset.volumeClaimTemplates.annotations }} + annotations: + {{- toYaml .Values.slave.statefulset.volumeClaimTemplates.annotations | nindent 10 }} + {{- end }} + {{- end }} + spec: + accessModes: + {{- range .Values.slave.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.slave.persistence.size | quote }} + {{ include "redis.slave.storageClass" . }} + selector: + {{- if .Values.slave.persistence.matchLabels }} + matchLabels: {{- toYaml .Values.slave.persistence.matchLabels | nindent 12 }} + {{- end -}} + {{- if .Values.slave.persistence.matchExpressions }} + matchExpressions: {{- toYaml .Values.slave.persistence.matchExpressions | nindent 12 }} + {{- end -}} + {{- end }} + updateStrategy: + type: {{ .Values.slave.statefulset.updateStrategy }} + {{- if .Values.slave.statefulset.rollingUpdatePartition }} + {{- if (eq "Recreate" .Values.slave.statefulset.updateStrategy) }} + rollingUpdate: null + {{- else }} + rollingUpdate: + partition: {{ .Values.slave.statefulset.rollingUpdatePartition }} + {{- end }} + {{- end }} +{{- end }} diff --git a/stable/ckan/charts/redis/templates/redis-slave-svc.yaml b/stable/ckan/charts/redis/templates/redis-slave-svc.yaml new file mode 100644 index 00000000..a67ebb05 --- /dev/null +++ b/stable/ckan/charts/redis/templates/redis-slave-svc.yaml @@ -0,0 +1,43 @@ +{{- if and .Values.cluster.enabled (not .Values.sentinel.enabled) }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "redis.fullname" . }}-slave + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- if .Values.slave.service.labels -}} + {{- toYaml .Values.slave.service.labels | nindent 4 }} + {{- end -}} +{{- if .Values.slave.service.annotations }} + annotations: {{- toYaml .Values.slave.service.annotations | nindent 4 }} +{{- end }} +spec: + type: {{ .Values.slave.service.type }} + {{ if eq .Values.slave.service.type "LoadBalancer" }} + externalTrafficPolicy: {{ .Values.slave.service.externalTrafficPolicy }} + {{- end }} + {{- if and (eq .Values.slave.service.type "LoadBalancer") .Values.slave.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.slave.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.slave.service.type "LoadBalancer") .Values.slave.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- with .Values.slave.service.loadBalancerSourceRanges }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + ports: + - name: tcp-redis + port: {{ .Values.slave.service.port }} + targetPort: redis + {{- if .Values.slave.service.nodePort }} + nodePort: {{ .Values.slave.service.nodePort }} + {{- end }} + selector: + app: {{ template "redis.name" . }} + release: {{ .Release.Name }} + role: slave +{{- end }} diff --git a/stable/ckan/charts/redis/templates/redis-with-sentinel-svc.yaml b/stable/ckan/charts/redis/templates/redis-with-sentinel-svc.yaml new file mode 100644 index 00000000..e1c9073a --- /dev/null +++ b/stable/ckan/charts/redis/templates/redis-with-sentinel-svc.yaml @@ -0,0 +1,43 @@ +{{- if .Values.sentinel.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "redis.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- if .Values.sentinel.service.labels }} + {{- toYaml .Values.sentinel.service.labels | nindent 4 }} + {{- end }} +{{- if .Values.sentinel.service.annotations }} + annotations: {{- toYaml .Values.sentinel.service.annotations | nindent 4 }} +{{- end }} +spec: + type: {{ .Values.sentinel.service.type }} + {{ if eq .Values.sentinel.service.type "LoadBalancer" }} + externalTrafficPolicy: {{ .Values.sentinel.service.externalTrafficPolicy }} + {{- end }} + {{ if eq .Values.sentinel.service.type "LoadBalancer" -}} {{ if .Values.sentinel.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.sentinel.service.loadBalancerIP }} + {{ end -}} + {{- end -}} + ports: + - name: tcp-redis + port: {{ .Values.sentinel.service.redisPort }} + targetPort: redis + {{- if .Values.sentinel.service.redisNodePort }} + nodePort: {{ .Values.sentinel.service.redisNodePort }} + {{- end }} + - name: tcp-sentinel + port: {{ .Values.sentinel.service.sentinelPort }} + targetPort: redis-sentinel + {{- if .Values.sentinel.service.sentinelNodePort }} + nodePort: {{ .Values.sentinel.service.sentinelNodePort }} + {{- end }} + selector: + app: {{ template "redis.name" . }} + release: {{ .Release.Name }} +{{- end }} diff --git a/stable/ckan/charts/redis/templates/secret.yaml b/stable/ckan/charts/redis/templates/secret.yaml new file mode 100644 index 00000000..197aa189 --- /dev/null +++ b/stable/ckan/charts/redis/templates/secret.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.usePassword (not .Values.existingSecret) -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "redis.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + app: {{ template "redis.name" . }} + chart: {{ template "redis.chart" . }} + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +type: Opaque +data: + redis-password: {{ include "redis.password" . | b64enc | quote }} +{{- end -}} diff --git a/stable/ckan/charts/redis/values.schema.json b/stable/ckan/charts/redis/values.schema.json new file mode 100644 index 00000000..3188d0c9 --- /dev/null +++ b/stable/ckan/charts/redis/values.schema.json @@ -0,0 +1,168 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "usePassword": { + "type": "boolean", + "title": "Use password authentication", + "form": true + }, + "password": { + "type": "string", + "title": "Password", + "form": true, + "description": "Defaults to a random 10-character alphanumeric string if not set", + "hidden": { + "value": false, + "path": "usePassword" + } + }, + "cluster": { + "type": "object", + "title": "Cluster Settings", + "form": true, + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable master-slave", + "description": "Enable master-slave architecture" + }, + "slaveCount": { + "type": "integer", + "title": "Slave Replicas", + "form": true, + "hidden": { + "value": false, + "path": "cluster/enabled" + } + } + } + }, + "master": { + "type": "object", + "title": "Master replicas settings", + "form": true, + "properties": { + "persistence": { + "type": "object", + "title": "Persistence for master replicas", + "form": true, + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable persistence", + "description": "Enable persistence using Persistent Volume Claims" + }, + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi", + "hidden": { + "value": false, + "path": "master/persistence/enabled" + } + }, + "matchLabels": { + "type": "object", + "title": "Persistent Match Labels Selector" + }, + "matchExpressions": { + "type": "object", + "title": "Persistent Match Expressions Selector" + } + } + } + } + }, + "slave": { + "type": "object", + "title": "Slave replicas settings", + "form": true, + "hidden": { + "value": false, + "path": "cluster/enabled" + }, + "properties": { + "persistence": { + "type": "object", + "title": "Persistence for slave replicas", + "form": true, + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable persistence", + "description": "Enable persistence using Persistent Volume Claims" + }, + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi", + "hidden": { + "value": false, + "path": "slave/persistence/enabled" + } + }, + "matchLabels": { + "type": "object", + "title": "Persistent Match Labels Selector" + }, + "matchExpressions": { + "type": "object", + "title": "Persistent Match Expressions Selector" + } + } + } + } + }, + "volumePermissions": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable Init Containers", + "description": "Use an init container to set required folder permissions on the data volume before mounting it in the final destination" + } + } + }, + "metrics": { + "type": "object", + "form": true, + "title": "Prometheus metrics details", + "properties": { + "enabled": { + "type": "boolean", + "title": "Create Prometheus metrics exporter", + "description": "Create a side-car container to expose Prometheus metrics", + "form": true + }, + "serviceMonitor": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "title": "Create Prometheus Operator ServiceMonitor", + "description": "Create a ServiceMonitor to track metrics using Prometheus Operator", + "form": true, + "hidden": { + "value": false, + "path": "metrics/enabled" + } + } + } + } + } + } + } +} diff --git a/stable/ckan/charts/redis/values.yaml b/stable/ckan/charts/redis/values.yaml new file mode 100644 index 00000000..64e90821 --- /dev/null +++ b/stable/ckan/charts/redis/values.yaml @@ -0,0 +1,1008 @@ +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## +global: + # imageRegistry: myRegistryName + # imagePullSecrets: + # - myRegistryKeySecretName + # storageClass: myStorageClass + redis: {} + +## Bitnami Redis(TM) image version +## ref: https://hub.docker.com/r/bitnami/redis/tags/ +## +image: + registry: docker.io + repository: bitnami/redis + ## Bitnami Redis(TM) image tag + ## ref: https://github.com/bitnami/bitnami-docker-redis#supported-tags-and-respective-dockerfile-links + ## + tag: 6.0.12-debian-10-r33 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + +## String to partially override redis.fullname template (will maintain the release name) +## +# nameOverride: + +## String to fully override redis.fullname template +## +# fullnameOverride: + +## Cluster settings +## +cluster: + enabled: true + slaveCount: 2 + +## Use redis sentinel in the redis pod. This will disable the master and slave services and +## create one redis service with ports to the sentinel and the redis instances +## +sentinel: + enabled: false + ## Require password authentication on the sentinel itself + ## ref: https://redis.io/topics/sentinel + ## + usePassword: true + ## Bitnami Redis(TM) Sentintel image version + ## ref: https://hub.docker.com/r/bitnami/redis-sentinel/tags/ + ## + image: + registry: docker.io + repository: bitnami/redis-sentinel + ## Bitnami Redis(TM) image tag + ## ref: https://github.com/bitnami/bitnami-docker-redis-sentinel#supported-tags-and-respective-dockerfile-links + ## + tag: 6.0.12-debian-10-r24 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + masterSet: mymaster + initialCheckTimeout: 5 + quorum: 2 + downAfterMilliseconds: 20000 + failoverTimeout: 18000 + parallelSyncs: 1 + port: 26379 + + ## Delay seconds when cleaning nodes IPs + ## When starting it will clean the sentinels IP (RESET "*") in all the nodes + ## This is the delay time before sending the command to the next node + ## + cleanDelaySeconds: 5 + + ## Additional Redis(TM) configuration for the sentinel nodes + ## ref: https://redis.io/topics/config + ## + configmap: + ## Enable or disable static sentinel IDs for each replicas + ## If disabled each sentinel will generate a random id at startup + ## If enabled, each replicas will have a constant ID on each start-up + ## + staticID: false + ## Configure extra options for Redis(TM) Sentinel liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + customLivenessProbe: {} + customReadinessProbe: {} + ## Redis(TM) Sentinel resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + ## Redis(TM) Sentinel Service properties + ## + service: + ## Redis(TM) Sentinel Service type + ## + type: ClusterIP + sentinelPort: 26379 + redisPort: 6379 + + ## External traffic policy (when service type is LoadBalancer) + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # sentinelNodePort: + # redisNodePort: + + ## Provide any additional annotations which may be required. This can be used to + ## set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + annotations: {} + labels: {} + loadBalancerIP: + + ## Additional commands to run prior to starting Redis(TM) node with sentinel + ## + preExecCmds: "" + + ## An array to add extra env var to the sentinel node configurations + ## For example: + ## extraEnvVars: + ## - name: name + ## value: value + ## - name: other_name + ## valueFrom: + ## fieldRef: + ## fieldPath: fieldPath + ## + extraEnvVars: [] + + ## ConfigMap with extra env vars: + ## + extraEnvVarsCM: [] + + ## Secret with extra env vars: + ## + extraEnvVarsSecret: [] + + ## Prometheus Exporter / Metrics for Redis Sentinel Exporter + ## + metrics: + enabled: false + + ## Bitnami Redis Sentinel Exporter image + ## ref: https://hub.docker.com/r/bitnami/redis-sentinel-exporter/tags/ + ## + image: + registry: docker.io + repository: bitnami/redis-sentinel-exporter + tag: 1.7.1-debian-10-r105 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + + ## Sentinel metrics exporter resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## e.g: + ## limits: + ## cpu: 500m + ## memory: 1Gi + ## + limits: {} + requests: {} + + ## Extra arguments for Sentinel metrics exporter, for example: + ## extraArgs: + ## check-keys: myKey,myOtherKey + # extraArgs: {} + + ## Enable this if you're using https://github.com/coreos/prometheus-operator + ## + serviceMonitor: + enabled: false + ## Specify a namespace if needed + # namespace: monitoring + # fallback to the prometheus default unless specified + # interval: 10s + ## Defaults to what's used if you follow CoreOS [Prometheus Install Instructions](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#tldr) + ## [Prometheus Selector Label](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-operator-1) + ## [Kube Prometheus Selector Label](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#exporters) + ## + selector: + prometheus: kube-prometheus + + service: + type: ClusterIP + + ## Metrics port + ## + port: 9355 + ## External traffic policy (when service type is LoadBalancer) + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + + ## Use serviceLoadBalancerIP to request a specific static IP, otherwise leave blank + ## + # loadBalancerIP: + annotations: {} + labels: {} + +## Specifies the Kubernetes Cluster's Domain Name. +## +clusterDomain: cluster.local + +networkPolicy: + ## Specifies whether a NetworkPolicy should be created + ## + enabled: false + + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the port Redis(TM) is listening + ## on. When true, Redis(TM) will accept connections from any source + ## (with the correct destination port). + ## + # allowExternal: true + + ## Allow connections from other namespaces. Just set label for namespace and set label for pods (optional). + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + +serviceAccount: + ## Specifies whether a ServiceAccount should be created + ## + create: false + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template + ## + name: + ## Add annotations to service account + # annotations: + # iam.gke.io/gcp-service-account: "sa@project.iam.gserviceaccount.com" + +rbac: + ## Specifies whether RBAC resources should be created + ## + create: false + + role: + ## Rules to create. It follows the role specification + # rules: + # - apiGroups: + # - extensions + # resources: + # - podsecuritypolicies + # verbs: + # - use + # resourceNames: + # - gce.unprivileged + rules: [] + +## Redis(TM) pod Security Context +## +securityContext: + enabled: true + fsGroup: 1001 + ## sysctl settings for master and slave pods + ## + ## Uncomment the setting below to increase the net.core.somaxconn value + ## + # sysctls: + # - name: net.core.somaxconn + # value: "10000" + +## Container Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +## +containerSecurityContext: + enabled: true + runAsUser: 1001 + +## Use password authentication +## +usePassword: true +## Redis(TM) password (both master and slave) +## Defaults to a random 10-character alphanumeric string if not set and usePassword is true +## ref: https://github.com/bitnami/bitnami-docker-redis#setting-the-server-password-on-first-run +## +password: "" +## Use existing secret (ignores previous password) +# existingSecret: +## Password key to be retrieved from Redis(TM) secret +## +# existingSecretPasswordKey: + +## Mount secrets as files instead of environment variables +## +usePasswordFile: false + +## Persist data to a persistent volume (Redis(TM) Master) +## +persistence: + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + ## + existingClaim: + +# Redis(TM) port +redisPort: 6379 + +## +## TLS configuration +## +tls: + # Enable TLS traffic + enabled: false + # + # Whether to require clients to authenticate or not. + authClients: true + # + # Name of the Secret that contains the certificates + certificatesSecret: + # + # Certificate filename + certFilename: + # + # Certificate Key filename + certKeyFilename: + # + # CA Certificate filename + certCAFilename: + # + # File containing DH params (in order to support DH based ciphers) + # dhParamsFilename: + +## +## Redis(TM) Master parameters +## +master: + ## Redis(TM) command arguments + ## + ## Can be used to specify command line arguments, for example: + ## Note `exec` is prepended to command + ## + command: "/run.sh" + ## Additional commands to run prior to starting Redis(TM) + ## + preExecCmds: "" + ## Additional Redis(TM) configuration for the master nodes + ## ref: https://redis.io/topics/config + ## + configmap: + ## Deployment pod host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## Redis(TM) additional command line flags + ## + ## Can be used to specify command line flags, for example: + ## extraFlags: + ## - "--maxmemory-policy volatile-ttl" + ## - "--repl-backlog-size 1024mb" + ## + extraFlags: [] + ## Comma-separated list of Redis(TM) commands to disable + ## + ## Can be used to disable Redis(TM) commands for security reasons. + ## Commands will be completely disabled by renaming each to an empty string. + ## ref: https://redis.io/topics/security#disabling-of-specific-commands + ## + disableCommands: + - FLUSHDB + - FLUSHALL + + ## Redis(TM) Master additional pod labels and annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + podAnnotations: {} + + ## Redis(TM) Master resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + # Enable shared process namespace in a pod. + # If set to false (default), each container will run in separate namespace, redis will have PID=1. + # If set to true, the /pause will run as init process and will reap any zombie PIDs, + # for example, generated by a custom exec probe running longer than a probe timeoutSeconds. + # Enable this only if customLivenessProbe or customReadinessProbe is used and zombie PIDs are accumulating. + # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ + shareProcessNamespace: false + ## Configure extra options for Redis(TM) Master liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + + ## Configure custom probes for images other images like + ## rhscl/redis-32-rhel7 rhscl/redis-5-rhel7 + ## Only used if readinessProbe.enabled: false / livenessProbe.enabled: false + ## + # customLivenessProbe: + # tcpSocket: + # port: 6379 + # initialDelaySeconds: 10 + # periodSeconds: 5 + # customReadinessProbe: + # initialDelaySeconds: 30 + # periodSeconds: 10 + # timeoutSeconds: 5 + # exec: + # command: + # - "container-entrypoint" + # - "bash" + # - "-c" + # - "redis-cli set liveness-probe \"`date`\" | grep OK" + customLivenessProbe: {} + customReadinessProbe: {} + + ## Redis(TM) Master Node selectors and tolerations for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature + ## + # nodeSelector: {"beta.kubernetes.io/arch": "amd64"} + # tolerations: [] + ## Redis(TM) Master pod/node affinity/anti-affinity + ## + affinity: {} + + ## Redis(TM) Master Service properties + ## + service: + ## Redis(TM) Master Service type + ## + type: ClusterIP + port: 6379 + + ## External traffic policy (when service type is LoadBalancer) + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # nodePort: + + ## Provide any additional annotations which may be required. This can be used to + ## set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + annotations: {} + labels: {} + loadBalancerIP: + # loadBalancerSourceRanges: ["10.0.0.0/8"] + + ## Enable persistence using Persistent Volume Claims + ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + enabled: true + ## The path the volume will be mounted at, useful when using different + ## Redis(TM) images. + ## + path: /data + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + ## + subPath: "" + ## redis data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + ## Persistent Volume selectors + ## https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector + ## + matchLabels: {} + matchExpressions: {} + volumes: + # - name: volume_name + # emptyDir: {} + + ## Update strategy, can be set to RollingUpdate or onDelete by default. + ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets + ## + statefulset: + labels: {} + annotations: {} + updateStrategy: RollingUpdate + ## Partition update strategy + ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions + # rollingUpdatePartition: + volumeClaimTemplates: + labels: {} + annotations: {} + + ## Redis(TM) Master pod priorityClassName + ## + priorityClassName: null + + ## An array to add extra env vars + ## For example: + ## extraEnvVars: + ## - name: name + ## value: value + ## - name: other_name + ## valueFrom: + ## fieldRef: + ## fieldPath: fieldPath + ## + extraEnvVars: [] + + ## ConfigMap with extra env vars: + ## + extraEnvVarsCM: [] + + ## Secret with extra env vars: + ## + extraEnvVarsSecret: [] + +## +## Redis(TM) Slave properties +## Note: service.type is a mandatory parameter +## The rest of the parameters are either optional or, if undefined, will inherit those declared in Redis(TM) Master +## +slave: + ## Slave Service properties + ## + service: + ## Redis(TM) Slave Service type + ## + type: ClusterIP + ## Redis(TM) port + ## + port: 6379 + + ## External traffic policy (when service type is LoadBalancer) + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + + ## Specify the nodePort value for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + # nodePort: + + ## Provide any additional annotations which may be required. This can be used to + ## set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + annotations: {} + labels: {} + loadBalancerIP: + # loadBalancerSourceRanges: ["10.0.0.0/8"] + + ## Redis(TM) slave port + ## + port: 6379 + ## Deployment pod host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## Can be used to specify command line arguments, for example: + ## Note `exec` is prepended to command + ## + command: "/run.sh" + ## Additional commands to run prior to starting Redis(TM) + ## + preExecCmds: "" + ## Additional Redis(TM) configuration for the slave nodes + ## ref: https://redis.io/topics/config + ## + configmap: + ## Redis(TM) extra flags + ## + extraFlags: [] + ## List of Redis(TM) commands to disable + ## + disableCommands: + - FLUSHDB + - FLUSHALL + + ## Redis(TM) Slave pod/node affinity/anti-affinity + ## + affinity: {} + + ## Kubernetes Spread Constraints for pod assignment + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## + # - maxSkew: 1 + # topologyKey: node + # whenUnsatisfiable: DoNotSchedule + spreadConstraints: {} + + # Enable shared process namespace in a pod. + # If set to false (default), each container will run in separate namespace, redis will have PID=1. + # If set to true, the /pause will run as init process and will reap any zombie PIDs, + # for example, generated by a custom exec probe running longer than a probe timeoutSeconds. + # Enable this only if customLivenessProbe or customReadinessProbe is used and zombie PIDs are accumulating. + # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ + shareProcessNamespace: false + ## Configure extra options for Redis(TM) Slave liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 5 + + ## Configure custom probes for images other images like + ## rhscl/redis-32-rhel7 rhscl/redis-5-rhel7 + ## Only used if readinessProbe.enabled: false / livenessProbe.enabled: false + ## + # customLivenessProbe: + # tcpSocket: + # port: 6379 + # initialDelaySeconds: 10 + # periodSeconds: 5 + # customReadinessProbe: + # initialDelaySeconds: 30 + # periodSeconds: 10 + # timeoutSeconds: 5 + # exec: + # command: + # - "container-entrypoint" + # - "bash" + # - "-c" + # - "redis-cli set liveness-probe \"`date`\" | grep OK" + customLivenessProbe: {} + customReadinessProbe: {} + + ## Redis(TM) slave Resource + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + + ## Redis(TM) slave selectors and tolerations for pod assignment + # nodeSelector: {"beta.kubernetes.io/arch": "amd64"} + # tolerations: [] + + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + ## Redis(TM) slave pod Annotation and Labels + ## + podLabels: {} + podAnnotations: {} + + ## Redis(TM) slave pod priorityClassName + priorityClassName: null + + ## Enable persistence using Persistent Volume Claims + ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + enabled: true + ## The path the volume will be mounted at, useful when using different + ## Redis(TM) images. + ## + path: /data + ## The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + ## + subPath: "" + ## redis data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 8Gi + ## Persistent Volume selectors + ## https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector + ## + matchLabels: {} + matchExpressions: {} + + ## Update strategy, can be set to RollingUpdate or onDelete by default. + ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets + ## + statefulset: + labels: {} + annotations: {} + updateStrategy: RollingUpdate + ## Partition update strategy + ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions + # rollingUpdatePartition: + volumeClaimTemplates: + labels: {} + annotations: {} + + ## An array to add extra env vars + ## For example: + ## extraEnvVars: + ## - name: name + ## value: value + ## - name: other_name + ## valueFrom: + ## fieldRef: + ## fieldPath: fieldPath + ## + extraEnvVars: [] + + ## ConfigMap with extra env vars: + ## + extraEnvVarsCM: [] + + ## Secret with extra env vars: + ## + extraEnvVarsSecret: [] + +## Prometheus Exporter / Metrics +## +metrics: + enabled: false + + image: + registry: docker.io + repository: bitnami/redis-exporter + tag: 1.20.0-debian-10-r12 + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + + # A way to specify an alternative redis hostname, if you set a local endpoint in hostAliases for example + # Useful for certificate CN/SAN matching + redisTargetHost: "localhost" + + ## Metrics exporter resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + # resources: {} + + ## Extra arguments for Metrics exporter, for example: + ## extraArgs: + ## check-keys: myKey,myOtherKey + # extraArgs: {} + + ## Metrics exporter pod Annotation and Labels + ## + podAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9121" + # podLabels: {} + + # Enable this if you're using https://github.com/coreos/prometheus-operator + serviceMonitor: + enabled: false + ## Specify a namespace if needed + # namespace: monitoring + # fallback to the prometheus default unless specified + # interval: 10s + ## Defaults to what's used if you follow CoreOS [Prometheus Install Instructions](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#tldr) + ## [Prometheus Selector Label](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-operator-1) + ## [Kube Prometheus Selector Label](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#exporters) + ## + selector: + prometheus: kube-prometheus + + ## RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + ## + relabelings: [] + + ## MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + ## + metricRelabelings: [] + # - sourceLabels: + # - "__name__" + # targetLabel: "__name__" + # action: replace + # regex: '(.*)' + # replacement: 'example_prefix_$1' + + ## Custom PrometheusRule to be defined + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + enabled: false + additionalLabels: {} + namespace: "" + ## Redis(TM) prometheus rules + ## These are just examples rules, please adapt them to your needs. + ## Make sure to constraint the rules to the current redis service. + # rules: + # - alert: RedisDown + # expr: redis_up{service="{{ template "redis.fullname" . }}-metrics"} == 0 + # for: 2m + # labels: + # severity: error + # annotations: + # summary: Redis(TM) instance {{ "{{ $labels.instance }}" }} down + # description: Redis(TM) instance {{ "{{ $labels.instance }}" }} is down + # - alert: RedisMemoryHigh + # expr: > + # redis_memory_used_bytes{service="{{ template "redis.fullname" . }}-metrics"} * 100 + # / + # redis_memory_max_bytes{service="{{ template "redis.fullname" . }}-metrics"} + # > 90 + # for: 2m + # labels: + # severity: error + # annotations: + # summary: Redis(TM) instance {{ "{{ $labels.instance }}" }} is using too much memory + # description: | + # Redis(TM) instance {{ "{{ $labels.instance }}" }} is using {{ "{{ $value }}" }}% of its available memory. + # - alert: RedisKeyEviction + # expr: | + # increase(redis_evicted_keys_total{service="{{ template "redis.fullname" . }}-metrics"}[5m]) > 0 + # for: 1s + # labels: + # severity: error + # annotations: + # summary: Redis(TM) instance {{ "{{ $labels.instance }}" }} has evicted keys + # description: | + # Redis(TM) instance {{ "{{ $labels.instance }}" }} has evicted {{ "{{ $value }}" }} keys in the last 5 minutes. + rules: [] + + ## Metrics exporter pod priorityClassName + priorityClassName: null + service: + type: ClusterIP + + ## External traffic policy (when service type is LoadBalancer) + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + + ## Use serviceLoadBalancerIP to request a specific static IP, + ## otherwise leave blank + # loadBalancerIP: + annotations: {} + labels: {} + +## +## Init containers parameters: +## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup +## +volumePermissions: + enabled: false + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: "10" + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + resources: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + + ## Init container Security Context + ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser + ## and not the below volumePermissions.securityContext.runAsUser + ## When runAsUser is set to special value "auto", init container will try to chwon the + ## data folder to autodetermined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` + ## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed). + ## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with + ## podSecurityContext.enabled=false,containerSecurityContext.enabled=false + ## + securityContext: + runAsUser: 0 + +## Redis(TM) config file +## ref: https://redis.io/topics/config +## +configmap: |- + # Enable AOF https://redis.io/topics/persistence#append-only-file + appendonly yes + # Disable RDB persistence, AOF persistence already enabled. + save "" + +## Sysctl InitContainer +## used to perform sysctl operation to modify Kernel settings (needed sometimes to avoid warnings) +## +sysctlImage: + enabled: false + command: [] + registry: docker.io + repository: bitnami/bitnami-shell + tag: "10" + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + mountHostSys: false + resources: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + +## PodSecurityPolicy configuration +## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +## +podSecurityPolicy: + ## Specifies whether a PodSecurityPolicy should be created + ## + create: false + +## Define a disruption budget +## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ +## +podDisruptionBudget: + enabled: false + minAvailable: 1 + # maxUnavailable: 1 diff --git a/stable/ckan/charts/solr/Chart.lock b/stable/ckan/charts/solr/Chart.lock new file mode 100644 index 00000000..9e56d841 --- /dev/null +++ b/stable/ckan/charts/solr/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: zookeeper + repository: https://charts.helm.sh/incubator + version: 2.1.3 +digest: sha256:498b0ec127bdf20a5317703b58257b7d979ac212b0bfdf4f055a32695895d768 +generated: "2021-06-08T10:17:32.289525-04:00" diff --git a/stable/ckan/charts/solr/Chart.yaml b/stable/ckan/charts/solr/Chart.yaml new file mode 100644 index 00000000..a87911b1 --- /dev/null +++ b/stable/ckan/charts/solr/Chart.yaml @@ -0,0 +1,14 @@ +apiVersion: v2 +appVersion: 8.11.1 +dependencies: +- name: zookeeper + repository: https://charts.helm.sh/incubator + version: 2.1.3 +description: A helm chart to install Apache Solr +home: http://lucene.apache.org/solr/ +keywords: +- solr +name: solr +sources: +- https://gitbox.apache.org/repos/asf?p=lucene-solr.git +version: 1.5.8 diff --git a/stable/ckan/charts/solr/README.md b/stable/ckan/charts/solr/README.md new file mode 100644 index 00000000..388641ef --- /dev/null +++ b/stable/ckan/charts/solr/README.md @@ -0,0 +1,72 @@ +# Solr Helm Chart + +> NOTE: This chart was extended from hhttps://github.com/helm/charts/tree/master/incubator/solr. + +This helm chart installs a Solr cluster and its required Zookeeper cluster into a running kubernetes cluster. + +The chart installs the Solr docker image from: https://hub.docker.com/_/solr/ + +## Dependencies + +- The zookeeper incubator helm chart +- Tested on kubernetes 1.10+ + +## Configuration Options + +The following table shows the configuration options for the Solr helm chart: + +| Parameter | Description | Default Value | +|-----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------| +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | +| `port` | The port that Solr will listen on | `8983` | +| `replicaCount` | The number of replicas in the Solr statefulset | `3` | +| `javaMem` | JVM memory settings to pass to Solr | `-Xms2g -Xmx3g` | +| `resources` | Resource limits and requests to set on the solr pods | `{}` | +| `extraEnvVars` | Additional environment variables to set on the solr pods (in yaml syntax) | `[]` | +| `initScript` | The file name of the custom script to be run before starting Solr | `""` | +| `terminationGracePeriodSeconds` | The termination grace period of the Solr pods | `180` | +| `image.repository` | The repository to pull the docker image from | `solr` | +| `image.tag` | The tag on the repository to pull | `7.7.2` | +| `image.pullPolicy` | Solr pod pullPolicy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | +| `livenessProbe.initialDelaySeconds` | Initial Delay for Solr pod liveness probe | `20` | +| `livenessProbe.periodSeconds` | Poll rate for liveness probe | `10` | +| `readinessProbe.initialDelaySeconds` | Initial Delay for Solr pod readiness probe | `15` | +| `readinessProbe.periodSeconds` | Poll rate for readiness probe | `5` | +| `podAnnotations` | Annotations to be applied to the solr pods | `{}` | +| `affinity` | Affinity policy to be applied to the Solr pods | `{}` | +| `tolerations` | Tolerations to be applied to the Solr pods | `[]` | +| `updateStrategy` | The update strategy of the solr pods | `{}` | +| `logLevel` | The log level of the solr pods | `INFO` | +| `podDisruptionBudget` | The pod disruption budget for the Solr statefulset | `{"maxUnavailable": 1}` | +| `schedulerName` | The name of the k8s scheduler (other than default) | ` nil` | +| `volumeClaimTemplates.storageClassName` | The name of the storage class for the Solr PVC | `` | +| `volumeClaimTemplates.storageSize` | The size of the PVC | `20Gi` | +| `volumeClaimTemplates.accessModes` | The access mode of the PVC | `[ "ReadWriteOnce" ]` | +| `tls.enabled` | Whether to enable TLS, requires `tls.certSecret.name` to be set to a secret containing cert details, see README for details | `false` | +| `tls.wantClientAuth` | Whether Solr wants client authentication | `false` | +| `tls.needClientAuth` | Whether Solr requires client authentication | `false` | +| `tls.keystorePassword` | Password for the tls java keystore | `changeit` | +| `tls.importKubernetesCA` | Whether to import the kubernetes CA into the Solr truststore | `false` | +| `tls.checkPeerName` | Whether Solr checks the name in the TLS certs | `false` | +| `tls.caSecret.name` | The name of the Kubernetes secret containing the ca bunble to import into the truststore | `` | +| `tls.caSecret.bundlePath` | The key in the Kubernetes secret that contains the CA bundle | `` | +| `tls.certSecret.name` | The name of the Kubernetes secret that contains the TLS certificate and private key | `` | +| `tls.certSecret.keyPath` | The key in the Kubernetes secret that contains the private key | `tls.key` | +| `tls.certSecret.certPath` | The key in the Kubernetes secret that contains the TLS certificate | `tls.crt` | +| `service.type` | The type of service for the solr client service | `ClusterIP` | +| `service.annotations` | Annotations to apply to the solr client service | `{}` | +| `exporter.enabled` | Whether to enable the Solr Prometheus exporter | `false` | +| `exporter.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | +| `exporter.configFile` | The path in the docker image that the exporter loads the config from | `/opt/solr/contrib/prometheus-exporter/conf/solr-exporter-config.xml` | +| `exporter.updateStrategy` | Update strategy for the exporter deployment | `{}` | +| `exporter.podAnnotations` | Annotations to set on the exporter pods | `{}` +| `exporter.resources` | Resource limits to set on the exporter pods | `{}` | +| `exporter.port` | The port that the exporter runs on | `9983` | +| `exporter.threads` | The number of query threads that the exporter runs | `7` | +| `exporter.livenessProbe.initialDelaySeconds` | Initial Delay for the exporter pod liveness| `20` | +| `exporter.livenessProbe.periodSeconds` | Poll rate for liveness probe | `10` | +| `exporter.readinessProbe.initialDelaySeconds` | Initial Delay for the exporter pod readiness | `15` | +| `exporter.readinessProbe.periodSeconds` | Poll rate for readiness probe | `5` | +| `exporter.service.type` | The type of the exporter service | `ClusterIP` | +| `exporter.service.annotations` | Annotations to apply to the exporter service | `{}` | diff --git a/stable/ckan/charts/solr/charts/zookeeper/.helmignore b/stable/ckan/charts/solr/charts/zookeeper/.helmignore new file mode 100644 index 00000000..f0c13194 --- /dev/null +++ b/stable/ckan/charts/solr/charts/zookeeper/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/stable/ckan/charts/solr/charts/zookeeper/Chart.yaml b/stable/ckan/charts/solr/charts/zookeeper/Chart.yaml new file mode 100644 index 00000000..e82642a5 --- /dev/null +++ b/stable/ckan/charts/solr/charts/zookeeper/Chart.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +appVersion: 3.5.5 +description: Centralized service for maintaining configuration information, naming, + providing distributed synchronization, and providing group services. +home: https://zookeeper.apache.org/ +icon: https://zookeeper.apache.org/images/zookeeper_small.gif +kubeVersion: ^1.10.0-0 +maintainers: +- email: lachlan.evenson@microsoft.com + name: lachie83 +- email: owensk@google.com + name: kow3ns +name: zookeeper +sources: +- https://github.com/apache/zookeeper +- https://github.com/kubernetes/contrib/tree/master/statefulsets/zookeeper +version: 2.1.3 diff --git a/stable/ckan/charts/solr/charts/zookeeper/OWNERS b/stable/ckan/charts/solr/charts/zookeeper/OWNERS new file mode 100644 index 00000000..dd9facde --- /dev/null +++ b/stable/ckan/charts/solr/charts/zookeeper/OWNERS @@ -0,0 +1,6 @@ +approvers: +- lachie83 +- kow3ns +reviewers: +- lachie83 +- kow3ns diff --git a/stable/ckan/charts/solr/charts/zookeeper/README.md b/stable/ckan/charts/solr/charts/zookeeper/README.md new file mode 100644 index 00000000..c0f060ef --- /dev/null +++ b/stable/ckan/charts/solr/charts/zookeeper/README.md @@ -0,0 +1,145 @@ +# incubator/zookeeper + +This helm chart provides an implementation of the ZooKeeper [StatefulSet](http://kubernetes.io/docs/concepts/abstractions/controllers/statefulsets/) found in Kubernetes Contrib [Zookeeper StatefulSet](https://github.com/kubernetes/contrib/tree/master/statefulsets/zookeeper). + +## Prerequisites +* Kubernetes 1.10+ +* PersistentVolume support on the underlying infrastructure +* A dynamic provisioner for the PersistentVolumes +* A familiarity with [Apache ZooKeeper 3.5.x](https://zookeeper.apache.org/doc/r3.5.5/) + +## Chart Components +This chart will do the following: + +* Create a fixed size ZooKeeper ensemble using a [StatefulSet](http://kubernetes.io/docs/concepts/abstractions/controllers/statefulsets/). +* Create a [PodDisruptionBudget](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-disruption-budget/) so kubectl drain will respect the Quorum size of the ensemble. +* Create a [Headless Service](https://kubernetes.io/docs/concepts/services-networking/service/) to control the domain of the ZooKeeper ensemble. +* Create a Service configured to connect to the available ZooKeeper instance on the configured client port. +* Optionally apply a [Pod Anti-Affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity-beta-feature) to spread the ZooKeeper ensemble across nodes. +* Optionally start JMX Exporter and Zookeeper Exporter containers inside Zookeeper pods. +* Optionally create a job which creates Zookeeper chroots (e.g. `/kafka1`). +* Optionally create a Prometheus ServiceMonitor for each enabled exporter container + +## Installing the Chart +You can install the chart with the release name `zookeeper` as below. + +```console +$ helm repo add incubator http://storage.googleapis.com/kubernetes-charts-incubator +$ helm install --name zookeeper incubator/zookeeper +``` + +If you do not specify a name, helm will select a name for you. + +### Installed Components +You can use `kubectl get` to view all of the installed components. + +```console{%raw} +$ kubectl get all -l app=zookeeper +NAME: zookeeper +LAST DEPLOYED: Wed Apr 11 17:09:48 2018 +NAMESPACE: default +STATUS: DEPLOYED + +RESOURCES: +==> v1beta1/PodDisruptionBudget +NAME MIN AVAILABLE MAX UNAVAILABLE ALLOWED DISRUPTIONS AGE +zookeeper N/A 1 1 2m + +==> v1/Service +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +zookeeper-headless ClusterIP None 2181/TCP,3888/TCP,2888/TCP 2m +zookeeper ClusterIP 10.98.179.165 2181/TCP 2m + +==> v1beta1/StatefulSet +NAME DESIRED CURRENT AGE +zookeeper 3 3 2m + +==> monitoring.coreos.com/v1/ServiceMonitor +NAME AGE +zookeeper 2m +zookeeper-exporter 2m +``` + +1. `statefulsets/zookeeper` is the StatefulSet created by the chart. +1. `po/zookeeper-<0|1|2>` are the Pods created by the StatefulSet. Each Pod has a single container running a ZooKeeper server. +1. `svc/zookeeper-headless` is the Headless Service used to control the network domain of the ZooKeeper ensemble. +1. `svc/zookeeper` is a Service that can be used by clients to connect to an available ZooKeeper server. +1. `servicemonitor/zookeeper` is a Prometheus ServiceMonitor which scrapes the jmx-exporter metrics endpoint +1. `servicemonitor/zookeeper-exporter` is a Prometheus ServiceMonitor which scrapes the zookeeper-exporter metrics endpoint + +## Configuration +You can specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```console +$ helm install --name my-release -f values.yaml incubator/zookeeper +``` + +## Default Values + +- You can find all user-configurable settings, their defaults and commentary about them in [values.yaml](values.yaml). + +## Deep Dive + +## Image Details +The image used for this chart is based on Alpine 3.9.0. + +## JVM Details +The Java Virtual Machine used for this chart is the OpenJDK JVM 8u192 JRE (headless). + +## ZooKeeper Details +The chart defaults to ZooKeeper 3.5 (latest released version). + +## Failover +You can test failover by killing the leader. Insert a key: +```console +$ kubectl exec zookeeper-0 -- bin/zkCli.sh create /foo bar; +$ kubectl exec zookeeper-2 -- bin/zkCli.sh get /foo; +``` + +Watch existing members: +```console +$ kubectl run --attach bbox --image=busybox --restart=Never -- sh -c 'while true; do for i in 0 1 2; do echo zk-${i} $(echo stats | nc -${i}.:2181 | grep Mode); sleep 1; done; done'; + +zk-2 Mode: follower +zk-0 Mode: follower +zk-1 Mode: leader +zk-2 Mode: follower +``` + +Delete Pods and wait for the StatefulSet controller to bring them back up: +```console +$ kubectl delete po -l app=zookeeper +$ kubectl get po --watch-only +NAME READY STATUS RESTARTS AGE +zookeeper-0 0/1 Running 0 35s +zookeeper-0 1/1 Running 0 50s +zookeeper-1 0/1 Pending 0 0s +zookeeper-1 0/1 Pending 0 0s +zookeeper-1 0/1 ContainerCreating 0 0s +zookeeper-1 0/1 Running 0 19s +zookeeper-1 1/1 Running 0 40s +zookeeper-2 0/1 Pending 0 0s +zookeeper-2 0/1 Pending 0 0s +zookeeper-2 0/1 ContainerCreating 0 0s +zookeeper-2 0/1 Running 0 19s +zookeeper-2 1/1 Running 0 41s +``` + +Check the previously inserted key: +```console +$ kubectl exec zookeeper-1 -- bin/zkCli.sh get /foo +ionid = 0x354887858e80035, negotiated timeout = 30000 + +WATCHER:: + +WatchedEvent state:SyncConnected type:None path:null +bar +``` + +## Scaling +ZooKeeper can not be safely scaled in versions prior to 3.5.x + +## Limitations +* Only supports storage options that have backends for persistent volume claims. diff --git a/stable/ckan/charts/solr/charts/zookeeper/templates/NOTES.txt b/stable/ckan/charts/solr/charts/zookeeper/templates/NOTES.txt new file mode 100644 index 00000000..6c5da856 --- /dev/null +++ b/stable/ckan/charts/solr/charts/zookeeper/templates/NOTES.txt @@ -0,0 +1,7 @@ +Thank you for installing ZooKeeper on your Kubernetes cluster. More information +about ZooKeeper can be found at https://zookeeper.apache.org/doc/current/ + +Your connection string should look like: + {{ template "zookeeper.fullname" . }}-0.{{ template "zookeeper.fullname" . }}-headless:{{ .Values.service.ports.client.port }},{{ template "zookeeper.fullname" . }}-1.{{ template "zookeeper.fullname" . }}-headless:{{ .Values.service.ports.client.port }},... + +You can also use the client service {{ template "zookeeper.fullname" . }}:{{ .Values.service.ports.client.port }} to connect to an available ZooKeeper server. diff --git a/stable/ckan/charts/solr/charts/zookeeper/templates/_helpers.tpl b/stable/ckan/charts/solr/charts/zookeeper/templates/_helpers.tpl new file mode 100644 index 00000000..0e151072 --- /dev/null +++ b/stable/ckan/charts/solr/charts/zookeeper/templates/_helpers.tpl @@ -0,0 +1,46 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "zookeeper.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "zookeeper.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "zookeeper.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +The name of the zookeeper headless service. +*/}} +{{- define "zookeeper.headless" -}} +{{- printf "%s-headless" (include "zookeeper.fullname" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +The name of the zookeeper chroots job. +*/}} +{{- define "zookeeper.chroots" -}} +{{- printf "%s-chroots" (include "zookeeper.fullname" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/stable/ckan/charts/solr/charts/zookeeper/templates/config-jmx-exporter.yaml b/stable/ckan/charts/solr/charts/zookeeper/templates/config-jmx-exporter.yaml new file mode 100644 index 00000000..79905e57 --- /dev/null +++ b/stable/ckan/charts/solr/charts/zookeeper/templates/config-jmx-exporter.yaml @@ -0,0 +1,19 @@ +{{- if .Values.exporters.jmx.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-jmx-exporter + labels: + app: {{ template "zookeeper.name" . }} + chart: {{ template "zookeeper.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: + config.yml: |- + hostPort: 127.0.0.1:{{ .Values.env.JMXPORT }} + lowercaseOutputName: {{ .Values.exporters.jmx.config.lowercaseOutputName }} + rules: +{{ .Values.exporters.jmx.config.rules | toYaml | indent 6 }} + ssl: false + startDelaySeconds: {{ .Values.exporters.jmx.config.startDelaySeconds }} +{{- end }} diff --git a/stable/ckan/charts/solr/charts/zookeeper/templates/config-script.yaml b/stable/ckan/charts/solr/charts/zookeeper/templates/config-script.yaml new file mode 100644 index 00000000..2b4b44dd --- /dev/null +++ b/stable/ckan/charts/solr/charts/zookeeper/templates/config-script.yaml @@ -0,0 +1,110 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "zookeeper.fullname" . }} + labels: + app: {{ template "zookeeper.name" . }} + chart: {{ template "zookeeper.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: server +data: + ok: | + #!/bin/sh + zkServer.sh status + + ready: | + #!/bin/sh + echo ruok | nc 127.0.0.1 ${1:-2181} + + run: | + #!/bin/bash + + set -a + ROOT=$(echo /apache-zookeeper-*) + + ZK_USER=${ZK_USER:-"zookeeper"} + ZK_LOG_LEVEL=${ZK_LOG_LEVEL:-"INFO"} + ZK_DATA_DIR=${ZK_DATA_DIR:-"/data"} + ZK_DATA_LOG_DIR=${ZK_DATA_LOG_DIR:-"/data/log"} + ZK_CONF_DIR=${ZK_CONF_DIR:-"/conf"} + ZK_CLIENT_PORT=${ZK_CLIENT_PORT:-2181} + ZK_SERVER_PORT=${ZK_SERVER_PORT:-2888} + ZK_ELECTION_PORT=${ZK_ELECTION_PORT:-3888} + ZK_TICK_TIME=${ZK_TICK_TIME:-2000} + ZK_INIT_LIMIT=${ZK_INIT_LIMIT:-10} + ZK_SYNC_LIMIT=${ZK_SYNC_LIMIT:-5} + ZK_HEAP_SIZE=${ZK_HEAP_SIZE:-2G} + ZK_MAX_CLIENT_CNXNS=${ZK_MAX_CLIENT_CNXNS:-60} + ZK_MIN_SESSION_TIMEOUT=${ZK_MIN_SESSION_TIMEOUT:- $((ZK_TICK_TIME*2))} + ZK_MAX_SESSION_TIMEOUT=${ZK_MAX_SESSION_TIMEOUT:- $((ZK_TICK_TIME*20))} + ZK_SNAP_RETAIN_COUNT=${ZK_SNAP_RETAIN_COUNT:-3} + ZK_PURGE_INTERVAL=${ZK_PURGE_INTERVAL:-0} + ID_FILE="$ZK_DATA_DIR/myid" + ZK_CONFIG_FILE="$ZK_CONF_DIR/zoo.cfg" + LOG4J_PROPERTIES="$ZK_CONF_DIR/log4j.properties" + HOST=$(hostname) + DOMAIN=`hostname -d` + JVMFLAGS="-Xmx$ZK_HEAP_SIZE -Xms$ZK_HEAP_SIZE" + + APPJAR=$(echo $ROOT/*jar) + CLASSPATH="${ROOT}/lib/*:${APPJAR}:${ZK_CONF_DIR}:" + + if [[ $HOST =~ (.*)-([0-9]+)$ ]]; then + NAME=${BASH_REMATCH[1]} + ORD=${BASH_REMATCH[2]} + MY_ID=$((ORD+1)) + else + echo "Failed to extract ordinal from hostname $HOST" + exit 1 + fi + + mkdir -p $ZK_DATA_DIR + mkdir -p $ZK_DATA_LOG_DIR + echo $MY_ID >> $ID_FILE + + echo "clientPort=$ZK_CLIENT_PORT" >> $ZK_CONFIG_FILE + echo "dataDir=$ZK_DATA_DIR" >> $ZK_CONFIG_FILE + echo "dataLogDir=$ZK_DATA_LOG_DIR" >> $ZK_CONFIG_FILE + echo "tickTime=$ZK_TICK_TIME" >> $ZK_CONFIG_FILE + echo "initLimit=$ZK_INIT_LIMIT" >> $ZK_CONFIG_FILE + echo "syncLimit=$ZK_SYNC_LIMIT" >> $ZK_CONFIG_FILE + echo "maxClientCnxns=$ZK_MAX_CLIENT_CNXNS" >> $ZK_CONFIG_FILE + echo "minSessionTimeout=$ZK_MIN_SESSION_TIMEOUT" >> $ZK_CONFIG_FILE + echo "maxSessionTimeout=$ZK_MAX_SESSION_TIMEOUT" >> $ZK_CONFIG_FILE + echo "autopurge.snapRetainCount=$ZK_SNAP_RETAIN_COUNT" >> $ZK_CONFIG_FILE + echo "autopurge.purgeInterval=$ZK_PURGE_INTERVAL" >> $ZK_CONFIG_FILE + echo "4lw.commands.whitelist=*" >> $ZK_CONFIG_FILE + + for (( i=1; i<=$ZK_REPLICAS; i++ )) + do + echo "server.$i=$NAME-$((i-1)).$DOMAIN:$ZK_SERVER_PORT:$ZK_ELECTION_PORT" >> $ZK_CONFIG_FILE + done + + rm -f $LOG4J_PROPERTIES + + echo "zookeeper.root.logger=$ZK_LOG_LEVEL, CONSOLE" >> $LOG4J_PROPERTIES + echo "zookeeper.console.threshold=$ZK_LOG_LEVEL" >> $LOG4J_PROPERTIES + echo "zookeeper.log.threshold=$ZK_LOG_LEVEL" >> $LOG4J_PROPERTIES + echo "zookeeper.log.dir=$ZK_DATA_LOG_DIR" >> $LOG4J_PROPERTIES + echo "zookeeper.log.file=zookeeper.log" >> $LOG4J_PROPERTIES + echo "zookeeper.log.maxfilesize=256MB" >> $LOG4J_PROPERTIES + echo "zookeeper.log.maxbackupindex=10" >> $LOG4J_PROPERTIES + echo "zookeeper.tracelog.dir=$ZK_DATA_LOG_DIR" >> $LOG4J_PROPERTIES + echo "zookeeper.tracelog.file=zookeeper_trace.log" >> $LOG4J_PROPERTIES + echo "log4j.rootLogger=\${zookeeper.root.logger}" >> $LOG4J_PROPERTIES + echo "log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender" >> $LOG4J_PROPERTIES + echo "log4j.appender.CONSOLE.Threshold=\${zookeeper.console.threshold}" >> $LOG4J_PROPERTIES + echo "log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout" >> $LOG4J_PROPERTIES + echo "log4j.appender.CONSOLE.layout.ConversionPattern=%d{ISO8601} [myid:%X{myid}] - %-5p [%t:%C{1}@%L] - %m%n" >> $LOG4J_PROPERTIES + + if [ -n "$JMXDISABLE" ] + then + MAIN=org.apache.zookeeper.server.quorum.QuorumPeerMain + else + MAIN="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=$JMXPORT -Dcom.sun.management.jmxremote.authenticate=$JMXAUTH -Dcom.sun.management.jmxremote.ssl=$JMXSSL -Dzookeeper.jmx.log4j.disable=$JMXLOG4J org.apache.zookeeper.server.quorum.QuorumPeerMain" + fi + + set -x + exec java -cp "$CLASSPATH" $JVMFLAGS $MAIN $ZK_CONFIG_FILE diff --git a/stable/ckan/charts/solr/charts/zookeeper/templates/job-chroots.yaml b/stable/ckan/charts/solr/charts/zookeeper/templates/job-chroots.yaml new file mode 100644 index 00000000..3aa08c90 --- /dev/null +++ b/stable/ckan/charts/solr/charts/zookeeper/templates/job-chroots.yaml @@ -0,0 +1,65 @@ +{{- if .Values.jobs.chroots.enabled }} +{{- $root := . }} +{{- $job := .Values.jobs.chroots }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "zookeeper.chroots" . }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded + labels: + app: {{ template "zookeeper.name" . }} + chart: {{ template "zookeeper.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: jobs + job: chroots +spec: + activeDeadlineSeconds: {{ $job.activeDeadlineSeconds }} + backoffLimit: {{ $job.backoffLimit }} + completions: {{ $job.completions }} + parallelism: {{ $job.parallelism }} + template: + metadata: + labels: + app: {{ template "zookeeper.name" . }} + release: {{ .Release.Name }} + component: jobs + job: chroots + spec: + restartPolicy: {{ $job.restartPolicy }} +{{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" +{{- end }} + containers: + - name: main + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - /bin/bash + - -o + - pipefail + - -euc + {{- $port := .Values.service.ports.client.port }} + - > + sleep 15; + export SERVER={{ template "zookeeper.fullname" $root }}:{{ $port }}; + {{- range $job.config.create }} + echo '==> {{ . }}'; + echo '====> Create chroot if does not exist.'; + zkCli.sh -server {{ template "zookeeper.fullname" $root }}:{{ $port }} get {{ . }} 2>&1 >/dev/null | grep 'cZxid' + || zkCli.sh -server {{ template "zookeeper.fullname" $root }}:{{ $port }} create {{ . }} ""; + echo '====> Confirm chroot exists.'; + zkCli.sh -server {{ template "zookeeper.fullname" $root }}:{{ $port }} get {{ . }} 2>&1 >/dev/null | grep 'cZxid'; + echo '====> Chroot exists.'; + {{- end }} + env: + {{- range $key, $value := $job.env }} + - name: {{ $key | upper | replace "." "_" }} + value: {{ $value | quote }} + {{- end }} + resources: +{{ toYaml $job.resources | indent 12 }} +{{- end -}} diff --git a/stable/ckan/charts/solr/charts/zookeeper/templates/poddisruptionbudget.yaml b/stable/ckan/charts/solr/charts/zookeeper/templates/poddisruptionbudget.yaml new file mode 100644 index 00000000..15ee0080 --- /dev/null +++ b/stable/ckan/charts/solr/charts/zookeeper/templates/poddisruptionbudget.yaml @@ -0,0 +1,17 @@ +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "zookeeper.fullname" . }} + labels: + app: {{ template "zookeeper.name" . }} + chart: {{ template "zookeeper.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: server +spec: + selector: + matchLabels: + app: {{ template "zookeeper.name" . }} + release: {{ .Release.Name }} + component: server +{{ toYaml .Values.podDisruptionBudget | indent 2 }} diff --git a/stable/ckan/charts/solr/charts/zookeeper/templates/service-headless.yaml b/stable/ckan/charts/solr/charts/zookeeper/templates/service-headless.yaml new file mode 100644 index 00000000..1c0ea3fb --- /dev/null +++ b/stable/ckan/charts/solr/charts/zookeeper/templates/service-headless.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "zookeeper.headless" . }} + labels: + app: {{ template "zookeeper.name" . }} + chart: {{ template "zookeeper.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- if .Values.headless.annotations }} + annotations: +{{ .Values.headless.annotations | toYaml | trimSuffix "\n" | indent 4 }} +{{- end }} +spec: + clusterIP: None + ports: +{{- range $key, $port := .Values.ports }} + - name: {{ $key }} + port: {{ $port.containerPort }} + targetPort: {{ $key }} + protocol: {{ $port.protocol }} +{{- end }} + selector: + app: {{ template "zookeeper.name" . }} + release: {{ .Release.Name }} diff --git a/stable/ckan/charts/solr/charts/zookeeper/templates/service.yaml b/stable/ckan/charts/solr/charts/zookeeper/templates/service.yaml new file mode 100644 index 00000000..09fc1dcf --- /dev/null +++ b/stable/ckan/charts/solr/charts/zookeeper/templates/service.yaml @@ -0,0 +1,41 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "zookeeper.fullname" . }} + labels: + app: {{ template "zookeeper.name" . }} + chart: {{ template "zookeeper.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- if .Values.service.annotations }} + annotations: +{{- with .Values.service.annotations }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} +spec: + type: {{ .Values.service.type }} + ports: + {{- range $key, $value := .Values.service.ports }} + - name: {{ $key }} +{{ toYaml $value | indent 6 }} + {{- end }} +{{- if .Values.exporters.jmx.enabled }} + {{- range $key, $port := .Values.exporters.jmx.ports }} + - name: {{ $key }} + port: {{ $port.containerPort }} + targetPort: {{ $key }} + protocol: {{ $port.protocol }} + {{- end }} +{{- end}} +{{- if .Values.exporters.zookeeper.enabled }} + {{- range $key, $port := .Values.exporters.zookeeper.ports }} + - name: {{ $key }} + port: {{ $port.containerPort }} + targetPort: {{ $key }} + protocol: {{ $port.protocol }} + {{- end }} +{{- end}} + selector: + app: {{ template "zookeeper.name" . }} + release: {{ .Release.Name }} diff --git a/stable/ckan/charts/solr/charts/zookeeper/templates/servicemonitors.yaml b/stable/ckan/charts/solr/charts/zookeeper/templates/servicemonitors.yaml new file mode 100644 index 00000000..0a230a23 --- /dev/null +++ b/stable/ckan/charts/solr/charts/zookeeper/templates/servicemonitors.yaml @@ -0,0 +1,56 @@ +{{- if and .Values.exporters.jmx.enabled .Values.prometheus.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "zookeeper.fullname" . }} + {{- if .Values.prometheus.serviceMonitor.namespace }} + namespace: {{ .Values.prometheus.serviceMonitor.namespace }} + {{- end }} + labels: +{{ toYaml .Values.prometheus.serviceMonitor.selector | indent 4 }} +spec: + endpoints: + {{- range $key, $port := .Values.exporters.jmx.ports }} + - port: {{ $key }} + path: {{ $.Values.exporters.jmx.path }} + interval: {{ $.Values.exporters.jmx.serviceMonitor.interval }} + scrapeTimeout: {{ $.Values.exporters.jmx.serviceMonitor.scrapeTimeout }} + scheme: {{ $.Values.exporters.jmx.serviceMonitor.scheme }} + {{- end }} + selector: + matchLabels: + app: {{ include "zookeeper.name" . }} + release: {{ .Release.Name }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} +{{- end }} +--- + +{{- if and .Values.exporters.zookeeper.enabled .Values.prometheus.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "zookeeper.fullname" . }}-exporter + {{- if .Values.prometheus.serviceMonitor.namespace }} + namespace: {{ .Values.prometheus.serviceMonitor.namespace }} + {{- end }} + labels: +{{ toYaml .Values.prometheus.serviceMonitor.selector | indent 4 }} +spec: + endpoints: + {{- range $key, $port := .Values.exporters.zookeeper.ports }} + - port: {{ $key }} + path: {{ $.Values.exporters.zookeeper.path }} + interval: {{ $.Values.exporters.zookeeper.serviceMonitor.interval }} + scrapeTimeout: {{ $.Values.exporters.zookeeper.serviceMonitor.scrapeTimeout }} + scheme: {{ $.Values.exporters.zookeeper.serviceMonitor.scheme }} + {{- end }} + selector: + matchLabels: + app: {{ include "zookeeper.name" . }} + release: {{ .Release.Name }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/stable/ckan/charts/solr/charts/zookeeper/templates/statefulset.yaml b/stable/ckan/charts/solr/charts/zookeeper/templates/statefulset.yaml new file mode 100644 index 00000000..6d508a69 --- /dev/null +++ b/stable/ckan/charts/solr/charts/zookeeper/templates/statefulset.yaml @@ -0,0 +1,226 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "zookeeper.fullname" . }} + labels: + app: {{ template "zookeeper.name" . }} + chart: {{ template "zookeeper.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + component: server +spec: + serviceName: {{ template "zookeeper.headless" . }} + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: {{ template "zookeeper.name" . }} + release: {{ .Release.Name }} + component: server + updateStrategy: +{{ toYaml .Values.updateStrategy | indent 4 }} + template: + metadata: + labels: + app: {{ template "zookeeper.name" . }} + release: {{ .Release.Name }} + component: server + {{- if .Values.podLabels }} + ## Custom pod labels + {{- range $key, $value := .Values.podLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +{{- if .Values.podAnnotations }} + annotations: + ## Custom pod annotations + {{- range $key, $value := .Values.podAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +{{- end }} + spec: + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} +{{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" +{{- end }} + securityContext: +{{ toYaml .Values.securityContext | indent 8 }} +{{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" +{{- end }} + containers: + + - name: zookeeper + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.command }} + command: {{ range . }} + - {{ . | quote }} + {{- end }} + {{- end }} + ports: +{{- range $key, $port := .Values.ports }} + - name: {{ $key }} +{{ toYaml $port | indent 14 }} +{{- end }} + livenessProbe: + exec: + command: + - sh + - /config-scripts/ok + initialDelaySeconds: 20 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 2 + successThreshold: 1 + readinessProbe: + exec: + command: + - sh + - /config-scripts/ready + initialDelaySeconds: 20 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 2 + successThreshold: 1 + env: + - name: ZK_REPLICAS + value: {{ .Values.replicaCount | quote }} + {{- range $key, $value := .Values.env }} + - name: {{ $key | upper | replace "." "_" }} + value: {{ $value | quote }} + {{- end }} + {{- range $secret := .Values.secrets }} + {{- range $key := $secret.keys }} + - name: {{ (print $secret.name "_" $key) | upper }} + valueFrom: + secretKeyRef: + name: {{ $secret.name }} + key: {{ $key }} + {{- end }} + {{- end }} + resources: +{{ toYaml .Values.resources | indent 12 }} + volumeMounts: + - name: data + mountPath: /data + {{- range $secret := .Values.secrets }} + {{- if $secret.mountPath }} + {{- range $key := $secret.keys }} + - name: {{ $.Release.Name }}-{{ $secret.name }} + mountPath: {{ $secret.mountPath }}/{{ $key }} + subPath: {{ $key }} + readOnly: true + {{- end }} + {{- end }} + {{- end }} + - name: config + mountPath: /config-scripts + + +{{- if .Values.exporters.jmx.enabled }} + - name: jmx-exporter + image: "{{ .Values.exporters.jmx.image.repository }}:{{ .Values.exporters.jmx.image.tag }}" + imagePullPolicy: {{ .Values.exporters.jmx.image.pullPolicy }} + ports: + {{- range $key, $port := .Values.exporters.jmx.ports }} + - name: {{ $key }} +{{ toYaml $port | indent 14 }} + {{- end }} + livenessProbe: +{{ toYaml .Values.exporters.jmx.livenessProbe | indent 12 }} + readinessProbe: +{{ toYaml .Values.exporters.jmx.readinessProbe | indent 12 }} + env: + - name: SERVICE_PORT + value: {{ .Values.exporters.jmx.ports.jmxxp.containerPort | quote }} + {{- with .Values.exporters.jmx.env }} + {{- range $key, $value := . }} + - name: {{ $key | upper | replace "." "_" }} + value: {{ $value | quote }} + {{- end }} + {{- end }} + resources: +{{ toYaml .Values.exporters.jmx.resources | indent 12 }} + volumeMounts: + - name: config-jmx-exporter + mountPath: /opt/jmx_exporter/config.yml + subPath: config.yml +{{- end }} + +{{- if .Values.exporters.zookeeper.enabled }} + - name: zookeeper-exporter + image: "{{ .Values.exporters.zookeeper.image.repository }}:{{ .Values.exporters.zookeeper.image.tag }}" + imagePullPolicy: {{ .Values.exporters.zookeeper.image.pullPolicy }} + args: + - -bind-addr=:{{ .Values.exporters.zookeeper.ports.zookeeperxp.containerPort }} + - -metrics-path={{ .Values.exporters.zookeeper.path }} + - -zookeeper=localhost:{{ .Values.ports.client.containerPort }} + - -log-level={{ .Values.exporters.zookeeper.config.logLevel }} + - -reset-on-scrape={{ .Values.exporters.zookeeper.config.resetOnScrape }} + ports: + {{- range $key, $port := .Values.exporters.zookeeper.ports }} + - name: {{ $key }} +{{ toYaml $port | indent 14 }} + {{- end }} + livenessProbe: +{{ toYaml .Values.exporters.zookeeper.livenessProbe | indent 12 }} + readinessProbe: +{{ toYaml .Values.exporters.zookeeper.readinessProbe | indent 12 }} + env: + {{- range $key, $value := .Values.exporters.zookeeper.env }} + - name: {{ $key | upper | replace "." "_" }} + value: {{ $value | quote }} + {{- end }} + resources: +{{ toYaml .Values.exporters.zookeeper.resources | indent 12 }} +{{- end }} + + {{- with .Values.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "zookeeper.fullname" . }} + defaultMode: 0555 + {{- range .Values.secrets }} + - name: {{ $.Release.Name }}-{{ .name }} + secret: + secretName: {{ .name }} + {{- end }} + {{- if .Values.exporters.jmx.enabled }} + - name: config-jmx-exporter + configMap: + name: {{ .Release.Name }}-jmx-exporter + {{- end }} + {{- if not .Values.persistence.enabled }} + - name: data + emptyDir: {} + {{- end }} + {{- if .Values.persistence.enabled }} + volumeClaimTemplates: + - metadata: + name: data + spec: + accessModes: + - {{ .Values.persistence.accessMode | quote }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{- if .Values.persistence.storageClass }} + {{- if (eq "-" .Values.persistence.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.persistence.storageClass }}" + {{- end }} + {{- end }} + {{- end }} diff --git a/stable/ckan/charts/solr/charts/zookeeper/values.yaml b/stable/ckan/charts/solr/charts/zookeeper/values.yaml new file mode 100644 index 00000000..2fa6286e --- /dev/null +++ b/stable/ckan/charts/solr/charts/zookeeper/values.yaml @@ -0,0 +1,295 @@ +## As weighted quorums are not supported, it is imperative that an odd number of replicas +## be chosen. Moreover, the number of replicas should be either 1, 3, 5, or 7. +## +## ref: https://github.com/kubernetes/contrib/tree/master/statefulsets/zookeeper#stateful-set +replicaCount: 3 # Desired quantity of ZooKeeper pods. This should always be (1,3,5, or 7) + +podDisruptionBudget: + maxUnavailable: 1 # Limits how many Zokeeper pods may be unavailable due to voluntary disruptions. + +terminationGracePeriodSeconds: 1800 # Duration in seconds a Zokeeper pod needs to terminate gracefully. + +updateStrategy: + type: RollingUpdate + +## refs: +## - https://github.com/kubernetes/contrib/tree/master/statefulsets/zookeeper +## - https://github.com/kubernetes/contrib/blob/master/statefulsets/zookeeper/Makefile#L1 +image: + repository: zookeeper # Container image repository for zookeeper container. + tag: 3.5.5 # Container image tag for zookeeper container. + pullPolicy: IfNotPresent # Image pull criteria for zookeeper container. + +service: + type: ClusterIP # Exposes zookeeper on a cluster-internal IP. + annotations: {} # Arbitrary non-identifying metadata for zookeeper service. + ## AWS example for use with LoadBalancer service type. + # external-dns.alpha.kubernetes.io/hostname: zookeeper.cluster.local + # service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + # service.beta.kubernetes.io/aws-load-balancer-internal: "true" + ports: + client: + port: 2181 # Service port number for client port. + targetPort: client # Service target port for client port. + protocol: TCP # Service port protocol for client port. + +## Headless service. +## +headless: + annotations: {} + +ports: + client: + containerPort: 2181 # Port number for zookeeper container client port. + protocol: TCP # Protocol for zookeeper container client port. + election: + containerPort: 3888 # Port number for zookeeper container election port. + protocol: TCP # Protocol for zookeeper container election port. + server: + containerPort: 2888 # Port number for zookeeper container server port. + protocol: TCP # Protocol for zookeeper container server port. + +resources: {} # Optionally specify how much CPU and memory (RAM) each zookeeper container needs. + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +priorityClassName: "" + +nodeSelector: {} # Node label-values required to run zookeeper pods. + +tolerations: [] # Node taint overrides for zookeeper pods. + +affinity: {} # Criteria by which pod label-values influence scheduling for zookeeper pods. + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - topologyKey: "kubernetes.io/hostname" + # labelSelector: + # matchLabels: + # release: zookeeper + +podAnnotations: {} # Arbitrary non-identifying metadata for zookeeper pods. + # prometheus.io/scrape: "true" + # prometheus.io/path: "/metrics" + # prometheus.io/port: "9141" + +podLabels: {} # Key/value pairs that are attached to zookeeper pods. + # team: "developers" + # service: "zookeeper" + +securityContext: + fsGroup: 1000 + runAsUser: 1000 + +## Useful, if you want to use an alternate image. +command: + - /bin/bash + - -xec + - /config-scripts/run + +## Useful if using any custom authorizer. +## Pass any secrets to the kafka pods. Each secret will be passed as an +## environment variable by default. The secret can also be mounted to a +## specific path (in addition to environment variable) if required. Environment +## variable names are generated as: `_` (All upper case) +# secrets: +# - name: myKafkaSecret +# keys: +# - username +# - password +# # mountPath: /opt/kafka/secret +# - name: myZkSecret +# keys: +# - user +# - pass +# mountPath: /opt/zookeeper/secret + +persistence: + enabled: true + ## zookeeper data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + accessMode: ReadWriteOnce + size: 5Gi + +## Exporters query apps for metrics and make those metrics available for +## Prometheus to scrape. +exporters: + + jmx: + enabled: false + image: + repository: sscaling/jmx-prometheus-exporter + tag: 0.3.0 + pullPolicy: IfNotPresent + config: + lowercaseOutputName: false + ## ref: https://github.com/prometheus/jmx_exporter/blob/master/example_configs/zookeeper.yaml + rules: + - pattern: "org.apache.ZooKeeperService<>(\\w+)" + name: "zookeeper_$2" + - pattern: "org.apache.ZooKeeperService<>(\\w+)" + name: "zookeeper_$3" + labels: + replicaId: "$2" + - pattern: "org.apache.ZooKeeperService<>(\\w+)" + name: "zookeeper_$4" + labels: + replicaId: "$2" + memberType: "$3" + - pattern: "org.apache.ZooKeeperService<>(\\w+)" + name: "zookeeper_$4_$5" + labels: + replicaId: "$2" + memberType: "$3" + startDelaySeconds: 30 + env: {} + resources: {} + path: /metrics + ports: + jmxxp: + containerPort: 9404 + protocol: TCP + livenessProbe: + httpGet: + path: /metrics + port: jmxxp + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 60 + failureThreshold: 8 + successThreshold: 1 + readinessProbe: + httpGet: + path: /metrics + port: jmxxp + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 60 + failureThreshold: 8 + successThreshold: 1 + serviceMonitor: + interval: 30s + scrapeTimeout: 30s + scheme: http + + zookeeper: + ## refs: + ## - https://github.com/carlpett/zookeeper_exporter + ## - https://hub.docker.com/r/josdotso/zookeeper-exporter/ + ## - https://www.datadoghq.com/blog/monitoring-kafka-performance-metrics/#zookeeper-metrics + enabled: false + image: + repository: josdotso/zookeeper-exporter + tag: v1.1.2 + pullPolicy: IfNotPresent + config: + logLevel: info + resetOnScrape: "true" + env: {} + resources: {} + path: /metrics + ports: + zookeeperxp: + containerPort: 9141 + protocol: TCP + livenessProbe: + httpGet: + path: /metrics + port: zookeeperxp + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 60 + failureThreshold: 8 + successThreshold: 1 + readinessProbe: + httpGet: + path: /metrics + port: zookeeperxp + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 60 + failureThreshold: 8 + successThreshold: 1 + serviceMonitor: + interval: 30s + scrapeTimeout: 30s + scheme: http + +## ServiceMonitor configuration in case you are using Prometheus Operator +prometheus: + serviceMonitor: + ## If true a ServiceMonitor for each enabled exporter will be installed + enabled: false + ## The namespace where the ServiceMonitor(s) will be installed + # namespace: monitoring + ## The selector the Prometheus instance is searching for + ## [Default Prometheus Operator selector] (https://github.com/helm/charts/blob/f5a751f174263971fafd21eee4e35416d6612a3d/stable/prometheus-operator/templates/prometheus/prometheus.yaml#L74) + selector: {} + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: + +## ref: https://github.com/kubernetes/contrib/tree/master/statefulsets/zookeeper +env: + + ## Options related to JMX exporter. + ## ref: https://github.com/apache/zookeeper/blob/master/bin/zkServer.sh#L36 + JMXAUTH: "false" + JMXDISABLE: "false" + JMXPORT: 1099 + JMXSSL: "false" + + ## The port on which the server will accept client requests. + ZOO_PORT: 2181 + + ## The number of Ticks that an ensemble member is allowed to perform leader + ## election. + ZOO_INIT_LIMIT: 5 + + ZOO_TICK_TIME: 2000 + + ## The maximum number of concurrent client connections that + ## a server in the ensemble will accept. + ZOO_MAX_CLIENT_CNXNS: 60 + + ## The number of Tick by which a follower may lag behind the ensembles leader. + ZK_SYNC_LIMIT: 10 + + ## The number of wall clock ms that corresponds to a Tick for the ensembles + ## internal time. + ZK_TICK_TIME: 2000 + + ZOO_AUTOPURGE_PURGEINTERVAL: 0 + ZOO_AUTOPURGE_SNAPRETAINCOUNT: 3 + ZOO_STANDALONE_ENABLED: false + +jobs: + ## ref: http://zookeeper.apache.org/doc/r3.4.10/zookeeperProgrammers.html#ch_zkSessions + chroots: + enabled: false + activeDeadlineSeconds: 300 + backoffLimit: 5 + completions: 1 + config: + create: [] + # - /kafka + # - /ureplicator + env: [] + parallelism: 1 + resources: {} + restartPolicy: Never diff --git a/stable/ckan/charts/solr/templates/NOTES.txt b/stable/ckan/charts/solr/templates/NOTES.txt new file mode 100644 index 00000000..c152a37c --- /dev/null +++ b/stable/ckan/charts/solr/templates/NOTES.txt @@ -0,0 +1,11 @@ +Your Solr cluster has now been installed, and can be accessed in the following ways: + + * Internally, within the kubernetes cluster on: + +{{ template "solr.service-name" . }}.{{ .Release.Namespace }}:{{ .Values.port }} + + * External to the kubernetes cluster: + +export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "solr.name" . }},component=server,release={{ .Release.Name }}" -o jsonpath="{ .items[0].metadata.name }") +echo "Visit http://127.0.0.1:{{ .Values.port }} to access Solr" +kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME {{ .Values.port }}:{{ .Values.port }} diff --git a/stable/ckan/charts/solr/templates/_helpers.tpl b/stable/ckan/charts/solr/templates/_helpers.tpl new file mode 100644 index 00000000..d6f80d6b --- /dev/null +++ b/stable/ckan/charts/solr/templates/_helpers.tpl @@ -0,0 +1,133 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "solr.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "solr.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Define the name of the headless service for solr +*/}} +{{- define "solr.headless-service-name" -}} +{{- printf "%s-%s" (include "solr.fullname" .) "headless" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Define the name of the client service for solr +*/}} +{{- define "solr.service-name" -}} +{{- printf "%s-%s" (include "solr.fullname" .) "svc" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Define the name of the solr exporter +*/}} +{{- define "solr.exporter-name" -}} +{{- printf "%s-%s" (include "solr.fullname" .) "exporter" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +The name of the zookeeper service +*/}} +{{- define "solr.zookeeper-name" -}} +{{- printf "%s-%s" .Release.Name "zookeeper" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +The name of the zookeeper headless service +*/}} +{{- define "solr.zookeeper-service-name" -}} +{{ printf "%s-%s" (include "solr.zookeeper-name" .) "headless" | trunc 63 | trimSuffix "-" }} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "solr.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Define the name of the solr PVC +*/}} +{{- define "solr.pvc-name" -}} +{{ printf "%s-%s" (include "solr.fullname" .) "pvc" | trunc 63 | trimSuffix "-" }} +{{- end -}} + +{{/* + Define the name of the solr.xml configmap +*/}} +{{- define "solr.configmap-name" -}} +{{- printf "%s-%s" (include "solr.fullname" .) "config-map" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Define the name of the custom script configmap +*/}} +{{- define "solr.custom-script.configmap-name" -}} +{{- printf "%s-%s" (include "solr.fullname" .) "custom-script-config-map" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Define the labels that should be applied to all resources in the chart +*/}} +{{- define "solr.common.labels" -}} +app.kubernetes.io/name: {{ include "solr.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +helm.sh/chart: {{ include "solr.chart" . }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "solr.imagePullSecrets" -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. +Also, we can not use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- else if or .Values.image.pullSecrets .Values.exporter.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.exporter.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end -}} +{{- else if or .Values.image.pullSecrets .Values.exporter.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- range .Values.exporter.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/stable/ckan/charts/solr/templates/exporter-deployment.yaml b/stable/ckan/charts/solr/templates/exporter-deployment.yaml new file mode 100644 index 00000000..d4508a9f --- /dev/null +++ b/stable/ckan/charts/solr/templates/exporter-deployment.yaml @@ -0,0 +1,104 @@ +{{- if .Values.exporter.enabled }} +--- + +apiVersion: "v1" +kind: "Service" +metadata: + name: "{{ include "solr.exporter-name" . }}" + labels: +{{ include "solr.common.labels" . | indent 4 }} + app.kubernetes.io/component: "exporter" + annotations: +{{ toYaml .Values.exporter.service.annotations | indent 4}} +spec: + type: "{{ .Values.exporter.service.type }}" + ports: + - port: {{ .Values.exporter.port }} + name: "solr-client" + selector: + app.kubernetes.io/name: "{{ include "solr.name" . }}" + app.kubernetes.io/instance: "{{ .Release.Name }}" + app.kubernetes.io/component: "exporter" + + +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "solr.exporter-name" . }} + labels: +{{ include "solr.common.labels" . | indent 4 }} + app.kubernetes.io/component: "exporter" +spec: + selector: + matchLabels: + app.kubernetes.io/name: "{{ include "solr.name" . }}" + app.kubernetes.io/instance: "{{ .Release.Name }}" + app.kubernetes.io/component: "exporter" + replicas: 1 + strategy: + {{ toYaml .Values.exporter.updateStrategy | indent 4}} + template: + metadata: + labels: +{{ include "solr.common.labels" . | indent 8 }} + app.kubernetes.io/component: "exporter" + annotations: +{{ toYaml .Values.exporter.podAnnotations | indent 8 }} + spec: +{{- include "solr.imagePullSecrets" . | indent 6 }} + affinity: +{{ tpl (toYaml .Values.affinity) . | indent 8 }} + containers: + - name: exporter + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: +{{ toYaml .Values.exporter.resources | indent 12 }} + ports: + - containerPort: {{ .Values.port }} + name: solr-client + command: + - "/opt/solr/contrib/prometheus-exporter/bin/solr-exporter" + - "-p" + - "{{ .Values.exporter.port }}" + - "-z" + - "{{ include "solr.zookeeper-service-name" . }}:2181" + - "-n" + - "{{ .Values.exporter.threads }}" + - "-f" + - "{{ .Values.exporter.configFile }}" + livenessProbe: + initialDelaySeconds: {{ .Values.exporter.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.exporter.livenessProbe.periodSeconds }} + httpGet: + path: "/metrics" + port: {{ .Values.exporter.port }} + readinessProbe: + initialDelaySeconds: {{ .Values.exporter.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.exporter.readinessProbe.periodSeconds }} + httpGet: + path: "/metrics" + port: {{ .Values.exporter.port }} + initContainers: + - name: solr-init + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - 'sh' + - '-c' + - | + {{- if .Values.tls.enabled }} + PROTOCOL="https://" + {{ else }} + PROTOCOL="http://" + {{- end }} + COUNTER=0; + while [ $COUNTER -lt 30 ]; do + curl -k -s --connect-timeout 10 "${PROTOCOL}{{ include "solr.service-name" . }}:{{ .Values.port }}/solr/admin/info/system" && exit 0 + sleep 2 + done; + echo "Did NOT see a Running Solr instance after 60 secs!"; + exit 1; +{{ end }} diff --git a/stable/ckan/charts/solr/templates/poddisruptionbudget.yaml b/stable/ckan/charts/solr/templates/poddisruptionbudget.yaml new file mode 100644 index 00000000..677ded3e --- /dev/null +++ b/stable/ckan/charts/solr/templates/poddisruptionbudget.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: "policy/v1beta1" +kind: "PodDisruptionBudget" +metadata: + name: "{{ include "solr.fullname" . }}" + labels: +{{ include "solr.common.labels" . | indent 4 }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: "{{ include "solr.name" . }}" + app.kubernetes.io/instance: "{{ .Release.Name }}" + app.kubernetes.io/component: "server" +{{ toYaml .Values.podDisruptionBudget | indent 2 }} diff --git a/stable/ckan/charts/solr/templates/service-headless.yaml b/stable/ckan/charts/solr/templates/service-headless.yaml new file mode 100644 index 00000000..9ff2aa23 --- /dev/null +++ b/stable/ckan/charts/solr/templates/service-headless.yaml @@ -0,0 +1,17 @@ +--- + +apiVersion: "v1" +kind: "Service" +metadata: + name: "{{ include "solr.headless-service-name" . }}" + labels: +{{ include "solr.common.labels" . | indent 4 }} +spec: + clusterIP: "None" + ports: + - port: {{ .Values.port }} + name: "solr-headless" + selector: + app.kubernetes.io/name: "{{ include "solr.name" . }}" + app.kubernetes.io/instance: "{{ .Release.Name }}" + app.kubernetes.io/component: "server" diff --git a/stable/ckan/charts/solr/templates/service.yaml b/stable/ckan/charts/solr/templates/service.yaml new file mode 100644 index 00000000..d922bb4a --- /dev/null +++ b/stable/ckan/charts/solr/templates/service.yaml @@ -0,0 +1,19 @@ +--- + +apiVersion: "v1" +kind: "Service" +metadata: + name: "{{ include "solr.service-name" . }}" + labels: +{{ include "solr.common.labels" . | indent 4 }} + annotations: +{{ toYaml .Values.service.annotations | indent 4}} +spec: + type: "{{ .Values.service.type }}" + ports: + - port: {{ .Values.port }} + name: "solr-client" + selector: + app.kubernetes.io/name: "{{ include "solr.name" . }}" + app.kubernetes.io/instance: "{{ .Release.Name }}" + app.kubernetes.io/component: "server" diff --git a/stable/ckan/charts/solr/templates/solr-custom-script.yaml b/stable/ckan/charts/solr/templates/solr-custom-script.yaml new file mode 100644 index 00000000..41c0e13e --- /dev/null +++ b/stable/ckan/charts/solr/templates/solr-custom-script.yaml @@ -0,0 +1,13 @@ +{{ if not ( eq .Values.initScript "" ) }} +--- + +apiVersion: "v1" +kind: "ConfigMap" +metadata: + name: "{{ include "solr.custom-script.configmap-name" . }}" + labels: +{{ include "solr.common.labels" . | indent 4}} +data: + solr-init.sh: | +{{ .Files.Get .Values.initScript | indent 4}} +{{ end }} diff --git a/stable/ckan/charts/solr/templates/solr-xml-configmap.yaml b/stable/ckan/charts/solr/templates/solr-xml-configmap.yaml new file mode 100644 index 00000000..43cdb236 --- /dev/null +++ b/stable/ckan/charts/solr/templates/solr-xml-configmap.yaml @@ -0,0 +1,29 @@ +--- + +apiVersion: "v1" +kind: "ConfigMap" +metadata: + name: "{{ include "solr.configmap-name" . }}" + labels: +{{ include "solr.common.labels" . | indent 4}} +data: + solr.xml: | + + + + ${host:} + ${jetty.port:8983} + ${hostContext:solr} + ${genericCoreNodeNames:true} + ${zkClientTimeout:30000} + ${distribUpdateSoTimeout:600000} + ${distribUpdateConnTimeout:60000} + ${zkCredentialsProvider:org.apache.solr.common.cloud.DefaultZkCredentialsProvider} + ${zkACLProvider:org.apache.solr.common.cloud.DefaultZkACLProvider} + + + ${socketTimeout:600000} + ${connTimeout:60000} + + diff --git a/stable/ckan/charts/solr/templates/statefulset.yaml b/stable/ckan/charts/solr/templates/statefulset.yaml new file mode 100644 index 00000000..07c0dbef --- /dev/null +++ b/stable/ckan/charts/solr/templates/statefulset.yaml @@ -0,0 +1,234 @@ +--- + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "solr.fullname" . }} + labels: +{{ include "solr.common.labels" . | indent 4 }} + app.kubernetes.io/component: server +spec: + selector: + matchLabels: + app.kubernetes.io/name: "{{ include "solr.name" . }}" + app.kubernetes.io/instance: "{{ .Release.Name }}" + app.kubernetes.io/component: "server" + serviceName: {{ include "solr.headless-service-name" . }} + replicas: {{ .Values.replicaCount }} + updateStrategy: + {{ toYaml .Values.updateStrategy | indent 4}} + template: + metadata: + labels: + app.kubernetes.io/name: "{{ include "solr.name" . }}" + app.kubernetes.io/instance: "{{ .Release.Name }}" + app.kubernetes.io/component: "server" + annotations: +{{ toYaml .Values.podAnnotations | indent 8 }} + spec: +{{- include "solr.imagePullSecrets" . | indent 6 }} + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} + securityContext: + fsGroup: 8983 + runAsUser: 8983 + affinity: +{{ tpl (toYaml .Values.affinity) . | indent 8 }} + tolerations: +{{ tpl (toYaml .Values.tolerations) . | indent 8 }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + volumes: +{{- if .Values.tls.enabled }} + - name: keystore-volume + emptyDir: {} + - name: "tls-secret" + secret: + secretName: {{ .Values.tls.certSecret.name }} +{{- if not (eq .Values.tls.caSecret.name "") }} + - name: "tls-ca" + secret: + secretName: {{ .Values.tls.caSecret.name }} +{{- end }} +{{- end }} + - name: solr-xml + configMap: + name: {{ include "solr.configmap-name" . }} + items: + - key: solr.xml + path: solr.xml +{{- if not ( eq .Values.initScript "" ) }} + - name: solr-init-script + configMap: + name: {{ include "solr.custom-script.configmap-name" . }} + items: + - key: solr-init.sh + path: solr-init.sh +{{- end }} + initContainers: + - name: check-zk + image: busybox:latest + command: + - 'sh' + - '-c' + - | + COUNTER=0; + while [ $COUNTER -lt 120 ]; do + addr=$(nslookup -type=a {{ include "solr.zookeeper-service-name" . }} | grep "Address:" | awk 'NR>1 {print $2}') + if [ ! -z "$addr" ]; then + while read -r line; do + echo $line; + exit 0; + done <> /app/backup/{{ $fullName }}-{{ $key }}-$(date +%Y-%m-%d)-log.txt ; +{{- end }} +{{- end }} + diff --git a/stable/ckan/templates/cm/ckan-overlay.yaml b/stable/ckan/templates/cm/ckan-overlay.yaml index 70fb34b8..35a6b5a3 100644 --- a/stable/ckan/templates/cm/ckan-overlay.yaml +++ b/stable/ckan/templates/cm/ckan-overlay.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "ckan.fullname" . }}-ini-overlay-configmap + name: {{ include "ckan.name" . }}-ini-overlay-configmap data: production.ini: | {{ .Files.Get "conf/ckan/overlay-production.ini" | indent 4 }} diff --git a/stable/ckan/templates/cm/ckan-prerun.yaml b/stable/ckan/templates/cm/ckan-prerun.yaml index a58fd689..a6d23fdf 100644 --- a/stable/ckan/templates/cm/ckan-prerun.yaml +++ b/stable/ckan/templates/cm/ckan-prerun.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "ckan.fullname" . }}-prerun-configmap + name: {{ include "ckan.name" . }}-prerun-configmap data: prerun.py: | {{ .Files.Get "conf/ckan/prerun.py" | indent 4 }} diff --git a/stable/ckan/templates/cm/psql-init.yaml b/stable/ckan/templates/cm/psql-init.yaml index 77aa249c..5e1363e1 100644 --- a/stable/ckan/templates/cm/psql-init.yaml +++ b/stable/ckan/templates/cm/psql-init.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: psql-{{ include "ckan.fullname" . }}-init-configmap + name: psql-{{ include "ckan.name" . }}-init-configmap data: psql-init.py: | {{ .Files.Get "conf/psql-init/psql-init.py" | indent 4 }} diff --git a/stable/ckan/templates/cm/solr-configset.yaml b/stable/ckan/templates/cm/solr-configset.yaml index 4667bba8..00d958a0 100644 --- a/stable/ckan/templates/cm/solr-configset.yaml +++ b/stable/ckan/templates/cm/solr-configset.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: solr-{{ include "ckan.fullname" . }}-configset-configmap + name: solr-{{ include "ckan.name" . }}-configset-configmap data: {{ (.Files.Glob "conf/solr-init/solr-configset/*").AsConfig | indent 2 }} {{- end }} diff --git a/stable/ckan/templates/cm/solr-init.yaml b/stable/ckan/templates/cm/solr-init.yaml index d3ba4bd1..0f228e34 100644 --- a/stable/ckan/templates/cm/solr-init.yaml +++ b/stable/ckan/templates/cm/solr-init.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: solr-{{ include "ckan.fullname" . }}-init-configmap + name: solr-{{ include "ckan.name" . }}-init-configmap data: solr-init.py: | {{ .Files.Get "conf/solr-init/solr-init.py" | indent 4 }} diff --git a/stable/ckan/templates/cronjob/ckan.yaml b/stable/ckan/templates/cronjob/ckan.yaml index 85d6fc4b..f8c57bc5 100644 --- a/stable/ckan/templates/cronjob/ckan.yaml +++ b/stable/ckan/templates/cronjob/ckan.yaml @@ -1,9 +1,5 @@ -{{- if eq .Values.ckan.activityStreamsEmailNotifications_jobs "true" -}} -{{- if semverCompare "<1.21" .Capabilities.KubeVersion.GitVersion }} +{{- if .Values.ckan.activityStreamsEmailNotifications_jobs -}} apiVersion: batch/v1beta1 -{{- else }} -apiVersion: batch/v1 -{{- end }} kind: CronJob metadata: name: {{ include "ckan.name" . }}-email-notifications diff --git a/stable/ckan/templates/deploy/ckan.yaml b/stable/ckan/templates/deploy/ckan.yaml index 62781b4c..3185a95b 100644 --- a/stable/ckan/templates/deploy/ckan.yaml +++ b/stable/ckan/templates/deploy/ckan.yaml @@ -5,20 +5,20 @@ metadata: labels: app.kubernetes.io/name: {{ include "ckan.name" . }} helm.sh/chart: {{ include "ckan.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/instance: {{ include "ckan.name" . }} app.kubernetes.io/managed-by: {{ .Release.Service }} spec: replicas: {{ .Values.replicaCount }} selector: matchLabels: app.kubernetes.io/name: {{ include "ckan.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/instance: {{ include "ckan.name" . }} tier: ckan template: metadata: labels: app.kubernetes.io/name: {{ include "ckan.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/instance: {{ include "ckan.name" . }} tier: ckan annotations: {{- with .Values.ckan.podAnnotations }} @@ -33,6 +33,17 @@ spec: securityContext: {{- toYaml .Values.ckan.podSecurityContext | nindent 8 }} volumes: + {{- if .Values.ckan.backup.enabled }} + - name: "ckan-backup" + azureFile: + secretName: {{ .Values.fullnameOverride }}-ckan-backup-secret + shareName: {{ .Values.ckan.backup.shareName }} + + - name: {{ include "ckan.fullname" . }}-crontabs + configMap: + name: {{ include "ckan.fullname" . }}-crontabs + defaultMode: 0755 + {{- end }} - name: {{ include "ckan.fullname" . }}-ini-overlay-configmap configMap: name: {{ include "ckan.fullname" . }}-ini-overlay-configmap @@ -66,7 +77,7 @@ spec: {{ end }} initContainers: - name: create-production-ini - image: "{{ .Values.initContainer.image.repository }}:{{ .Values.initContainer.image.tag }}" + image: busybox command: - "sh" - "-c" @@ -82,7 +93,7 @@ spec: readOnly: false {{- if .Values.ckan.persistence.enabled }} - name: set-volume-ownership - image: "{{ .Values.initContainer.image.repository }}:{{ .Values.initContainer.image.tag }}" + image: busybox command: - "sh" - "-c" @@ -97,7 +108,7 @@ spec: containers: {{ if .Values.pgbouncer.enabled }} - name: pgbouncer - image: "{{ .Values.pgbouncer.image.repository }}:{{ .Values.pgbouncer.image.tag }}" + image: mcr.microsoft.com/azure-oss-db-tools/pgbouncer-sidecar:latest imagePullPolicy: Always ports: - containerPort: 5432 @@ -135,7 +146,7 @@ spec: value: "{{ .Values.solr.initialize.maxShardsPerNode }}" - name: CKAN_SOLR_INIT_CONFIGSETNAME value: "{{ .Values.solr.initialize.configsetName }}" - + command: - /bin/bash - -c @@ -241,6 +252,14 @@ spec: - | set -e source $CKAN_VENV/bin/activate + sudo service cron start + {{- if .Values.ckan.backup.enabled }} + echo "#!/usr/bin/bash" | crontab - + (crontab -l ; echo "PATH=/usr/lib/ckan/venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin") | crontab - + {{- range $key, $value := .Values.ckan.cronjobs }} + (crontab -l ; echo {{ $value.crontab | quote }}) | crontab - + {{- end }} + {{- end }} ckan generate config /srv/app/production.ini python3 < /tmp/enviroment + sudo bash -c "cat /tmp/enviroment > /etc/environment" ckan -c /srv/app/production.ini run --host 0.0.0.0 ports: - name: http @@ -305,6 +326,8 @@ spec: secretKeyRef: name: {{ include "ckan.fullname" . }} key: sysadminPassword + - name: BEAKER_SESSION_SECRET + value: {{ .Values.ckan.beaker_session_secret }} - name: CKAN_SYSADMIN_EMAIL value: {{ .Values.ckan.sysadminEmail }} - name: CKAN_SITE_TITLE @@ -410,6 +433,12 @@ spec: failureThreshold: {{ .Values.ckan.liveness.failureThreshold }} timeoutSeconds: {{ .Values.ckan.liveness.timeoutSeconds }} volumeMounts: + {{- if .Values.ckan.backup.enabled}} + - mountPath: "/app/backup" + name: "ckan-backup" + - name: {{ include "ckan.fullname" . }}-crontabs + mountPath: /app/ + {{- end }} - name: {{ include "ckan.fullname" . }}-prerun-configmap mountPath: /srv/prerun - name: {{ include "ckan.fullname" . }}-ini-overlay-configmap diff --git a/stable/ckan/templates/secret/ckan-backup-secret.yaml b/stable/ckan/templates/secret/ckan-backup-secret.yaml new file mode 100644 index 00000000..e353d78c --- /dev/null +++ b/stable/ckan/templates/secret/ckan-backup-secret.yaml @@ -0,0 +1,10 @@ +{{- if .Values.ckan.backup.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.fullnameOverride }}-ckan-backup-secret +type: Opaque +data: + azurestorageaccountname: {{ .Values.ckan.backup.azurestorageaccountname | b64enc }} + azurestorageaccountkey: {{ .Values.ckan.backup.azurestorageaccountkey | b64enc }} +{{- end }} diff --git a/stable/ckan/values.yaml b/stable/ckan/values.yaml index 226b3c36..912e245e 100644 --- a/stable/ckan/values.yaml +++ b/stable/ckan/values.yaml @@ -9,11 +9,6 @@ image: tag: 2.9 pullPolicy: IfNotPresent -initContainer: - image: - repository: busybox - tag: latest - imagePullSecrets: [] nameOverride: "" fullnameOverride: "ckan-scheming" @@ -49,7 +44,7 @@ extensions: ## Configuration values for CKAN ckan: - sysadminName: "" + sysadminName: "ckan_admin" sysadminPassword: "PasswordHere" sysadminApiToken: "replace_this_with_generated_api_token_for_sysadmin" sysadminEmail: "admin@domain.com" @@ -61,7 +56,7 @@ ckan: organization_schemas: group_schemas: dataset_schemas: - presets: + presets: dataset_fallback: false resource_proxy_timeouts: 5 storagePath: "/var/lib/ckan/default" @@ -69,19 +64,26 @@ ckan: activityStreamsEmailNotifications_jobs: "false" debug: "false" maintenanceMode: "false" + backup: + adminuser: "" + enabled: true + shareName: "" + azurestorageaccountname: "" + azurestorageaccountkey: "" + psql: initialize: true db: - ckanDbName: "" - ckanDbUser: "" - ckanDbPassword: "" + ckanDbName: ckan + ckanDbUser: ckan + ckanDbPassword: password datastore: RwDbName: datastore_default RwDbUser: datastorerw - RwDbPassword: "" + RwDbPassword: password RoDbName: datastore_default RoDbUser: datastorero - RoDbPassword: "" + RoDbPassword: password spatialBackend: "solr" locale: offered: "en" @@ -150,7 +152,7 @@ ckan: # storageClass: "-" annotations: {} accessMode: ReadWriteOnce - size: 8Gi + size: 4Gi serviceAccount: create: false annotations: {} @@ -170,21 +172,20 @@ solr: configsetName: ckanConfigSet replicaCount: 1 volumeClaimTemplates: - storageSize: 5Gi + storageSize: 8Gi image: repository: solr - tag: 8.11.1 - initContainer: - image: - repository: busybox - tag: latest + tag: 9.3.0 zookeeper: replicaCount: 1 persistence: size: 1Gi - image: - repository: zookeeper - tag: 3.5.5 +datapusher: + image: + repository: artifactory.cloud.statcan.ca/docker/keitaro/ckan-datapusher + tag: 0.0.17 + imagePullSecrets: + - name: artifactory-prod ## Configuration values for the Redis dependency sub-chart ## ref: https://github.com/bitnami/charts/blob/master/bitnami/redis/README.md @@ -207,10 +208,14 @@ redis: service: type: ClusterIP disableCommands: [] + persistence: + size: 2Gi slave: service: type: ClusterIP disableCommands: [] + persistence: + size: 2Gi ## Configuration values for the PostgreSQL dependency sub-chart ## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md @@ -257,10 +262,6 @@ pgbouncer: password: password poolSize: 50 maxClientConnections: 400 - image: - repository: mcr.microsoft.com/azure-oss-db-tools/pgbouncer-sidecar - tag: latest - sslmode: prefer # Specify an external database # Useful for managed offerings from your Cloud Provider @@ -269,8 +270,8 @@ external: # CKAN DB driver driver: pgsql port: 5432 - host: "" + host: pgserver.postgres.database.azure.com # Credentials - database: "" + database: ckan user: username@hostname password: password diff --git a/stable/fdi-dotstatsuite-keycloak/Chart.yaml b/stable/fdi-dotstatsuite-keycloak/Chart.yaml new file mode 100644 index 00000000..3137dca8 --- /dev/null +++ b/stable/fdi-dotstatsuite-keycloak/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 16.1.0 +description: fdi-dotstatsuite-keycloak +home: https://statcan.gc.ca +maintainers: +- email: Jianlong.qian@statcan.gc.ca + name: Jianlong.qian +name: fdi-dotstatsuite-keycloak +sources: +- https://gitlab.com/sis-cc/.stat-suite/dotstatsuite-kube-rp/ +type: application +version: 1.0.0 diff --git a/stable/fdi-dotstatsuite-keycloak/config/realm.json b/stable/fdi-dotstatsuite-keycloak/config/realm.json new file mode 100644 index 00000000..32ba6fb9 --- /dev/null +++ b/stable/fdi-dotstatsuite-keycloak/config/realm.json @@ -0,0 +1,1724 @@ +{ + "id" : "statcan-ccei", + "realm" : "statcan-ccei", + "notBefore" : 0, + "revokeRefreshToken" : false, + "refreshTokenMaxReuse" : 0, + "accessTokenLifespan" : 300, + "accessTokenLifespanForImplicitFlow" : 900, + "ssoSessionIdleTimeout" : 1800, + "ssoSessionMaxLifespan" : 36000, + "ssoSessionIdleTimeoutRememberMe" : 0, + "ssoSessionMaxLifespanRememberMe" : 0, + "offlineSessionIdleTimeout" : 2592000, + "offlineSessionMaxLifespanEnabled" : false, + "offlineSessionMaxLifespan" : 5184000, + "clientSessionIdleTimeout" : 0, + "clientSessionMaxLifespan" : 0, + "clientOfflineSessionIdleTimeout" : 0, + "clientOfflineSessionMaxLifespan" : 0, + "accessCodeLifespan" : 60, + "accessCodeLifespanUserAction" : 300, + "accessCodeLifespanLogin" : 1800, + "actionTokenGeneratedByAdminLifespan" : 43200, + "actionTokenGeneratedByUserLifespan" : 300, + "enabled" : true, + "sslRequired" : "none", + "registrationAllowed" : false, + "registrationEmailAsUsername" : false, + "rememberMe" : false, + "verifyEmail" : false, + "loginWithEmailAllowed" : true, + "duplicateEmailsAllowed" : false, + "resetPasswordAllowed" : false, + "editUsernameAllowed" : false, + "bruteForceProtected" : false, + "permanentLockout" : false, + "maxFailureWaitSeconds" : 900, + "minimumQuickLoginWaitSeconds" : 60, + "waitIncrementSeconds" : 60, + "quickLoginCheckMilliSeconds" : 1000, + "maxDeltaTimeSeconds" : 43200, + "failureFactor" : 30, + "roles" : { + "realm" : [ { + "id" : "730a6fa8-0f6a-47f7-ae37-406be7c80040", + "name" : "uma_authorization", + "description" : "${role_uma_authorization}", + "composite" : false, + "clientRole" : false, + "containerId" : "demo", + "attributes" : { } + }, { + "id" : "4be78069-52c6-405d-a432-b4e5a2b7879a", + "name" : "offline_access", + "description" : "${role_offline-access}", + "composite" : false, + "clientRole" : false, + "containerId" : "demo", + "attributes" : { } + } ], + "client" : { + "realm-management" : [ { + "id" : "d917ebeb-5260-4539-ae28-ec3460ba0a00", + "name" : "impersonation", + "description" : "${role_impersonation}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "b828a023-743b-4c02-804b-699b93f45669", + "name" : "manage-identity-providers", + "description" : "${role_manage-identity-providers}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "4372be79-7081-434d-bad1-11e53079a1a0", + "name" : "view-realm", + "description" : "${role_view-realm}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "21c05113-2167-416f-834a-e86866df9ddc", + "name" : "manage-realm", + "description" : "${role_manage-realm}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "43f1f2fc-43d2-4739-89b6-c613b8680474", + "name" : "manage-authorization", + "description" : "${role_manage-authorization}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "41641907-82b5-40b8-874b-9e88c02b5575", + "name" : "view-events", + "description" : "${role_view-events}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "db3b5ed7-0c09-47e7-a9e8-0867f1f45b2f", + "name" : "manage-clients", + "description" : "${role_manage-clients}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "694337b1-820d-431f-8233-b20064691367", + "name" : "view-users", + "description" : "${role_view-users}", + "composite" : true, + "composites" : { + "client" : { + "realm-management" : [ "query-groups", "query-users" ] + } + }, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "c4de5757-a74b-483c-90d6-676c2c803ef8", + "name" : "manage-events", + "description" : "${role_manage-events}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "3ad9004b-ffe8-48de-ae13-06a34e08a19e", + "name" : "view-identity-providers", + "description" : "${role_view-identity-providers}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "4e3abf2f-52b1-4458-a423-ffe8e3db81e8", + "name" : "query-clients", + "description" : "${role_query-clients}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "926a2f60-37d2-4867-a95e-f8e9d4cee16e", + "name" : "query-groups", + "description" : "${role_query-groups}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "c778c383-3bce-45b2-a97c-0eed0775191f", + "name" : "manage-users", + "description" : "${role_manage-users}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "edc17ea2-7518-48fc-a9fa-f5765cae08d8", + "name" : "query-users", + "description" : "${role_query-users}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "6850c0cb-ba8d-435b-813e-ef8e1cb2d905", + "name" : "view-authorization", + "description" : "${role_view-authorization}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "caad46f5-bb68-4e10-900e-aac78e2416f3", + "name" : "realm-admin", + "description" : "${role_realm-admin}", + "composite" : true, + "composites" : { + "client" : { + "realm-management" : [ "impersonation", "manage-identity-providers", "view-realm", "manage-realm", "manage-authorization", "view-events", "manage-clients", "view-users", "manage-events", "view-identity-providers", "query-clients", "query-groups", "manage-users", "query-users", "view-authorization", "query-realms", "create-client", "view-clients" ] + } + }, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "e22eeae1-7a71-48b3-a5a7-ba82a8e8f2a1", + "name" : "query-realms", + "description" : "${role_query-realms}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "f1edbbef-a629-4ab8-bc5c-fe79d101df71", + "name" : "create-client", + "description" : "${role_create-client}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "a776e71c-38c0-4217-96d8-beeb411a6864", + "name" : "view-clients", + "description" : "${role_view-clients}", + "composite" : true, + "composites" : { + "client" : { + "realm-management" : [ "query-clients" ] + } + }, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + } ], + "stat-suite" : [ ], + "security-admin-console" : [ ], + "admin-cli" : [ ], + "account-console" : [ ], + "broker" : [ { + "id" : "8b0c6d36-6259-4d4e-926e-770b7965e905", + "name" : "read-token", + "description" : "${role_read-token}", + "composite" : false, + "clientRole" : true, + "containerId" : "477e51e0-bfe2-43f2-bb3c-65871f00c9a9", + "attributes" : { } + } ], + "account" : [ { + "id" : "800e807c-fe74-42d1-aa7c-532ebafa1dfc", + "name" : "manage-consent", + "description" : "${role_manage-consent}", + "composite" : true, + "composites" : { + "client" : { + "account" : [ "view-consent" ] + } + }, + "clientRole" : true, + "containerId" : "f6efbc6a-a606-4260-ad22-553634954813", + "attributes" : { } + }, { + "id" : "cef16bb5-1681-4203-891a-225456961421", + "name" : "view-profile", + "description" : "${role_view-profile}", + "composite" : false, + "clientRole" : true, + "containerId" : "f6efbc6a-a606-4260-ad22-553634954813", + "attributes" : { } + }, { + "id" : "1f7a05f1-b204-47cb-9644-ede7574a2a61", + "name" : "view-consent", + "description" : "${role_view-consent}", + "composite" : false, + "clientRole" : true, + "containerId" : "f6efbc6a-a606-4260-ad22-553634954813", + "attributes" : { } + }, { + "id" : "ab0b5e8a-63f0-456d-b6c7-1df1668d6b41", + "name" : "manage-account", + "description" : "${role_manage-account}", + "composite" : true, + "composites" : { + "client" : { + "account" : [ "manage-account-links" ] + } + }, + "clientRole" : true, + "containerId" : "f6efbc6a-a606-4260-ad22-553634954813", + "attributes" : { } + }, { + "id" : "f5f46dbb-f7b5-4c76-8cc3-94dc32608261", + "name" : "view-applications", + "description" : "${role_view-applications}", + "composite" : false, + "clientRole" : true, + "containerId" : "f6efbc6a-a606-4260-ad22-553634954813", + "attributes" : { } + }, { + "id" : "95bbf4df-9e23-4c78-8e46-18bc44ee3ba8", + "name" : "manage-account-links", + "description" : "${role_manage-account-links}", + "composite" : false, + "clientRole" : true, + "containerId" : "f6efbc6a-a606-4260-ad22-553634954813", + "attributes" : { } + } ] + } + }, + "groups" : [ { + "id" : "355e476c-079d-4ef7-97ee-0e40f977843a", + "name" : "admins", + "path" : "/admins", + "attributes" : { }, + "realmRoles" : [ ], + "clientRoles" : { }, + "subGroups" : [ ] + } ], + "defaultRoles" : [ "uma_authorization", "offline_access" ], + "requiredCredentials" : [ "password" ], + "otpPolicyType" : "totp", + "otpPolicyAlgorithm" : "HmacSHA1", + "otpPolicyInitialCounter" : 0, + "otpPolicyDigits" : 6, + "otpPolicyLookAheadWindow" : 1, + "otpPolicyPeriod" : 30, + "otpSupportedApplications" : [ "FreeOTP", "Google Authenticator" ], + "webAuthnPolicyRpEntityName" : "keycloak", + "webAuthnPolicySignatureAlgorithms" : [ "ES256" ], + "webAuthnPolicyRpId" : "", + "webAuthnPolicyAttestationConveyancePreference" : "not specified", + "webAuthnPolicyAuthenticatorAttachment" : "not specified", + "webAuthnPolicyRequireResidentKey" : "not specified", + "webAuthnPolicyUserVerificationRequirement" : "not specified", + "webAuthnPolicyCreateTimeout" : 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister" : false, + "webAuthnPolicyAcceptableAaguids" : [ ], + "webAuthnPolicyPasswordlessRpEntityName" : "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms" : [ "ES256" ], + "webAuthnPolicyPasswordlessRpId" : "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference" : "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment" : "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey" : "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement" : "not specified", + "webAuthnPolicyPasswordlessCreateTimeout" : 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister" : false, + "webAuthnPolicyPasswordlessAcceptableAaguids" : [ ], + "users" : [ { + "id" : "c2dc90cd-e525-4c4d-a834-0ac3d3ad346d", + "createdTimestamp" : 1568987587616, + "username" : "test-admin", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "firstName" : "Test", + "lastName" : "Admin", + "email" : "admin@dotstat-suite.com", + "credentials" : [ { + "id" : "d0ce0193-2673-4eee-a9a3-fdf7b492d397", + "type" : "password", + "createdDate" : 1568987597001, + "secretData" : "{\"value\":\"EM2T0gb84/dxdPgobNBG9GtYP2VC49KRgFb+CJwa2wGa7mFly5swZaD73YGMSeybKSWojqILX1MV+8hYW8rI8Q==\",\"salt\":\"uVj1DI50CR6lpbEkfN55MQ==\"}", + "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\"}" + } ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "uma_authorization", "offline_access" ], + "clientRoles" : { + "account" : [ "view-profile", "manage-account" ] + }, + "notBefore" : 0, + "groups" : [ "/admins" ] + } ], + "scopeMappings" : [ { + "clientScope" : "offline_access", + "roles" : [ "offline_access" ] + } ], + "clientScopeMappings" : { + "account" : [ { + "client" : "account-console", + "roles" : [ "manage-account" ] + } ] + }, + "clients" : [ { + "id" : "f6efbc6a-a606-4260-ad22-553634954813", + "clientId" : "account", + "name" : "${client_account}", + "rootUrl" : "${authBaseUrl}", + "baseUrl" : "/realms/demo/account/", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "e925d1c0-3f7d-4323-8f3c-179e334ed877", + "defaultRoles" : [ "view-profile", "manage-account" ], + "redirectUris" : [ "/realms/demo/account/*" ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "ea02131b-092d-452b-9360-c5e1749d09a7", + "clientId" : "account-console", + "name" : "${client_account-console}", + "rootUrl" : "${authBaseUrl}", + "baseUrl" : "/realms/demo/account/", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "b6440098-44b0-4db2-8914-0ad5cafc33e1", + "redirectUris" : [ "/realms/demo/account/*" ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "pkce.code.challenge.method" : "S256" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "protocolMappers" : [ { + "id" : "150f660a-c130-40db-adc0-fdd47183b973", + "name" : "audience resolve", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-audience-resolve-mapper", + "consentRequired" : false, + "config" : { } + } ], + "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "bfc4a97f-d66f-47a4-82aa-4ba11fc9c819", + "clientId" : "admin-cli", + "name" : "${client_admin-cli}", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "62d8c86c-005c-4a5a-a669-8ecaf4ad58ca", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : false, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : true, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "477e51e0-bfe2-43f2-bb3c-65871f00c9a9", + "clientId" : "broker", + "name" : "${client_broker}", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "af29b39d-4586-4c8b-85b6-3bdf38395b85", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "clientId" : "realm-management", + "name" : "${client_realm-management}", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "116b3e2c-fb08-4258-b130-65553c327eca", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : true, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "f9a68146-a40d-4e9b-8c80-8b84e80e2eef", + "clientId" : "security-admin-console", + "name" : "${client_security-admin-console}", + "rootUrl" : "${authAdminUrl}", + "baseUrl" : "/admin/demo/console/", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "bc40fea6-695d-4c65-9897-b651441f6b00", + "redirectUris" : [ "/admin/demo/console/*" ], + "webOrigins" : [ "+" ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "pkce.code.challenge.method" : "S256" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "protocolMappers" : [ { + "id" : "9dd9f62c-e822-4d8a-8e78-229f05187830", + "name" : "locale", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "locale", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "locale", + "jsonType.label" : "String" + } + } ], + "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "5f583792-1207-4ced-990d-5838733bc04e", + "clientId" : "stat-suite", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "**********", + "redirectUris" : [ "*" ], + "webOrigins" : [ "*" ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : true, + "directAccessGrantsEnabled" : true, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "saml.assertion.signature" : "false", + "saml.force.post.binding" : "false", + "saml.multivalued.roles" : "false", + "saml.encrypt" : "false", + "saml.server.signature" : "false", + "saml.server.signature.keyinfo.ext" : "false", + "exclude.session.state.from.auth.response" : "false", + "saml_force_name_id_format" : "false", + "saml.client.signature" : "false", + "tls.client.certificate.bound.access.tokens" : "false", + "saml.authnstatement" : "false", + "display.on.consent.screen" : "false", + "pkce.code.challenge.method" : "", + "saml.onetimeuse.condition" : "false" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : true, + "nodeReRegistrationTimeout" : -1, + "protocolMappers" : [ { + "id" : "6d4e8871-3691-494d-ade6-f168dc8178c3", + "name" : "hardcoded-audience", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-audience-mapper", + "consentRequired" : false, + "config" : { + "included.client.audience" : "stat-suite", + "id.token.claim" : "false", + "access.token.claim" : "true", + "userinfo.token.claim" : "false" + } + } ], + "defaultClientScopes" : [ "role_list", "profile", "groups", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + } ], + "clientScopes" : [ { + "id" : "40c58f08-f31a-4f2f-a60d-0cc7b21f2dc9", + "name" : "address", + "description" : "OpenID Connect built-in scope: address", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${addressScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "07dbe9cc-26ce-427d-8155-be4323688b0f", + "name" : "address", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-address-mapper", + "consentRequired" : false, + "config" : { + "user.attribute.formatted" : "formatted", + "user.attribute.country" : "country", + "user.attribute.postal_code" : "postal_code", + "userinfo.token.claim" : "true", + "user.attribute.street" : "street", + "id.token.claim" : "true", + "user.attribute.region" : "region", + "access.token.claim" : "true", + "user.attribute.locality" : "locality" + } + } ] + }, { + "id" : "776da0e7-4560-40a6-ad2c-d845d2d9620c", + "name" : "web-origins", + "description" : "OpenID Connect scope for add allowed web origins to the access token", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "false", + "display.on.consent.screen" : "false", + "consent.screen.text" : "" + }, + "protocolMappers" : [ { + "id" : "55343b2e-37d2-4983-991d-a6a6bd9d80c7", + "name" : "allowed web origins", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-allowed-origins-mapper", + "consentRequired" : false, + "config" : { } + } ] + }, { + "id" : "7b5186b8-b526-4b3d-b90f-ccf6f8ef6f82", + "name" : "offline_access", + "description" : "OpenID Connect built-in scope: offline_access", + "protocol" : "openid-connect", + "attributes" : { + "consent.screen.text" : "${offlineAccessScopeConsentText}", + "display.on.consent.screen" : "true" + } + }, { + "id" : "7f8c2e01-8920-4235-a807-d25c02c51a69", + "name" : "groups", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true" + }, + "protocolMappers" : [ { + "id" : "a7811413-ded2-4f74-84f2-ded7e0b86b78", + "name" : "Groups", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-group-membership-mapper", + "consentRequired" : false, + "config" : { + "full.path" : "false", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "groups", + "userinfo.token.claim" : "true" + } + } ] + }, { + "id" : "bf552e5f-0ab2-4106-96c2-3df81dd17278", + "name" : "microprofile-jwt", + "description" : "Microprofile - JWT built-in scope", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "false" + }, + "protocolMappers" : [ { + "id" : "2e6af5fb-f219-4295-86f5-dc463c1166aa", + "name" : "upn", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "username", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "upn", + "jsonType.label" : "String" + } + }, { + "id" : "15e3451b-56ea-4c72-bebc-d6a4458f3719", + "name" : "groups", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-realm-role-mapper", + "consentRequired" : false, + "config" : { + "multivalued" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "foo", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "groups", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "cfc41abd-0d31-430e-8d12-c10980b82ccf", + "name" : "phone", + "description" : "OpenID Connect built-in scope: phone", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${phoneScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "4967d0ff-862c-4482-a356-9682ffd54bed", + "name" : "phone number verified", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "phoneNumberVerified", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "phone_number_verified", + "jsonType.label" : "boolean" + } + }, { + "id" : "2c0972f0-e338-4ff3-ab7a-746b3c82a523", + "name" : "phone number", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "phoneNumber", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "phone_number", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "d8a7db02-2303-4ae1-aa55-0ece05e1439d", + "name" : "profile", + "description" : "OpenID Connect built-in scope: profile", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${profileScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "d942cf0e-2999-463e-b785-40fb34c78915", + "name" : "given name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "firstName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "given_name", + "jsonType.label" : "String" + } + }, { + "id" : "2fe28da0-34b3-4e21-a231-0234fd91000c", + "name" : "profile", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "profile", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "profile", + "jsonType.label" : "String" + } + }, { + "id" : "18d7af31-45da-405e-8672-1dd12c8bb7bb", + "name" : "username", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "username", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "preferred_username", + "jsonType.label" : "String" + } + }, { + "id" : "3b7c66b6-53bf-4811-9a24-49ce50384aa6", + "name" : "picture", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "picture", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "picture", + "jsonType.label" : "String" + } + }, { + "id" : "52014ca2-bcd5-4749-bf4c-8f51b584302b", + "name" : "gender", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "gender", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "gender", + "jsonType.label" : "String" + } + }, { + "id" : "21ed114e-1f75-406e-815e-dcd1261f7ae4", + "name" : "zoneinfo", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "zoneinfo", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "zoneinfo", + "jsonType.label" : "String" + } + }, { + "id" : "796c1e7c-6846-4fa4-846e-e9500b60ffef", + "name" : "locale", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "locale", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "locale", + "jsonType.label" : "String" + } + }, { + "id" : "da9e2b35-8924-46ff-b4e2-d12f8624ce85", + "name" : "website", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "website", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "website", + "jsonType.label" : "String" + } + }, { + "id" : "89eaac72-84d2-4398-a906-f9ba5b04802a", + "name" : "birthdate", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "birthdate", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "birthdate", + "jsonType.label" : "String" + } + }, { + "id" : "60b80604-1155-482b-bf37-df5f0d68f81e", + "name" : "nickname", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "nickname", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "nickname", + "jsonType.label" : "String" + } + }, { + "id" : "644ecede-bc4a-4533-a7bd-8ae6fb9e5b8e", + "name" : "family name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "lastName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "family_name", + "jsonType.label" : "String" + } + }, { + "id" : "36a7e957-c7aa-4b59-8fe0-815afad5fcaf", + "name" : "updated at", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "updatedAt", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "updated_at", + "jsonType.label" : "String" + } + }, { + "id" : "557ae544-b359-40c0-8f4b-29a3656df715", + "name" : "full name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-full-name-mapper", + "consentRequired" : false, + "config" : { + "id.token.claim" : "true", + "access.token.claim" : "true", + "userinfo.token.claim" : "true" + } + }, { + "id" : "6f857936-6441-41d8-ab66-efecdc39b71b", + "name" : "middle name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "middleName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "middle_name", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "da598377-4b87-45ba-b46a-41d64ceeb41f", + "name" : "email", + "description" : "OpenID Connect built-in scope: email", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${emailScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "c7deebc2-04e9-4d47-b919-74889e132e0c", + "name" : "email verified", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "emailVerified", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "email_verified", + "jsonType.label" : "boolean" + } + }, { + "id" : "8dac8fc6-308f-4de1-a7ca-6bde9405493a", + "name" : "email", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "email", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "email", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "e6cdbbf2-8565-42fd-97af-80a61064b409", + "name" : "role_list", + "description" : "SAML role list", + "protocol" : "saml", + "attributes" : { + "consent.screen.text" : "${samlRoleListScopeConsentText}", + "display.on.consent.screen" : "true" + }, + "protocolMappers" : [ { + "id" : "4bb39e71-e83c-4530-b6ce-b97f302ed09e", + "name" : "role list", + "protocol" : "saml", + "protocolMapper" : "saml-role-list-mapper", + "consentRequired" : false, + "config" : { + "single" : "false", + "attribute.nameformat" : "Basic", + "attribute.name" : "Role" + } + } ] + }, { + "id" : "efdb59a9-2006-4dd8-8e39-cfecf45aa57a", + "name" : "roles", + "description" : "OpenID Connect scope for add user roles to the access token", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "false", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${rolesScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "41405f2d-4a54-4e29-8b40-80af89c0ce21", + "name" : "audience resolve", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-audience-resolve-mapper", + "consentRequired" : false, + "config" : { } + }, { + "id" : "194cf325-68ce-46e1-94fd-398d21f12b2f", + "name" : "realm roles", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-realm-role-mapper", + "consentRequired" : false, + "config" : { + "user.attribute" : "foo", + "access.token.claim" : "true", + "claim.name" : "realm_access.roles", + "jsonType.label" : "String", + "multivalued" : "true" + } + }, { + "id" : "714248d7-33c0-452d-9884-f1765323a07c", + "name" : "client roles", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-client-role-mapper", + "consentRequired" : false, + "config" : { + "user.attribute" : "foo", + "access.token.claim" : "true", + "claim.name" : "resource_access.${client_id}.roles", + "jsonType.label" : "String", + "multivalued" : "true" + } + } ] + } ], + "defaultDefaultClientScopes" : [ "web-origins", "profile", "email", "role_list", "roles" ], + "defaultOptionalClientScopes" : [ "address", "offline_access", "microprofile-jwt", "phone" ], + "browserSecurityHeaders" : { + "contentSecurityPolicyReportOnly" : "", + "xContentTypeOptions" : "nosniff", + "xRobotsTag" : "none", + "xFrameOptions" : "SAMEORIGIN", + "contentSecurityPolicy" : "frame-src 'self'; frame-ancestors 'self' http://localhost:* ; object-src 'none';", + "xXSSProtection" : "1; mode=block", + "strictTransportSecurity" : "max-age=31536000; includeSubDomains" + }, + "smtpServer" : { }, + "eventsEnabled" : false, + "eventsListeners" : [ "jboss-logging" ], + "enabledEventTypes" : [ ], + "adminEventsEnabled" : false, + "adminEventsDetailsEnabled" : false, + "components" : { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy" : [ { + "id" : "034a0fb6-c8f1-422e-9bfa-19dd720e5660", + "name" : "Full Scope Disabled", + "providerId" : "scope", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { } + }, { + "id" : "69ff0243-275c-492b-b1f4-de7a9c0a4d74", + "name" : "Allowed Protocol Mapper Types", + "providerId" : "allowed-protocol-mappers", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "allowed-protocol-mapper-types" : [ "oidc-usermodel-attribute-mapper", "oidc-usermodel-property-mapper", "oidc-full-name-mapper", "saml-user-attribute-mapper", "saml-role-list-mapper", "oidc-address-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-user-property-mapper" ] + } + }, { + "id" : "ad654b62-41f2-4893-b6c6-24d3b5ff79e5", + "name" : "Trusted Hosts", + "providerId" : "trusted-hosts", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "host-sending-registration-request-must-match" : [ "true" ], + "client-uris-must-match" : [ "true" ] + } + }, { + "id" : "c004ae0c-c95d-4881-8a9a-c0659073ad22", + "name" : "Allowed Client Scopes", + "providerId" : "allowed-client-templates", + "subType" : "authenticated", + "subComponents" : { }, + "config" : { + "allow-default-scopes" : [ "true" ] + } + }, { + "id" : "31810fc8-854e-4fef-b40c-563117dcce09", + "name" : "Consent Required", + "providerId" : "consent-required", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { } + }, { + "id" : "e0e818b1-723d-4717-ba1b-afc3a83a1a21", + "name" : "Allowed Protocol Mapper Types", + "providerId" : "allowed-protocol-mappers", + "subType" : "authenticated", + "subComponents" : { }, + "config" : { + "allowed-protocol-mapper-types" : [ "oidc-usermodel-property-mapper", "saml-user-property-mapper", "oidc-usermodel-attribute-mapper", "oidc-address-mapper", "saml-user-attribute-mapper", "saml-role-list-mapper", "oidc-full-name-mapper", "oidc-sha256-pairwise-sub-mapper" ] + } + }, { + "id" : "25b75e5c-d18c-4ebb-abb2-3fd3f1d86f25", + "name" : "Max Clients Limit", + "providerId" : "max-clients", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "max-clients" : [ "200" ] + } + }, { + "id" : "4bfd9180-1910-47fd-8a19-6a2e25461918", + "name" : "Allowed Client Scopes", + "providerId" : "allowed-client-templates", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "allow-default-scopes" : [ "true" ] + } + } ], + "org.keycloak.keys.KeyProvider" : [ { + "id" : "5038fc1e-ff3e-4338-9c91-76545c968ea1", + "name" : "aes-generated", + "providerId" : "aes-generated", + "subComponents" : { }, + "config" : { + "kid" : [ "1a0950be-5756-4baa-be6c-96ec371d4bc0" ], + "secret" : [ "ACokC9evoBBk6lRB_5a95w" ], + "priority" : [ "100" ] + } + }, { + "id" : "b633176a-7200-4f13-a1f8-511e6e7ea226", + "name" : "hmac-generated", + "providerId" : "hmac-generated", + "subComponents" : { }, + "config" : { + "kid" : [ "981d23ef-cff9-473b-93fd-588ea529e067" ], + "secret" : [ "Vr3Za2uPq1ueOlu3trj1qkjoQOOaAoJ9G5vERXRFWFeLp6AKMVVLD-znGd3GTy1GgUrfjOAtYXUI8olHFc-kdA" ], + "priority" : [ "100" ], + "algorithm" : [ "HS256" ] + } + }, { + "id" : "ebbcdfbe-12e6-4c60-bed1-8f8a15b7c585", + "name" : "rsa-generated", + "providerId" : "rsa-generated", + "subComponents" : { }, + "config" : { + "privateKey" : [ "MIIEpAIBAAKCAQEAtZgrud1gs0sCDBW7bieBOfwODTv1csVbkjKXd0MGl6tNdQ8QRwtjYmOQttOCcAVqCjUTAc1Qs7T/FQFA8gg78Kl+uM+8wCDna15vRdct0g8AskXrY/1F63DQZfTnJ83lscNy1lMj8LuD1Q0Xv9RCGUc8WVuVS5Z/9LDJ7ir1M4/j5D9fSOzE/fqynQtfFmCDPao0O8rIeZDVgN/wPvryvVFueIOUHDnUQ1wcNDTU5elhQQxkL5TDnbGXS3FDflYzjS8gIfqR0ZmBn7t5VvufonAu6iopKI0ETwj59VMBmfYyYb+uTvIVHOLAGhhJ9oaKwUsgNDvMgZJyBRS/AeekXwIDAQABAoIBAFho/Kjh6emAlD+T+Qu5OgYj/CdfULGO+nUkInAS9suyv+RE8DTWi41kUhlgwnmNeUH88wMGlcrYTPRKBvePILebnbGWmhukKWcxs9T53ToOydUBi4fD0F2/MAbjhALyEGlKccd89NuIP7fjRvPDAGdUMkKC/x2s6SEVTUqiKXzvNkvbD6vVnTP5Fduuu4p8AYDnd9sgbkQp3ckVpAebTpfsxE2i7uICU0mSq9SdsY2N38WIojjD3WEe6sU2AGtanwnMi63yuRtnHOR9YOHw5lUw+YV4n/3ezKPEh+k5LcmQRzFm0oCG4H1DO7428AQOMWJv1ITmYYwdAWkleQ3DeqECgYEA9fw3ndBveRay2yJDmqD+KAClxgZg8LXv9jFgeXh1LNa6BIR1Yvav3UZtrwYCHQJLkW0OanGL0SVSINx6dEpMoSvUvSvGMjMGQDeuMCOtwxjQNLacKdhfUSw1UtIyoNq2VM7UBH0jHnPt4cD7OL+V27SBNcqqWFVDrErWAPPpJm8CgYEAvPzXBJQaeRYHuo6yj1vE9ovjAd1xiLazp8HqPtGh1DhzUrsKM0HZ/rkqr7ctD35mHIDwgaFLc4Z/5M0agASu9hlGYW7vrWuoUHgrJ10PKkI9LjaFqlegNmSZvj8QHVRGKGLJ3rLNpcaa2tq3fX1FWa9Qu1mJ0/vLVpRLtNuo2RECgYEAgvxFWWHumho+L3Y1bZeg/wgpPiOTZ1paZ0yvxL8iFjhZYaJvJ72YtEmWioa2hV/9gXkDHidMfphS/XCqPFZ8K669X+Z5aa3F/FgqBzRYiPUjmY5L5fRz/TN/SZTopMMSKGLif2lrVAIDgB1VKUjLseySiWRcBSGSIaLQBj3bvz0CgYBqO1oGOdYzsF2B0YqvqO8rg3CEcNzL859DMm6hByeHan/wxjCypVaLp7xF75qFthBh/1yyEV+fPcCQdXZq9bb/oS99v2U8v2JqcVIYm2fV4kwPuRgjq4Pkb2I4naxKQD/7naRJ6YpNoDkVwpIYGR2tjy27UlZ2cXhYX526uSrNcQKBgQDsM1DXhHNTY046Y14WDPmhz+55WmzpMJUorJSo4Be/eKZpryeaIIF8rEmk0AXTb84o4yyW4fJWVt7vpsqldS4jK1N/BQYkyu6zTSQGiDuYfbecIRJbEtrHdJ0848uptDPz8qcXy2KVG3veZ+lT+Ie3FNiJlf/U6aQNbvHFeIlDQg==" ], + "certificate" : [ "MIICmTCCAYECBgFtTvFrqzANBgkqhkiG9w0BAQsFADAQMQ4wDAYDVQQDDAVzaXNjYzAeFw0xOTA5MjAxMzUwMDdaFw0yOTA5MjAxMzUxNDdaMBAxDjAMBgNVBAMMBXNpc2NjMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtZgrud1gs0sCDBW7bieBOfwODTv1csVbkjKXd0MGl6tNdQ8QRwtjYmOQttOCcAVqCjUTAc1Qs7T/FQFA8gg78Kl+uM+8wCDna15vRdct0g8AskXrY/1F63DQZfTnJ83lscNy1lMj8LuD1Q0Xv9RCGUc8WVuVS5Z/9LDJ7ir1M4/j5D9fSOzE/fqynQtfFmCDPao0O8rIeZDVgN/wPvryvVFueIOUHDnUQ1wcNDTU5elhQQxkL5TDnbGXS3FDflYzjS8gIfqR0ZmBn7t5VvufonAu6iopKI0ETwj59VMBmfYyYb+uTvIVHOLAGhhJ9oaKwUsgNDvMgZJyBRS/AeekXwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQADyMe/ONG/yNrLNWEOOYPDZpXOMnlPVjhJhdMq5qghiXBsx/EiustkyXXfq/BrlLtJowK8VhDMFSmcNtP3VKklB/IsRM3vOXur2z3bMTHW2Y4jOlx+RXCDfGXKb6F5LazpR4S9oLfMvwXqUyskuQ2JL7olAe/g5v0F8OBiv8IsYnfj2LlDX6B+FXT1LruMGxbRqQGQesJD0IogcIBHf6+0CjJkzKxFulmqLVEBJHhqFhPZtf4wRdWJY0Di5nws+/yeu9FJi9LNyYlPz6scss/9JRBPDh0E3AW5VE6RSPu/anFe5J/2tgFGel2DsFKhnGqWPw/2X25uShfmgdw544dQ" ], + "priority" : [ "100" ] + } + } ] + }, + "internationalizationEnabled" : false, + "supportedLocales" : [ ], + "authenticationFlows" : [ { + "id" : "7ead61c9-9739-4452-a8a2-dac4b290bcf9", + "alias" : "Handle Existing Account", + "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "idp-confirm-link", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "requirement" : "REQUIRED", + "priority" : 20, + "flowAlias" : "Handle Existing Account - Alternatives - 0", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "6a454183-f418-4c09-81ad-4dc45889c0ed", + "alias" : "Handle Existing Account - Alternatives - 0", + "description" : "Subflow of Handle Existing Account with alternative executions", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "idp-email-verification", + "requirement" : "ALTERNATIVE", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "requirement" : "ALTERNATIVE", + "priority" : 20, + "flowAlias" : "Verify Existing Account by Re-authentication", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "96e2f402-7824-42b0-9090-4fe4f8db32c8", + "alias" : "Verify Existing Account by Re-authentication", + "description" : "Reauthentication of existing account", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "idp-username-password-form", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "requirement" : "CONDITIONAL", + "priority" : 20, + "flowAlias" : "Verify Existing Account by Re-authentication - auth-otp-form - Conditional", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "263245eb-42aa-486f-b1f7-1dd93aca377f", + "alias" : "Verify Existing Account by Re-authentication - auth-otp-form - Conditional", + "description" : "Flow to determine if the auth-otp-form authenticator should be used or not.", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "conditional-user-configured", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "auth-otp-form", + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "4e5ceed4-4e38-4040-86ae-937e256611fc", + "alias" : "browser", + "description" : "browser based authentication", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "auth-cookie", + "requirement" : "ALTERNATIVE", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "auth-spnego", + "requirement" : "DISABLED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "identity-provider-redirector", + "requirement" : "ALTERNATIVE", + "priority" : 25, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "requirement" : "ALTERNATIVE", + "priority" : 30, + "flowAlias" : "forms", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "4e01e0fd-4f44-432b-88c8-dffe0a15529a", + "alias" : "clients", + "description" : "Base authentication for clients", + "providerId" : "client-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "client-secret", + "requirement" : "ALTERNATIVE", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "client-jwt", + "requirement" : "ALTERNATIVE", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "client-secret-jwt", + "requirement" : "ALTERNATIVE", + "priority" : 30, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "client-x509", + "requirement" : "ALTERNATIVE", + "priority" : 40, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "84c8cc65-f967-481c-9b1a-b407148a5c68", + "alias" : "direct grant", + "description" : "OpenID Connect Resource Owner Grant", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "direct-grant-validate-username", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "direct-grant-validate-password", + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "requirement" : "CONDITIONAL", + "priority" : 30, + "flowAlias" : "direct grant - direct-grant-validate-otp - Conditional", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "493f900f-74f0-48a1-81cc-21b1f7324bf4", + "alias" : "direct grant - direct-grant-validate-otp - Conditional", + "description" : "Flow to determine if the direct-grant-validate-otp authenticator should be used or not.", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "conditional-user-configured", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "direct-grant-validate-otp", + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "32f3ae88-3809-48ba-8c6e-251c18021ad4", + "alias" : "docker auth", + "description" : "Used by Docker clients to authenticate against the IDP", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "docker-http-basic-authenticator", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "6d25e5ee-1897-43b0-96a6-7df9fe04f20d", + "alias" : "first broker login", + "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticatorConfig" : "review profile config", + "authenticator" : "idp-review-profile", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "requirement" : "REQUIRED", + "priority" : 20, + "flowAlias" : "first broker login - Alternatives - 0", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "f29b4aac-b029-454d-b830-7044d96d4e3f", + "alias" : "first broker login - Alternatives - 0", + "description" : "Subflow of first broker login with alternative executions", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticatorConfig" : "create unique user config", + "authenticator" : "idp-create-user-if-unique", + "requirement" : "ALTERNATIVE", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "requirement" : "ALTERNATIVE", + "priority" : 20, + "flowAlias" : "Handle Existing Account", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "f1a8ff22-aa29-4cfb-8a26-32062ff6774b", + "alias" : "forms", + "description" : "Username, password, otp and other auth forms.", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "auth-username-password-form", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "requirement" : "CONDITIONAL", + "priority" : 20, + "flowAlias" : "forms - auth-otp-form - Conditional", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "0fe0e268-73d1-43a0-bcae-a1082b07852c", + "alias" : "forms - auth-otp-form - Conditional", + "description" : "Flow to determine if the auth-otp-form authenticator should be used or not.", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "conditional-user-configured", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "auth-otp-form", + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "53241d23-22f9-4565-b299-2ad889750ed9", + "alias" : "http challenge", + "description" : "An authentication flow based on challenge-response HTTP Authentication Schemes", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "no-cookie-redirect", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "basic-auth", + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "basic-auth-otp", + "requirement" : "DISABLED", + "priority" : 30, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "auth-spnego", + "requirement" : "DISABLED", + "priority" : 40, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "ff206ce7-4dcd-471f-b3f0-eb466b691293", + "alias" : "registration", + "description" : "registration flow", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "registration-page-form", + "requirement" : "REQUIRED", + "priority" : 10, + "flowAlias" : "registration form", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "fc2220ae-4f3a-4df8-8ea3-cb6e891edefd", + "alias" : "registration form", + "description" : "registration form", + "providerId" : "form-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "registration-user-creation", + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "registration-profile-action", + "requirement" : "REQUIRED", + "priority" : 40, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "registration-password-action", + "requirement" : "REQUIRED", + "priority" : 50, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "registration-recaptcha-action", + "requirement" : "DISABLED", + "priority" : 60, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "194f34c0-1e4e-477c-937f-9eec763a5c00", + "alias" : "reset credentials", + "description" : "Reset credentials for a user if they forgot their password or something", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "reset-credentials-choose-user", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "reset-credential-email", + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "reset-password", + "requirement" : "REQUIRED", + "priority" : 30, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "requirement" : "CONDITIONAL", + "priority" : 40, + "flowAlias" : "reset credentials - reset-otp - Conditional", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "1a97111a-5cc0-45e0-9937-c6dfbac1ee4f", + "alias" : "reset credentials - reset-otp - Conditional", + "description" : "Flow to determine if the reset-otp authenticator should be used or not.", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "conditional-user-configured", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "reset-otp", + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "85cc250e-f572-4c0e-9a7c-7df313e38397", + "alias" : "saml ecp", + "description" : "SAML ECP Profile Authentication Flow", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "http-basic-authenticator", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + } ], + "authenticatorConfig" : [ { + "id" : "fbd2f3a4-e2f8-4457-8d8d-52835dfacfc7", + "alias" : "create unique user config", + "config" : { + "require.password.update.after.registration" : "false" + } + }, { + "id" : "8f1882f5-e3d4-4639-be20-ed64b27c81c3", + "alias" : "review profile config", + "config" : { + "update.profile.on.first.login" : "missing" + } + } ], + "requiredActions" : [ { + "alias" : "CONFIGURE_TOTP", + "name" : "Configure OTP", + "providerId" : "CONFIGURE_TOTP", + "enabled" : true, + "defaultAction" : false, + "priority" : 10, + "config" : { } + }, { + "alias" : "terms_and_conditions", + "name" : "Terms and Conditions", + "providerId" : "terms_and_conditions", + "enabled" : false, + "defaultAction" : false, + "priority" : 20, + "config" : { } + }, { + "alias" : "UPDATE_PASSWORD", + "name" : "Update Password", + "providerId" : "UPDATE_PASSWORD", + "enabled" : true, + "defaultAction" : false, + "priority" : 30, + "config" : { } + }, { + "alias" : "UPDATE_PROFILE", + "name" : "Update Profile", + "providerId" : "UPDATE_PROFILE", + "enabled" : true, + "defaultAction" : false, + "priority" : 40, + "config" : { } + }, { + "alias" : "VERIFY_EMAIL", + "name" : "Verify Email", + "providerId" : "VERIFY_EMAIL", + "enabled" : true, + "defaultAction" : false, + "priority" : 50, + "config" : { } + }, { + "alias" : "update_user_locale", + "name" : "Update User Locale", + "providerId" : "update_user_locale", + "enabled" : true, + "defaultAction" : false, + "priority" : 1000, + "config" : { } + } ], + "browserFlow" : "browser", + "registrationFlow" : "registration", + "directGrantFlow" : "direct grant", + "resetCredentialsFlow" : "reset credentials", + "clientAuthenticationFlow" : "clients", + "dockerAuthenticationFlow" : "docker auth", + "attributes" : { + "clientOfflineSessionMaxLifespan" : "0", + "clientSessionIdleTimeout" : "0", + "clientSessionMaxLifespan" : "0", + "clientOfflineSessionIdleTimeout" : "0" + }, + "keycloakVersion" : "11.0.2", + "userManagedAccessAllowed" : false + } \ No newline at end of file diff --git a/stable/fdi-dotstatsuite-keycloak/templates/NOTES.txt b/stable/fdi-dotstatsuite-keycloak/templates/NOTES.txt new file mode 100644 index 00000000..e69de29b diff --git a/stable/fdi-dotstatsuite-keycloak/templates/_helpers.tpl b/stable/fdi-dotstatsuite-keycloak/templates/_helpers.tpl new file mode 100644 index 00000000..f5576b28 --- /dev/null +++ b/stable/fdi-dotstatsuite-keycloak/templates/_helpers.tpl @@ -0,0 +1,76 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "fdi-dotstatsuite-keycloak.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "fdi-dotstatsuite-keycloak.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "fdi-dotstatsuite-keycloak.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "fdi-dotstatsuite-keycloak.labels" -}} +helm.sh/chart: {{ include "fdi-dotstatsuite-keycloak.chart" . }} +{{ include "fdi-dotstatsuite-keycloak.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "fdi-dotstatsuite-keycloak.selectorLabels" -}} +app.kubernetes.io/name: {{ include "fdi-dotstatsuite-keycloak.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + + +{{/* +Create the name of the service account to use +*/}} +{{- define "fdi-dotstatsuite-keycloak.keycloak.serviceAccountName" -}} +{{- if .Values.keycloak.serviceAccount.create }} +{{- default (include "fdi-dotstatsuite-keycloak.fullname" .) .Values.keycloak.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.keycloak.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "fdi-dotstatsuite-keycloak.proxy.serviceAccountName" -}} +{{- if .Values.proxy.serviceAccount.create }} +{{- default (include "fdi-dotstatsuite-keycloak.fullname" .) .Values.proxy.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.proxy.serviceAccount.name }} +{{- end }} +{{- end }} + diff --git a/stable/fdi-dotstatsuite-keycloak/templates/cm/keycloak.yaml b/stable/fdi-dotstatsuite-keycloak/templates/cm/keycloak.yaml new file mode 100644 index 00000000..5143c595 --- /dev/null +++ b/stable/fdi-dotstatsuite-keycloak/templates/cm/keycloak.yaml @@ -0,0 +1,1731 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ include "fdi-dotstatsuite-keycloak.fullname" . }}-realm-json +data: + realm.json: | + { + "id" : "demo", + "realm" : "demo", + "notBefore" : 0, + "revokeRefreshToken" : false, + "refreshTokenMaxReuse" : 0, + "accessTokenLifespan" : 300, + "accessTokenLifespanForImplicitFlow" : 900, + "ssoSessionIdleTimeout" : 1800, + "ssoSessionMaxLifespan" : 36000, + "ssoSessionIdleTimeoutRememberMe" : 0, + "ssoSessionMaxLifespanRememberMe" : 0, + "offlineSessionIdleTimeout" : 2592000, + "offlineSessionMaxLifespanEnabled" : false, + "offlineSessionMaxLifespan" : 5184000, + "clientSessionIdleTimeout" : 0, + "clientSessionMaxLifespan" : 0, + "clientOfflineSessionIdleTimeout" : 0, + "clientOfflineSessionMaxLifespan" : 0, + "accessCodeLifespan" : 60, + "accessCodeLifespanUserAction" : 300, + "accessCodeLifespanLogin" : 1800, + "actionTokenGeneratedByAdminLifespan" : 43200, + "actionTokenGeneratedByUserLifespan" : 300, + "enabled" : true, + "sslRequired" : "none", + "registrationAllowed" : false, + "registrationEmailAsUsername" : false, + "rememberMe" : false, + "verifyEmail" : false, + "loginWithEmailAllowed" : true, + "duplicateEmailsAllowed" : false, + "resetPasswordAllowed" : false, + "editUsernameAllowed" : false, + "bruteForceProtected" : false, + "permanentLockout" : false, + "maxFailureWaitSeconds" : 900, + "minimumQuickLoginWaitSeconds" : 60, + "waitIncrementSeconds" : 60, + "quickLoginCheckMilliSeconds" : 1000, + "maxDeltaTimeSeconds" : 43200, + "failureFactor" : 30, + "roles" : { + "realm" : [ { + "id" : "730a6fa8-0f6a-47f7-ae37-406be7c80040", + "name" : "uma_authorization", + "description" : "${role_uma_authorization}", + "composite" : false, + "clientRole" : false, + "containerId" : "demo", + "attributes" : { } + }, { + "id" : "4be78069-52c6-405d-a432-b4e5a2b7879a", + "name" : "offline_access", + "description" : "${role_offline-access}", + "composite" : false, + "clientRole" : false, + "containerId" : "demo", + "attributes" : { } + } ], + "client" : { + "realm-management" : [ { + "id" : "d917ebeb-5260-4539-ae28-ec3460ba0a00", + "name" : "impersonation", + "description" : "${role_impersonation}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "b828a023-743b-4c02-804b-699b93f45669", + "name" : "manage-identity-providers", + "description" : "${role_manage-identity-providers}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "4372be79-7081-434d-bad1-11e53079a1a0", + "name" : "view-realm", + "description" : "${role_view-realm}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "21c05113-2167-416f-834a-e86866df9ddc", + "name" : "manage-realm", + "description" : "${role_manage-realm}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "43f1f2fc-43d2-4739-89b6-c613b8680474", + "name" : "manage-authorization", + "description" : "${role_manage-authorization}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "41641907-82b5-40b8-874b-9e88c02b5575", + "name" : "view-events", + "description" : "${role_view-events}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "db3b5ed7-0c09-47e7-a9e8-0867f1f45b2f", + "name" : "manage-clients", + "description" : "${role_manage-clients}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "694337b1-820d-431f-8233-b20064691367", + "name" : "view-users", + "description" : "${role_view-users}", + "composite" : true, + "composites" : { + "client" : { + "realm-management" : [ "query-groups", "query-users" ] + } + }, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "c4de5757-a74b-483c-90d6-676c2c803ef8", + "name" : "manage-events", + "description" : "${role_manage-events}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "3ad9004b-ffe8-48de-ae13-06a34e08a19e", + "name" : "view-identity-providers", + "description" : "${role_view-identity-providers}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "4e3abf2f-52b1-4458-a423-ffe8e3db81e8", + "name" : "query-clients", + "description" : "${role_query-clients}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "926a2f60-37d2-4867-a95e-f8e9d4cee16e", + "name" : "query-groups", + "description" : "${role_query-groups}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "c778c383-3bce-45b2-a97c-0eed0775191f", + "name" : "manage-users", + "description" : "${role_manage-users}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "edc17ea2-7518-48fc-a9fa-f5765cae08d8", + "name" : "query-users", + "description" : "${role_query-users}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "6850c0cb-ba8d-435b-813e-ef8e1cb2d905", + "name" : "view-authorization", + "description" : "${role_view-authorization}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "caad46f5-bb68-4e10-900e-aac78e2416f3", + "name" : "realm-admin", + "description" : "${role_realm-admin}", + "composite" : true, + "composites" : { + "client" : { + "realm-management" : [ "impersonation", "manage-identity-providers", "view-realm", "manage-realm", "manage-authorization", "view-events", "manage-clients", "view-users", "manage-events", "view-identity-providers", "query-clients", "query-groups", "manage-users", "query-users", "view-authorization", "query-realms", "create-client", "view-clients" ] + } + }, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "e22eeae1-7a71-48b3-a5a7-ba82a8e8f2a1", + "name" : "query-realms", + "description" : "${role_query-realms}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "f1edbbef-a629-4ab8-bc5c-fe79d101df71", + "name" : "create-client", + "description" : "${role_create-client}", + "composite" : false, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + }, { + "id" : "a776e71c-38c0-4217-96d8-beeb411a6864", + "name" : "view-clients", + "description" : "${role_view-clients}", + "composite" : true, + "composites" : { + "client" : { + "realm-management" : [ "query-clients" ] + } + }, + "clientRole" : true, + "containerId" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "attributes" : { } + } ], + "stat-suite" : [ ], + "security-admin-console" : [ ], + "admin-cli" : [ ], + "account-console" : [ ], + "broker" : [ { + "id" : "8b0c6d36-6259-4d4e-926e-770b7965e905", + "name" : "read-token", + "description" : "${role_read-token}", + "composite" : false, + "clientRole" : true, + "containerId" : "477e51e0-bfe2-43f2-bb3c-65871f00c9a9", + "attributes" : { } + } ], + "account" : [ { + "id" : "800e807c-fe74-42d1-aa7c-532ebafa1dfc", + "name" : "manage-consent", + "description" : "${role_manage-consent}", + "composite" : true, + "composites" : { + "client" : { + "account" : [ "view-consent" ] + } + }, + "clientRole" : true, + "containerId" : "f6efbc6a-a606-4260-ad22-553634954813", + "attributes" : { } + }, { + "id" : "cef16bb5-1681-4203-891a-225456961421", + "name" : "view-profile", + "description" : "${role_view-profile}", + "composite" : false, + "clientRole" : true, + "containerId" : "f6efbc6a-a606-4260-ad22-553634954813", + "attributes" : { } + }, { + "id" : "1f7a05f1-b204-47cb-9644-ede7574a2a61", + "name" : "view-consent", + "description" : "${role_view-consent}", + "composite" : false, + "clientRole" : true, + "containerId" : "f6efbc6a-a606-4260-ad22-553634954813", + "attributes" : { } + }, { + "id" : "ab0b5e8a-63f0-456d-b6c7-1df1668d6b41", + "name" : "manage-account", + "description" : "${role_manage-account}", + "composite" : true, + "composites" : { + "client" : { + "account" : [ "manage-account-links" ] + } + }, + "clientRole" : true, + "containerId" : "f6efbc6a-a606-4260-ad22-553634954813", + "attributes" : { } + }, { + "id" : "f5f46dbb-f7b5-4c76-8cc3-94dc32608261", + "name" : "view-applications", + "description" : "${role_view-applications}", + "composite" : false, + "clientRole" : true, + "containerId" : "f6efbc6a-a606-4260-ad22-553634954813", + "attributes" : { } + }, { + "id" : "95bbf4df-9e23-4c78-8e46-18bc44ee3ba8", + "name" : "manage-account-links", + "description" : "${role_manage-account-links}", + "composite" : false, + "clientRole" : true, + "containerId" : "f6efbc6a-a606-4260-ad22-553634954813", + "attributes" : { } + } ] + } + }, + "groups" : [ { + "id" : "355e476c-079d-4ef7-97ee-0e40f977843a", + "name" : "admins", + "path" : "/admins", + "attributes" : { }, + "realmRoles" : [ ], + "clientRoles" : { }, + "subGroups" : [ ] + } ], + "defaultRoles" : [ "uma_authorization", "offline_access" ], + "requiredCredentials" : [ "password" ], + "otpPolicyType" : "totp", + "otpPolicyAlgorithm" : "HmacSHA1", + "otpPolicyInitialCounter" : 0, + "otpPolicyDigits" : 6, + "otpPolicyLookAheadWindow" : 1, + "otpPolicyPeriod" : 30, + "otpSupportedApplications" : [ "FreeOTP", "Google Authenticator" ], + "webAuthnPolicyRpEntityName" : "keycloak", + "webAuthnPolicySignatureAlgorithms" : [ "ES256" ], + "webAuthnPolicyRpId" : "", + "webAuthnPolicyAttestationConveyancePreference" : "not specified", + "webAuthnPolicyAuthenticatorAttachment" : "not specified", + "webAuthnPolicyRequireResidentKey" : "not specified", + "webAuthnPolicyUserVerificationRequirement" : "not specified", + "webAuthnPolicyCreateTimeout" : 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister" : false, + "webAuthnPolicyAcceptableAaguids" : [ ], + "webAuthnPolicyPasswordlessRpEntityName" : "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms" : [ "ES256" ], + "webAuthnPolicyPasswordlessRpId" : "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference" : "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment" : "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey" : "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement" : "not specified", + "webAuthnPolicyPasswordlessCreateTimeout" : 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister" : false, + "webAuthnPolicyPasswordlessAcceptableAaguids" : [ ], + "users" : [ { + "id" : "c2dc90cd-e525-4c4d-a834-0ac3d3ad346d", + "createdTimestamp" : 1568987587616, + "username" : "test-admin", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "firstName" : "Test", + "lastName" : "Admin", + "email" : "admin@dotstat-suite.com", + "credentials" : [ { + "id" : "d0ce0193-2673-4eee-a9a3-fdf7b492d397", + "type" : "password", + "createdDate" : 1568987597001, + "secretData" : "{\"value\":\"EM2T0gb84/dxdPgobNBG9GtYP2VC49KRgFb+CJwa2wGa7mFly5swZaD73YGMSeybKSWojqILX1MV+8hYW8rI8Q==\",\"salt\":\"uVj1DI50CR6lpbEkfN55MQ==\"}", + "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\"}" + } ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "uma_authorization", "offline_access" ], + "clientRoles" : { + "account" : [ "view-profile", "manage-account" ] + }, + "notBefore" : 0, + "groups" : [ "/admins" ] + } ], + "scopeMappings" : [ { + "clientScope" : "offline_access", + "roles" : [ "offline_access" ] + } ], + "clientScopeMappings" : { + "account" : [ { + "client" : "account-console", + "roles" : [ "manage-account" ] + } ] + }, + "clients" : [ { + "id" : "f6efbc6a-a606-4260-ad22-553634954813", + "clientId" : "account", + "name" : "${client_account}", + "rootUrl" : "${authBaseUrl}", + "baseUrl" : "/realms/demo/account/", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "e925d1c0-3f7d-4323-8f3c-179e334ed877", + "defaultRoles" : [ "view-profile", "manage-account" ], + "redirectUris" : [ "/realms/demo/account/*" ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "ea02131b-092d-452b-9360-c5e1749d09a7", + "clientId" : "account-console", + "name" : "${client_account-console}", + "rootUrl" : "${authBaseUrl}", + "baseUrl" : "/realms/demo/account/", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "b6440098-44b0-4db2-8914-0ad5cafc33e1", + "redirectUris" : [ "/realms/demo/account/*" ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "pkce.code.challenge.method" : "S256" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "protocolMappers" : [ { + "id" : "150f660a-c130-40db-adc0-fdd47183b973", + "name" : "audience resolve", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-audience-resolve-mapper", + "consentRequired" : false, + "config" : { } + } ], + "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "bfc4a97f-d66f-47a4-82aa-4ba11fc9c819", + "clientId" : "admin-cli", + "name" : "${client_admin-cli}", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "62d8c86c-005c-4a5a-a669-8ecaf4ad58ca", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : false, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : true, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "477e51e0-bfe2-43f2-bb3c-65871f00c9a9", + "clientId" : "broker", + "name" : "${client_broker}", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "af29b39d-4586-4c8b-85b6-3bdf38395b85", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "58dc8509-ffed-4190-ac51-9a00aa2490e1", + "clientId" : "realm-management", + "name" : "${client_realm-management}", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "116b3e2c-fb08-4258-b130-65553c327eca", + "redirectUris" : [ ], + "webOrigins" : [ ], + "notBefore" : 0, + "bearerOnly" : true, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : false, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "f9a68146-a40d-4e9b-8c80-8b84e80e2eef", + "clientId" : "security-admin-console", + "name" : "${client_security-admin-console}", + "rootUrl" : "${authAdminUrl}", + "baseUrl" : "/admin/demo/console/", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "bc40fea6-695d-4c65-9897-b651441f6b00", + "redirectUris" : [ "/admin/demo/console/*" ], + "webOrigins" : [ "+" ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : false, + "directAccessGrantsEnabled" : false, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "pkce.code.challenge.method" : "S256" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : false, + "nodeReRegistrationTimeout" : 0, + "protocolMappers" : [ { + "id" : "9dd9f62c-e822-4d8a-8e78-229f05187830", + "name" : "locale", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "locale", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "locale", + "jsonType.label" : "String" + } + } ], + "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + }, { + "id" : "5f583792-1207-4ced-990d-5838733bc04e", + "clientId" : "stat-suite", + "surrogateAuthRequired" : false, + "enabled" : true, + "alwaysDisplayInConsole" : false, + "clientAuthenticatorType" : "client-secret", + "secret" : "**********", + "redirectUris" : [ "*" ], + "webOrigins" : [ "*" ], + "notBefore" : 0, + "bearerOnly" : false, + "consentRequired" : false, + "standardFlowEnabled" : true, + "implicitFlowEnabled" : true, + "directAccessGrantsEnabled" : true, + "serviceAccountsEnabled" : false, + "publicClient" : true, + "frontchannelLogout" : false, + "protocol" : "openid-connect", + "attributes" : { + "saml.assertion.signature" : "false", + "saml.force.post.binding" : "false", + "saml.multivalued.roles" : "false", + "saml.encrypt" : "false", + "saml.server.signature" : "false", + "saml.server.signature.keyinfo.ext" : "false", + "exclude.session.state.from.auth.response" : "false", + "saml_force_name_id_format" : "false", + "saml.client.signature" : "false", + "tls.client.certificate.bound.access.tokens" : "false", + "saml.authnstatement" : "false", + "display.on.consent.screen" : "false", + "pkce.code.challenge.method" : "", + "saml.onetimeuse.condition" : "false" + }, + "authenticationFlowBindingOverrides" : { }, + "fullScopeAllowed" : true, + "nodeReRegistrationTimeout" : -1, + "protocolMappers" : [ { + "id" : "6d4e8871-3691-494d-ade6-f168dc8178c3", + "name" : "hardcoded-audience", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-audience-mapper", + "consentRequired" : false, + "config" : { + "included.client.audience" : "stat-suite", + "id.token.claim" : "false", + "access.token.claim" : "true", + "userinfo.token.claim" : "false" + } + } ], + "defaultClientScopes" : [ "role_list", "profile", "groups", "email" ], + "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ] + } ], + "clientScopes" : [ { + "id" : "40c58f08-f31a-4f2f-a60d-0cc7b21f2dc9", + "name" : "address", + "description" : "OpenID Connect built-in scope: address", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${addressScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "07dbe9cc-26ce-427d-8155-be4323688b0f", + "name" : "address", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-address-mapper", + "consentRequired" : false, + "config" : { + "user.attribute.formatted" : "formatted", + "user.attribute.country" : "country", + "user.attribute.postal_code" : "postal_code", + "userinfo.token.claim" : "true", + "user.attribute.street" : "street", + "id.token.claim" : "true", + "user.attribute.region" : "region", + "access.token.claim" : "true", + "user.attribute.locality" : "locality" + } + } ] + }, { + "id" : "776da0e7-4560-40a6-ad2c-d845d2d9620c", + "name" : "web-origins", + "description" : "OpenID Connect scope for add allowed web origins to the access token", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "false", + "display.on.consent.screen" : "false", + "consent.screen.text" : "" + }, + "protocolMappers" : [ { + "id" : "55343b2e-37d2-4983-991d-a6a6bd9d80c7", + "name" : "allowed web origins", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-allowed-origins-mapper", + "consentRequired" : false, + "config" : { } + } ] + }, { + "id" : "7b5186b8-b526-4b3d-b90f-ccf6f8ef6f82", + "name" : "offline_access", + "description" : "OpenID Connect built-in scope: offline_access", + "protocol" : "openid-connect", + "attributes" : { + "consent.screen.text" : "${offlineAccessScopeConsentText}", + "display.on.consent.screen" : "true" + } + }, { + "id" : "7f8c2e01-8920-4235-a807-d25c02c51a69", + "name" : "groups", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true" + }, + "protocolMappers" : [ { + "id" : "a7811413-ded2-4f74-84f2-ded7e0b86b78", + "name" : "Groups", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-group-membership-mapper", + "consentRequired" : false, + "config" : { + "full.path" : "false", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "groups", + "userinfo.token.claim" : "true" + } + } ] + }, { + "id" : "bf552e5f-0ab2-4106-96c2-3df81dd17278", + "name" : "microprofile-jwt", + "description" : "Microprofile - JWT built-in scope", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "false" + }, + "protocolMappers" : [ { + "id" : "2e6af5fb-f219-4295-86f5-dc463c1166aa", + "name" : "upn", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "username", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "upn", + "jsonType.label" : "String" + } + }, { + "id" : "15e3451b-56ea-4c72-bebc-d6a4458f3719", + "name" : "groups", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-realm-role-mapper", + "consentRequired" : false, + "config" : { + "multivalued" : "true", + "userinfo.token.claim" : "true", + "user.attribute" : "foo", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "groups", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "cfc41abd-0d31-430e-8d12-c10980b82ccf", + "name" : "phone", + "description" : "OpenID Connect built-in scope: phone", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${phoneScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "4967d0ff-862c-4482-a356-9682ffd54bed", + "name" : "phone number verified", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "phoneNumberVerified", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "phone_number_verified", + "jsonType.label" : "boolean" + } + }, { + "id" : "2c0972f0-e338-4ff3-ab7a-746b3c82a523", + "name" : "phone number", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "phoneNumber", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "phone_number", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "d8a7db02-2303-4ae1-aa55-0ece05e1439d", + "name" : "profile", + "description" : "OpenID Connect built-in scope: profile", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${profileScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "d942cf0e-2999-463e-b785-40fb34c78915", + "name" : "given name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "firstName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "given_name", + "jsonType.label" : "String" + } + }, { + "id" : "2fe28da0-34b3-4e21-a231-0234fd91000c", + "name" : "profile", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "profile", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "profile", + "jsonType.label" : "String" + } + }, { + "id" : "18d7af31-45da-405e-8672-1dd12c8bb7bb", + "name" : "username", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "username", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "preferred_username", + "jsonType.label" : "String" + } + }, { + "id" : "3b7c66b6-53bf-4811-9a24-49ce50384aa6", + "name" : "picture", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "picture", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "picture", + "jsonType.label" : "String" + } + }, { + "id" : "52014ca2-bcd5-4749-bf4c-8f51b584302b", + "name" : "gender", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "gender", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "gender", + "jsonType.label" : "String" + } + }, { + "id" : "21ed114e-1f75-406e-815e-dcd1261f7ae4", + "name" : "zoneinfo", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "zoneinfo", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "zoneinfo", + "jsonType.label" : "String" + } + }, { + "id" : "796c1e7c-6846-4fa4-846e-e9500b60ffef", + "name" : "locale", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "locale", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "locale", + "jsonType.label" : "String" + } + }, { + "id" : "da9e2b35-8924-46ff-b4e2-d12f8624ce85", + "name" : "website", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "website", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "website", + "jsonType.label" : "String" + } + }, { + "id" : "89eaac72-84d2-4398-a906-f9ba5b04802a", + "name" : "birthdate", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "birthdate", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "birthdate", + "jsonType.label" : "String" + } + }, { + "id" : "60b80604-1155-482b-bf37-df5f0d68f81e", + "name" : "nickname", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "nickname", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "nickname", + "jsonType.label" : "String" + } + }, { + "id" : "644ecede-bc4a-4533-a7bd-8ae6fb9e5b8e", + "name" : "family name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "lastName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "family_name", + "jsonType.label" : "String" + } + }, { + "id" : "36a7e957-c7aa-4b59-8fe0-815afad5fcaf", + "name" : "updated at", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "updatedAt", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "updated_at", + "jsonType.label" : "String" + } + }, { + "id" : "557ae544-b359-40c0-8f4b-29a3656df715", + "name" : "full name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-full-name-mapper", + "consentRequired" : false, + "config" : { + "id.token.claim" : "true", + "access.token.claim" : "true", + "userinfo.token.claim" : "true" + } + }, { + "id" : "6f857936-6441-41d8-ab66-efecdc39b71b", + "name" : "middle name", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-attribute-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "middleName", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "middle_name", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "da598377-4b87-45ba-b46a-41d64ceeb41f", + "name" : "email", + "description" : "OpenID Connect built-in scope: email", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "true", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${emailScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "c7deebc2-04e9-4d47-b919-74889e132e0c", + "name" : "email verified", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "emailVerified", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "email_verified", + "jsonType.label" : "boolean" + } + }, { + "id" : "8dac8fc6-308f-4de1-a7ca-6bde9405493a", + "name" : "email", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-property-mapper", + "consentRequired" : false, + "config" : { + "userinfo.token.claim" : "true", + "user.attribute" : "email", + "id.token.claim" : "true", + "access.token.claim" : "true", + "claim.name" : "email", + "jsonType.label" : "String" + } + } ] + }, { + "id" : "e6cdbbf2-8565-42fd-97af-80a61064b409", + "name" : "role_list", + "description" : "SAML role list", + "protocol" : "saml", + "attributes" : { + "consent.screen.text" : "${samlRoleListScopeConsentText}", + "display.on.consent.screen" : "true" + }, + "protocolMappers" : [ { + "id" : "4bb39e71-e83c-4530-b6ce-b97f302ed09e", + "name" : "role list", + "protocol" : "saml", + "protocolMapper" : "saml-role-list-mapper", + "consentRequired" : false, + "config" : { + "single" : "false", + "attribute.nameformat" : "Basic", + "attribute.name" : "Role" + } + } ] + }, { + "id" : "efdb59a9-2006-4dd8-8e39-cfecf45aa57a", + "name" : "roles", + "description" : "OpenID Connect scope for add user roles to the access token", + "protocol" : "openid-connect", + "attributes" : { + "include.in.token.scope" : "false", + "display.on.consent.screen" : "true", + "consent.screen.text" : "${rolesScopeConsentText}" + }, + "protocolMappers" : [ { + "id" : "41405f2d-4a54-4e29-8b40-80af89c0ce21", + "name" : "audience resolve", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-audience-resolve-mapper", + "consentRequired" : false, + "config" : { } + }, { + "id" : "194cf325-68ce-46e1-94fd-398d21f12b2f", + "name" : "realm roles", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-realm-role-mapper", + "consentRequired" : false, + "config" : { + "user.attribute" : "foo", + "access.token.claim" : "true", + "claim.name" : "realm_access.roles", + "jsonType.label" : "String", + "multivalued" : "true" + } + }, { + "id" : "714248d7-33c0-452d-9884-f1765323a07c", + "name" : "client roles", + "protocol" : "openid-connect", + "protocolMapper" : "oidc-usermodel-client-role-mapper", + "consentRequired" : false, + "config" : { + "user.attribute" : "foo", + "access.token.claim" : "true", + "claim.name" : "resource_access.${client_id}.roles", + "jsonType.label" : "String", + "multivalued" : "true" + } + } ] + } ], + "defaultDefaultClientScopes" : [ "web-origins", "profile", "email", "role_list", "roles" ], + "defaultOptionalClientScopes" : [ "address", "offline_access", "microprofile-jwt", "phone" ], + "browserSecurityHeaders" : { + "contentSecurityPolicyReportOnly" : "", + "xContentTypeOptions" : "nosniff", + "xRobotsTag" : "none", + "xFrameOptions" : "SAMEORIGIN", + "contentSecurityPolicy" : "frame-src 'self'; frame-ancestors 'self' http://localhost:* ; object-src 'none';", + "xXSSProtection" : "1; mode=block", + "strictTransportSecurity" : "max-age=31536000; includeSubDomains" + }, + "smtpServer" : { }, + "eventsEnabled" : false, + "eventsListeners" : [ "jboss-logging" ], + "enabledEventTypes" : [ ], + "adminEventsEnabled" : false, + "adminEventsDetailsEnabled" : false, + "components" : { + "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy" : [ { + "id" : "034a0fb6-c8f1-422e-9bfa-19dd720e5660", + "name" : "Full Scope Disabled", + "providerId" : "scope", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { } + }, { + "id" : "69ff0243-275c-492b-b1f4-de7a9c0a4d74", + "name" : "Allowed Protocol Mapper Types", + "providerId" : "allowed-protocol-mappers", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "allowed-protocol-mapper-types" : [ "oidc-usermodel-attribute-mapper", "oidc-usermodel-property-mapper", "oidc-full-name-mapper", "saml-user-attribute-mapper", "saml-role-list-mapper", "oidc-address-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-user-property-mapper" ] + } + }, { + "id" : "ad654b62-41f2-4893-b6c6-24d3b5ff79e5", + "name" : "Trusted Hosts", + "providerId" : "trusted-hosts", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "host-sending-registration-request-must-match" : [ "true" ], + "client-uris-must-match" : [ "true" ] + } + }, { + "id" : "c004ae0c-c95d-4881-8a9a-c0659073ad22", + "name" : "Allowed Client Scopes", + "providerId" : "allowed-client-templates", + "subType" : "authenticated", + "subComponents" : { }, + "config" : { + "allow-default-scopes" : [ "true" ] + } + }, { + "id" : "31810fc8-854e-4fef-b40c-563117dcce09", + "name" : "Consent Required", + "providerId" : "consent-required", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { } + }, { + "id" : "e0e818b1-723d-4717-ba1b-afc3a83a1a21", + "name" : "Allowed Protocol Mapper Types", + "providerId" : "allowed-protocol-mappers", + "subType" : "authenticated", + "subComponents" : { }, + "config" : { + "allowed-protocol-mapper-types" : [ "oidc-usermodel-property-mapper", "saml-user-property-mapper", "oidc-usermodel-attribute-mapper", "oidc-address-mapper", "saml-user-attribute-mapper", "saml-role-list-mapper", "oidc-full-name-mapper", "oidc-sha256-pairwise-sub-mapper" ] + } + }, { + "id" : "25b75e5c-d18c-4ebb-abb2-3fd3f1d86f25", + "name" : "Max Clients Limit", + "providerId" : "max-clients", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "max-clients" : [ "200" ] + } + }, { + "id" : "4bfd9180-1910-47fd-8a19-6a2e25461918", + "name" : "Allowed Client Scopes", + "providerId" : "allowed-client-templates", + "subType" : "anonymous", + "subComponents" : { }, + "config" : { + "allow-default-scopes" : [ "true" ] + } + } ], + "org.keycloak.keys.KeyProvider" : [ { + "id" : "5038fc1e-ff3e-4338-9c91-76545c968ea1", + "name" : "aes-generated", + "providerId" : "aes-generated", + "subComponents" : { }, + "config" : { + "kid" : [ "1a0950be-5756-4baa-be6c-96ec371d4bc0" ], + "secret" : [ "ACokC9evoBBk6lRB_5a95w" ], + "priority" : [ "100" ] + } + }, { + "id" : "b633176a-7200-4f13-a1f8-511e6e7ea226", + "name" : "hmac-generated", + "providerId" : "hmac-generated", + "subComponents" : { }, + "config" : { + "kid" : [ "981d23ef-cff9-473b-93fd-588ea529e067" ], + "secret" : [ "Vr3Za2uPq1ueOlu3trj1qkjoQOOaAoJ9G5vERXRFWFeLp6AKMVVLD-znGd3GTy1GgUrfjOAtYXUI8olHFc-kdA" ], + "priority" : [ "100" ], + "algorithm" : [ "HS256" ] + } + }, { + "id" : "ebbcdfbe-12e6-4c60-bed1-8f8a15b7c585", + "name" : "rsa-generated", + "providerId" : "rsa-generated", + "subComponents" : { }, + "config" : { + "privateKey" : [ "MIIEpAIBAAKCAQEAtZgrud1gs0sCDBW7bieBOfwODTv1csVbkjKXd0MGl6tNdQ8QRwtjYmOQttOCcAVqCjUTAc1Qs7T/FQFA8gg78Kl+uM+8wCDna15vRdct0g8AskXrY/1F63DQZfTnJ83lscNy1lMj8LuD1Q0Xv9RCGUc8WVuVS5Z/9LDJ7ir1M4/j5D9fSOzE/fqynQtfFmCDPao0O8rIeZDVgN/wPvryvVFueIOUHDnUQ1wcNDTU5elhQQxkL5TDnbGXS3FDflYzjS8gIfqR0ZmBn7t5VvufonAu6iopKI0ETwj59VMBmfYyYb+uTvIVHOLAGhhJ9oaKwUsgNDvMgZJyBRS/AeekXwIDAQABAoIBAFho/Kjh6emAlD+T+Qu5OgYj/CdfULGO+nUkInAS9suyv+RE8DTWi41kUhlgwnmNeUH88wMGlcrYTPRKBvePILebnbGWmhukKWcxs9T53ToOydUBi4fD0F2/MAbjhALyEGlKccd89NuIP7fjRvPDAGdUMkKC/x2s6SEVTUqiKXzvNkvbD6vVnTP5Fduuu4p8AYDnd9sgbkQp3ckVpAebTpfsxE2i7uICU0mSq9SdsY2N38WIojjD3WEe6sU2AGtanwnMi63yuRtnHOR9YOHw5lUw+YV4n/3ezKPEh+k5LcmQRzFm0oCG4H1DO7428AQOMWJv1ITmYYwdAWkleQ3DeqECgYEA9fw3ndBveRay2yJDmqD+KAClxgZg8LXv9jFgeXh1LNa6BIR1Yvav3UZtrwYCHQJLkW0OanGL0SVSINx6dEpMoSvUvSvGMjMGQDeuMCOtwxjQNLacKdhfUSw1UtIyoNq2VM7UBH0jHnPt4cD7OL+V27SBNcqqWFVDrErWAPPpJm8CgYEAvPzXBJQaeRYHuo6yj1vE9ovjAd1xiLazp8HqPtGh1DhzUrsKM0HZ/rkqr7ctD35mHIDwgaFLc4Z/5M0agASu9hlGYW7vrWuoUHgrJ10PKkI9LjaFqlegNmSZvj8QHVRGKGLJ3rLNpcaa2tq3fX1FWa9Qu1mJ0/vLVpRLtNuo2RECgYEAgvxFWWHumho+L3Y1bZeg/wgpPiOTZ1paZ0yvxL8iFjhZYaJvJ72YtEmWioa2hV/9gXkDHidMfphS/XCqPFZ8K669X+Z5aa3F/FgqBzRYiPUjmY5L5fRz/TN/SZTopMMSKGLif2lrVAIDgB1VKUjLseySiWRcBSGSIaLQBj3bvz0CgYBqO1oGOdYzsF2B0YqvqO8rg3CEcNzL859DMm6hByeHan/wxjCypVaLp7xF75qFthBh/1yyEV+fPcCQdXZq9bb/oS99v2U8v2JqcVIYm2fV4kwPuRgjq4Pkb2I4naxKQD/7naRJ6YpNoDkVwpIYGR2tjy27UlZ2cXhYX526uSrNcQKBgQDsM1DXhHNTY046Y14WDPmhz+55WmzpMJUorJSo4Be/eKZpryeaIIF8rEmk0AXTb84o4yyW4fJWVt7vpsqldS4jK1N/BQYkyu6zTSQGiDuYfbecIRJbEtrHdJ0848uptDPz8qcXy2KVG3veZ+lT+Ie3FNiJlf/U6aQNbvHFeIlDQg==" ], + "certificate" : [ "MIICmTCCAYECBgFtTvFrqzANBgkqhkiG9w0BAQsFADAQMQ4wDAYDVQQDDAVzaXNjYzAeFw0xOTA5MjAxMzUwMDdaFw0yOTA5MjAxMzUxNDdaMBAxDjAMBgNVBAMMBXNpc2NjMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtZgrud1gs0sCDBW7bieBOfwODTv1csVbkjKXd0MGl6tNdQ8QRwtjYmOQttOCcAVqCjUTAc1Qs7T/FQFA8gg78Kl+uM+8wCDna15vRdct0g8AskXrY/1F63DQZfTnJ83lscNy1lMj8LuD1Q0Xv9RCGUc8WVuVS5Z/9LDJ7ir1M4/j5D9fSOzE/fqynQtfFmCDPao0O8rIeZDVgN/wPvryvVFueIOUHDnUQ1wcNDTU5elhQQxkL5TDnbGXS3FDflYzjS8gIfqR0ZmBn7t5VvufonAu6iopKI0ETwj59VMBmfYyYb+uTvIVHOLAGhhJ9oaKwUsgNDvMgZJyBRS/AeekXwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQADyMe/ONG/yNrLNWEOOYPDZpXOMnlPVjhJhdMq5qghiXBsx/EiustkyXXfq/BrlLtJowK8VhDMFSmcNtP3VKklB/IsRM3vOXur2z3bMTHW2Y4jOlx+RXCDfGXKb6F5LazpR4S9oLfMvwXqUyskuQ2JL7olAe/g5v0F8OBiv8IsYnfj2LlDX6B+FXT1LruMGxbRqQGQesJD0IogcIBHf6+0CjJkzKxFulmqLVEBJHhqFhPZtf4wRdWJY0Di5nws+/yeu9FJi9LNyYlPz6scss/9JRBPDh0E3AW5VE6RSPu/anFe5J/2tgFGel2DsFKhnGqWPw/2X25uShfmgdw544dQ" ], + "priority" : [ "100" ] + } + } ] + }, + "internationalizationEnabled" : false, + "supportedLocales" : [ ], + "authenticationFlows" : [ { + "id" : "7ead61c9-9739-4452-a8a2-dac4b290bcf9", + "alias" : "Handle Existing Account", + "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "idp-confirm-link", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "requirement" : "REQUIRED", + "priority" : 20, + "flowAlias" : "Handle Existing Account - Alternatives - 0", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "6a454183-f418-4c09-81ad-4dc45889c0ed", + "alias" : "Handle Existing Account - Alternatives - 0", + "description" : "Subflow of Handle Existing Account with alternative executions", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "idp-email-verification", + "requirement" : "ALTERNATIVE", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "requirement" : "ALTERNATIVE", + "priority" : 20, + "flowAlias" : "Verify Existing Account by Re-authentication", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "96e2f402-7824-42b0-9090-4fe4f8db32c8", + "alias" : "Verify Existing Account by Re-authentication", + "description" : "Reauthentication of existing account", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "idp-username-password-form", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "requirement" : "CONDITIONAL", + "priority" : 20, + "flowAlias" : "Verify Existing Account by Re-authentication - auth-otp-form - Conditional", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "263245eb-42aa-486f-b1f7-1dd93aca377f", + "alias" : "Verify Existing Account by Re-authentication - auth-otp-form - Conditional", + "description" : "Flow to determine if the auth-otp-form authenticator should be used or not.", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "conditional-user-configured", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "auth-otp-form", + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "4e5ceed4-4e38-4040-86ae-937e256611fc", + "alias" : "browser", + "description" : "browser based authentication", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "auth-cookie", + "requirement" : "ALTERNATIVE", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "auth-spnego", + "requirement" : "DISABLED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "identity-provider-redirector", + "requirement" : "ALTERNATIVE", + "priority" : 25, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "requirement" : "ALTERNATIVE", + "priority" : 30, + "flowAlias" : "forms", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "4e01e0fd-4f44-432b-88c8-dffe0a15529a", + "alias" : "clients", + "description" : "Base authentication for clients", + "providerId" : "client-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "client-secret", + "requirement" : "ALTERNATIVE", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "client-jwt", + "requirement" : "ALTERNATIVE", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "client-secret-jwt", + "requirement" : "ALTERNATIVE", + "priority" : 30, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "client-x509", + "requirement" : "ALTERNATIVE", + "priority" : 40, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "84c8cc65-f967-481c-9b1a-b407148a5c68", + "alias" : "direct grant", + "description" : "OpenID Connect Resource Owner Grant", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "direct-grant-validate-username", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "direct-grant-validate-password", + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "requirement" : "CONDITIONAL", + "priority" : 30, + "flowAlias" : "direct grant - direct-grant-validate-otp - Conditional", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "493f900f-74f0-48a1-81cc-21b1f7324bf4", + "alias" : "direct grant - direct-grant-validate-otp - Conditional", + "description" : "Flow to determine if the direct-grant-validate-otp authenticator should be used or not.", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "conditional-user-configured", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "direct-grant-validate-otp", + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "32f3ae88-3809-48ba-8c6e-251c18021ad4", + "alias" : "docker auth", + "description" : "Used by Docker clients to authenticate against the IDP", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "docker-http-basic-authenticator", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "6d25e5ee-1897-43b0-96a6-7df9fe04f20d", + "alias" : "first broker login", + "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticatorConfig" : "review profile config", + "authenticator" : "idp-review-profile", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "requirement" : "REQUIRED", + "priority" : 20, + "flowAlias" : "first broker login - Alternatives - 0", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "f29b4aac-b029-454d-b830-7044d96d4e3f", + "alias" : "first broker login - Alternatives - 0", + "description" : "Subflow of first broker login with alternative executions", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticatorConfig" : "create unique user config", + "authenticator" : "idp-create-user-if-unique", + "requirement" : "ALTERNATIVE", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "requirement" : "ALTERNATIVE", + "priority" : 20, + "flowAlias" : "Handle Existing Account", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "f1a8ff22-aa29-4cfb-8a26-32062ff6774b", + "alias" : "forms", + "description" : "Username, password, otp and other auth forms.", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "auth-username-password-form", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "requirement" : "CONDITIONAL", + "priority" : 20, + "flowAlias" : "forms - auth-otp-form - Conditional", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "0fe0e268-73d1-43a0-bcae-a1082b07852c", + "alias" : "forms - auth-otp-form - Conditional", + "description" : "Flow to determine if the auth-otp-form authenticator should be used or not.", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "conditional-user-configured", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "auth-otp-form", + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "53241d23-22f9-4565-b299-2ad889750ed9", + "alias" : "http challenge", + "description" : "An authentication flow based on challenge-response HTTP Authentication Schemes", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "no-cookie-redirect", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "basic-auth", + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "basic-auth-otp", + "requirement" : "DISABLED", + "priority" : 30, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "auth-spnego", + "requirement" : "DISABLED", + "priority" : 40, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "ff206ce7-4dcd-471f-b3f0-eb466b691293", + "alias" : "registration", + "description" : "registration flow", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "registration-page-form", + "requirement" : "REQUIRED", + "priority" : 10, + "flowAlias" : "registration form", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "fc2220ae-4f3a-4df8-8ea3-cb6e891edefd", + "alias" : "registration form", + "description" : "registration form", + "providerId" : "form-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "registration-user-creation", + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "registration-profile-action", + "requirement" : "REQUIRED", + "priority" : 40, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "registration-password-action", + "requirement" : "REQUIRED", + "priority" : 50, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "registration-recaptcha-action", + "requirement" : "DISABLED", + "priority" : 60, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "194f34c0-1e4e-477c-937f-9eec763a5c00", + "alias" : "reset credentials", + "description" : "Reset credentials for a user if they forgot their password or something", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "reset-credentials-choose-user", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "reset-credential-email", + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "reset-password", + "requirement" : "REQUIRED", + "priority" : 30, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "requirement" : "CONDITIONAL", + "priority" : 40, + "flowAlias" : "reset credentials - reset-otp - Conditional", + "userSetupAllowed" : false, + "autheticatorFlow" : true + } ] + }, { + "id" : "1a97111a-5cc0-45e0-9937-c6dfbac1ee4f", + "alias" : "reset credentials - reset-otp - Conditional", + "description" : "Flow to determine if the reset-otp authenticator should be used or not.", + "providerId" : "basic-flow", + "topLevel" : false, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "conditional-user-configured", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + }, { + "authenticator" : "reset-otp", + "requirement" : "REQUIRED", + "priority" : 20, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + }, { + "id" : "85cc250e-f572-4c0e-9a7c-7df313e38397", + "alias" : "saml ecp", + "description" : "SAML ECP Profile Authentication Flow", + "providerId" : "basic-flow", + "topLevel" : true, + "builtIn" : true, + "authenticationExecutions" : [ { + "authenticator" : "http-basic-authenticator", + "requirement" : "REQUIRED", + "priority" : 10, + "userSetupAllowed" : false, + "autheticatorFlow" : false + } ] + } ], + "authenticatorConfig" : [ { + "id" : "fbd2f3a4-e2f8-4457-8d8d-52835dfacfc7", + "alias" : "create unique user config", + "config" : { + "require.password.update.after.registration" : "false" + } + }, { + "id" : "8f1882f5-e3d4-4639-be20-ed64b27c81c3", + "alias" : "review profile config", + "config" : { + "update.profile.on.first.login" : "missing" + } + } ], + "requiredActions" : [ { + "alias" : "CONFIGURE_TOTP", + "name" : "Configure OTP", + "providerId" : "CONFIGURE_TOTP", + "enabled" : true, + "defaultAction" : false, + "priority" : 10, + "config" : { } + }, { + "alias" : "terms_and_conditions", + "name" : "Terms and Conditions", + "providerId" : "terms_and_conditions", + "enabled" : false, + "defaultAction" : false, + "priority" : 20, + "config" : { } + }, { + "alias" : "UPDATE_PASSWORD", + "name" : "Update Password", + "providerId" : "UPDATE_PASSWORD", + "enabled" : true, + "defaultAction" : false, + "priority" : 30, + "config" : { } + }, { + "alias" : "UPDATE_PROFILE", + "name" : "Update Profile", + "providerId" : "UPDATE_PROFILE", + "enabled" : true, + "defaultAction" : false, + "priority" : 40, + "config" : { } + }, { + "alias" : "VERIFY_EMAIL", + "name" : "Verify Email", + "providerId" : "VERIFY_EMAIL", + "enabled" : true, + "defaultAction" : false, + "priority" : 50, + "config" : { } + }, { + "alias" : "update_user_locale", + "name" : "Update User Locale", + "providerId" : "update_user_locale", + "enabled" : true, + "defaultAction" : false, + "priority" : 1000, + "config" : { } + } ], + "browserFlow" : "browser", + "registrationFlow" : "registration", + "directGrantFlow" : "direct grant", + "resetCredentialsFlow" : "reset credentials", + "clientAuthenticationFlow" : "clients", + "dockerAuthenticationFlow" : "docker auth", + "attributes" : { + "clientOfflineSessionMaxLifespan" : "0", + "clientSessionIdleTimeout" : "0", + "clientSessionMaxLifespan" : "0", + "clientOfflineSessionIdleTimeout" : "0" + }, + "keycloakVersion" : "11.0.2", + "userManagedAccessAllowed" : false + } + diff --git a/stable/fdi-dotstatsuite-keycloak/templates/deploy/keycloak.yaml b/stable/fdi-dotstatsuite-keycloak/templates/deploy/keycloak.yaml new file mode 100644 index 00000000..3890756f --- /dev/null +++ b/stable/fdi-dotstatsuite-keycloak/templates/deploy/keycloak.yaml @@ -0,0 +1,138 @@ +{{- if .Values.keycloak.enabled -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "fdi-dotstatsuite-keycloak.fullname" . }} + labels: + {{- include "fdi-dotstatsuite-keycloak.labels" . | nindent 4 }} +spec: +{{- if not .Values.keycloak.autoscaling.enabled }} + replicas: {{ .Values.keycloak.replicaCount }} +{{- end }} + selector: + matchLabels: + {{- include "fdi-dotstatsuite-keycloak.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.keycloak.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "fdi-dotstatsuite-keycloak.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.keycloak.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "fdi-dotstatsuite-keycloak.keycloak.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.keycloak.podSecurityContext | nindent 8 }} + containers: + - name: {{ include "fdi-dotstatsuite-keycloak.fullname" . }} + securityContext: + {{- toYaml .Values.keycloak.securityContext | nindent 12 }} + image: "{{ .Values.keycloak.image.repository }}:{{ .Values.keycloak.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.keycloak.image.pullPolicy }} + # command: + # - "sh" + # - "-c" + # - | + # # 900 is the uid and gid of ckan user/group + # cd /opt/jboss/keycloak/bin/ && \ + # ./kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user \$KEYCLOAK_USER --password \$KEYCLOAK_PASSWORD && \ + # ./kcadm.sh update realms/master -s sslRequired=NONE + volumeMounts: + {{- if .Values.keycloak.export.enabled }} + - mountPath: "/opt/jboss/export/" + name: "keycloak-export" + {{- end }} + - name: {{ include "fdi-dotstatsuite-keycloak.fullname" . }}-import-realm + mountPath: /opt/jboss/import/ + command: + - /bin/bash + - -c + - /opt/keycloak/bin/kc.sh start --spi-connections-jpa-legacy-initialize-empty=false --transaction-xa-enabled=false --log-level=ALL + env: + {{- range .Values.keycloak.ingress.hosts }} + - name: KC_HOSTNAME + value: "{{ .host }}" + {{- end }} + - name: KC_PROXY_ADDRESS_FORWARDING + value: "true" + - name: KEYCLOAK_LOGLEVEL + value: DEBUG + - name: KC_PROXY + value: "edge" + - name: KC_HOSTNAME_STRICT + value: "false" + - name: KC_HTTP_RELATIVE_PATH + value: "/" + - name: KC_HOSTNAME_STRICT_HTTPS + value: "true" + - name: KC_DB + value: {{ .Values.managed.postgresdb.db_vendor }} + - name: KC_DB_URL + {{- if eq .Values.managed.postgresdb.db_vendor "mssql" }} + value: "jdbc:sqlserver://{{ .Values.managed.postgresdb.db_url }};database={{ .Values.managed.postgresdb.db_name }};encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30;" + {{- end }} + - name: KC_DB_DATABASE + value: {{ .Values.managed.postgresdb.db_name }} + - name: KC_DB_SCHEMA + value: {{ .Values.managed.postgresdb.schema }} + - name: KC_DB_USERNAME + value: {{ .Values.managed.postgresdb.db_username }} + - name: KC_DB_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "fdi-dotstatsuite-keycloak.fullname" . }}-passwords + key: db_password + - name: KEYCLOAK_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "fdi-dotstatsuite-keycloak.fullname" . }}-passwords + key: keycloak_password + - name: KEYCLOAK_ADMIN + value: {{ .Values.keycloak.keycloak_user }} + - name: DB_ADDR + value: {{ .Values.managed.postgresdb.db_url }} + - name: DB_DATABASE + value: {{ .Values.managed.postgresdb.db_name }} + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "fdi-dotstatsuite-keycloak.fullname" . }}-passwords + key: db_password + - name: DB_SCHEMA + value: {{ .Values.managed.postgresdb.schema }} + - name: DB_USER + value: {{ .Values.managed.postgresdb.db_username }} + - name: DB_VENDOR + value: {{ .Values.managed.postgresdb.db_vendor }} + - name: JDBC_PARAMS + value: trustServerCertificate=false;encrypt=false + - name: KEYCLOAK_IMPORT + value: /opt/jboss/import/realm.json + - name: KEYCLOAK_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "fdi-dotstatsuite-keycloak.fullname" . }}-passwords + key: keycloak_password + - name: KEYCLOAK_USER + value: {{ .Values.keycloak.keycloak_user }} + ports: + - name: http + containerPort: 8080 + protocol: TCP + volumes: + {{- if .Values.keycloak.export.enabled }} + - name: "keycloak-export" + azureFile: + secretName: {{ .Values.fullnameOverride }}-keycloak-export-secret + shareName: {{ .Values.keycloak.export.shareName }} + {{- end }} + - name: {{ include "fdi-dotstatsuite-keycloak.fullname" . }}-import-realm + configMap: + name: {{ include "fdi-dotstatsuite-keycloak.fullname" . }}-realm-json + +{{- end -}} diff --git a/stable/fdi-dotstatsuite-keycloak/templates/dr/destrule.yaml b/stable/fdi-dotstatsuite-keycloak/templates/dr/destrule.yaml new file mode 100644 index 00000000..e6882e20 --- /dev/null +++ b/stable/fdi-dotstatsuite-keycloak/templates/dr/destrule.yaml @@ -0,0 +1,16 @@ +{{- if .Values.destinationRule.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ template "fdi-dotstatsuite-keycloak.fullname" . }} + labels: + app: {{ template "fdi-dotstatsuite-keycloak.name" . }} + chart: {{ template "fdi-dotstatsuite-keycloak.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + host: "*.{{ .Release.Namespace }}.svc.{{ default "cluster.local" .Values.clusterDomain }}" + trafficPolicy: + tls: + mode: "{{ default "DISABLE" .Values.destinationRule.mode }}" +{{- end }} diff --git a/stable/fdi-dotstatsuite-keycloak/templates/hpa/keycloak.yaml b/stable/fdi-dotstatsuite-keycloak/templates/hpa/keycloak.yaml new file mode 100644 index 00000000..967e01fa --- /dev/null +++ b/stable/fdi-dotstatsuite-keycloak/templates/hpa/keycloak.yaml @@ -0,0 +1,30 @@ +{{- if .Values.keycloak.enabled -}} +{{- if .Values.keycloak.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "fdi-dotstatsuite-keycloak.fullname" . }} + labels: + {{- include "fdi-dotstatsuite-keycloak.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "fdi-dotstatsuite-keycloak.fullname" . }} + minReplicas: {{ .Values.keycloak.autoscaling.minReplicas }} + maxReplicas: {{ .Values.keycloak.autoscaling.maxReplicas }} + metrics: + {{- if .Values.keycloak.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.keycloak.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.keycloak.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.keycloak.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} +{{- end }} diff --git a/stable/fdi-dotstatsuite-keycloak/templates/ing/keycloak.yaml b/stable/fdi-dotstatsuite-keycloak/templates/ing/keycloak.yaml new file mode 100644 index 00000000..2afef207 --- /dev/null +++ b/stable/fdi-dotstatsuite-keycloak/templates/ing/keycloak.yaml @@ -0,0 +1,46 @@ +{{- if .Values.keycloak.enabled -}} +{{- if .Values.keycloak.ingress.enabled -}} +{{- $fullName := include "fdi-dotstatsuite-keycloak.fullname" . -}} +{{- $svcPort := .Values.keycloak.service.port -}} +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else -}} +apiVersion: extensions/v1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "fdi-dotstatsuite-keycloak.labels" . | nindent 4 }} + {{- with .Values.keycloak.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.keycloak.ingress.tls }} + tls: + {{- range .Values.keycloak.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.keycloak.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ . }} + pathType: ImplementationSpecific + backend: + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/stable/fdi-dotstatsuite-keycloak/templates/sa/keycloak.yaml b/stable/fdi-dotstatsuite-keycloak/templates/sa/keycloak.yaml new file mode 100644 index 00000000..686dde8e --- /dev/null +++ b/stable/fdi-dotstatsuite-keycloak/templates/sa/keycloak.yaml @@ -0,0 +1,14 @@ +{{- if .Values.keycloak.enabled -}} +{{- if .Values.keycloak.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "fdi-dotstatsuite-keycloak.keycloak.serviceAccountName" . }} + labels: + {{- include "fdi-dotstatsuite-keycloak.labels" . | nindent 4 }} + {{- with .Values.keycloak.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/stable/fdi-dotstatsuite-keycloak/templates/secret/keycloak-export-secret.yaml b/stable/fdi-dotstatsuite-keycloak/templates/secret/keycloak-export-secret.yaml new file mode 100644 index 00000000..ff89f643 --- /dev/null +++ b/stable/fdi-dotstatsuite-keycloak/templates/secret/keycloak-export-secret.yaml @@ -0,0 +1,10 @@ +{{- if .Values.keycloak.export.enabled}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.fullnameOverride }}-keycloak-export-secret +type: Opaque +data: + azurestorageaccountname: {{ .Values.keycloak.export.azurestorageaccountname | b64enc }} + azurestorageaccountkey: {{ .Values.keycloak.export.azurestorageaccountkey | b64enc }} +{{- end }} diff --git a/stable/fdi-dotstatsuite-keycloak/templates/secret/keycloak-pwds.yaml b/stable/fdi-dotstatsuite-keycloak/templates/secret/keycloak-pwds.yaml new file mode 100644 index 00000000..7bf8baf9 --- /dev/null +++ b/stable/fdi-dotstatsuite-keycloak/templates/secret/keycloak-pwds.yaml @@ -0,0 +1,8 @@ +kind: Secret +apiVersion: v1 +metadata: + name: {{ include "fdi-dotstatsuite-keycloak.fullname" . }}-passwords +data: + db_password: {{ .Values.managed.postgresdb.db_password | b64enc }} + keycloak_password: {{ .Values.keycloak.keycloak_password | b64enc }} +type: Opaque \ No newline at end of file diff --git a/stable/fdi-dotstatsuite-keycloak/templates/svc/keycloak.yaml b/stable/fdi-dotstatsuite-keycloak/templates/svc/keycloak.yaml new file mode 100644 index 00000000..661932a9 --- /dev/null +++ b/stable/fdi-dotstatsuite-keycloak/templates/svc/keycloak.yaml @@ -0,0 +1,18 @@ +{{- if .Values.keycloak.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "fdi-dotstatsuite-keycloak.fullname" . }} + labels: + {{- include "fdi-dotstatsuite-keycloak.labels" . | nindent 4 }} +spec: + type: {{ .Values.keycloak.service.type }} + ports: + - port: {{ .Values.keycloak.service.port }} + targetPort: http + protocol: TCP + name: http-keycloak + selector: + {{- include "fdi-dotstatsuite-keycloak.selectorLabels" . | nindent 4 }} + +{{- end }} \ No newline at end of file diff --git a/stable/fdi-dotstatsuite-keycloak/values.yaml b/stable/fdi-dotstatsuite-keycloak/values.yaml new file mode 100644 index 00000000..d78b3e63 --- /dev/null +++ b/stable/fdi-dotstatsuite-keycloak/values.yaml @@ -0,0 +1,118 @@ +# Default values for sdmxfrontend. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# Globals +nameOverride: "fdi-dotstatsuite-keycloak" +fullnameOverride: "fdi-dotstatsuite-keycloak" +managed: + postgresdb: + db_url: "fdickandev.postgres.database.azure.com:5432" + db_password: "keycloak" + db_username: "keycloak" + db_name: "keycloak" + db_vendor: "postgres" + schema: "postgres" + +# Config +# https://gitlab.k8s.cloud.statcan.ca/analytics-platform/discovery/dotstatsuite-docker-compose +keycloak: + enabled: true + replicaCount: 1 + keycloak_user: "keycloak" + keycloak_password: "keycloak" + export: + enabled: true + shareName: "keycloak-keycloak/dev/export" + azurestorageaccountname: "tt" + azurestorageaccountkey: "tt" + ingress: + enabled: true + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.class: istio + hosts: + - host: sdmx-keycloak.dev.cloud.statcan.ca + paths: + - '/*' + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + image: + #repository: siscc/dotstatsuite-proxy + repository: artifactory.cloud.statcan.ca/docker/siscc/dotstatsuite-keycloak + pullPolicy: Always + # Overrides the image tag whose default is the chart version. + tag: "yay" + + serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + + podAnnotations: { + traffic.sidecar.istio.io/excludeOutboundPorts: '5432' + } + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + service: + type: ClusterIP + port: 8080 + + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod + ## + imagePullSecrets: + - name: artifactory-prod + + resources: + limits: + cpu: 100m + memory: 4g + requests: + cpu: 100m + memory: 2g + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + nodeSelector: {} + + tolerations: [] + + affinity: {} + +destinationRule: + enabled: false + mode: DISABLE diff --git a/stable/fdi-dotstatsuite-sfs-solr/Chart.yaml b/stable/fdi-dotstatsuite-sfs-solr/Chart.yaml index 164eb44b..9ad2a658 100644 --- a/stable/fdi-dotstatsuite-sfs-solr/Chart.yaml +++ b/stable/fdi-dotstatsuite-sfs-solr/Chart.yaml @@ -1,32 +1,13 @@ apiVersion: v2 -name: fdi-dotstatsuite-sfs-solr -description: fdi-dotstatsuite helm chart for the Data Explorer and Data Viewer - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.0.1 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. appVersion: v14.0.0 - +description: fdi-dotstatsuite helm chart for the Data Explorer and Data Viewer home: https://statcan.gc.ca +maintainers: +- email: Jianlong.qian@statcan.gc.ca + name: Jianlong Qian +name: fdi-dotstatsuite-sfs-solr sources: - https://gitlab.k8s.cloud.statcan.ca/analytics-platform/fdi-idf/metadata - https://gitlab.com/sis-cc/.stat-suite/dotstatsuite-kube-rp/ -maintainers: -- name: Jianlong Qian - email: Jianlong.qian@statcan.gc.ca -engine: gotpl +type: application +version: 1.0.0 diff --git a/stable/fdi-dotstatsuite-sfs-solr/templates/deploy/solr.yaml b/stable/fdi-dotstatsuite-sfs-solr/templates/deploy/solr.yaml index 29f7a53f..f29375ad 100644 --- a/stable/fdi-dotstatsuite-sfs-solr/templates/deploy/solr.yaml +++ b/stable/fdi-dotstatsuite-sfs-solr/templates/deploy/solr.yaml @@ -50,7 +50,7 @@ spec: - name: OOM value: "exit" - name: SOLR_JAVA_MEM - value: "-Xms4g -Xmx6g" + value: "-Xms4g -Xmx6g -Dsolr.max.booleanClauses=50000" volumeMounts: - mountPath: /var/solr name: {{ include "dotstatsuite.fullname" . }}-solr-pv-storage diff --git a/stable/fdi-dotstatsuite-sfs-solr/values.yaml b/stable/fdi-dotstatsuite-sfs-solr/values.yaml index 71be319c..97369658 100644 --- a/stable/fdi-dotstatsuite-sfs-solr/values.yaml +++ b/stable/fdi-dotstatsuite-sfs-solr/values.yaml @@ -7,6 +7,7 @@ nameOverride: "fdi-dotstatsuite-sfs-solr" fullnameOverride: "fdi-dotstatsuite-sfs-solr" + # sfs # https://gitlab.k8s.cloud.statcan.ca/analytics-platform/discovery/dotstatsuite-docker-compose sfs: @@ -243,7 +244,7 @@ mongo: name: "" podAnnotations: { - sidecar.istio.io/inject: 'false' + sidecar.istio.io/inject: 'false' } podSecurityContext: {} @@ -311,6 +312,7 @@ mongo: affinity: {} + # Destination Rule # https://gitlab.k8s.cloud.statcan.ca/analytics-platform/discovery/dotstatsuite-docker-compose destinationRule: diff --git a/stable/fdi-dotstatsuite-sfs-solr/values_for_octopus.yaml b/stable/fdi-dotstatsuite-sfs-solr/values_for_octopus.yaml new file mode 100644 index 00000000..56d83acd --- /dev/null +++ b/stable/fdi-dotstatsuite-sfs-solr/values_for_octopus.yaml @@ -0,0 +1,309 @@ +# Default values for sdmxfrontend. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# Globals +nameOverride: #{NAME} +fullnameOverride: #{FULLLNAME} + + +# sfs +# https://gitlab.k8s.cloud.statcan.ca/analytics-platform/discovery/dotstatsuite-docker-compose +sfs: + enabled: true + replicaCount: #{REPLICACOUNT} + + ingress: + enabled: true + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.class: istio + hosts: + - host: #{SFS_HOST} + paths: + - '/*' + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + image: + # repository: siscc/dotstatsuite-data-explorer + repository: #{SFS_RESPOSITORY} + pullPolicy: Always + # Overrides the image tag whose default is the chart version. + tag: #{SFS_TAG} + config: + host: #{CONFIG_HOST} + api_key_secret: #{API_KEY} + serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + + # podAnnotations: { + # sidecar.istio.io/inject: 'false' + # } + podAnnotations: { + traffic.sidecar.istio.io/excludeOutboundPorts: '27017' + } + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + service: + type: ClusterIP + port: 80 + + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod + ## + imagePullSecrets: + - name: #{IMAGE_PULL_SECRET} + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + nodeSelector: {} + + tolerations: [] + + affinity: {} + +# solr +# https://gitlab.k8s.cloud.statcan.ca/analytics-platform/discovery/dotstatsuite-docker-compose +solr: + enabled: true + replicaCount: 1 + + ingress: + enabled: false + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.class: istio + hosts: + - host: "" + paths: + - '/*' + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + image: + repository: #{SOLR_RESPOSITORY} + pullPolicy: Always + # Overrides the image tag whose default is the chart version. + tag: #{SOLR_TAG} + + serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + + podAnnotations: {} + # podAnnotations: {} + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + service: + type: ClusterIP + port: 8983 + persistence: + enabled: true + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + # existingClaim: + + ## CKAN data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + annotations: {} + accessMode: ReadWriteOnce + size: #{SOLR_STORAGE_SZIE} + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod + ## + imagePullSecrets: + - name: #{IMAGE_PULL_SECRET} + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + nodeSelector: {} + + tolerations: [] + + affinity: {} + +# mongo +# https://gitlab.k8s.cloud.statcan.ca/analytics-platform/discovery/dotstatsuite-docker-compose +mongo: + enabled: true + replicaCount: 1 + + ingress: + enabled: false + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.class: istio + hosts: + - host: "" + paths: + - '/*' + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + image: + repository: repository: #{MONGO_RESPOSITORY} + pullPolicy: Always + # Overrides the image tag whose default is the chart version. + tag: repository: #{MONGO_TAG} + + serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + + podAnnotations: { + sidecar.istio.io/inject: 'false' + } + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + service: + type: ClusterIP + port: 27017 + persistence: + enabled: true + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + # existingClaim: + + ## CKAN data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + annotations: {} + accessMode: ReadWriteOnce + size: #{MONGO_STORAGE_SZIE} + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod + ## + imagePullSecrets: + - name: #{IMAGE_PULL_SECRET} + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + nodeSelector: {} + + tolerations: [] + + affinity: {} + diff --git a/stable/fdi-dotstatsuite/Chart.yaml b/stable/fdi-dotstatsuite/Chart.yaml index 07245992..bb023f7c 100644 --- a/stable/fdi-dotstatsuite/Chart.yaml +++ b/stable/fdi-dotstatsuite/Chart.yaml @@ -1,44 +1,17 @@ apiVersion: v2 -name: fdi-dotstatsuite +appVersion: 16.2.0 +dependencies: +- condition: mssql-linux.enabled + name: mssql-linux + repository: https://charts.helm.sh/stable + version: 0.11.4 description: fdi-dotstatsuite kube core services - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.21 - - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 7.2.0 -# .StatSuite Release version -# https://gitlab.com/groups/sis-cc/.stat-suite/-/milestones/47#tab-issues - home: https://statcan.gc.ca +maintainers: +- email: jianlong.qian@statcan.gc.ca + name: Jianlong.qian +name: fdi-dotstatsuite sources: - https://gitlab.com/sis-cc/.stat-suite/dotstatsuite-kube-core-rp/-/tree/master/staging -maintainers: -- name: sylus - email: william.hearn@canada.ca -- name: Zachary Seguin - email: zachary.seguin@canada.ca -- name: Jianlong.qian - email: jianlong.qian@statcan.gc.ca -engine: gotpl - -dependencies: -- name: mssql-linux - version: 0.11.4 - repository: https://charts.helm.sh/stable - condition: mssql-linux.enabled +type: application +version: 0.3.2 diff --git a/stable/fdi-dotstatsuite/charts/mssql-linux/Chart.yaml b/stable/fdi-dotstatsuite/charts/mssql-linux/Chart.yaml new file mode 100644 index 00000000..4aadc042 --- /dev/null +++ b/stable/fdi-dotstatsuite/charts/mssql-linux/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +appVersion: 14.0.3023.8 +deprecated: true +description: DEPRECATED - SQL Server 2017 Linux Helm Chart +home: https://hub.docker.com/r/microsoft/mssql-server-linux/ +icon: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1I4Dx +name: mssql-linux +sources: +- https://hub.docker.com/r/microsoft/mssql-server-linux/ +version: 0.11.4 diff --git a/stable/fdi-dotstatsuite/charts/mssql-linux/README.md b/stable/fdi-dotstatsuite/charts/mssql-linux/README.md new file mode 100644 index 00000000..51d7f5cf --- /dev/null +++ b/stable/fdi-dotstatsuite/charts/mssql-linux/README.md @@ -0,0 +1,263 @@ +# ⚠️ Repo Archive Notice + +As of Nov 13, 2020, charts in this repo will no longer be updated. +For more information, see the Helm Charts [Deprecation and Archive Notice](https://github.com/helm/charts#%EF%B8%8F-deprecation-and-archive-notice), and [Update](https://helm.sh/blog/charts-repo-deprecation/). + +# HELM Chart for Microsoft SQL Server 2017 on Linux + +## DEPRECATION NOTICE + +This chart is deprecated and no longer supported. + +## Prerequisites + +* This chart requires Docker Engine 1.8+ in any of their supported platforms. Please see vendor requirements [here for more information](https://docs.microsoft.com/en-us/sql/linux/quickstart-install-connect-docker). +* At least 2GB of RAM (3.25 GB prior to 2017-CU2). Make sure to assign enough memory to the Docker VM if you're running on Docker for Mac or Windows. +* Requires the following variables + * You must change the acceptEula.value in the values.yaml file to `Y` or include `--set acceptEula.value=Y` in the command line of `helm install` to override the default value of `N`. + * You must change the editions variable in the values.yaml file to include the edition of SQL Server or include `--set edition.value=` in the command line of `helm install`. + +## Chart Components + +* Creates a SQL Server 2017 deployment (default edition: Express) +* Creates a Kubernetes Service on specified port (default: 1433) +* Creates a Secret to hold SA_PASSWORD + +## Installing the Chart + +You can install the chart with the release name `mymssql` as below. + +```console +$ helm install --name mymssql stable/mssql-linux --set acceptEula.value=Y --set edition.value=Developer +... +``` + +> Note - If you do not specify a name, helm will select a name for you. + +### Installed Components + +You can use `kubectl get` to view all of the installed components. + +```console +$ kubectl get all -l app=mssql-linux +NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE +deploy/mymssql-mssql-linux 1 1 1 1 9m + +NAME DESIRED CURRENT READY AGE +rs/mymssql-mssql-linux-8688756468 1 1 1 9m + +NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE +deploy/mymssql-mssql-linux 1 1 1 1 9m + +NAME DESIRED CURRENT READY AGE +rs/mymssql-mssql-linux-8688756468 1 1 1 9m + +NAME READY STATUS RESTARTS AGE +po/mymssql-mssql-linux-8688756468-x758g 1/1 Running 0 9m + +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +svc/mymssql-mssql-linux ClusterIP 10.104.152.61 1433/TCP 9m + +``` + +### SA Password Retrieval + +The sa password is randomized in the secret.yaml file. To retrieve the password, perform the following steps once you install the helm chart. + +```console +$ printf $(kubectl get secret --namespace default mymssql-mssql-linux-secret -o jsonpath="{.data.sapassword}" | base64 --decode);echo +... +``` + +In case an existing secret is used, the sa password must be retrieved from that secret, of course. + +## Connecting to SQL Server Instance + +1. Run the following command + +This command will create a pod called `mssqlcli` that will include the SQL Server Commandline `sqlcmd` and start at a bash prompt. + +```console +$ kubectl run mssqlcli --image=microsoft/mssql-tools -ti --restart=Never --rm=true -- /bin/bash +$ sqlcmd -S mymssql-mssql-linux -U sa +Password: +$ 1> select @@VERSION; +$ 2> go +------------------------------------------------------------------------------------ +Microsoft SQL Server 2017 (RTM-CU5) (KB4092643) - 14.0.3023.8 (X64) +Dec 22 2017 16:13:22 +Copyright (C) 2017 Microsoft Corporation +Express Edition (64-bit) on Linux (Ubuntu 16.04.3 LTS) +(1 rows affected) + +``` + +## Values + +The configuration parameters in this section control the resources requested and utilized by the SQL Server instance. + +| Parameter | Description | Default | +| --------------------------------------- | ---------------------------------------------------------------------------------------------- | -------------------------------- | +| acceptEula.value | EULA that needs to be accepted. It will need to be changed via commandline or values.yaml. | `n` | +| edition.value | The edition of SQL Server to install. See section [Editions](#sql-server-for-linux-editions). | `Express` | +| sapassword | Password for sa login | `Random (20-AlphNum)`1 | +| existingSecret | Name of an existing secret containing the sa password | `Empty String` | +| existingSecretKey | Name of key of the password in existing secret | `sapassword` | +| image.repository | The docker hub repo for SQL Server | `microsoft/mssql-server-linux` | +| image.tag | The tag for the image | `2017-CU5` | +| image.pullPolicy | The pull policy for the deployment | `IfNotPresent` | +| image.pullSecrets | Specify an image pull secret if needed | `Commented Out` | +| nodeSelector | Node labels for pod assignment | `{}` | +| service.headless | Allows you to setup a headless service | `false` | +| service.type | Service Type | `ClusterIP` | +| service.loadBalancerIP | Loadbalancer IP | `nil` | +| service.port | Service Port | `1433` | +| service.nodePort | Optional NodePort to use when `service.type` is `NodePort` | None | +| service.annotations | Kubernetes service annotations | `{}` | +| service.labels | Kubernetes service labels | `{}` | +| deployment.annotations | Kubernetes deployment annotations | `{}` | +| deployment.labels | Kubernetes deployment labels | `{}` | +| pod.annotations | Kubernetes pod annotations | `{}` | +| pod.labels | Kubernetes pod labels | `{}` | +| collation | Default collation for SQL Server | `SQL_Latin1_General_CP1_CI_AS` | +| lcid | Default languages for SQL Server | `1033` | +| hadr | Enable Availability Group | `0` | +| agent.enabled | Enable Agent | `false` | +| schedulerName | Name of the k8s scheduler (other than default) | `nil` | +| persistence.enabled | Persist the Data and Log files for SQL Server | `true` | +| persistence.existingDataClaim | Identify an existing Claim to be used for the Data Directory | `Commented Out` | +| persistence.existingTransactionLogClaim | Identify an existing Claim to be used for the Log Directory | `Commented Out` | +| persistence.existingBackupClaim | Identify an existing Claim to be used for the SQL Database Backups | `Commented Out` | +| persistence.existingMasterClaim | Identify an existing Claim to be used for the Master Database log & file | `Commented Out` | +| persistence.storageClass | Storage Class to be used | `Commented Out` | +| persistence.dataAccessMode | Data Access Mode to be used for the Data Directory | `ReadWriteOnce` | +| persistence.dataSize | PVC Size for Data Directory | `1Gi` | +| persistence.logAccessMode | Data Access Mode to be used for the Log Directory | `ReadWriteOnce` | +| persistence.logSize | PVC Size for Log Directory | `1Gi` | +| persistence.backupAccessMode | Data Access Mode to be used for the Backup Directory | `ReadWriteOnce` | +| persistence.backupSize | PVC Size for Backup Directory | `1Gi` | +| persistence.masterAccessMode | Data Access Mode to be used for the Master Database | `ReadWriteOnce` | +| persistence.masterSize | PVC Size for Master Database | `1Gi` | +| tolerations | List of node taints to tolerate | `[]` | +| affinity | Map of node/pod affinities | `{}` | +| securityContext | SecurityContext to apply to the pod | `{}` | + +> 1 - [Please read password requirements](https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy) + +## Liveness and Readiness + +The SQL Server instance has liveness and readiness checks specified. These parameters can be used to tune the sensitivity of the liveness and readiness checks. + +### Liveness Probes + +| Parameter | Description | Default | +| --------------------------------- | ------------------------------------------------------------------------------------ | ------- | +| livenessprobe.initialDelaySeconds | Tells the kubelet that it should wait XX second(s) before performing the first probe | `15` | +| livenessprobe.periodSeconds | Field specifies that the kubelet should perform a liveness probe every XX seconds(s) | `20` | + +### Readiness Probes + +| Parameter | Description | Default | +| ---------------------------------- | ------------------------------------------------------------------------------------ | ------- | +| readinessprobe.initialDelaySeconds | Tells the kubelet that it should wait XX second(s) before performing the first probe | 5 | +| readinessprobe.periodSeconds | Field specifies that the kubelet should perform a liveness probe every XX second(s) | 10 | + +## Resources + +You can specify the resource limits for this chart in the values.yaml file. Make sure you comment out or remove the curly brackets from the values.yaml file before specifying resource limits. +Example: + +```yaml +resources: + limits: + cpu: 1 + memory: 2Gi + requests: + cpu: 0.5 + memory: 2Gi +``` + +## Persistence Examples + +Persistence in this chart can be enabled by specifying `persistence.enabled=true`. The path to the database's data and log files can be customized to fit different requirements. + +* Example 1 - Enable persistence in values.yaml without specifying claim +> Note - This is useful for local development in a minikube environment + +```yaml +persistence: + enabled: true + # existingDataClaim: + # existingTransactionLogClaim: + # existingBackupClaim: + # existingMasterClaim: + # storageClass: "-" + dataAccessMode: ReadWriteOnce + dataSize: 1Gi + logAccessMode: ReadWriteOnce + logSize: 1Gi + backupAccessMode: ReadWriteOnce + backupLogSize: 1Gi + masterAccessMode: ReadWriteOnce + masterSize: 1Gi +``` + +* Example 2 - Enable persistence in values.yaml with existing claim +> Note - This is useful for production based environments for persistence volumes and claims already exist. + +```yaml +persistence: + enabled: true + existingDataClaim: pvc-mssql-data + existingTransactionLogClaim: pvc-mssql-log + existingBackupClaim: pvc-mssql-backup + existingMasterClaim: pvc-mssql-master + # storageClass: "-" + # dataAccessMode: ReadWriteOnce + # dataSize: 1Gi + # logAccessMode: ReadWriteOnce + # logSize: 1Gi + # backupAccessMode: ReadWriteOnce + # backupLogSize: 1Gi + # masterAccessMode: ReadWriteOnce + # masterSize: 1Gi +``` + +## SQL Server for Linux Editions + +Below are the supported versions of SQL Server on Linux. You can find out more information [here](https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-editions-and-components-2017). + +* Developer : This will run the container using the Developer Edition (this is the default if no MSSQL_PID environment variable is supplied) +* Express : This will run the container using the Express Edition +* Standard : This will run the container using the Standard Edition +* Enterprise : This will run the container using the Enterprise Edition +* EnterpriseCore : This will run the container using the Enterprise Edition Core +* Product ID: This will run the container with the edition that is associated with the PID + +## Collation and Language Support + +You can change the collation of the MSSQL installation by changing the `collation` key in the `values.yaml` file. More information about Collation and Unicode Support can be found on the [Microsoft Docs Page](https://docs.microsoft.com/en-us/sql/relational-databases/collations/collation-and-unicode-support). + +To change the language of the MSSQL installation, change the `lcid` key in the `values.yaml`. More informationa about languages can be found using the system view `sys.syslanguages`. A list of available languages can be found [here](https://docs.microsoft.com/en-us/sql/relational-databases/system-compatibility-views/sys-syslanguages-transact-sql). + +* Example 1 - Retrieve Collation and Language + +```sql +1>select substring(convert(varchar(30),serverproperty('Collation')),1,30), substring(convert(varchar(20),serverproperty('lcid')),1,20); +2>go +``` + +## Master database files + +As part of this chart the `master` database is configured to be installed based in the `/mssql-data/master`. + +## HADR + +As part of this chart you can enable your SQL Server container for Availability Groups. As an administrator, you will need to configure additional settings once this options is enabled. For more information on Availability Group(s) [click here](https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/overview-of-always-on-availability-groups-sql-server?view=sql-server-2017) for more information. + +### Query to determine if HADR is enabled + +```sql +1>SELECT SERVERPROPERTY ('IsHadrEnabled'); +2>go +``` diff --git a/stable/fdi-dotstatsuite/charts/mssql-linux/templates/NOTES.txt b/stable/fdi-dotstatsuite/charts/mssql-linux/templates/NOTES.txt new file mode 100644 index 00000000..f959c229 --- /dev/null +++ b/stable/fdi-dotstatsuite/charts/mssql-linux/templates/NOTES.txt @@ -0,0 +1,30 @@ +License Terms for MSSQL Server +Please read the License Terms Carefully. The can be found End-User Licensing Agreement. + + +License Terms: https://go.microsoft.com/fwlink/?linkid=857698 +Docker Hub Resource: https://hub.docker.com/r/microsoft/mssql-server-linux + +Edition for this installation: {{ .Values.edition.value }} +SQL Server Name: {{ template "mssql.fullname" . }}.{{ .Release.Namespace }} +Port: {{ .Values.service.port }} +Collation: {{ .Values.collation }} + +Note - By Default the Express Edition is installed as part of this Chart. + +Gain access to your SQL Server: +1. Get SA Password +$ printf $(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "mssql.secret" . }} -o jsonpath="{.data.{{ template "mssql.passwordKey" . }}}" | base64 --decode);echo +2. You can test that SQL Server is available by the service port with with the following set of command: +(Note: You will be prompted for the SA password, use the password generated in Step 1) +$ kubectl run mssqlcli --image=microsoft/mssql-tools -ti --restart=Never --rm=true -- /bin/bash +$ sqlcmd -S {{ template "mssql.fullname" . }}.{{ .Release.Namespace }},{{ .Values.service.port }} -U sa +$ Password: + +2. Connection Library Information +https://docs.microsoft.com/en-us/sql/connect/sql-connection-libraries + +3. Connecting with JDBC +https://docs.microsoft.com/en-us/sql/connect/jdbc/connecting-to-sql-server-with-the-jdbc-driver + + diff --git a/stable/fdi-dotstatsuite/charts/mssql-linux/templates/_helpers.tpl b/stable/fdi-dotstatsuite/charts/mssql-linux/templates/_helpers.tpl new file mode 100644 index 00000000..e927d7ef --- /dev/null +++ b/stable/fdi-dotstatsuite/charts/mssql-linux/templates/_helpers.tpl @@ -0,0 +1,59 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "mssql.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "mssql.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create the name for the SA password secret. +*/}} +{{- define "mssql.secret" -}} +{{- if .Values.existingSecret -}} + {{- .Values.existingSecret -}} +{{- else -}} + {{- include "mssql.fullname" . -}}-secret +{{- end -}} +{{- end -}} + +{{/* +Create the name for the SA password secret key. +*/}} +{{- define "mssql.passwordKey" -}} +{{- if .Values.existingSecret -}} + {{- .Values.existingSecretKey -}} +{{- else -}} + sapassword +{{- end -}} +{{- end -}} + + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "deployment.apiVersion" -}} +{{- if semverCompare ">=1.9-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "apps/v1" -}} +{{- else -}} +{{- print "extensions/v1beta1" -}} +{{- end -}} +{{- end -}} diff --git a/stable/fdi-dotstatsuite/charts/mssql-linux/templates/deployment.yaml b/stable/fdi-dotstatsuite/charts/mssql-linux/templates/deployment.yaml new file mode 100644 index 00000000..ac886dc0 --- /dev/null +++ b/stable/fdi-dotstatsuite/charts/mssql-linux/templates/deployment.yaml @@ -0,0 +1,168 @@ +apiVersion: {{ template "deployment.apiVersion" . }} +kind: Deployment +metadata: + name: {{ template "mssql.fullname" . }} + labels: + app: {{ template "mssql.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- if .Values.deployment.labels }} +{{ toYaml .Values.deployment.labels | indent 4 }} +{{- end }} +{{- if .Values.deployment.annotations }} + annotations: +{{ toYaml .Values.deployment.annotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: {{ template "mssql.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + app: {{ template "mssql.name" . }} + release: {{ .Release.Name }} +{{- if .Values.pod.labels }} +{{ toYaml .Values.pod.labels | indent 8 }} +{{- end }} +{{- if .Values.pod.annotations }} + annotations: +{{ toYaml .Values.pod.annotations | indent 8 }} +{{- end }} + spec: + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: ACCEPT_EULA + value: "{{ .Values.acceptEula.value | upper }}" + - name: MSSQL_PID + value: "{{ .Values.edition.value }}" + - name: SA_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "mssql.secret" . }} + key: {{ template "mssql.passwordKey" . }} + - name: MSSQL_DATA_DIR + value: /mssql-data/data + - name: MSSQL_LOG_DIR + value: /mssql-translog/translog + - name: MSSQL_TCP_PORT + value: "{{ .Values.service.port }}" + - name: MSSQL_BACKUP_DIR + value: "/mssql-backup/backup" + - name: MSSQL_COLLATION + value: "{{ .Values.collation }}" + - name: MSSQL_LCID + value: "{{ .Values.lcid }}" + - name: MSSQL_MASTER_DATA_FILE + value: /mssql-data/master/master.mdf + - name: MSSQL_MASTER_LOG_FILE + value: /mssql-data/master/mastlog.ldf + - name: MSSQL_ENABLE_HADR + value: "{{ .Values.hadr }}" + - name: MSSQL_AGENT_ENABLED + value: {{ .Values.agent.enabled | quote }} + {{ if .Values.resources.limits.memory }} + - name: MSSQL_MEMORY_LIMIT_MB + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: 1Mi + {{ end }} + ports: + - name: mssql + containerPort: {{ .Values.service.port }} + volumeMounts: + - name: data + mountPath: /mssql-data/data + - name: transactionlog + mountPath: /mssql-translog/translog + - name: backup + mountPath: /mssql-backup/backup + - name: master + mountPath: /mssql-data/master + livenessProbe: + tcpSocket: + port: mssql + initialDelaySeconds: {{ .Values.livenessprobe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessprobe.periodSeconds }} + readinessProbe: + tcpSocket: + port: mssql + initialDelaySeconds: {{ .Values.readinessprobe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessprobe.periodSeconds }} + resources: +{{ toYaml .Values.resources | indent 12 }} + {{- if .Values.image.pullSecrets }} + imagePullSecrets: +{{ toYaml .Values.image.pullSecrets | indent 8 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 8 }} + {{- end }} + {{- if .Values.securityContext }} + securityContext: +{{ toYaml .Values.securityContext | indent 8 }} + {{- end }} + volumes: + - name: data + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + {{- if .Values.persistence.existingDataClaim }} + claimName: {{ .Values.persistence.existingDataClaim }} + {{- else }} + claimName: {{ template "mssql.fullname" . }}-data + {{- end -}} + {{- else }} + emptyDir: {} + {{- end }} + - name: transactionlog + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + {{- if .Values.persistence.existingTransactionLogClaim }} + claimName: {{ .Values.persistence.existingTransactionLogClaim }} + {{- else }} + claimName: {{ template "mssql.fullname" . }}-translog + {{- end }} + {{- else }} + emptyDir: {} + {{- end }} + - name: backup + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + {{- if .Values.persistence.existingBackupClaim }} + claimName: {{ .Values.persistence.existingBackupClaim }} + {{- else }} + claimName: {{ template "mssql.fullname" . }}-backup + {{- end }} + {{- else }} + emptyDir: {} + {{- end }} + - name: master + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + {{- if .Values.persistence.existingMasterClaim }} + claimName: {{ .Values.persistence.existingMasterClaim }} + {{- else }} + claimName: {{ template "mssql.fullname" . }}-master + {{- end }} + {{- else }} + emptyDir: {} + {{- end }} diff --git a/stable/fdi-dotstatsuite/charts/mssql-linux/templates/pvc-backup.yaml b/stable/fdi-dotstatsuite/charts/mssql-linux/templates/pvc-backup.yaml new file mode 100644 index 00000000..b2c078c7 --- /dev/null +++ b/stable/fdi-dotstatsuite/charts/mssql-linux/templates/pvc-backup.yaml @@ -0,0 +1,28 @@ +{{- if and .Values.persistence.enabled (not .Values.persistence.existingBackupClaim) }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "mssql.fullname" . }}-backup + labels: + app: {{ template "mssql.fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +{{- if .Values.persistence.annotations }} + annotations: +{{ toYaml .Values.persistence.annotations | indent 4 }} +{{- end }} +spec: + accessModes: + - {{ .Values.persistence.backupAccessMode | quote }} + resources: + requests: + storage: {{ .Values.persistence.backupSize | quote }} +{{- if .Values.persistence.storageClass }} +{{- if (eq "-" .Values.persistence.storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: "{{ .Values.persistence.storageClass }}" +{{- end }} +{{- end }} +{{- end -}} \ No newline at end of file diff --git a/stable/fdi-dotstatsuite/charts/mssql-linux/templates/pvc-data.yaml b/stable/fdi-dotstatsuite/charts/mssql-linux/templates/pvc-data.yaml new file mode 100644 index 00000000..0facb7c5 --- /dev/null +++ b/stable/fdi-dotstatsuite/charts/mssql-linux/templates/pvc-data.yaml @@ -0,0 +1,28 @@ +{{- if and .Values.persistence.enabled (not .Values.persistence.existingDataClaim) }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "mssql.fullname" . }}-data + labels: + app: {{ template "mssql.fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +{{- if .Values.persistence.annotations }} + annotations: +{{ toYaml .Values.persistence.annotations | indent 4 }} +{{- end }} +spec: + accessModes: + - {{ .Values.persistence.dataAccessMode | quote }} + resources: + requests: + storage: {{ .Values.persistence.dataSize | quote }} +{{- if .Values.persistence.storageClass }} +{{- if (eq "-" .Values.persistence.storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: "{{ .Values.persistence.storageClass }}" +{{- end }} +{{- end }} +{{- end -}} diff --git a/stable/fdi-dotstatsuite/charts/mssql-linux/templates/pvc-master.yaml b/stable/fdi-dotstatsuite/charts/mssql-linux/templates/pvc-master.yaml new file mode 100644 index 00000000..6a44253b --- /dev/null +++ b/stable/fdi-dotstatsuite/charts/mssql-linux/templates/pvc-master.yaml @@ -0,0 +1,28 @@ +{{- if and .Values.persistence.enabled (not .Values.persistence.existingMasterClaim) }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "mssql.fullname" . }}-master + labels: + app: {{ template "mssql.fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +{{- if .Values.persistence.annotations }} + annotations: +{{ toYaml .Values.persistence.annotations | indent 4 }} +{{- end }} +spec: + accessModes: + - {{ .Values.persistence.masterAccessMode | quote }} + resources: + requests: + storage: {{ .Values.persistence.masterSize | quote }} +{{- if .Values.persistence.storageClass }} +{{- if (eq "-" .Values.persistence.storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: "{{ .Values.persistence.storageClass }}" +{{- end }} +{{- end }} +{{- end -}} \ No newline at end of file diff --git a/stable/fdi-dotstatsuite/charts/mssql-linux/templates/pvc-tranlog.yaml b/stable/fdi-dotstatsuite/charts/mssql-linux/templates/pvc-tranlog.yaml new file mode 100644 index 00000000..21abc242 --- /dev/null +++ b/stable/fdi-dotstatsuite/charts/mssql-linux/templates/pvc-tranlog.yaml @@ -0,0 +1,28 @@ +{{- if and .Values.persistence.enabled (not .Values.persistence.existingTransactionLogClaim) }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "mssql.fullname" . }}-translog + labels: + app: {{ template "mssql.fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +{{- if .Values.persistence.annotations }} + annotations: +{{ toYaml .Values.persistence.annotations | indent 4 }} +{{- end }} +spec: + accessModes: + - {{ .Values.persistence.transactionLogAccessMode | quote }} + resources: + requests: + storage: {{ .Values.persistence.transactionLogSize | quote }} +{{- if .Values.persistence.storageClass }} +{{- if (eq "-" .Values.persistence.storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: "{{ .Values.persistence.storageClass }}" +{{- end }} +{{- end }} +{{- end -}} \ No newline at end of file diff --git a/stable/fdi-dotstatsuite/charts/mssql-linux/templates/secret.yaml b/stable/fdi-dotstatsuite/charts/mssql-linux/templates/secret.yaml new file mode 100644 index 00000000..3ce19892 --- /dev/null +++ b/stable/fdi-dotstatsuite/charts/mssql-linux/templates/secret.yaml @@ -0,0 +1,18 @@ +{{- if not .Values.existingSecret -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "mssql.fullname" . }}-secret + labels: + app: {{ template "mssql.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +type: Opaque +data: + {{ if .Values.sapassword }} + sapassword: {{ .Values.sapassword | b64enc | quote }} + {{ else }} + sapassword: {{ randAlphaNum 20 | b64enc | quote }} + {{ end }} +{{- end -}} diff --git a/stable/fdi-dotstatsuite/charts/mssql-linux/templates/service.yaml b/stable/fdi-dotstatsuite/charts/mssql-linux/templates/service.yaml new file mode 100644 index 00000000..c6616968 --- /dev/null +++ b/stable/fdi-dotstatsuite/charts/mssql-linux/templates/service.yaml @@ -0,0 +1,37 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "mssql.fullname" . }} + labels: + app: {{ template "mssql.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- if .Values.service.labels }} +{{ toYaml .Values.service.labels | indent 4 }} +{{- end }} +{{- if .Values.service.annotations }} + annotations: +{{ toYaml .Values.service.annotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.service.headless }} + type: ClusterIP + clusterIP: None + {{- else }} + type: {{ .Values.service.type }} + {{- end }} + {{- if (and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP))) }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + ports: + - name: mssql + port: {{ .Values.service.port }} + targetPort: mssql + {{- if and (eq "NodePort" .Values.service.type) .Values.service.nodePort }} + nodePort: {{ .Values.service.nodePort }} + {{- end }} + protocol: TCP + selector: + app: {{ template "mssql.name" . }} + release: {{ .Release.Name }} diff --git a/stable/fdi-dotstatsuite/charts/mssql-linux/values.yaml b/stable/fdi-dotstatsuite/charts/mssql-linux/values.yaml new file mode 100644 index 00000000..29c14643 --- /dev/null +++ b/stable/fdi-dotstatsuite/charts/mssql-linux/values.yaml @@ -0,0 +1,79 @@ +acceptEula: + value: "n" +edition: + value: Express +collation: SQL_Latin1_General_CP1_CI_AS +lcid: 1033 +hadr: 0 +agent: + enabled: false +# Override sapassword in templates/secret.yaml +# sapassword: "MyStrongPassword1234" +existingSecret: "" +existingSecretKey: sapassword +image: + repository: microsoft/mssql-server-linux + tag: 2017-CU5 + pullPolicy: IfNotPresent + ## It is possible to specify docker registry credentials + ## See https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod + # pullSecrets: + # - name: regsecret + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: "default-scheduler" + +service: + # If headless is set to TRUE then the service type is ignored + headless: false + type: ClusterIP + port: 1433 + nodePort: + annotations: {} + labels: {} + loadBalancerIP: +deployment: + annotations: {} + labels: {} +pod: + annotations: {} + labels: {} +persistence: + enabled: true + # existingDataClaim: + # existingTransactionLogClaim: + # existingBackupClaim: + # existingMasterClaim: + storageClass: "" + dataAccessMode: ReadWriteOnce + dataSize: 1Gi + transactionLogAccessMode: ReadWriteOnce + transactionLogSize: 1Gi + backupAccessMode: ReadWriteOnce + backupSize: 1Gi + masterAccessMode: ReadWriteOnce + masterSize: 1Gi +livenessprobe: + initialDelaySeconds: 15 + periodSeconds: 20 +readinessprobe: + initialDelaySeconds: 5 + periodSeconds: 10 +resources: + limits: + # cpu: 100m + memory: 2Gi + # requests: + # cpu: 100m + # memory: 2Gi +nodeSelector: {} + # kubernetes.io/hostname: minikube + +tolerations: [] + +affinity: {} + +securityContext: {} + # runAsUser: 1000 diff --git a/stable/fdi-dotstatsuite/templates/cm/authz.yaml b/stable/fdi-dotstatsuite/templates/cm/authz.yaml index 5b68e83a..165b2f2b 100644 --- a/stable/fdi-dotstatsuite/templates/cm/authz.yaml +++ b/stable/fdi-dotstatsuite/templates/cm/authz.yaml @@ -8,8 +8,8 @@ data: auth__allowAnonymous: 'true' auth__authority: "{{ .Values.managed.azuread.authority }}" auth__authorizationUrl: "{{ .Values.managed.azuread.authorizationUrl }}" - auth__claimsMapping__email: upn - auth__claimsMapping__groups: roles + auth__claimsMapping__email: {{ default "upn" .Values.managed.azuread.claimsMapping__email | quote }} + auth__claimsMapping__groups: {{ default "roles" .Values.managed.azuread.claimsMapping__groups | quote }} auth__clientId: "{{ .Values.managed.azuread.clientId }}" auth__enabled: 'true' auth__requireHttps: 'false' diff --git a/stable/fdi-dotstatsuite/templates/deploy/nsidesign.yaml b/stable/fdi-dotstatsuite/templates/deploy/nsidesign.yaml index c96826e4..a3cfaf0d 100644 --- a/stable/fdi-dotstatsuite/templates/deploy/nsidesign.yaml +++ b/stable/fdi-dotstatsuite/templates/deploy/nsidesign.yaml @@ -82,17 +82,17 @@ spec: - name: SQL_PASSWORD value: $(DESIGN_STRUCTURE_PASSWORD) - name: SENDER_ID - value: "Stable - DotStat v8" + value: {{ default "Stable - DotStat v8" .Values.nsiDesign.sender_id | quote }} - name: MA_SQL_USER value: $(SA_USER) - name: MA_SQL_PASSWORD value: $(SA_PASSWORD) - name: MA_ALWAYS_RESET - value: "N" + value: {{ default "N" .Values.nsiDesign.reset | quote }} - name: INSERT_NEW_ITEM_SCHEME_VALUES - value: "true" + value: {{ default "true" .Values.nsiDesign.allow_insert_new_value | quote }} - name: enableReleaseManagement - value: "true" + value: {{ default "true" .Values.nsiDesign.enableReleaseManagement | quote }} - name: "mappingStore__Id__Default" value: "{{ .Values.nsiDesign.dataspace }}" - name: disseminationDbConnection__dbType diff --git a/stable/fdi-dotstatsuite/templates/deploy/nsireset.yaml b/stable/fdi-dotstatsuite/templates/deploy/nsireset.yaml index 870770aa..0d227458 100644 --- a/stable/fdi-dotstatsuite/templates/deploy/nsireset.yaml +++ b/stable/fdi-dotstatsuite/templates/deploy/nsireset.yaml @@ -83,17 +83,17 @@ spec: - name: SQL_PASSWORD value: $(RESET_STRUCTURE_PASSWORD) - name: SENDER_ID - value: "Stable - DotStat v8" + value: {{ default "Stable - DotStat v8" .Values.nsiReset.enableReleaseManagement | quote }} - name: MA_SQL_USER value: $(SA_USER) - name: MA_SQL_PASSWORD value: $(SA_PASSWORD) - name: MA_ALWAYS_RESET - value: "Y" + value: {{ default "N" .Values.nsiReset.reset | quote }} - name: INSERT_NEW_ITEM_SCHEME_VALUES - value: "true" + value: {{ default "true" .Values.nsiReset.allow_insert_new_value | quote }} - name: enableReleaseManagement - value: "true" + value: {{ default "true" .Values.nsiReset.enableReleaseManagement | quote }} - name: "mappingStore__Id__Default" value: "{{ .Values.nsiReset.dataspace }}" - name: disseminationDbConnection__dbType diff --git a/stable/fdi-dotstatsuite/templates/deploy/nsistable.yaml b/stable/fdi-dotstatsuite/templates/deploy/nsistable.yaml index 309f0096..9795d50a 100644 --- a/stable/fdi-dotstatsuite/templates/deploy/nsistable.yaml +++ b/stable/fdi-dotstatsuite/templates/deploy/nsistable.yaml @@ -82,17 +82,17 @@ spec: - name: SQL_PASSWORD value: $(STABLE_STRUCTURE_PASSWORD) - name: SENDER_ID - value: "Stable - DotStat v8" + value: {{ default "Stable - DotStat v8" .Values.nsiStable.sender_id | quote }} - name: MA_SQL_USER value: $(SA_USER) - name: MA_SQL_PASSWORD value: $(SA_PASSWORD) - name: MA_ALWAYS_RESET - value: "N" + value: {{ default "N" .Values.nsiStable.reset | quote }} - name: INSERT_NEW_ITEM_SCHEME_VALUES - value: "false" + value: {{ default "false" .Values.nsiStable.allow_insert_new_value | quote }} - name: enableReleaseManagement - value: "true" + value: {{ default "true" .Values.nsiStable.enableReleaseManagement | quote }} - name: "mappingStore__Id__Default" value: "{{ .Values.nsiStable.dataspace }}" - name: disseminationDbConnection__dbType diff --git a/stable/fdi-dotstatsuite/templates/deploy/nsistaging.yaml b/stable/fdi-dotstatsuite/templates/deploy/nsistaging.yaml index 3cedd443..21a85d76 100644 --- a/stable/fdi-dotstatsuite/templates/deploy/nsistaging.yaml +++ b/stable/fdi-dotstatsuite/templates/deploy/nsistaging.yaml @@ -82,17 +82,17 @@ spec: - name: SQL_PASSWORD value: $(STAGING_STRUCTURE_PASSWORD) - name: SENDER_ID - value: "Stable - DotStat v8" + value: {{ default "Stable - DotStat v8" .Values.nsiStaging.sender_id | quote }} - name: MA_SQL_USER value: $(SA_USER) - name: MA_SQL_PASSWORD value: $(SA_PASSWORD) - name: MA_ALWAYS_RESET - value: "N" + value: {{ default "N" .Values.nsiStaging.reset | quote }} - name: INSERT_NEW_ITEM_SCHEME_VALUES - value: "false" + value: {{ default "false" .Values.nsiStaging.allow_insert_new_value | quote }} - name: enableReleaseManagement - value: "true" + value: {{ default "true" .Values.nsiStaging.enableReleaseManagement | quote }} - name: "mappingStore__Id__Default" value: "{{ .Values.nsiStaging.dataspace }}" - name: disseminationDbConnection__dbType diff --git a/stable/fdi-dotstatsuite/templates/deploy/transfer.yaml b/stable/fdi-dotstatsuite/templates/deploy/transfer.yaml index 52419eb6..85875233 100644 --- a/stable/fdi-dotstatsuite/templates/deploy/transfer.yaml +++ b/stable/fdi-dotstatsuite/templates/deploy/transfer.yaml @@ -40,6 +40,10 @@ spec: - mountPath: "/app/logs" name: "sdmx-logs" {{- end}} + {{- if .Values.transfer.data_loading_on_server.enabled }} + - mountPath: "/app/data" + name: "sdmx-loading-path" + {{- end}} {{- if .Values.transfer.log4net_config.enabled }} - mountPath: /app/config/log4net.config name: transfer-log4net @@ -115,15 +119,15 @@ spec: key: password {{- end }} - name: "MaxTransferErrorAmount" - value: "0" + value: {{ default "10" .Values.transfer.MaxTransferErrorAmount | quote }} - name: "MaxTextAttributeLength" - value: "150" + value: {{ default "150" .Values.transfer.MaxTextAttributeLength | quote }} - name: "MinPercentageDiskSpace" - value: "10" + value: {{ default "10" .Values.transfer.MinPercentageDiskSpace | quote }} - name: "DefaultLanguageCode" - value: "en" + value: {{ default "en" .Values.transfer.DefaultLanguageCode | quote }} - name: "ShowAdvanceDbHealthInfo" - value: "false" + value: {{ default "false" .Values.transfer.ShowAdvanceDbHealthInfo | quote }} - name: "SmtpHost" value: "{{ .Values.managed.smtp.host }}" - name: "SmtpPort" @@ -146,9 +150,11 @@ spec: - name: "SpacesInternal__0__DotStatSuiteCoreDataDbConnectionString" value: "Server={{ template "dotstatsuite.databaseHost" . }};Database=$(STABLE_DATA_DB);User=$(STABLE_DATA_USER);Password=$(STABLE_DATA_PASSWORD);" - name: "SpacesInternal__0__DataImportTimeOutInMinutes" - value: "{{ .Values.transfer.dataImportTimeOutInMinutes }}" + value: "{{ default 1440 .Values.transfer.dataImportTimeOutInMinutes }}" - name: "SpacesInternal__0__DatabaseCommandTimeoutInSec" - value: "{{ .Values.transfer.databaseCommandTimeoutInSec }}" + value: "{{ default 18000 .Values.transfer.databaseCommandTimeoutInSec }}" + - name: "SpacesInternal__0__NotifyImportBatchSize" + value: "{{ default 1000000 .Values.transfer.NotifyImportBatchSize }}" - name: "SpacesInternal__0__AutoLog2DB" value: "{{ .Values.transfer.autoLog2DB }}" - name: "SpacesInternal__0__AutoLog2DBLogLevel" @@ -162,9 +168,11 @@ spec: - name: "SpacesInternal__1__DotStatSuiteCoreDataDbConnectionString" value: "Server={{ template "dotstatsuite.databaseHost" . }};Database=$(RESET_DATA_DB);User=$(RESET_DATA_USER);Password=$(RESET_DATA_PASSWORD);" - name: "SpacesInternal__1__DataImportTimeOutInMinutes" - value: "{{ .Values.transfer.dataImportTimeOutInMinutes }}" + value: "{{ default 1440 .Values.transfer.dataImportTimeOutInMinutes }}" - name: "SpacesInternal__1__DatabaseCommandTimeoutInSec" - value: "{{ .Values.transfer.databaseCommandTimeoutInSec }}" + value: "{{ default 18000 .Values.transfer.databaseCommandTimeoutInSec }}" + - name: "SpacesInternal__1__NotifyImportBatchSize" + value: "{{ default 1000000 .Values.transfer.NotifyImportBatchSize }}" - name: "SpacesInternal__1__AutoLog2DB" value: "{{ .Values.transfer.autoLog2DB }}" - name: "SpacesInternal__1__AutoLog2DBLogLevel" @@ -178,9 +186,11 @@ spec: - name: "SpacesInternal__2__DotStatSuiteCoreDataDbConnectionString" value: "Server={{ template "dotstatsuite.databaseHost" . }};Database=$(DESIGN_DATA_DB);User=$(DESIGN_DATA_USER);Password=$(DESIGN_DATA_PASSWORD);" - name: "SpacesInternal__2__DataImportTimeOutInMinutes" - value: "{{ .Values.transfer.dataImportTimeOutInMinutes }}" + value: "{{ default 1440 .Values.transfer.dataImportTimeOutInMinutes }}" - name: "SpacesInternal__2__DatabaseCommandTimeoutInSec" - value: "{{ .Values.transfer.databaseCommandTimeoutInSec }}" + value: "{{ default 18000 .Values.transfer.databaseCommandTimeoutInSec }}" + - name: "SpacesInternal__2__NotifyImportBatchSize" + value: "{{ default 1000000 .Values.transfer.NotifyImportBatchSize }}" - name: "SpacesInternal__2__AutoLog2DB" value: "{{ .Values.transfer.autoLog2DB }}" - name: "SpacesInternal__2__AutoLog2DBLogLevel" @@ -194,9 +204,11 @@ spec: - name: "SpacesInternal__3__DotStatSuiteCoreDataDbConnectionString" value: "Server={{ template "dotstatsuite.databaseHost" . }};Database=$(STAGING_DATA_DB);User=$(STAGING_DATA_USER);Password=$(STAGING_DATA_PASSWORD);" - name: "SpacesInternal__3__DataImportTimeOutInMinutes" - value: "{{ .Values.transfer.dataImportTimeOutInMinutes }}" + value: "{{ default 1440 .Values.transfer.dataImportTimeOutInMinutes }}" - name: "SpacesInternal__3__DatabaseCommandTimeoutInSec" - value: "{{ .Values.transfer.databaseCommandTimeoutInSec }}" + value: "{{ default 18000 .Values.transfer.databaseCommandTimeoutInSec }}" + - name: "SpacesInternal__3__NotifyImportBatchSize" + value: "{{ default 1000000 .Values.transfer.NotifyImportBatchSize }}" - name: "SpacesInternal__3__AutoLog2DB" value: "{{ .Values.transfer.autoLog2DB }}" - name: "SpacesInternal__3__AutoLog2DBLogLevel" @@ -219,6 +231,12 @@ spec: shareName: {{ .Values.transfer.sdmx_logs.logShareName }} name: "sdmx-logs" {{- end }} + {{- if .Values.transfer.data_loading_on_server.enabled }} + - azureFile: + secretName: {{ .Values.fullnameOverride }}-sdmx-data-loading-secret + shareName: {{ .Values.transfer.data_loading_on_server.path }} + name: "sdmx-loading-path" + {{- end }} {{- if .Values.transfer.log4net_config.enabled }} - name: transfer-log4net configMap: diff --git a/stable/fdi-dotstatsuite/templates/secret/sdmx-log-secret.yaml b/stable/fdi-dotstatsuite/templates/secret/sdmx-log-secret.yaml index f1eb0e7f..d5f5d2ef 100644 --- a/stable/fdi-dotstatsuite/templates/secret/sdmx-log-secret.yaml +++ b/stable/fdi-dotstatsuite/templates/secret/sdmx-log-secret.yaml @@ -1,4 +1,4 @@ -{{- if or .Values.nsiStaging.sdmx_logs.enabled .Values.nsiReset.sdmx_logs.enabled}} +{{- if or .Values.nsiStaging.sdmx_logs.enabled .Values.nsiReset.sdmx_logs.enabled .Values.nsiDesign.sdmx_logs.enabled .Values.nsiStable.sdmx_logs.enabled .Values.transfer.sdmx_logs.enabled}} apiVersion: v1 kind: Secret metadata: diff --git a/stable/fdi-dotstatsuite/templates/secret/sdmx-sdmx-data-loading-secret.yaml b/stable/fdi-dotstatsuite/templates/secret/sdmx-sdmx-data-loading-secret.yaml new file mode 100644 index 00000000..a8ced94b --- /dev/null +++ b/stable/fdi-dotstatsuite/templates/secret/sdmx-sdmx-data-loading-secret.yaml @@ -0,0 +1,10 @@ +{{- if .Values.transfer.data_loading_on_server.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.fullnameOverride }}-sdmx-data-loading-secret +type: Opaque +data: + azurestorageaccountname: {{ .Values.managed.sdmx_data.azurestorageaccountname | b64enc }} + azurestorageaccountkey: {{ .Values.managed.sdmx_data.azurestorageaccountkey | b64enc }} +{{- end }} diff --git a/stable/fdi-dotstatsuite/values.yaml b/stable/fdi-dotstatsuite/values.yaml index 4c54c566..d0fd7ea6 100644 --- a/stable/fdi-dotstatsuite/values.yaml +++ b/stable/fdi-dotstatsuite/values.yaml @@ -12,14 +12,16 @@ managed: authority: "" authorizationUrl: "" clientId: "" + claimsMapping__email: "" + claimsMapping__groups: "" database: server: "" - sapassword: "" - password: "" - sa_user: "" + sapassword: "test" + password: "test" + sa_user: "sdmxadm" smtp: username: "" - password: "" + password: "test" host: "" port: "587" enableSsl: "true" @@ -27,6 +29,9 @@ managed: sdmx_log: azurestorageaccountname: "" azurestorageaccountkey: "" + sdmx_data: + azurestorageaccountname: "" + azurestorageaccountkey: "" no_dba_scripts: "--withoutDbaScripts" image: &image repository: &repository siscc/sdmxri-nsi-maapi @@ -575,8 +580,8 @@ transfer: init_database: false - dataImportTimeOutInMinutes: 30 - databaseCommandTimeoutInSec: 1800 + dataImportTimeOutInMinutes: 4800 + databaseCommandTimeoutInSec: 14400 autoLog2DB: "true" autoLog2DBLogLevel: "Notice" @@ -586,7 +591,9 @@ transfer: name: "transfer-log4net" log4net_sqlquerylogger_level: "OFF" log4net_root_level: INFO - + data_loading_on_server: + enabled: false + path: sdmx_logs: enabled: false logShareName: "sdmx-logs" diff --git a/stable/fdi-fmr-chart/.helmignore b/stable/fdi-fmr-chart/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/stable/fdi-fmr-chart/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/stable/fdi-fmr-chart/Chart.yaml b/stable/fdi-fmr-chart/Chart.yaml new file mode 100644 index 00000000..6b6bdea9 --- /dev/null +++ b/stable/fdi-fmr-chart/Chart.yaml @@ -0,0 +1,33 @@ +apiVersion: v2 +name: fusionsuite +description: fusionsuite + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 1.0.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +appVersion: 1.16.0 + +home: https://statcan.gc.ca +sources: +- https://repo.private.example.ca/analytics-platform/discovery/fusionsuite-docker-compose +maintainers: +- name: sylus + email: william.hearn@canada.ca +- name: Zachary Seguin + email: zachary.seguin@canada.ca +engine: gotpl diff --git a/stable/fdi-fmr-chart/requirements.yaml b/stable/fdi-fmr-chart/requirements.yaml new file mode 100644 index 00000000..1de5d1ca --- /dev/null +++ b/stable/fdi-fmr-chart/requirements.yaml @@ -0,0 +1 @@ +dependencies: \ No newline at end of file diff --git a/stable/fdi-fmr-chart/templates/NOTES.txt b/stable/fdi-fmr-chart/templates/NOTES.txt new file mode 100644 index 00000000..ccf0fcea --- /dev/null +++ b/stable/fdi-fmr-chart/templates/NOTES.txt @@ -0,0 +1,33 @@ +1. Application URL for Authz: + +{{- if .Values.fusionapps.ingress.enabled }} + +{{- range $host := .Values.fusionapps.ingress.hosts }} + + {{- range .paths }} + http{{ if $.Values.fusionapps.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }} + {{- end }} + +{{- end }} + +{{- else if contains "NodePort" .Values.fusionapps.service.type }} + + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "fusionsuite.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT + +{{- else if contains "LoadBalancer" .Values.fusionapps.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "fusionsuite.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "fusionsuite.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.fusionapps.service.port }} + +{{- else if contains "ClusterIP" .Values.fusionapps.service.type }} + + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "fusionsuite.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:8080 + +{{- end }} + diff --git a/stable/fdi-fmr-chart/templates/_helpers.tpl b/stable/fdi-fmr-chart/templates/_helpers.tpl new file mode 100644 index 00000000..dd06b985 --- /dev/null +++ b/stable/fdi-fmr-chart/templates/_helpers.tpl @@ -0,0 +1,64 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "fusionsuite.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "fusionsuite.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "fusionsuite.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "fusionsuite.labels" -}} +helm.sh/chart: {{ include "fusionsuite.chart" . }} +{{ include "fusionsuite.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "fusionsuite.selectorLabels" -}} +app.kubernetes.io/name: {{ include "fusionsuite.name" . }} +app.kubernetes.io/instance: {{ include "fusionsuite.name" . }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "fusionsuite.fusionapps.serviceAccountName" -}} +{{- if .Values.fusionapps.serviceAccount.create }} +{{- default (include "fusionsuite.fullname" .) .Values.fusionapps.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.fusionapps.serviceAccount.name }} +{{- end }} +{{- end }} + diff --git a/stable/fdi-fmr-chart/templates/cm/registry.yaml b/stable/fdi-fmr-chart/templates/cm/registry.yaml new file mode 100644 index 00000000..54d95c79 --- /dev/null +++ b/stable/fdi-fmr-chart/templates/cm/registry.yaml @@ -0,0 +1,56 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ include "fusionsuite.fullname" . }}-registry +data: + fmr.properties: | + database.dialect={{ .Values.managed.registry.db_dialect }} + database.driver={{ .Values.managed.registry.db_driver }} + database.password={{ .Values.managed.registry.db_password }} + database.url=jdbc\:{{ .Values.managed.registry.db_jdbc_type }}\://{{ .Values.managed.registry.mssql_host }}\:{{ .Values.managed.registry.mssql_port }};databaseName\={{ .Values.managed.registry.db_name }} + database.useCustomString=false + database.username={{ .Values.managed.registry.db_username }} + encrypt.password ={{ .Values.managed.registry.encrypt_password }} + encrypt.salt ={{ .Values.managed.registry.encrypt_salt }} + security.password ={{ .Values.managed.registry.security_password }} + security.username ={{ .Values.managed.registry.security_username }} + fwb_config.json: | + { + "Properties": { + "server.url": "https://{{ .Values.managed.host }}/fwb" + }, + "Environments": [ + {{- range $key, $value := .Values.fwb }} + { + "id": {{ $key | quote }}, + "name": {{ $value.name | quote }}, + "api": { + "query": {{ $value.api.query | quote }}, + {{- if $value.api.delete }} + "delete": {{ $value.api.delete | quote }}, + {{- end }} + {{- if $value.api.persist | quote }} + "persist": {{ $value.api.persist | quote }}, + {{- end }} + "version": {{ $value.api.version | quote }} + }, + "auth": {{ $value.auth | quote }}, + {{- if $value.oidc }} + "oidc": { + "config": {{ $value.oidc.config | quote }}, + "clientId": {{ $value.oidc.clientId | quote }} + {{- if $value.oidc.scope }} + "scope": {{ $value.oidc.scope | quote }} + {{- end }} + }, + {{- end }} + "locale": [{{ $value.locale }}], + {{- if $value.agencies }} + "agencies": [{{ $value.agencies }}], + {{- end }} + "format": {{ $value.format | quote }} + }, + {{- end }} + ] + } + diff --git a/stable/fdi-fmr-chart/templates/cm/security.yaml b/stable/fdi-fmr-chart/templates/cm/security.yaml new file mode 100644 index 00000000..d8b0d588 --- /dev/null +++ b/stable/fdi-fmr-chart/templates/cm/security.yaml @@ -0,0 +1,80 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ include "fusionsuite.fullname" . }}-security +data: + fusion-security.properties: | + ###################################################################### + # DATABASE CONNECTION # + ###################################################################### + database.security.dialect={{ .Values.managed.security.db_dialect }} + database.security.driver={{ .Values.managed.security.db_driver }} + database.security.username={{ .Values.managed.security.db_username }} + database.security.password={{ .Values.managed.security.db_password }} + #database.security.url=jdbc:{{ .Values.managed.security.db_jdbc_type }}://{{ .Values.managed.security.mssql_host }}:{{ .Values.managed.security.mssql_port }};databaseName\={{ .Values.managed.security.db_name }}; + database.security.url=jdbc:sqlserver://dotstatsuite.database.windows.net:1433;databaseName\={{ .Values.managed.security.db_name }} + ###################################################################### + # SECURITY (HTTPS PORT REDIRECTION) # + ###################################################################### + #Auto Redirect to http: + # any - do not auto redirect + # https - auto redirect traffic coming in on http to https, requires port mapping information to be correct + requires.channel=any + + #Only required if requires.channel=https + port.http=8080 + port.https=8444 + + ###################################################################### + # CERTIFICATE AUTHENTICATION # + ###################################################################### + security.p12File= + security.p12Pass= + + ###################################################################### + # EMAIL SERVER # + ###################################################################### + mail.smtp={{ .Values.managed.smtp.host }} + mail.port={{ .Values.managed.smtp.port }} + mail.username={{ .Values.managed.smtp.username }} + mail.password={{ .Values.managed.smtp.password }} + mail.security=TLS + #mail.starttls.enable={{ .Values.managed.smtp.enableSsl }} + mail.from={{ .Values.managed.smtp.mailFrom }} + + ###################################################################### + # PASSWORD RULES # + ###################################################################### + security.password.timeouthours=2 + security.password.disallowed= + security.password.minlength=1 + security.password.minnum=-1 + security.password.minchar=-1 + security.password.minlower=-1 + security.password.minupper=-1 + security.password.illegalchars= + max.login.attempt=3 + {{- if .Values.fusionapps.ingress.enabled -}} + {{- range .Values.fusionapps.ingress.hosts }} + ###################################################################### + # STRUCTURE WEB SERVICE (ORGANISATION RETRIEVAL) # + ###################################################################### + structure.ws=CloudRegistry@https://{{ .host }}/FusionRegistry + + ###################################################################### + # GENERAL SETTINGS # + ###################################################################### + server.url=https://{{ .host }}/FusionSecurity + {{- end }} + {{ else }} + ###################################################################### + # STRUCTURE WEB SERVICE (ORGANISATION RETRIEVAL) # + ###################################################################### + structure.ws=CloudRegistry@https://{{ .Values.managed.host }}:{{ .Values.managed.port }}/FusionRegistry + + ###################################################################### + # GENERAL SETTINGS # + ###################################################################### + server.url=https://{{ .Values.managed.host }}:{{ .Values.managed.port }}/FusionSecurity + + {{- end }} \ No newline at end of file diff --git a/stable/fdi-fmr-chart/templates/deploy/apps.yaml b/stable/fdi-fmr-chart/templates/deploy/apps.yaml new file mode 100644 index 00000000..6cef0ca1 --- /dev/null +++ b/stable/fdi-fmr-chart/templates/deploy/apps.yaml @@ -0,0 +1,76 @@ +{{- if .Values.fusionapps.enabled -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "fusionsuite.fullname" . }}-fusionapps + labels: + {{- include "fusionsuite.labels" . | nindent 4 }}-fusionapps +spec: +{{- if not .Values.fusionapps.autoscaling.enabled }} + replicas: {{ .Values.fusionapps.replicaCount }} +{{- end }} + selector: + matchLabels: + {{- include "fusionsuite.selectorLabels" . | nindent 6 }}-fusionapps + template: + metadata: + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: '1433' + {{- with .Values.fusionapps.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "fusionsuite.selectorLabels" . | nindent 8 }}-fusionapps + spec: + {{- with .Values.fusionapps.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "fusionsuite.fusionapps.serviceAccountName" . }}-fusionapps + securityContext: + {{- toYaml .Values.fusionapps.podSecurityContext | nindent 8 }} + containers: + - name: {{ include "fusionsuite.fullname" . }}-fusionapps + securityContext: + {{- toYaml .Values.fusionapps.securityContext | nindent 12 }} + image: "{{ .Values.fusionapps.image.repository }}:{{ .Values.fusionapps.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.fusionapps.image.pullPolicy }} + env: + - name: TOMCAT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "fusionsuite.fullname" . }}-tomcat-password + key: password + - name: TOMCAT_USERNAME + value: {{ .Values.managed.tomcat.tomcat_username }} + ports: + - name: http + containerPort: 8080 + protocol: TCP + volumeMounts: + - name: {{ include "fusionsuite.fullname" . }}-registry + mountPath: /opt/bitnami/tomcat/MetadataTechnology/FusionRegistry + - name: {{ include "fusionsuite.fullname" . }}-security + mountPath: /opt/bitnami/tomcat/FusionSecurity + resources: + {{- toYaml .Values.fusionapps.resources | nindent 12 }} + {{- with .Values.fusionapps.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.fusionapps.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.fusionapps.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: {{ include "fusionsuite.fullname" . }}-security + configMap: + name: {{ include "fusionsuite.fullname" . }}-security + - name: {{ include "fusionsuite.fullname" . }}-registry + configMap: + name: {{ include "fusionsuite.fullname" . }}-registry +{{- end -}} diff --git a/stable/fdi-fmr-chart/templates/dr/destrule.yaml b/stable/fdi-fmr-chart/templates/dr/destrule.yaml new file mode 100644 index 00000000..24f9c16a --- /dev/null +++ b/stable/fdi-fmr-chart/templates/dr/destrule.yaml @@ -0,0 +1,16 @@ +{{- if .Values.destinationRule.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ template "fusionsuite.fullname" . }} + labels: + app: {{ template "fusionsuite.name" . }} + chart: {{ template "fusionsuite.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + host: "*.{{ .Release.Namespace }}.svc.{{ default "cluster.local" .Values.clusterDomain }}" + trafficPolicy: + tls: + mode: "{{ default "DISABLE" .Values.destinationRule.mode }}" +{{- end }} diff --git a/stable/fdi-fmr-chart/templates/hpa/apps.yaml b/stable/fdi-fmr-chart/templates/hpa/apps.yaml new file mode 100644 index 00000000..f5a8f396 --- /dev/null +++ b/stable/fdi-fmr-chart/templates/hpa/apps.yaml @@ -0,0 +1,30 @@ +{{- if .Values.fusionapps.enabled -}} +{{- if .Values.fusionapps.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "fusionsuite.fullname" . }}-fusionapps + labels: + {{- include "fusionsuite.labels" . | nindent 4 }}-fusionapps +spec: + scaleTargetRef: + apiVersion: fusionapps/v1 + kind: Deployment + name: {{ include "fusionsuite.fullname" . }}-fusionapps + minReplicas: {{ .Values.fusionapps.autoscaling.minReplicas }} + maxReplicas: {{ .Values.fusionapps.autoscaling.maxReplicas }} + metrics: + {{- if .Values.fusionapps.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.fusionapps.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.fusionapps.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.fusionapps.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} +{{- end -}} diff --git a/stable/fdi-fmr-chart/templates/ing/apps.yaml b/stable/fdi-fmr-chart/templates/ing/apps.yaml new file mode 100644 index 00000000..d8b7dad1 --- /dev/null +++ b/stable/fdi-fmr-chart/templates/ing/apps.yaml @@ -0,0 +1,46 @@ +{{- if .Values.fusionapps.enabled -}} +{{- if .Values.fusionapps.ingress.enabled -}} +{{- $fullName := include "fusionsuite.fullname" . -}} +{{- $svcPort := .Values.fusionapps.service.port -}} +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else -}} +apiVersion: extensions/v1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }}-fusionapps + labels: + {{- include "fusionsuite.labels" . | nindent 4 }}-fusionapps + {{- with .Values.fusionapps.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.fusionapps.ingress.tls }} + tls: + {{- range .Values.fusionapps.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.fusionapps.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ . }} + pathType: ImplementationSpecific + backend: + service: + name: {{ $fullName }}-fusionapps + port: + number: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/stable/fdi-fmr-chart/templates/sa/apps.yaml b/stable/fdi-fmr-chart/templates/sa/apps.yaml new file mode 100644 index 00000000..cda214a7 --- /dev/null +++ b/stable/fdi-fmr-chart/templates/sa/apps.yaml @@ -0,0 +1,14 @@ +{{- if .Values.fusionapps.enabled -}} +{{- if .Values.fusionapps.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "fusionsuite.fusionapps.serviceAccountName" . }}-fusionapps + labels: + {{- include "fusionsuite.labels" . | nindent 4 }}-fusionapps + {{- with .Values.fusionapps.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +{{- end -}} diff --git a/stable/fdi-fmr-chart/templates/secret/apps-db-registry-pwd.yaml b/stable/fdi-fmr-chart/templates/secret/apps-db-registry-pwd.yaml new file mode 100644 index 00000000..114c4397 --- /dev/null +++ b/stable/fdi-fmr-chart/templates/secret/apps-db-registry-pwd.yaml @@ -0,0 +1,7 @@ +kind: Secret +apiVersion: v1 +metadata: + name: {{ include "fusionsuite.fullname" . }}-db-registry-pwd +data: + password: {{ .Values.managed.registry.db_password | b64enc }} +type: Opaque \ No newline at end of file diff --git a/stable/fdi-fmr-chart/templates/secret/apps-tomcat-password.yaml b/stable/fdi-fmr-chart/templates/secret/apps-tomcat-password.yaml new file mode 100644 index 00000000..d1af474c --- /dev/null +++ b/stable/fdi-fmr-chart/templates/secret/apps-tomcat-password.yaml @@ -0,0 +1,7 @@ +kind: Secret +apiVersion: v1 +metadata: + name: {{ include "fusionsuite.fullname" . }}-tomcat-password +data: + password: {{ .Values.managed.tomcat.tomcat_password | b64enc }} +type: Opaque diff --git a/stable/fdi-fmr-chart/templates/svc/apps.yaml b/stable/fdi-fmr-chart/templates/svc/apps.yaml new file mode 100644 index 00000000..31f615cf --- /dev/null +++ b/stable/fdi-fmr-chart/templates/svc/apps.yaml @@ -0,0 +1,17 @@ +{{- if .Values.fusionapps.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "fusionsuite.fullname" . }}-fusionapps + labels: + {{- include "fusionsuite.labels" . | nindent 4 }}-fusionapps +spec: + type: {{ .Values.fusionapps.service.type }} + ports: + - port: {{ .Values.fusionapps.service.port }} + targetPort: http + protocol: TCP + name: http-fusionapps + selector: + {{- include "fusionsuite.selectorLabels" . | nindent 4 }}-fusionapps +{{- end -}} diff --git a/stable/fdi-fmr-chart/values.yaml b/stable/fdi-fmr-chart/values.yaml new file mode 100644 index 00000000..6ad8ef89 --- /dev/null +++ b/stable/fdi-fmr-chart/values.yaml @@ -0,0 +1,148 @@ +# Default values for fusionsuite. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# Globals +nameOverride: "" +fullnameOverride: "" +managed: + tomcat: + tomcat_password: "" + tomcat_username: "admin" + registry: + mssql_host: "172.23.224.96" + mssql_port: 1433 + db_dialect: org.hibernate.dialect.SQLServerDialect + db_driver: com.microsoft.sqlserver.jdbc.SQLServerDriver + db_jdbc_type: "sqlserver" + db_username: "sa" + #"fusion_register" + db_name: "fusion_registry" + db_password: "" + encrypt_password: "" + encrypt_salt: "" + security_password: "" + security_username: "" + # security: + # mssql_host: "172.23.224.96" + # mssql_port: 1433 + # db_dialect: org.hibernate.dialect.SQLServerDialect + # db_driver: com.microsoft.sqlserver.jdbc.SQLServerDriver + # db_jdbc_type: "sqlserver" + # db_username: "sa" + # #"fusion_securitor" + # db_password: "" + # db_name: "fusion_security" + host: "" + port: 8080 + smtp: + username: "admin@example.com" + password: "" + host: "smtp.sendgrid.net" + port: "587" + enableSsl: "true" + mailFrom: "build@siscc.org" + +# Apps +fusionapps: + enabled: true + replicaCount: 1 + + ingress: + enabled: true + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.class: istio + hosts: + - host: fusionapps.dev.cloud.statcan.ca + paths: + - '/*' + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + image: + repository: artifactory.cloud.statcan.ca/docker/analytics-platform/fusionsuite + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart version. + tag: "fbded50" + + serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + + podAnnotations: {} + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + service: + type: ClusterIP + port: 8080 + + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod + ## + imagePullSecrets: + - name: + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + nodeSelector: {} + + tolerations: [] + + affinity: {} + +fwb: +- id: + name: + api: + query: + delete: + persist: + version: + auth: + oidc: + config: + clientId: + locale: + format: + + +# Destination Rule +destinationRule: + enabled: false + mode: DISABLE diff --git a/stable/fdi-hfed-scrapping-loading-portal/.helmignore b/stable/fdi-hfed-scrapping-loading-portal/.helmignore new file mode 100644 index 00000000..5d9272cd --- /dev/null +++ b/stable/fdi-hfed-scrapping-loading-portal/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ + diff --git a/stable/fdi-hfed-scrapping-loading-portal/Chart.yaml b/stable/fdi-hfed-scrapping-loading-portal/Chart.yaml new file mode 100644 index 00000000..b5c982d6 --- /dev/null +++ b/stable/fdi-hfed-scrapping-loading-portal/Chart.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +appVersion: 0.0.1 +description: The scheduled web scrapping tool +home: https://statcan.gc.ca +icon: https://www.python.org/static/img/python-logo +keywords: +- flask +- python +maintainers: +- email: Jianlong.qian@statcan.gc.ca + name: Jianlong Qian +name: fdi-hfed-scrapping-loading-portal +sources: +- https://gitlab.k8s.cloud.statcan.ca/analytics-platform/fdi-idf/metadata/metadata-tools/heft/hfed-scrapping-loading-tools-portal.git +version: 1.0.0 diff --git a/stable/fdi-hfed-scrapping-loading-portal/requirements.yaml b/stable/fdi-hfed-scrapping-loading-portal/requirements.yaml new file mode 100644 index 00000000..1de5d1ca --- /dev/null +++ b/stable/fdi-hfed-scrapping-loading-portal/requirements.yaml @@ -0,0 +1 @@ +dependencies: \ No newline at end of file diff --git a/stable/fdi-hfed-scrapping-loading-portal/templates/NOTES.txt b/stable/fdi-hfed-scrapping-loading-portal/templates/NOTES.txt new file mode 100644 index 00000000..e69de29b diff --git a/stable/fdi-hfed-scrapping-loading-portal/templates/_helpers.tpl b/stable/fdi-hfed-scrapping-loading-portal/templates/_helpers.tpl new file mode 100644 index 00000000..a88dcf0d --- /dev/null +++ b/stable/fdi-hfed-scrapping-loading-portal/templates/_helpers.tpl @@ -0,0 +1,53 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "hfed.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "hfed.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "hfed.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + + +{{/* +Common labels +*/}} +{{- define "hfed.labels" -}} +helm.sh/chart: {{ include "hfed.chart" . }} +{{ include "hfed.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "hfed.selectorLabels" -}} +app.kubernetes.io/name: {{ include "hfed.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} \ No newline at end of file diff --git a/stable/fdi-hfed-scrapping-loading-portal/templates/deploy/hfed.yaml b/stable/fdi-hfed-scrapping-loading-portal/templates/deploy/hfed.yaml new file mode 100644 index 00000000..921ea5ae --- /dev/null +++ b/stable/fdi-hfed-scrapping-loading-portal/templates/deploy/hfed.yaml @@ -0,0 +1,84 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "hfed.fullname" . }} + labels: + {{- include "hfed.labels" . | nindent 4 }} +spec: +{{- if not .Values.hfed.autoscaling.enabled }} + replicas: {{ .Values.hfed.replicaCount }} +{{- end }} + selector: + matchLabels: + {{- include "hfed.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.hfed.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "hfed.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.hfed.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.hfed.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }}-hfed + securityContext: + {{- toYaml .Values.hfed.securityContext | nindent 12 }} + image: "{{ .Values.hfed.image.repository }}:{{ .Values.hfed.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.hfed.image.pullPolicy }} + env: + - name: CLIENT_ID + value: {{ .Values.hfed.client_id }} + - name: CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ include "hfed.fullname" .}}-client-secret + key: password + - name: APPLICATION_ID + valueFrom: + secretKeyRef: + name: {{ include "hfed.fullname" . }}-application-id + key: application_id + - name: AUTHORITY_URL + value: {{ .Values.hfed.authority_url }} + - name: API_SCOPE + value: {{ .Values.hfed.api_scope }} + - name: FILE_PATH_ROOT + value: {{ .Values.hfed.file_path_root }} + - name: LOCAL_FILE_PATH_ROOT + value: {{ .Values.hfed.local_file_path_root }} + - name: DATASPACE + value: {{ .Values.hfed.dataspace }} + - name: SDMX_TRANSFER_URL + value: {{ .Values.hfed.sdmx_transfer_url }} + - name: SMTP_SERVER + value: {{ .Values.hfed.smtp.server | quote }} + - name: SMTP_USER + value: {{ .Values.hfed.smtp.user }} + - name: SMTP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "hfed.fullname" . }}-smtp-password + key: password + - name: SMTP_MAIL_FROM + value: {{ .Values.hfed.smtp.mailFrom }} + - name: SMTP_MAIL_TO + value: {{ .Values.hfed.smtp.mailTo }} + - name: SMTP_TLS + value: {{ .Values.hfed.smtp.tls }} + - name: SMTP_STARTTLS + value: {{ .Values.hfed.smtp.starttls | quote }} + volumeMounts: + - mountPath: "/hfed" + name: "hfed-fileshare-volume" + volumes: + - azureFile: + secretName: {{ include "hfed.fullname" . }}-filesystem-secret + shareName: {{ .Values.hfed.fdi_azure_filesystems_hfed_name }} + name: hfed-fileshare-volume diff --git a/stable/fdi-hfed-scrapping-loading-portal/templates/secret/hfed_application_id.yaml b/stable/fdi-hfed-scrapping-loading-portal/templates/secret/hfed_application_id.yaml new file mode 100644 index 00000000..5fccec7c --- /dev/null +++ b/stable/fdi-hfed-scrapping-loading-portal/templates/secret/hfed_application_id.yaml @@ -0,0 +1,13 @@ + +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "hfed.fullname" . }}-application-id + labels: + app.kubernetes.io/name: {{ include "hfed.fullname" . }} + helm.sh/chart: {{ include "hfed.fullname" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +type: Opaque +data: + application_id: {{ .Values.hfed.application_id | b64enc | quote }} \ No newline at end of file diff --git a/stable/fdi-hfed-scrapping-loading-portal/templates/secret/hfed_azure_filesystem-secret.yaml b/stable/fdi-hfed-scrapping-loading-portal/templates/secret/hfed_azure_filesystem-secret.yaml new file mode 100644 index 00000000..a320a87e --- /dev/null +++ b/stable/fdi-hfed-scrapping-loading-portal/templates/secret/hfed_azure_filesystem-secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "hfed.fullname" . }}-filesystem-secret +type: Opaque +data: + azurestorageaccountname: {{ .Values.hfed.fdi_azure_account_name_prod | b64enc }} + azurestorageaccountkey: {{ .Values.hfed.fdi_azure_account_key_prod | b64enc }} diff --git a/stable/fdi-hfed-scrapping-loading-portal/templates/secret/hfed_client_secret.yaml b/stable/fdi-hfed-scrapping-loading-portal/templates/secret/hfed_client_secret.yaml new file mode 100644 index 00000000..10ae4ea0 --- /dev/null +++ b/stable/fdi-hfed-scrapping-loading-portal/templates/secret/hfed_client_secret.yaml @@ -0,0 +1,13 @@ + +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "hfed.fullname" . }}-client-secret + labels: + app.kubernetes.io/name: {{ include "hfed.fullname" . }} + helm.sh/chart: {{ include "hfed.fullname" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +type: Opaque +data: + password: {{ .Values.hfed.client_secret | b64enc | quote }} \ No newline at end of file diff --git a/stable/fdi-hfed-scrapping-loading-portal/templates/secret/hfed_smtp_password.yaml b/stable/fdi-hfed-scrapping-loading-portal/templates/secret/hfed_smtp_password.yaml new file mode 100644 index 00000000..4c991ca7 --- /dev/null +++ b/stable/fdi-hfed-scrapping-loading-portal/templates/secret/hfed_smtp_password.yaml @@ -0,0 +1,13 @@ + +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "hfed.fullname" . }}-smtp-password + labels: + app.kubernetes.io/name: {{ include "hfed.fullname" . }} + helm.sh/chart: {{ include "hfed.fullname" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +type: Opaque +data: + password: {{ .Values.hfed.smtp.password | b64enc | quote }} \ No newline at end of file diff --git a/stable/fdi-hfed-scrapping-loading-portal/values.yaml b/stable/fdi-hfed-scrapping-loading-portal/values.yaml new file mode 100644 index 00000000..ab8f9ce9 --- /dev/null +++ b/stable/fdi-hfed-scrapping-loading-portal/values.yaml @@ -0,0 +1,65 @@ +# Default values for hfed-scrapping-loading. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +## Optionally specify an array of imagePullSecrets. +## Secrets must be manually created in the namespace. +## ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod +## +nameOverride: "hfed-scrapping-loading-portal" +fullnameOverride: "hfed-scrapping-loading-portal" + +hfed: + application_id: "" + replicaCount: 1 + image: + repository: artifactory.cloud.statcan.ca/docker/analytics-platform/hfed-scrapping-loading-tools-portal + tag: v1.0.0 + pullPolicy: Always + imagePullSecrets: + - name: artifactory-prod + fdi_azure_account_name_prod: stnmmfdidcm01sa + fdi_azure_account_key_prod: '' + fdi_azure_filesystems_hfed_name: hfed-hfed + client_id: e3ba6109-592b-426a-9cc8-b7b6580501b3 + client_secret: '' + authority_url: https://login.microsoftonline.com/258f1f99-ee3d-42c7-bfc5-7af1b2343e02 + api_scope: api://fdi-sdmx-prod/.default + file_path_root: '/hfed/data' + local_file_path_root: '/app/hfed/data' + sdmx_transfer_url: https://fdi-transfer-dev.dev.cloud.statcan.ca/2/import/sdmxFile + dataspace: 'dev:design-dev' + smtp: + server: 'email-smtp.ca-central-1.amazonaws.com:587' + user: '' + password: '' + mailFrom: "" + mailTo: 'jianlong.qian@statcan.gc.ca' + tls: "enabled" + starttls: "true" + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + nodeSelector: {} + + tolerations: [] + + affinity: {} From 891866146bd046f1ae31875d8c24ac1d0cfeb635 Mon Sep 17 00:00:00 2001 From: Qian Date: Wed, 20 Nov 2024 13:44:18 -0500 Subject: [PATCH 2/8] deleted some charts folders --- stable/ckan/charts/datapusher/.helmignore | 23 - stable/ckan/charts/datapusher/Chart.yaml | 6 - stable/ckan/charts/datapusher/README.md | 39 - .../charts/datapusher/templates/NOTES.txt | 21 - .../charts/datapusher/templates/_helpers.tpl | 77 -- .../datapusher/templates/deployment.yaml | 70 -- .../templates/service-headless.yaml | 13 - .../charts/datapusher/templates/service.yaml | 15 - .../datapusher/templates/serviceaccount.yaml | 12 - stable/ckan/charts/datapusher/values.yaml | 85 -- stable/ckan/charts/postgresql/.helmignore | 21 - stable/ckan/charts/postgresql/Chart.lock | 6 - stable/ckan/charts/postgresql/Chart.yaml | 29 - stable/ckan/charts/postgresql/README.md | 798 ------------- .../postgresql/charts/common/.helmignore | 22 - .../postgresql/charts/common/Chart.yaml | 23 - .../charts/postgresql/charts/common/README.md | 309 ----- .../charts/common/templates/_affinities.tpl | 94 -- .../charts/common/templates/_capabilities.tpl | 33 - .../charts/common/templates/_errors.tpl | 20 - .../charts/common/templates/_images.tpl | 43 - .../charts/common/templates/_labels.tpl | 18 - .../charts/common/templates/_names.tpl | 32 - .../charts/common/templates/_secrets.tpl | 57 - .../charts/common/templates/_storage.tpl | 23 - .../charts/common/templates/_tplvalues.tpl | 13 - .../charts/common/templates/_utils.tpl | 45 - .../charts/common/templates/_warnings.tpl | 14 - .../templates/validations/_cassandra.tpl | 72 -- .../common/templates/validations/_mariadb.tpl | 103 -- .../common/templates/validations/_mongodb.tpl | 108 -- .../templates/validations/_postgresql.tpl | 131 --- .../common/templates/validations/_redis.tpl | 72 -- .../templates/validations/_validations.tpl | 44 - .../postgresql/charts/common/values.yaml | 3 - .../postgresql/ci/commonAnnotations.yaml | 3 - .../charts/postgresql/ci/default-values.yaml | 1 - .../ci/shmvolume-disabled-values.yaml | 2 - stable/ckan/charts/postgresql/files/README.md | 1 - .../charts/postgresql/files/conf.d/README.md | 4 - .../docker-entrypoint-initdb.d/README.md | 3 - .../charts/postgresql/templates/NOTES.txt | 59 - .../charts/postgresql/templates/_helpers.tpl | 330 ------ .../postgresql/templates/configmap.yaml | 26 - .../templates/extended-config-configmap.yaml | 21 - .../postgresql/templates/extra-list.yaml | 4 - .../templates/initialization-configmap.yaml | 24 - .../templates/metrics-configmap.yaml | 13 - .../postgresql/templates/metrics-svc.yaml | 25 - .../postgresql/templates/networkpolicy.yaml | 38 - .../templates/podsecuritypolicy.yaml | 37 - .../postgresql/templates/prometheusrule.yaml | 23 - .../charts/postgresql/templates/role.yaml | 19 - .../postgresql/templates/rolebinding.yaml | 19 - .../charts/postgresql/templates/secrets.yaml | 21 - .../postgresql/templates/serviceaccount.yaml | 11 - .../postgresql/templates/servicemonitor.yaml | 33 - .../templates/statefulset-readreplicas.yaml | 410 ------- .../postgresql/templates/statefulset.yaml | 589 ---------- .../postgresql/templates/svc-headless.yaml | 27 - .../charts/postgresql/templates/svc-read.yaml | 42 - .../ckan/charts/postgresql/templates/svc.yaml | 40 - .../charts/postgresql/values-production.yaml | 791 ------------- .../ckan/charts/postgresql/values.schema.json | 103 -- stable/ckan/charts/postgresql/values.yaml | 813 ------------- stable/ckan/charts/redis/.helmignore | 21 - stable/ckan/charts/redis/Chart.lock | 6 - stable/ckan/charts/redis/Chart.yaml | 29 - stable/ckan/charts/redis/README.md | 738 ------------ .../charts/redis/charts/common/.helmignore | 22 - .../charts/redis/charts/common/Chart.yaml | 23 - .../ckan/charts/redis/charts/common/README.md | 322 ------ .../charts/common/templates/_affinities.tpl | 94 -- .../charts/common/templates/_capabilities.tpl | 95 -- .../redis/charts/common/templates/_errors.tpl | 23 - .../redis/charts/common/templates/_images.tpl | 47 - .../charts/common/templates/_ingress.tpl | 42 - .../redis/charts/common/templates/_labels.tpl | 18 - .../redis/charts/common/templates/_names.tpl | 32 - .../charts/common/templates/_secrets.tpl | 129 --- .../charts/common/templates/_storage.tpl | 23 - .../charts/common/templates/_tplvalues.tpl | 13 - .../redis/charts/common/templates/_utils.tpl | 62 - .../charts/common/templates/_warnings.tpl | 14 - .../templates/validations/_cassandra.tpl | 72 -- .../common/templates/validations/_mariadb.tpl | 103 -- .../common/templates/validations/_mongodb.tpl | 108 -- .../templates/validations/_postgresql.tpl | 131 --- .../common/templates/validations/_redis.tpl | 72 -- .../templates/validations/_validations.tpl | 46 - .../charts/redis/charts/common/values.yaml | 3 - .../ckan/charts/redis/ci/default-values.yaml | 1 - .../charts/redis/ci/extra-flags-values.yaml | 11 - .../redis/ci/production-sentinel-values.yaml | 682 ----------- .../redis/img/redis-cluster-topology.png | Bin 11448 -> 0 bytes .../ckan/charts/redis/img/redis-topology.png | Bin 9709 -> 0 bytes stable/ckan/charts/redis/templates/NOTES.txt | 136 --- .../ckan/charts/redis/templates/_helpers.tpl | 445 -------- .../redis/templates/configmap-scripts.yaml | 430 ------- .../charts/redis/templates/configmap.yaml | 53 - .../charts/redis/templates/headless-svc.yaml | 28 - .../redis/templates/health-configmap.yaml | 176 --- .../redis/templates/metrics-prometheus.yaml | 39 - .../metrics-sentinel-prometheus.yaml | 33 - .../redis/templates/metrics-sentinel-svc.yaml | 35 - .../charts/redis/templates/metrics-svc.yaml | 34 - .../charts/redis/templates/networkpolicy.yaml | 74 -- stable/ckan/charts/redis/templates/pdb.yaml | 22 - .../redis/templates/prometheusrule.yaml | 25 - stable/ckan/charts/redis/templates/psp.yaml | 43 - .../templates/redis-master-statefulset.yaml | 394 ------- .../redis/templates/redis-master-svc.yaml | 43 - .../templates/redis-node-statefulset.yaml | 556 --------- .../charts/redis/templates/redis-role.yaml | 22 - .../redis/templates/redis-rolebinding.yaml | 19 - .../redis/templates/redis-serviceaccount.yaml | 15 - .../templates/redis-slave-statefulset.yaml | 398 ------- .../redis/templates/redis-slave-svc.yaml | 43 - .../templates/redis-with-sentinel-svc.yaml | 43 - .../ckan/charts/redis/templates/secret.yaml | 15 - stable/ckan/charts/redis/values.schema.json | 168 --- stable/ckan/charts/redis/values.yaml | 1008 ----------------- stable/ckan/charts/solr/Chart.lock | 6 - stable/ckan/charts/solr/Chart.yaml | 14 - stable/ckan/charts/solr/README.md | 72 -- .../charts/solr/charts/zookeeper/.helmignore | 21 - .../charts/solr/charts/zookeeper/Chart.yaml | 17 - .../ckan/charts/solr/charts/zookeeper/OWNERS | 6 - .../charts/solr/charts/zookeeper/README.md | 145 --- .../solr/charts/zookeeper/templates/NOTES.txt | 7 - .../charts/zookeeper/templates/_helpers.tpl | 46 - .../templates/config-jmx-exporter.yaml | 19 - .../zookeeper/templates/config-script.yaml | 110 -- .../zookeeper/templates/job-chroots.yaml | 65 -- .../templates/poddisruptionbudget.yaml | 17 - .../zookeeper/templates/service-headless.yaml | 25 - .../charts/zookeeper/templates/service.yaml | 41 - .../zookeeper/templates/servicemonitors.yaml | 56 - .../zookeeper/templates/statefulset.yaml | 226 ---- .../charts/solr/charts/zookeeper/values.yaml | 295 ----- stable/ckan/charts/solr/templates/NOTES.txt | 11 - .../ckan/charts/solr/templates/_helpers.tpl | 133 --- .../solr/templates/exporter-deployment.yaml | 104 -- .../solr/templates/poddisruptionbudget.yaml | 14 - .../solr/templates/service-headless.yaml | 17 - .../ckan/charts/solr/templates/service.yaml | 19 - .../solr/templates/solr-custom-script.yaml | 13 - .../solr/templates/solr-xml-configmap.yaml | 29 - .../charts/solr/templates/statefulset.yaml | 234 ---- stable/ckan/charts/solr/values.yaml | 138 --- 150 files changed, 15205 deletions(-) delete mode 100644 stable/ckan/charts/datapusher/.helmignore delete mode 100644 stable/ckan/charts/datapusher/Chart.yaml delete mode 100644 stable/ckan/charts/datapusher/README.md delete mode 100644 stable/ckan/charts/datapusher/templates/NOTES.txt delete mode 100644 stable/ckan/charts/datapusher/templates/_helpers.tpl delete mode 100644 stable/ckan/charts/datapusher/templates/deployment.yaml delete mode 100644 stable/ckan/charts/datapusher/templates/service-headless.yaml delete mode 100644 stable/ckan/charts/datapusher/templates/service.yaml delete mode 100644 stable/ckan/charts/datapusher/templates/serviceaccount.yaml delete mode 100644 stable/ckan/charts/datapusher/values.yaml delete mode 100644 stable/ckan/charts/postgresql/.helmignore delete mode 100644 stable/ckan/charts/postgresql/Chart.lock delete mode 100644 stable/ckan/charts/postgresql/Chart.yaml delete mode 100644 stable/ckan/charts/postgresql/README.md delete mode 100644 stable/ckan/charts/postgresql/charts/common/.helmignore delete mode 100644 stable/ckan/charts/postgresql/charts/common/Chart.yaml delete mode 100644 stable/ckan/charts/postgresql/charts/common/README.md delete mode 100644 stable/ckan/charts/postgresql/charts/common/templates/_affinities.tpl delete mode 100644 stable/ckan/charts/postgresql/charts/common/templates/_capabilities.tpl delete mode 100644 stable/ckan/charts/postgresql/charts/common/templates/_errors.tpl delete mode 100644 stable/ckan/charts/postgresql/charts/common/templates/_images.tpl delete mode 100644 stable/ckan/charts/postgresql/charts/common/templates/_labels.tpl delete mode 100644 stable/ckan/charts/postgresql/charts/common/templates/_names.tpl delete mode 100644 stable/ckan/charts/postgresql/charts/common/templates/_secrets.tpl delete mode 100644 stable/ckan/charts/postgresql/charts/common/templates/_storage.tpl delete mode 100644 stable/ckan/charts/postgresql/charts/common/templates/_tplvalues.tpl delete mode 100644 stable/ckan/charts/postgresql/charts/common/templates/_utils.tpl delete mode 100644 stable/ckan/charts/postgresql/charts/common/templates/_warnings.tpl delete mode 100644 stable/ckan/charts/postgresql/charts/common/templates/validations/_cassandra.tpl delete mode 100644 stable/ckan/charts/postgresql/charts/common/templates/validations/_mariadb.tpl delete mode 100644 stable/ckan/charts/postgresql/charts/common/templates/validations/_mongodb.tpl delete mode 100644 stable/ckan/charts/postgresql/charts/common/templates/validations/_postgresql.tpl delete mode 100644 stable/ckan/charts/postgresql/charts/common/templates/validations/_redis.tpl delete mode 100644 stable/ckan/charts/postgresql/charts/common/templates/validations/_validations.tpl delete mode 100644 stable/ckan/charts/postgresql/charts/common/values.yaml delete mode 100644 stable/ckan/charts/postgresql/ci/commonAnnotations.yaml delete mode 100644 stable/ckan/charts/postgresql/ci/default-values.yaml delete mode 100644 stable/ckan/charts/postgresql/ci/shmvolume-disabled-values.yaml delete mode 100644 stable/ckan/charts/postgresql/files/README.md delete mode 100644 stable/ckan/charts/postgresql/files/conf.d/README.md delete mode 100644 stable/ckan/charts/postgresql/files/docker-entrypoint-initdb.d/README.md delete mode 100644 stable/ckan/charts/postgresql/templates/NOTES.txt delete mode 100644 stable/ckan/charts/postgresql/templates/_helpers.tpl delete mode 100644 stable/ckan/charts/postgresql/templates/configmap.yaml delete mode 100644 stable/ckan/charts/postgresql/templates/extended-config-configmap.yaml delete mode 100644 stable/ckan/charts/postgresql/templates/extra-list.yaml delete mode 100644 stable/ckan/charts/postgresql/templates/initialization-configmap.yaml delete mode 100644 stable/ckan/charts/postgresql/templates/metrics-configmap.yaml delete mode 100644 stable/ckan/charts/postgresql/templates/metrics-svc.yaml delete mode 100644 stable/ckan/charts/postgresql/templates/networkpolicy.yaml delete mode 100644 stable/ckan/charts/postgresql/templates/podsecuritypolicy.yaml delete mode 100644 stable/ckan/charts/postgresql/templates/prometheusrule.yaml delete mode 100644 stable/ckan/charts/postgresql/templates/role.yaml delete mode 100644 stable/ckan/charts/postgresql/templates/rolebinding.yaml delete mode 100644 stable/ckan/charts/postgresql/templates/secrets.yaml delete mode 100644 stable/ckan/charts/postgresql/templates/serviceaccount.yaml delete mode 100644 stable/ckan/charts/postgresql/templates/servicemonitor.yaml delete mode 100644 stable/ckan/charts/postgresql/templates/statefulset-readreplicas.yaml delete mode 100644 stable/ckan/charts/postgresql/templates/statefulset.yaml delete mode 100644 stable/ckan/charts/postgresql/templates/svc-headless.yaml delete mode 100644 stable/ckan/charts/postgresql/templates/svc-read.yaml delete mode 100644 stable/ckan/charts/postgresql/templates/svc.yaml delete mode 100644 stable/ckan/charts/postgresql/values-production.yaml delete mode 100644 stable/ckan/charts/postgresql/values.schema.json delete mode 100644 stable/ckan/charts/postgresql/values.yaml delete mode 100644 stable/ckan/charts/redis/.helmignore delete mode 100644 stable/ckan/charts/redis/Chart.lock delete mode 100644 stable/ckan/charts/redis/Chart.yaml delete mode 100644 stable/ckan/charts/redis/README.md delete mode 100644 stable/ckan/charts/redis/charts/common/.helmignore delete mode 100644 stable/ckan/charts/redis/charts/common/Chart.yaml delete mode 100644 stable/ckan/charts/redis/charts/common/README.md delete mode 100644 stable/ckan/charts/redis/charts/common/templates/_affinities.tpl delete mode 100644 stable/ckan/charts/redis/charts/common/templates/_capabilities.tpl delete mode 100644 stable/ckan/charts/redis/charts/common/templates/_errors.tpl delete mode 100644 stable/ckan/charts/redis/charts/common/templates/_images.tpl delete mode 100644 stable/ckan/charts/redis/charts/common/templates/_ingress.tpl delete mode 100644 stable/ckan/charts/redis/charts/common/templates/_labels.tpl delete mode 100644 stable/ckan/charts/redis/charts/common/templates/_names.tpl delete mode 100644 stable/ckan/charts/redis/charts/common/templates/_secrets.tpl delete mode 100644 stable/ckan/charts/redis/charts/common/templates/_storage.tpl delete mode 100644 stable/ckan/charts/redis/charts/common/templates/_tplvalues.tpl delete mode 100644 stable/ckan/charts/redis/charts/common/templates/_utils.tpl delete mode 100644 stable/ckan/charts/redis/charts/common/templates/_warnings.tpl delete mode 100644 stable/ckan/charts/redis/charts/common/templates/validations/_cassandra.tpl delete mode 100644 stable/ckan/charts/redis/charts/common/templates/validations/_mariadb.tpl delete mode 100644 stable/ckan/charts/redis/charts/common/templates/validations/_mongodb.tpl delete mode 100644 stable/ckan/charts/redis/charts/common/templates/validations/_postgresql.tpl delete mode 100644 stable/ckan/charts/redis/charts/common/templates/validations/_redis.tpl delete mode 100644 stable/ckan/charts/redis/charts/common/templates/validations/_validations.tpl delete mode 100644 stable/ckan/charts/redis/charts/common/values.yaml delete mode 100644 stable/ckan/charts/redis/ci/default-values.yaml delete mode 100644 stable/ckan/charts/redis/ci/extra-flags-values.yaml delete mode 100644 stable/ckan/charts/redis/ci/production-sentinel-values.yaml delete mode 100644 stable/ckan/charts/redis/img/redis-cluster-topology.png delete mode 100644 stable/ckan/charts/redis/img/redis-topology.png delete mode 100644 stable/ckan/charts/redis/templates/NOTES.txt delete mode 100644 stable/ckan/charts/redis/templates/_helpers.tpl delete mode 100644 stable/ckan/charts/redis/templates/configmap-scripts.yaml delete mode 100644 stable/ckan/charts/redis/templates/configmap.yaml delete mode 100644 stable/ckan/charts/redis/templates/headless-svc.yaml delete mode 100644 stable/ckan/charts/redis/templates/health-configmap.yaml delete mode 100644 stable/ckan/charts/redis/templates/metrics-prometheus.yaml delete mode 100644 stable/ckan/charts/redis/templates/metrics-sentinel-prometheus.yaml delete mode 100644 stable/ckan/charts/redis/templates/metrics-sentinel-svc.yaml delete mode 100644 stable/ckan/charts/redis/templates/metrics-svc.yaml delete mode 100644 stable/ckan/charts/redis/templates/networkpolicy.yaml delete mode 100644 stable/ckan/charts/redis/templates/pdb.yaml delete mode 100644 stable/ckan/charts/redis/templates/prometheusrule.yaml delete mode 100644 stable/ckan/charts/redis/templates/psp.yaml delete mode 100644 stable/ckan/charts/redis/templates/redis-master-statefulset.yaml delete mode 100644 stable/ckan/charts/redis/templates/redis-master-svc.yaml delete mode 100644 stable/ckan/charts/redis/templates/redis-node-statefulset.yaml delete mode 100644 stable/ckan/charts/redis/templates/redis-role.yaml delete mode 100644 stable/ckan/charts/redis/templates/redis-rolebinding.yaml delete mode 100644 stable/ckan/charts/redis/templates/redis-serviceaccount.yaml delete mode 100644 stable/ckan/charts/redis/templates/redis-slave-statefulset.yaml delete mode 100644 stable/ckan/charts/redis/templates/redis-slave-svc.yaml delete mode 100644 stable/ckan/charts/redis/templates/redis-with-sentinel-svc.yaml delete mode 100644 stable/ckan/charts/redis/templates/secret.yaml delete mode 100644 stable/ckan/charts/redis/values.schema.json delete mode 100644 stable/ckan/charts/redis/values.yaml delete mode 100644 stable/ckan/charts/solr/Chart.lock delete mode 100644 stable/ckan/charts/solr/Chart.yaml delete mode 100644 stable/ckan/charts/solr/README.md delete mode 100644 stable/ckan/charts/solr/charts/zookeeper/.helmignore delete mode 100644 stable/ckan/charts/solr/charts/zookeeper/Chart.yaml delete mode 100644 stable/ckan/charts/solr/charts/zookeeper/OWNERS delete mode 100644 stable/ckan/charts/solr/charts/zookeeper/README.md delete mode 100644 stable/ckan/charts/solr/charts/zookeeper/templates/NOTES.txt delete mode 100644 stable/ckan/charts/solr/charts/zookeeper/templates/_helpers.tpl delete mode 100644 stable/ckan/charts/solr/charts/zookeeper/templates/config-jmx-exporter.yaml delete mode 100644 stable/ckan/charts/solr/charts/zookeeper/templates/config-script.yaml delete mode 100644 stable/ckan/charts/solr/charts/zookeeper/templates/job-chroots.yaml delete mode 100644 stable/ckan/charts/solr/charts/zookeeper/templates/poddisruptionbudget.yaml delete mode 100644 stable/ckan/charts/solr/charts/zookeeper/templates/service-headless.yaml delete mode 100644 stable/ckan/charts/solr/charts/zookeeper/templates/service.yaml delete mode 100644 stable/ckan/charts/solr/charts/zookeeper/templates/servicemonitors.yaml delete mode 100644 stable/ckan/charts/solr/charts/zookeeper/templates/statefulset.yaml delete mode 100644 stable/ckan/charts/solr/charts/zookeeper/values.yaml delete mode 100644 stable/ckan/charts/solr/templates/NOTES.txt delete mode 100644 stable/ckan/charts/solr/templates/_helpers.tpl delete mode 100644 stable/ckan/charts/solr/templates/exporter-deployment.yaml delete mode 100644 stable/ckan/charts/solr/templates/poddisruptionbudget.yaml delete mode 100644 stable/ckan/charts/solr/templates/service-headless.yaml delete mode 100644 stable/ckan/charts/solr/templates/service.yaml delete mode 100644 stable/ckan/charts/solr/templates/solr-custom-script.yaml delete mode 100644 stable/ckan/charts/solr/templates/solr-xml-configmap.yaml delete mode 100644 stable/ckan/charts/solr/templates/statefulset.yaml delete mode 100644 stable/ckan/charts/solr/values.yaml diff --git a/stable/ckan/charts/datapusher/.helmignore b/stable/ckan/charts/datapusher/.helmignore deleted file mode 100644 index 0e8a0eb3..00000000 --- a/stable/ckan/charts/datapusher/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/stable/ckan/charts/datapusher/Chart.yaml b/stable/ckan/charts/datapusher/Chart.yaml deleted file mode 100644 index e6fd31d2..00000000 --- a/stable/ckan/charts/datapusher/Chart.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v2 -appVersion: 0.0.17 -description: CKAN Datapusher helm chart -name: datapusher -type: application -version: 1.0.0 diff --git a/stable/ckan/charts/datapusher/README.md b/stable/ckan/charts/datapusher/README.md deleted file mode 100644 index 0422cdff..00000000 --- a/stable/ckan/charts/datapusher/README.md +++ /dev/null @@ -1,39 +0,0 @@ -datapusher -========== - -CKAN Datapusher helm chart - -## Chart Values - -| Key | Type | Default | Description | -|---------------------------------------|--------|-----------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| affinity | object | `{}` | | -| datapusher.chunkSize | string | `"16384"` | Size of chunks of the data that is being downloaded in bytes | -| datapusher.datapusherRewriteResources | string | `"True"` | Enable or disable (boolean) whether datapusher should rewrite resources uploaded to CKAN's filestore, since datapusher takes the CKAN Site URL value for generating the resource URL. Default: False | -| datapusher.datapusherRewriteUrl | string | `"http://ckan"` | | -| datapusher.datapusherSslVerify | string | `"False"` | Enable or disable (boolean) verification of SSL when trying to get resources. Default: True | -| datapusher.downloadTimeout | string | `"30"` | Timeout limit of the download request | -| datapusher.insertRows | string | `"250"` | Number of rows to take from the data and upload them as chunks to datastore | -| datapusher.maxContentLength | string | `"10485760"` | Maximum size of content to be uploaded in bytes. | -| fullnameOverride | string | `""` | | -| image.pullPolicy | string | `"IfNotPresent"` | | -| image.repository | string | `"keitaro/ckan-datapusher"` | | -| image.tag | string | `"0.0.17"` | | -| imagePullSecrets | list | `[]` | | -| ingress.annotations | object | `{}` | | -| ingress.enabled | bool | `false` | | -| ingress.hosts[0].host | string | `"chart-example.local"` | | -| ingress.hosts[0].paths | list | `[]` | | -| ingress.tls | list | `[]` | | -| nameOverride | string | `""` | | -| nodeSelector | object | `{}` | | -| podSecurityContext | object | `{}` | | -| replicaCount | int | `1` | | -| resources | object | `{}` | | -| securityContext | object | `{}` | | -| service.port | int | `8000` | | -| service.type | string | `"ClusterIP"` | | -| serviceAccount.annotations | object | `{}` | | -| serviceAccount.create | bool | `true` | | -| serviceAccount.name | string | `nil` | | -| tolerations | list | `[]` | | diff --git a/stable/ckan/charts/datapusher/templates/NOTES.txt b/stable/ckan/charts/datapusher/templates/NOTES.txt deleted file mode 100644 index eb5f2633..00000000 --- a/stable/ckan/charts/datapusher/templates/NOTES.txt +++ /dev/null @@ -1,21 +0,0 @@ -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range $host := .Values.ingress.hosts }} - {{- range .paths }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }} - {{- end }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "datapusher.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "datapusher.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "datapusher.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") - echo http://$SERVICE_IP:{{ .Values.service.port }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "datapusher.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80 -{{- end }} diff --git a/stable/ckan/charts/datapusher/templates/_helpers.tpl b/stable/ckan/charts/datapusher/templates/_helpers.tpl deleted file mode 100644 index bc85c157..00000000 --- a/stable/ckan/charts/datapusher/templates/_helpers.tpl +++ /dev/null @@ -1,77 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "datapusher.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "datapusher.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "datapusher.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Common labels -*/}} -{{- define "datapusher.labels" -}} -helm.sh/chart: {{ include "datapusher.chart" . }} -{{ include "datapusher.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end -}} - -{{/* -Selector labels -*/}} -{{- define "datapusher.selectorLabels" -}} -app.kubernetes.io/name: {{ include "datapusher.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end -}} - -{{/* -Define the name of the headless service for solr -*/}} -{{- define "datapusher.headless-service-name" -}} -{{- printf "%s-%s" (include "datapusher.fullname" .) "headless" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Define the name of the client service for solr -*/}} -{{- define "datapusher.service-name" -}} -{{- printf "%s-%s" (include "datapusher.fullname" .) "svc" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create the name of the service account to use -*/}} -{{- define "datapusher.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "datapusher.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/datapusher/templates/deployment.yaml b/stable/ckan/charts/datapusher/templates/deployment.yaml deleted file mode 100644 index 56f0e8c2..00000000 --- a/stable/ckan/charts/datapusher/templates/deployment.yaml +++ /dev/null @@ -1,70 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "datapusher.fullname" . }} - labels: - {{- include "datapusher.labels" . | nindent 4 }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - {{- include "datapusher.selectorLabels" . | nindent 6 }} - template: - metadata: - labels: - {{- include "datapusher.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "datapusher.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - ports: - - name: http - containerPort: 8000 - protocol: TCP - env: - - name: DATAPUSHER_MAX_CONTENT_LENGTH - value: {{ .Values.datapusher.maxContentLength | quote }} - - name: DATAPUSHER_CHUNK_SIZE - value: {{ .Values.datapusher.chunkSize | quote }} - - name: DATAPUSHER_CHUNK_INSERT_ROWS - value: {{ .Values.datapusher.insertRows | quote }} - - name: DATAPUSHER_DOWNLOAD_TIMEOUT - value: {{ .Values.datapusher.downloadTimeout | quote }} - - name: DATAPUSHER_SSL_VERIFY - value: {{ .Values.datapusher.datapusherSslVerify | quote }} - - name: DATAPUSHER_REWRITE_RESOURCES - value: {{ .Values.datapusher.datapusherRewriteResources | quote }} - - name: DATAPUSHER_REWRITE_URL - value: {{ .Values.datapusher.datapusherRewriteUrl | quote }} - livenessProbe: - httpGet: - path: / - port: http - readinessProbe: - httpGet: - path: / - port: http - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/stable/ckan/charts/datapusher/templates/service-headless.yaml b/stable/ckan/charts/datapusher/templates/service-headless.yaml deleted file mode 100644 index cc68df78..00000000 --- a/stable/ckan/charts/datapusher/templates/service-headless.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: "v1" -kind: "Service" -metadata: - name: "{{ include "datapusher.headless-service-name" . }}" - labels: - {{- include "datapusher.labels" . | nindent 4 }} -spec: - clusterIP: "None" - ports: - - port: {{ .Values.service.port }} - name: "datapusher-headless" - selector: - {{- include "datapusher.selectorLabels" . | nindent 4 }} diff --git a/stable/ckan/charts/datapusher/templates/service.yaml b/stable/ckan/charts/datapusher/templates/service.yaml deleted file mode 100644 index 07ab6eaf..00000000 --- a/stable/ckan/charts/datapusher/templates/service.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "datapusher.service-name" . }} - labels: - {{- include "datapusher.labels" . | nindent 4 }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http - selector: - {{- include "datapusher.selectorLabels" . | nindent 4 }} diff --git a/stable/ckan/charts/datapusher/templates/serviceaccount.yaml b/stable/ckan/charts/datapusher/templates/serviceaccount.yaml deleted file mode 100644 index 9d23c1e2..00000000 --- a/stable/ckan/charts/datapusher/templates/serviceaccount.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "datapusher.serviceAccountName" . }} - labels: - {{- include "datapusher.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end -}} diff --git a/stable/ckan/charts/datapusher/values.yaml b/stable/ckan/charts/datapusher/values.yaml deleted file mode 100644 index 4b130a1c..00000000 --- a/stable/ckan/charts/datapusher/values.yaml +++ /dev/null @@ -1,85 +0,0 @@ -# Default values for datapusher. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 1 - -image: - repository: keitaro/ckan-datapusher - tag: 0.0.17 - pullPolicy: IfNotPresent - -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" - -datapusher: - # datapusher.maxContentLength -- Maximum size of content to be uploaded in bytes. - maxContentLength: "10485760" - # datapusher.chunkSize -- Size of chunks of the data that is being downloaded in bytes - chunkSize: "16384" - # datapusher.insertRows -- Number of rows to take from the data and upload them as chunks to datastore - insertRows: "250" - # datapusher.downloadTimeout -- Timeout limit of the download request - downloadTimeout: "30" - # datapusher.datapusherSslVerify -- Enable or disable (boolean) verification of SSL when trying to get resources. Default: True - datapusherSslVerify: "False" - # datapusher.datapusherRewriteResources -- Enable or disable (boolean) whether datapusher should rewrite resources uploaded to CKAN's filestore, since datapusher takes the CKAN Site URL value for generating the resource URL. Default: False - datapusherRewriteResources: "True" - # Sets the rewrite URL that datapushed will rewrite resources that are uploaded to CKAN's filestore. Default: http://ckan:5000 - datapusherRewriteUrl: http://ckan - -serviceAccount: - # Specifies whether a service account should be created - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: - -podSecurityContext: {} - # fsGroup: 2000 - -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - -service: - type: ClusterIP - port: 8000 - -ingress: - enabled: false - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: chart-example.local - paths: [] - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -nodeSelector: {} - -tolerations: [] - -affinity: {} diff --git a/stable/ckan/charts/postgresql/.helmignore b/stable/ckan/charts/postgresql/.helmignore deleted file mode 100644 index f0c13194..00000000 --- a/stable/ckan/charts/postgresql/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/stable/ckan/charts/postgresql/Chart.lock b/stable/ckan/charts/postgresql/Chart.lock deleted file mode 100644 index 00ef8227..00000000 --- a/stable/ckan/charts/postgresql/Chart.lock +++ /dev/null @@ -1,6 +0,0 @@ -dependencies: -- name: common - repository: https://charts.bitnami.com/bitnami - version: 1.1.2 -digest: sha256:5a5d1b6e8a55efef1c07768b6bb264c60c98e230792b9a63f85468b95cf58c45 -generated: "2020-12-11T12:22:28.510708+01:00" diff --git a/stable/ckan/charts/postgresql/Chart.yaml b/stable/ckan/charts/postgresql/Chart.yaml deleted file mode 100644 index 332cb965..00000000 --- a/stable/ckan/charts/postgresql/Chart.yaml +++ /dev/null @@ -1,29 +0,0 @@ -annotations: - category: Database -apiVersion: v2 -appVersion: 11.10.0 -dependencies: -- name: common - repository: https://charts.bitnami.com/bitnami - version: 1.x.x -description: Chart for PostgreSQL, an object-relational database management system - (ORDBMS) with an emphasis on extensibility and on standards-compliance. -home: https://github.com/bitnami/charts/tree/master/bitnami/postgresql -icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-110x117.png -keywords: -- postgresql -- postgres -- database -- sql -- replication -- cluster -maintainers: -- email: containers@bitnami.com - name: Bitnami -- email: cedric@desaintmartin.fr - name: desaintmartin -name: postgresql -sources: -- https://github.com/bitnami/bitnami-docker-postgresql -- https://www.postgresql.org/ -version: 10.2.0 diff --git a/stable/ckan/charts/postgresql/README.md b/stable/ckan/charts/postgresql/README.md deleted file mode 100644 index 9cf7c412..00000000 --- a/stable/ckan/charts/postgresql/README.md +++ /dev/null @@ -1,798 +0,0 @@ -# PostgreSQL - -[PostgreSQL](https://www.postgresql.org/) is an object-relational database management system (ORDBMS) with an emphasis on extensibility and on standards-compliance. - -For HA, please see [this repo](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha) - -## TL;DR - -```console -$ helm repo add bitnami https://charts.bitnami.com/bitnami -$ helm install my-release bitnami/postgresql -``` - -## Introduction - -This chart bootstraps a [PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. - -Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/). - -## Prerequisites - -- Kubernetes 1.12+ -- Helm 3.0-beta3+ -- PV provisioner support in the underlying infrastructure - -## Installing the Chart -To install the chart with the release name `my-release`: - -```console -$ helm install my-release bitnami/postgresql -``` - -The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. - -> **Tip**: List all releases using `helm list` - -## Uninstalling the Chart - -To uninstall/delete the `my-release` deployment: - -```console -$ helm delete my-release -``` - -The command removes all the Kubernetes components but PVC's associated with the chart and deletes the release. - -To delete the PVC's associated with `my-release`: - -```console -$ kubectl delete pvc -l release=my-release -``` - -> **Note**: Deleting the PVC's will delete postgresql data as well. Please be cautious before doing it. - -## Parameters - -The following tables lists the configurable parameters of the PostgreSQL chart and their default values. - -| Parameter | Description | Default | -|-----------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------| -| `global.imageRegistry` | Global Docker Image registry | `nil` | -| `global.postgresql.postgresqlDatabase` | PostgreSQL database (overrides `postgresqlDatabase`) | `nil` | -| `global.postgresql.postgresqlUsername` | PostgreSQL username (overrides `postgresqlUsername`) | `nil` | -| `global.postgresql.existingSecret` | Name of existing secret to use for PostgreSQL passwords (overrides `existingSecret`) | `nil` | -| `global.postgresql.postgresqlPassword` | PostgreSQL admin password (overrides `postgresqlPassword`) | `nil` | -| `global.postgresql.servicePort` | PostgreSQL port (overrides `service.port`) | `nil` | -| `global.postgresql.replicationPassword` | Replication user password (overrides `replication.password`) | `nil` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | -| `global.storageClass` | Global storage class for dynamic provisioning | `nil` | -| `image.registry` | PostgreSQL Image registry | `docker.io` | -| `image.repository` | PostgreSQL Image name | `bitnami/postgresql` | -| `image.tag` | PostgreSQL Image tag | `{TAG_NAME}` | -| `image.pullPolicy` | PostgreSQL Image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) | -| `image.debug` | Specify if debug values should be set | `false` | -| `nameOverride` | String to partially override common.names.fullname template with a string (will prepend the release name) | `nil` | -| `fullnameOverride` | String to fully override common.names.fullname template with a string | `nil` | -| `volumePermissions.enabled` | Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` | -| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | -| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` | -| `volumePermissions.image.tag` | Init container volume-permissions image tag | `buster` | -| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` | -| `volumePermissions.securityContext.*` | Other container security context to be included as-is in the container spec | `{}` | -| `volumePermissions.securityContext.runAsUser` | User ID for the init container (when facing issues in OpenShift or uid unknown, try value "auto") | `0` | -| `usePasswordFile` | Have the secrets mounted as a file instead of env vars | `false` | -| `ldap.enabled` | Enable LDAP support | `false` | -| `ldap.existingSecret` | Name of existing secret to use for LDAP passwords | `nil` | -| `ldap.url` | LDAP URL beginning in the form `ldap[s]://host[:port]/basedn[?[attribute][?[scope][?[filter]]]]` | `nil` | -| `ldap.server` | IP address or name of the LDAP server. | `nil` | -| `ldap.port` | Port number on the LDAP server to connect to | `nil` | -| `ldap.scheme` | Set to `ldaps` to use LDAPS. | `nil` | -| `ldap.tls` | Set to `1` to use TLS encryption | `nil` | -| `ldap.prefix` | String to prepend to the user name when forming the DN to bind | `nil` | -| `ldap.suffix` | String to append to the user name when forming the DN to bind | `nil` | -| `ldap.search_attr` | Attribute to match against the user name in the search | `nil` | -| `ldap.search_filter` | The search filter to use when doing search+bind authentication | `nil` | -| `ldap.baseDN` | Root DN to begin the search for the user in | `nil` | -| `ldap.bindDN` | DN of user to bind to LDAP | `nil` | -| `ldap.bind_password` | Password for the user to bind to LDAP | `nil` | -| `replication.enabled` | Enable replication | `false` | -| `replication.user` | Replication user | `repl_user` | -| `replication.password` | Replication user password | `repl_password` | -| `replication.readReplicas` | Number of read replicas replicas | `1` | -| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` | -| `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `replication.readReplicas`. | `0` | -| `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` | -| `existingSecret` | Name of existing secret to use for PostgreSQL passwords. The secret has to contain the keys `postgresql-password` which is the password for `postgresqlUsername` when it is different of `postgres`, `postgresql-postgres-password` which will override `postgresqlPassword`, `postgresql-replication-password` which will override `replication.password` and `postgresql-ldap-password` which will be sed to authenticate on LDAP. The value is evaluated as a template. | `nil` | -| `postgresqlPostgresPassword` | PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`, in which case`postgres` is the admin username). | _random 10 character alphanumeric string_ | -| `postgresqlUsername` | PostgreSQL user (creates a non-admin user when `postgresqlUsername` is not `postgres`) | `postgres` | -| `postgresqlPassword` | PostgreSQL user password | _random 10 character alphanumeric string_ | -| `postgresqlDatabase` | PostgreSQL database | `nil` | -| `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql` (same value as persistence.mountPath) | -| `extraEnv` | Any extra environment variables you would like to pass on to the pod. The value is evaluated as a template. | `[]` | -| `extraEnvVarsCM` | Name of a Config Map containing extra environment variables you would like to pass on to the pod. The value is evaluated as a template. | `nil` | -| `postgresqlInitdbArgs` | PostgreSQL initdb extra arguments | `nil` | -| `postgresqlInitdbWalDir` | PostgreSQL location for transaction log | `nil` | -| `postgresqlConfiguration` | Runtime Config Parameters | `nil` | -| `postgresqlExtendedConf` | Extended Runtime Config Parameters (appended to main or default configuration) | `nil` | -| `pgHbaConfiguration` | Content of pg_hba.conf | `nil (do not create pg_hba.conf)` | -| `postgresqlSharedPreloadLibraries` | Shared preload libraries (comma-separated list) | `pgaudit` | -| `postgresqlMaxConnections` | Maximum total connections | `nil` | -| `postgresqlPostgresConnectionLimit` | Maximum total connections for the postgres user | `nil` | -| `postgresqlDbUserConnectionLimit` | Maximum total connections for the non-admin user | `nil` | -| `postgresqlTcpKeepalivesInterval` | TCP keepalives interval | `nil` | -| `postgresqlTcpKeepalivesIdle` | TCP keepalives idle | `nil` | -| `postgresqlTcpKeepalivesCount` | TCP keepalives count | `nil` | -| `postgresqlStatementTimeout` | Statement timeout | `nil` | -| `postgresqlPghbaRemoveFilters` | Comma-separated list of patterns to remove from the pg_hba.conf file | `nil` | -| `customLivenessProbe` | Override default liveness probe | `nil` | -| `customReadinessProbe` | Override default readiness probe | `nil` | -| `audit.logHostname` | Add client hostnames to the log file | `false` | -| `audit.logConnections` | Add client log-in operations to the log file | `false` | -| `audit.logDisconnections` | Add client log-outs operations to the log file | `false` | -| `audit.pgAuditLog` | Add operations to log using the pgAudit extension | `nil` | -| `audit.clientMinMessages` | Message log level to share with the user | `nil` | -| `audit.logLinePrefix` | Template string for the log line prefix | `nil` | -| `audit.logTimezone` | Timezone for the log timestamps | `nil` | -| `configurationConfigMap` | ConfigMap with the PostgreSQL configuration files (Note: Overrides `postgresqlConfiguration` and `pgHbaConfiguration`). The value is evaluated as a template. | `nil` | -| `extendedConfConfigMap` | ConfigMap with the extended PostgreSQL configuration files. The value is evaluated as a template. | `nil` | -| `initdbScripts` | Dictionary of initdb scripts | `nil` | -| `initdbUser` | PostgreSQL user to execute the .sql and sql.gz scripts | `nil` | -| `initdbPassword` | Password for the user specified in `initdbUser` | `nil` | -| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`). The value is evaluated as a template. | `nil` | -| `initdbScriptsSecret` | Secret with initdb scripts that contain sensitive information (Note: can be used with `initdbScriptsConfigMap` or `initdbScripts`). The value is evaluated as a template. | `nil` | -| `service.type` | Kubernetes Service type | `ClusterIP` | -| `service.port` | PostgreSQL port | `5432` | -| `service.nodePort` | Kubernetes Service nodePort | `nil` | -| `service.annotations` | Annotations for PostgreSQL service | `{}` (evaluated as a template) | -| `service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `nil` | -| `service.loadBalancerSourceRanges` | Address that are allowed when svc is LoadBalancer | `[]` (evaluated as a template) | -| `schedulerName` | Name of the k8s scheduler (other than default) | `nil` | -| `shmVolume.enabled` | Enable emptyDir volume for /dev/shm for primary and read replica(s) Pod(s) | `true` | -| `shmVolume.chmod.enabled` | Run at init chmod 777 of the /dev/shm (ignored if `volumePermissions.enabled` is `false`) | `true` | -| `persistence.enabled` | Enable persistence using PVC | `true` | -| `persistence.existingClaim` | Provide an existing `PersistentVolumeClaim`, the value is evaluated as a template. | `nil` | -| `persistence.mountPath` | Path to mount the volume at | `/bitnami/postgresql` | -| `persistence.subPath` | Subdirectory of the volume to mount at | `""` | -| `persistence.storageClass` | PVC Storage Class for PostgreSQL volume | `nil` | -| `persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `[ReadWriteOnce]` | -| `persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` | -| `persistence.annotations` | Annotations for the PVC | `{}` | -| `persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` | -| `commonAnnotations` | Annotations to be added to all deployed resources (rendered as a template) | `{}` | -| `primary.podAffinityPreset` | PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `primary.podAntiAffinityPreset` | PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `primary.nodeAffinityPreset.type` | PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `primary.nodeAffinityPreset.key` | PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. | `""` | -| `primary.nodeAffinityPreset.values` | PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. | `[]` | -| `primary.affinity` | Affinity for PostgreSQL primary pods assignment | `{}` (evaluated as a template) | -| `primary.nodeSelector` | Node labels for PostgreSQL primary pods assignment | `{}` (evaluated as a template) | -| `primary.tolerations` | Tolerations for PostgreSQL primary pods assignment | `[]` (evaluated as a template) | - -| `primary.anotations` | Map of annotations to add to the statefulset (postgresql primary) | `{}` | -| `primary.labels` | Map of labels to add to the statefulset (postgresql primary) | `{}` | -| `primary.podAnnotations` | Map of annotations to add to the pods (postgresql primary) | `{}` | -| `primary.podLabels` | Map of labels to add to the pods (postgresql primary) | `{}` | -| `primary.priorityClassName` | Priority Class to use for each pod (postgresql primary) | `nil` | -| `primary.extraInitContainers` | Additional init containers to add to the pods (postgresql primary) | `[]` | -| `primary.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql primary) | `[]` | -| `primary.extraVolumes` | Additional volumes to add to the pods (postgresql primary) | `[]` | -| `primary.sidecars` | Add additional containers to the pod | `[]` | -| `primary.service.type` | Allows using a different service type for primary | `nil` | -| `primary.service.nodePort` | Allows using a different nodePort for primary | `nil` | -| `primary.service.clusterIP` | Allows using a different clusterIP for primary | `nil` | -| `primaryAsStandBy.enabled` | Whether to enable current cluster's primary as standby server of another cluster or not. | `false` | -| `primaryAsStandBy.primaryHost` | The Host of replication primary in the other cluster. | `nil` | -| `primaryAsStandBy.primaryPort ` | The Port of replication primary in the other cluster. | `nil` | -| `readReplicas.podAffinityPreset` | PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `readReplicas.podAntiAffinityPreset` | PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | -| `readReplicas.nodeAffinityPreset.type` | PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | -| `readReplicas.nodeAffinityPreset.key` | PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. | `""` | -| `readReplicas.nodeAffinityPreset.values` | PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. | `[]` | -| `readReplicas.affinity` | Affinity for PostgreSQL read only pods assignment | `{}` (evaluated as a template) | -| `readReplicas.nodeSelector` | Node labels for PostgreSQL read only pods assignment | `{}` (evaluated as a template) | -| `readReplicas.anotations` | Map of annotations to add to the statefulsets (postgresql readReplicas) | `{}` | -| `readReplicas.resources` | CPU/Memory resource requests/limits override for readReplicass. Will fallback to `values.resources` if not defined. | `{}` | -| `readReplicas.labels` | Map of labels to add to the statefulsets (postgresql readReplicas) | `{}` | -| `readReplicas.podAnnotations` | Map of annotations to add to the pods (postgresql readReplicas) | `{}` | -| `readReplicas.podLabels` | Map of labels to add to the pods (postgresql readReplicas) | `{}` | -| `readReplicas.priorityClassName` | Priority Class to use for each pod (postgresql readReplicas) | `nil` | -| `readReplicas.extraInitContainers` | Additional init containers to add to the pods (postgresql readReplicas) | `[]` | -| `readReplicas.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql readReplicas) | `[]` | -| `readReplicas.extraVolumes` | Additional volumes to add to the pods (postgresql readReplicas) | `[]` | -| `readReplicas.sidecars` | Add additional containers to the pod | `[]` | -| `readReplicas.service.type` | Allows using a different service type for readReplicas | `nil` | -| `readReplicas.service.nodePort` | Allows using a different nodePort for readReplicas | `nil` | -| `readReplicas.service.clusterIP` | Allows using a different clusterIP for readReplicas | `nil` | -| `readReplicas.persistence.enabled` | Whether to enable readReplicas replicas persistence | `true` | -| `terminationGracePeriodSeconds` | Seconds the pod needs to terminate gracefully | `nil` | -| `resources` | CPU/Memory resource requests/limits | Memory: `256Mi`, CPU: `250m` | -| `securityContext.*` | Other pod security context to be included as-is in the pod spec | `{}` | -| `securityContext.enabled` | Enable security context | `true` | -| `securityContext.fsGroup` | Group ID for the pod | `1001` | -| `containerSecurityContext.*` | Other container security context to be included as-is in the container spec | `{}` | -| `containerSecurityContext.enabled` | Enable container security context | `true` | -| `containerSecurityContext.runAsUser` | User ID for the container | `1001` | -| `serviceAccount.enabled` | Enable service account (Note: Service Account will only be automatically created if `serviceAccount.name` is not set) | `false` | -| `serviceAccount.name` | Name of existing service account | `nil` | -| `livenessProbe.enabled` | Would you like a livenessProbe to be enabled | `true` | -| `networkPolicy.enabled` | Enable NetworkPolicy | `false` | -| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | -| `networkPolicy.explicitNamespacesSelector` | A Kubernetes LabelSelector to explicitly select namespaces from which ingress traffic could be allowed | `{}` | -| `livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 | -| `livenessProbe.periodSeconds` | How often to perform the probe | 10 | -| `livenessProbe.timeoutSeconds` | When the probe times out | 5 | -| `livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | -| `livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | -| `readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | -| `readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 5 | -| `readinessProbe.periodSeconds` | How often to perform the probe | 10 | -| `readinessProbe.timeoutSeconds` | When the probe times out | 5 | -| `readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | -| `readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | -| `tls.enabled` | Enable TLS traffic support | `false` | -| `tls.preferServerCiphers` | Whether to use the server's TLS cipher preferences rather than the client's | `true` | -| `tls.certificatesSecret` | Name of an existing secret that contains the certificates | `nil` | -| `tls.certFilename` | Certificate filename | `""` | -| `tls.certKeyFilename` | Certificate key filename | `""` | -| `tls.certCAFilename` | CA Certificate filename. If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate. | `nil` | -| `tls.crlFilename` | File containing a Certificate Revocation List | `nil` | -| `metrics.enabled` | Start a prometheus exporter | `false` | -| `metrics.service.type` | Kubernetes Service type | `ClusterIP` | -| `service.clusterIP` | Static clusterIP or None for headless services | `nil` | -| `metrics.service.annotations` | Additional annotations for metrics exporter pod | `{ prometheus.io/scrape: "true", prometheus.io/port: "9187"}` | -| `metrics.service.loadBalancerIP` | loadBalancerIP if redis metrics service type is `LoadBalancer` | `nil` | -| `metrics.serviceMonitor.enabled` | Set this to `true` to create ServiceMonitor for Prometheus operator | `false` | -| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | -| `metrics.serviceMonitor.namespace` | Optional namespace in which to create ServiceMonitor | `nil` | -| `metrics.serviceMonitor.interval` | Scrape interval. If not set, the Prometheus default scrape interval is used | `nil` | -| `metrics.serviceMonitor.scrapeTimeout` | Scrape timeout. If not set, the Prometheus default scrape timeout is used | `nil` | -| `metrics.prometheusRule.enabled` | Set this to true to create prometheusRules for Prometheus operator | `false` | -| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` | -| `metrics.prometheusRule.namespace` | namespace where prometheusRules resource should be created | the same namespace as postgresql | -| `metrics.prometheusRule.rules` | [rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) to be created, check values for an example. | `[]` | -| `metrics.image.registry` | PostgreSQL Exporter Image registry | `docker.io` | -| `metrics.image.repository` | PostgreSQL Exporter Image name | `bitnami/postgres-exporter` | -| `metrics.image.tag` | PostgreSQL Exporter Image tag | `{TAG_NAME}` | -| `metrics.image.pullPolicy` | PostgreSQL Exporter Image pull policy | `IfNotPresent` | -| `metrics.image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) | -| `metrics.customMetrics` | Additional custom metrics | `nil` | -| `metrics.extraEnvVars` | Extra environment variables to add to exporter | `{}` (evaluated as a template) | -| `metrics.securityContext.*` | Other container security context to be included as-is in the container spec | `{}` | -| `metrics.securityContext.enabled` | Enable security context for metrics | `false` | -| `metrics.securityContext.runAsUser` | User ID for the container for metrics | `1001` | -| `metrics.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 | -| `metrics.livenessProbe.periodSeconds` | How often to perform the probe | 10 | -| `metrics.livenessProbe.timeoutSeconds` | When the probe times out | 5 | -| `metrics.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | -| `metrics.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | -| `metrics.readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` | -| `metrics.readinessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 5 | -| `metrics.readinessProbe.periodSeconds` | How often to perform the probe | 10 | -| `metrics.readinessProbe.timeoutSeconds` | When the probe times out | 5 | -| `metrics.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 | -| `metrics.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 | -| `updateStrategy` | Update strategy policy | `{type: "RollingUpdate"}` | -| `psp.create` | Create Pod Security Policy | `false` | -| `rbac.create` | Create Role and RoleBinding (required for PSP to work) | `false` | -| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template). | `nil` | - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, - -```console -$ helm install my-release \ - --set postgresqlPassword=secretpassword,postgresqlDatabase=my-database \ - bitnami/postgresql -``` - -The above command sets the PostgreSQL `postgres` account password to `secretpassword`. Additionally it creates a database named `my-database`. - -Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, - -```console -$ helm install my-release -f values.yaml bitnami/postgresql -``` - -> **Tip**: You can use the default [values.yaml](values.yaml) - -## Configuration and installation details - -### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) - -It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. - -Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. - -### Production configuration and horizontal scaling - -This chart includes a `values-production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. You can use this file instead of the default one. - -- Enable replication: -```diff -- replication.enabled: false -+ replication.enabled: true -``` - -- Number of read replicas: -```diff -- replication.readReplicas: 1 -+ replication.readReplicas: 2 -``` - -- Set synchronous commit mode: -```diff -- replication.synchronousCommit: "off" -+ replication.synchronousCommit: "on" -``` - -- Number of replicas that will have synchronous replication: -```diff -- replication.numSynchronousReplicas: 0 -+ replication.numSynchronousReplicas: 1 -``` - -- Start a prometheus exporter: -```diff -- metrics.enabled: false -+ metrics.enabled: true -``` - -To horizontally scale this chart, you can use the `--replicas` flag to modify the number of nodes in your PostgreSQL deployment. Also you can use the `values-production.yaml` file or modify the parameters shown above. - -### Customizing primary and read replica services in a replicated configuration - -At the top level, there is a service object which defines the services for both primary and readReplicas. For deeper customization, there are service objects for both the primary and read types individually. This allows you to override the values in the top level service object so that the primary and read can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the primary and read to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the primary.service or readReplicas.service objects will take precedence over the top level service object. - -### Change PostgreSQL version - -To modify the PostgreSQL version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/postgresql/tags/) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters. - -### postgresql.conf / pg_hba.conf files as configMap - -This helm chart also supports to customize the whole configuration file. - -Add your custom file to "files/postgresql.conf" in your working directory. This file will be mounted as configMap to the containers and it will be used for configuring the PostgreSQL server. - -Alternatively, you can specify PostgreSQL configuration parameters using the `postgresqlConfiguration` parameter as a dict, using camelCase, e.g. {"sharedBuffers": "500MB"}. - -In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `configurationConfigMap` parameter. Note that this will override the two previous options. - -### Allow settings to be loaded from files other than the default `postgresql.conf` - -If you don't want to provide the whole PostgreSQL configuration file and only specify certain parameters, you can add your extended `.conf` files to "files/conf.d/" in your working directory. -Those files will be mounted as configMap to the containers adding/overwriting the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`. - -Alternatively, you can also set an external ConfigMap with all the extra configuration files. This is done by setting the `extendedConfConfigMap` parameter. Note that this will override the previous option. - -### Initialize a fresh instance - -The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, they must be located inside the chart folder `files/docker-entrypoint-initdb.d` so they can be consumed as a ConfigMap. - -Alternatively, you can specify custom scripts using the `initdbScripts` parameter as dict. - -In addition to these options, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `initdbScriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `initdbScriptsSecret` parameter. - -The allowed extensions are `.sh`, `.sql` and `.sql.gz`. - -### Securing traffic using TLS - -TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart: - -- `tls.enabled`: Enable TLS support. Defaults to `false` -- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults. -- `tls.certFilename`: Certificate filename. No defaults. -- `tls.certKeyFilename`: Certificate key filename. No defaults. - -For example: - -* First, create the secret with the cetificates files: - - ```console - kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt - ``` - -* Then, use the following parameters: - - ```console - volumePermissions.enabled=true - tls.enabled=true - tls.certificatesSecret="certificates-tls-secret" - tls.certFilename="cert.crt" - tls.certKeyFilename="cert.key" - ``` - - > Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `containerSecurityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected. - -### Sidecars - -If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec. - -```yaml -# For the PostgreSQL primary -primary: - sidecars: - - name: your-image-name - image: your-image - imagePullPolicy: Always - ports: - - name: portname - containerPort: 1234 -# For the PostgreSQL replicas -readReplicas: - sidecars: - - name: your-image-name - image: your-image - imagePullPolicy: Always - ports: - - name: portname - containerPort: 1234 -``` - -### Metrics - -The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). - -The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details. - -### Use of global variables - -In more complex scenarios, we may have the following tree of dependencies - -``` - +--------------+ - | | - +------------+ Chart 1 +-----------+ - | | | | - | --------+------+ | - | | | - | | | - | | | - | | | - v v v -+-------+------+ +--------+------+ +--------+------+ -| | | | | | -| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 | -| | | | | | -+--------------+ +---------------+ +---------------+ -``` - -The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters: - -``` -postgresql.postgresqlPassword=testtest -subchart1.postgresql.postgresqlPassword=testtest -subchart2.postgresql.postgresqlPassword=testtest -postgresql.postgresqlDatabase=db1 -subchart1.postgresql.postgresqlDatabase=db1 -subchart2.postgresql.postgresqlDatabase=db1 -``` - -If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows: - -``` -global.postgresql.postgresqlPassword=testtest -global.postgresql.postgresqlDatabase=db1 -``` - -This way, the credentials will be available in all of the subcharts. - -## Persistence - -The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container. - -Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. -See the [Parameters](#parameters) section to configure the PVC or to disable persistence. - -If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to [code](https://github.com/bitnami/bitnami-docker-postgresql/blob/8725fe1d7d30ebe8d9a16e9175d05f7ad9260c93/9.6/debian-9/rootfs/libpostgresql.sh#L518-L556). If you need to use those data, please covert them to sql and import after `helm install` finished. - -## NetworkPolicy - -To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. - -For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace: - -```console -$ kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" -``` - -With NetworkPolicy enabled, traffic will be limited to just port 5432. - -For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL. -This label will be displayed in the output of a successful install. - -## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image - -- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image. -- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift. -- For OpenShift, one may either define the runAsUser and fsGroup accordingly, or try this more dynamic option: volumePermissions.securityContext.runAsUser="auto",securityContext.enabled=false,containerSecurityContext.enabled=false,shmVolume.chmod.enabled=false - -### Deploy chart using Docker Official PostgreSQL Image - -From chart version 4.0.0, it is possible to use this chart with the Docker Official PostgreSQL image. -Besides specifying the new Docker repository and tag, it is important to modify the PostgreSQL data directory and volume mount point. Basically, the PostgreSQL data dir cannot be the mount point directly, it has to be a subdirectory. - -``` -image.repository=postgres -image.tag=10.6 -postgresqlDataDir=/data/pgdata -persistence.mountPath=/data/ -``` - -### Setting Pod's affinity - -This chart allows you to set your custom affinity using the `XXX.affinity` paremeter(s). Find more infomation about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). - -As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/master/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. - -## Troubleshooting - -Find more information about how to deal with common errors related to Bitnami’s Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). - -## Upgrading - -It's necessary to specify the existing passwords while performing an upgrade to ensure the secrets are not updated with invalid randomly generated passwords. Remember to specify the existing values of the `postgresqlPassword` and `replication.password` parameters when upgrading the chart: - -```bash -$ helm upgrade my-release bitnami/postgresql \ - --set postgresqlPassword=[POSTGRESQL_PASSWORD] \ - --set replication.password=[REPLICATION_PASSWORD] -``` - -> Note: you need to substitute the placeholders _[POSTGRESQL_PASSWORD]_, and _[REPLICATION_PASSWORD]_ with the values obtained from instructions in the installation notes. - -### To 10.0.0 - -[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. - -**What changes were introduced in this major version?** - -- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. -- Move dependency information from the *requirements.yaml* to the *Chart.yaml* -- After running `helm dependency update`, a *Chart.lock* file is generated containing the same structure used in the previous *requirements.lock* -- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Chart. - -**Considerations when upgrading to this version** - -- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore -- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 - -**Useful links** - -- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ -- https://helm.sh/docs/topics/v2_v3_migration/ -- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ - -#### Breaking changes - -- The term `master` has been replaced with `primary` and `slave` with `readReplicas` throughout the chart. Role names have changed from `master` and `slave` to `primary` and `read`. - -To upgrade to `10.0.0`, it should be done reusing the PVCs used to hold the PostgreSQL data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is `postgresql`): - -> NOTE: Please, create a backup of your database before running any of those actions. - -Obtain the credentials and the names of the PVCs used to hold the PostgreSQL data on your current release: - -```console -$ export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) -$ export POSTGRESQL_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=postgresql,role=master -o jsonpath="{.items[0].metadata.name}") -``` - -Delete the PostgreSQL statefulset. Notice the option `--cascade=false`: - -```console -$ kubectl delete statefulsets.apps postgresql-postgresql --cascade=false -``` - -Now the upgrade works: - -```console -$ helm upgrade postgresql bitnami/postgresql --set postgresqlPassword=$POSTGRESQL_PASSWORD --set persistence.existingClaim=$POSTGRESQL_PVC -``` - -You will have to delete the existing MariaDB pod and the new statefulset is going to create a new one - -```console -$ kubectl delete pod postgresql-postgresql-0 -``` - -Finally, you should see the lines below in MariaDB container logs: - -```console -$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}") -... -postgresql 08:05:12.59 INFO ==> Deploying PostgreSQL with persisted data... -... -``` - -### To 9.0.0 - -In this version the chart was adapted to follow the Helm label best practices, see [PR 3021](https://github.com/bitnami/charts/pull/3021). That means the backward compatibility is not guarantee when upgrading the chart to this major version. - -As a workaround, you can delete the existing statefulset (using the `--cascade=false` flag pods are not deleted) before upgrade the chart. For example, this can be a valid workflow: - -- Deploy an old version (8.X.X) - -```console -$ helm install postgresql bitnami/postgresql --version 8.10.14 -``` - -- Old version is up and running - -```console -$ helm ls -NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION -postgresql default 1 2020-08-04 13:39:54.783480286 +0000 UTC deployed postgresql-8.10.14 11.8.0 - -$ kubectl get pods -NAME READY STATUS RESTARTS AGE -postgresql-postgresql-0 1/1 Running 0 76s -``` - -- The upgrade to the latest one (9.X.X) is going to fail - -```console -$ helm upgrade postgresql bitnami/postgresql -Error: UPGRADE FAILED: cannot patch "postgresql-postgresql" with kind StatefulSet: StatefulSet.apps "postgresql-postgresql" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden -``` - -- Delete the statefulset - -```console -$ kubectl delete statefulsets.apps --cascade=false postgresql-postgresql -statefulset.apps "postgresql-postgresql" deleted -``` - -- Now the upgrade works - -```console -$ helm upgrade postgresql bitnami/postgresql -$ helm ls -NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION -postgresql default 3 2020-08-04 13:42:08.020385884 +0000 UTC deployed postgresql-9.1.2 11.8.0 -``` - -- We can kill the existing pod and the new statefulset is going to create a new one: - -```console -$ kubectl delete pod postgresql-postgresql-0 -pod "postgresql-postgresql-0" deleted - -$ kubectl get pods -NAME READY STATUS RESTARTS AGE -postgresql-postgresql-0 1/1 Running 0 19s -``` - -Please, note that without the `--cascade=false` both objects (statefulset and pod) are going to be removed and both objects will be deployed again with the `helm upgrade` command - -### To 8.0.0 - -Prefixes the port names with their protocols to comply with Istio conventions. - -If you depend on the port names in your setup, make sure to update them to reflect this change. - -### To 7.1.0 - -Adds support for LDAP configuration. - -### To 7.0.0 - -Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. Changing the GVK is considered a compatibility breaker from Kubernetes' point of view, so you cannot "upgrade" those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec. - -In https://github.com/helm/charts/pull/17281 the `apiVersion` of the statefulset resources was updated to `apps/v1` in tune with the api's deprecated, resulting in compatibility breakage. - -This major version bump signifies this change. - -### To 6.5.7 - -In this version, the chart will use PostgreSQL with the Postgis extension included. The version used with Postgresql version 10, 11 and 12 is Postgis 2.5. It has been compiled with the following dependencies: - -- protobuf -- protobuf-c -- json-c -- geos -- proj - -### To 5.0.0 - -In this version, the **chart is using PostgreSQL 11 instead of PostgreSQL 10**. You can find the main difference and notable changes in the following links: [https://www.postgresql.org/about/news/1894/](https://www.postgresql.org/about/news/1894/) and [https://www.postgresql.org/about/featurematrix/](https://www.postgresql.org/about/featurematrix/). - -For major releases of PostgreSQL, the internal data storage format is subject to change, thus complicating upgrades, you can see some errors like the following one in the logs: - -```console -Welcome to the Bitnami postgresql container -Subscribe to project updates by watching https://github.com/bitnami/bitnami-docker-postgresql -Submit issues and feature requests at https://github.com/bitnami/bitnami-docker-postgresql/issues -Send us your feedback at containers@bitnami.com - -INFO ==> ** Starting PostgreSQL setup ** -NFO ==> Validating settings in POSTGRESQL_* env vars.. -INFO ==> Initializing PostgreSQL database... -INFO ==> postgresql.conf file not detected. Generating it... -INFO ==> pg_hba.conf file not detected. Generating it... -INFO ==> Deploying PostgreSQL with persisted data... -INFO ==> Configuring replication parameters -INFO ==> Loading custom scripts... -INFO ==> Enabling remote connections -INFO ==> Stopping PostgreSQL... -INFO ==> ** PostgreSQL setup finished! ** - -INFO ==> ** Starting PostgreSQL ** - [1] FATAL: database files are incompatible with server - [1] DETAIL: The data directory was initialized by PostgreSQL version 10, which is not compatible with this version 11.3. -``` - -In this case, you should migrate the data from the old chart to the new one following an approach similar to that described in [this section](https://www.postgresql.org/docs/current/upgrading.html#UPGRADING-VIA-PGDUMPALL) from the official documentation. Basically, create a database dump in the old chart, move and restore it in the new one. - -### To 4.0.0 - -This chart will use by default the Bitnami PostgreSQL container starting from version `10.7.0-r68`. This version moves the initialization logic from node.js to bash. This new version of the chart requires setting the `POSTGRES_PASSWORD` in the slaves as well, in order to properly configure the `pg_hba.conf` file. Users from previous versions of the chart are advised to upgrade immediately. - -IMPORTANT: If you do not want to upgrade the chart version then make sure you use the `10.7.0-r68` version of the container. Otherwise, you will get this error - -``` -The POSTGRESQL_PASSWORD environment variable is empty or not set. Set the environment variable ALLOW_EMPTY_PASSWORD=yes to allow the container to be started with blank passwords. This is recommended only for development -``` - -### To 3.0.0 - -This releases make it possible to specify different nodeSelector, affinity and tolerations for master and slave pods. -It also fixes an issue with `postgresql.master.fullname` helper template not obeying fullnameOverride. - -#### Breaking changes - -- `affinty` has been renamed to `master.affinity` and `slave.affinity`. -- `tolerations` has been renamed to `master.tolerations` and `slave.tolerations`. -- `nodeSelector` has been renamed to `master.nodeSelector` and `slave.nodeSelector`. - -### To 2.0.0 - -In order to upgrade from the `0.X.X` branch to `1.X.X`, you should follow the below steps: - -- Obtain the service name (`SERVICE_NAME`) and password (`OLD_PASSWORD`) of the existing postgresql chart. You can find the instructions to obtain the password in the NOTES.txt, the service name can be obtained by running - -```console -$ kubectl get svc -``` - -- Install (not upgrade) the new version - -```console -$ helm repo update -$ helm install my-release bitnami/postgresql -``` - -- Connect to the new pod (you can obtain the name by running `kubectl get pods`): - -```console -$ kubectl exec -it NAME bash -``` - -- Once logged in, create a dump file from the previous database using `pg_dump`, for that we should connect to the previous postgresql chart: - -```console -$ pg_dump -h SERVICE_NAME -U postgres DATABASE_NAME > /tmp/backup.sql -``` - -After run above command you should be prompted for a password, this password is the previous chart password (`OLD_PASSWORD`). -This operation could take some time depending on the database size. - -- Once you have the backup file, you can restore it with a command like the one below: - -```console -$ psql -U postgres DATABASE_NAME < /tmp/backup.sql -``` - -In this case, you are accessing to the local postgresql, so the password should be the new one (you can find it in NOTES.txt). - -If you want to restore the database and the database schema does not exist, it is necessary to first follow the steps described below. - -```console -$ psql -U postgres -postgres=# drop database DATABASE_NAME; -postgres=# create database DATABASE_NAME; -postgres=# create user USER_NAME; -postgres=# alter role USER_NAME with password 'BITNAMI_USER_PASSWORD'; -postgres=# grant all privileges on database DATABASE_NAME to USER_NAME; -postgres=# alter database DATABASE_NAME owner to USER_NAME; -``` diff --git a/stable/ckan/charts/postgresql/charts/common/.helmignore b/stable/ckan/charts/postgresql/charts/common/.helmignore deleted file mode 100644 index 50af0317..00000000 --- a/stable/ckan/charts/postgresql/charts/common/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/stable/ckan/charts/postgresql/charts/common/Chart.yaml b/stable/ckan/charts/postgresql/charts/common/Chart.yaml deleted file mode 100644 index 1bda8e2d..00000000 --- a/stable/ckan/charts/postgresql/charts/common/Chart.yaml +++ /dev/null @@ -1,23 +0,0 @@ -annotations: - category: Infrastructure -apiVersion: v2 -appVersion: 1.1.1 -description: A Library Helm Chart for grouping common logic between bitnami charts. - This chart is not deployable by itself. -home: https://github.com/bitnami/charts/tree/master/bitnami/common -icon: https://bitnami.com/downloads/logos/bitnami-mark.png -keywords: -- common -- helper -- template -- function -- bitnami -maintainers: -- email: containers@bitnami.com - name: Bitnami -name: common -sources: -- https://github.com/bitnami/charts -- http://www.bitnami.com/ -type: library -version: 1.1.2 diff --git a/stable/ckan/charts/postgresql/charts/common/README.md b/stable/ckan/charts/postgresql/charts/common/README.md deleted file mode 100644 index a6889536..00000000 --- a/stable/ckan/charts/postgresql/charts/common/README.md +++ /dev/null @@ -1,309 +0,0 @@ -# Bitnami Common Library Chart - -A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts. - -## TL;DR - -```yaml -dependencies: - - name: common - version: 0.x.x - repository: https://charts.bitnami.com/bitnami -``` - -```bash -$ helm dependency update -``` - -```yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.names.fullname" . }} -data: - myvalue: "Hello World" -``` - -## Introduction - -This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. - -Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications. - -## Prerequisites - -- Kubernetes 1.12+ -- Helm 3.0-beta3+ - -## Parameters - -The following table lists the helpers available in the library which are scoped in different sections. - -### Affinities - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | -| `common.affinities.node.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | -| `common.affinities.pod.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | -| `common.affinities.pod.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | - -### Capabilities - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context | -| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context | -| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context | - -### Errors - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` | - -### Images - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. | -| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` | - -### Labels - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context | -| `common.labels.matchLabels` | Return the proper Docker Image Registry Secret Names | `.` Chart context | - -### Names - -| Helper identifier | Description | Expected Inpput | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context | -| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context | -| `common.names.chart` | Chart name plus version | `.` Chart context | - -### Secrets - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. | -| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. | - -### Storage - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. | - -### TplValues - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frecuently is the chart context `$` or `.` | - -### Utils - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` | -| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` | -| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` | - -### Validations - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "context" $` secret and field are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) | -| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) | -| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. | -| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. | -| `common.validations.values.redis.passwords` | This helper will ensure required password for Redis are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper. | -| `common.validations.values.cassandra.passwords` | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper. | -| `common.validations.values.mongodb.passwords` | This helper will ensure required password for MongoDB are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper. | - -### Warnings - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | - -## Special input schemas - -### ImageRoot - -```yaml -registry: - type: string - description: Docker registry where the image is located - example: docker.io - -repository: - type: string - description: Repository and image name - example: bitnami/nginx - -tag: - type: string - description: image tag - example: 1.16.1-debian-10-r63 - -pullPolicy: - type: string - description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - -pullSecrets: - type: array - items: - type: string - description: Optionally specify an array of imagePullSecrets. - -debug: - type: boolean - description: Set to true if you would like to see extra information on logs - example: false - -## An instance would be: -# registry: docker.io -# repository: bitnami/nginx -# tag: 1.16.1-debian-10-r63 -# pullPolicy: IfNotPresent -# debug: false -``` - -### Persistence - -```yaml -enabled: - type: boolean - description: Whether enable persistence. - example: true - -storageClass: - type: string - description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. - example: "-" - -accessMode: - type: string - description: Access mode for the Persistent Volume Storage. - example: ReadWriteOnce - -size: - type: string - description: Size the Persistent Volume Storage. - example: 8Gi - -path: - type: string - description: Path to be persisted. - example: /bitnami - -## An instance would be: -# enabled: true -# storageClass: "-" -# accessMode: ReadWriteOnce -# size: 8Gi -# path: /bitnami -``` - -### ExistingSecret - -```yaml -name: - type: string - description: Name of the existing secret. - example: mySecret -keyMapping: - description: Mapping between the expected key name and the name of the key in the existing secret. - type: object - -## An instance would be: -# name: mySecret -# keyMapping: -# password: myPasswordKey -``` - -#### Example of use - -When we store sensitive data for a deployment in a secret, some times we want to give to users the possiblity of using theirs existing secrets. - -```yaml -# templates/secret.yaml ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.names.fullname" . }} - labels: - app: {{ include "common.names.fullname" . }} -type: Opaque -data: - password: {{ .Values.password | b64enc | quote }} - -# templates/dpl.yaml ---- -... - env: - - name: PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} - key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} -... - -# values.yaml ---- -name: mySecret -keyMapping: - password: myPasswordKey -``` - -### ValidateValue - -#### NOTES.txt - -```console -{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} -{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} - -{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} -``` - -If we force those values to be empty we will see some alerts - -```console -$ helm install test mychart --set path.to.value00="",path.to.value01="" - 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: - - export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 --decode) - - 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: - - export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 --decode) -``` - -## Upgrading - -### To 1.0.0 - -[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. - -**What changes were introduced in this major version?** - -- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. -- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. -- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts - -**Considerations when upgrading to this version** - -- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues -- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore -- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 - -**Useful links** - -- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ -- https://helm.sh/docs/topics/v2_v3_migration/ -- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ diff --git a/stable/ckan/charts/postgresql/charts/common/templates/_affinities.tpl b/stable/ckan/charts/postgresql/charts/common/templates/_affinities.tpl deleted file mode 100644 index 1ff26d58..00000000 --- a/stable/ckan/charts/postgresql/charts/common/templates/_affinities.tpl +++ /dev/null @@ -1,94 +0,0 @@ -{{/* vim: set filetype=mustache: */}} - -{{/* -Return a soft nodeAffinity definition -{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.nodes.soft" -}} -preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: {{ .key }} - operator: In - values: - {{- range .values }} - - {{ . }} - {{- end }} - weight: 1 -{{- end -}} - -{{/* -Return a hard nodeAffinity definition -{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.nodes.hard" -}} -requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: {{ .key }} - operator: In - values: - {{- range .values }} - - {{ . }} - {{- end }} -{{- end -}} - -{{/* -Return a nodeAffinity definition -{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.nodes" -}} - {{- if eq .type "soft" }} - {{- include "common.affinities.nodes.soft" . -}} - {{- else if eq .type "hard" }} - {{- include "common.affinities.nodes.hard" . -}} - {{- end -}} -{{- end -}} - -{{/* -Return a soft podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods.soft" (dict "component" "FOO" "context" $) -}} -*/}} -{{- define "common.affinities.pods.soft" -}} -{{- $component := default "" .component -}} -preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }} - {{- if not (empty $component) }} - {{ printf "app.kubernetes.io/component: %s" $component }} - {{- end }} - namespaces: - - {{ .context.Release.Namespace }} - topologyKey: kubernetes.io/hostname - weight: 1 -{{- end -}} - -{{/* -Return a hard podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods.hard" (dict "component" "FOO" "context" $) -}} -*/}} -{{- define "common.affinities.pods.hard" -}} -{{- $component := default "" .component -}} -requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }} - {{- if not (empty $component) }} - {{ printf "app.kubernetes.io/component: %s" $component }} - {{- end }} - namespaces: - - {{ .context.Release.Namespace }} - topologyKey: kubernetes.io/hostname -{{- end -}} - -{{/* -Return a podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.pods" -}} - {{- if eq .type "soft" }} - {{- include "common.affinities.pods.soft" . -}} - {{- else if eq .type "hard" }} - {{- include "common.affinities.pods.hard" . -}} - {{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/_capabilities.tpl b/stable/ckan/charts/postgresql/charts/common/templates/_capabilities.tpl deleted file mode 100644 index 143bef2a..00000000 --- a/stable/ckan/charts/postgresql/charts/common/templates/_capabilities.tpl +++ /dev/null @@ -1,33 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Return the appropriate apiVersion for deployment. -*/}} -{{- define "common.capabilities.deployment.apiVersion" -}} -{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "extensions/v1beta1" -}} -{{- else -}} -{{- print "apps/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for statefulset. -*/}} -{{- define "common.capabilities.statefulset.apiVersion" -}} -{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "apps/v1beta1" -}} -{{- else -}} -{{- print "apps/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for ingress. -*/}} -{{- define "common.capabilities.ingress.apiVersion" -}} -{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "extensions/v1beta1" -}} -{{- else -}} -{{- print "networking.k8s.io/v1beta1" -}} -{{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/_errors.tpl b/stable/ckan/charts/postgresql/charts/common/templates/_errors.tpl deleted file mode 100644 index d6d3ec65..00000000 --- a/stable/ckan/charts/postgresql/charts/common/templates/_errors.tpl +++ /dev/null @@ -1,20 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Through error when upgrading using empty passwords values that must not be empty. - -Usage: -{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} -{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} -{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} - -Required password params: - - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. - - context - Context - Required. Parent context. -*/}} -{{- define "common.errors.upgrade.passwords.empty" -}} - {{- $validationErrors := join "" .validationErrors -}} - {{- if and $validationErrors .context.Release.IsUpgrade -}} - {{- $errorString := "\nPASSWORDS ERROR: you must provide your current passwords when upgrade the release%s" -}} - {{- printf $errorString $validationErrors | fail -}} - {{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/_images.tpl b/stable/ckan/charts/postgresql/charts/common/templates/_images.tpl deleted file mode 100644 index aafde9f3..00000000 --- a/stable/ckan/charts/postgresql/charts/common/templates/_images.tpl +++ /dev/null @@ -1,43 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Return the proper image name -{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }} -*/}} -{{- define "common.images.image" -}} -{{- $registryName := .imageRoot.registry -}} -{{- $repositoryName := .imageRoot.repository -}} -{{- $tag := .imageRoot.tag | toString -}} -{{- if .global }} - {{- if .global.imageRegistry }} - {{- $registryName = .global.imageRegistry -}} - {{- end -}} -{{- end -}} -{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} -{{- end -}} - -{{/* -Return the proper Docker Image Registry Secret Names -{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} -*/}} -{{- define "common.images.pullSecrets" -}} - {{- $pullSecrets := list }} - - {{- if .global }} - {{- range .global.imagePullSecrets -}} - {{- $pullSecrets = append $pullSecrets . -}} - {{- end -}} - {{- end -}} - - {{- range .images -}} - {{- range .pullSecrets -}} - {{- $pullSecrets = append $pullSecrets . -}} - {{- end -}} - {{- end -}} - - {{- if (not (empty $pullSecrets)) }} -imagePullSecrets: - {{- range $pullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/_labels.tpl b/stable/ckan/charts/postgresql/charts/common/templates/_labels.tpl deleted file mode 100644 index 252066c7..00000000 --- a/stable/ckan/charts/postgresql/charts/common/templates/_labels.tpl +++ /dev/null @@ -1,18 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Kubernetes standard labels -*/}} -{{- define "common.labels.standard" -}} -app.kubernetes.io/name: {{ include "common.names.name" . }} -helm.sh/chart: {{ include "common.names.chart" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end -}} - -{{/* -Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector -*/}} -{{- define "common.labels.matchLabels" -}} -app.kubernetes.io/name: {{ include "common.names.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/_names.tpl b/stable/ckan/charts/postgresql/charts/common/templates/_names.tpl deleted file mode 100644 index adf2a74f..00000000 --- a/stable/ckan/charts/postgresql/charts/common/templates/_names.tpl +++ /dev/null @@ -1,32 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "common.names.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "common.names.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "common.names.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/_secrets.tpl b/stable/ckan/charts/postgresql/charts/common/templates/_secrets.tpl deleted file mode 100644 index ebfb5d42..00000000 --- a/stable/ckan/charts/postgresql/charts/common/templates/_secrets.tpl +++ /dev/null @@ -1,57 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Generate secret name. - -Usage: -{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} - -Params: - - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user - to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. - +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret - - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. - - context - Dict - Required. The context for the template evaluation. -*/}} -{{- define "common.secrets.name" -}} -{{- $name := (include "common.names.fullname" .context) -}} - -{{- if .defaultNameSuffix -}} -{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{- with .existingSecret -}} -{{- if not (typeIs "string" .) -}} -{{- $name = .name -}} -{{- else -}} -{{- $name = . -}} -{{- end -}} -{{- end -}} - -{{- printf "%s" $name -}} -{{- end -}} - -{{/* -Generate secret key. - -Usage: -{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} - -Params: - - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user - to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. - +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret - - key - String - Required. Name of the key in the secret. -*/}} -{{- define "common.secrets.key" -}} -{{- $key := .key -}} - -{{- if .existingSecret -}} - {{- if not (typeIs "string" .existingSecret) -}} - {{- if .existingSecret.keyMapping -}} - {{- $key = index .existingSecret.keyMapping $.key -}} - {{- end -}} - {{- end }} -{{- end -}} - -{{- printf "%s" $key -}} -{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/_storage.tpl b/stable/ckan/charts/postgresql/charts/common/templates/_storage.tpl deleted file mode 100644 index 60e2a844..00000000 --- a/stable/ckan/charts/postgresql/charts/common/templates/_storage.tpl +++ /dev/null @@ -1,23 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Return the proper Storage Class -{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} -*/}} -{{- define "common.storage.class" -}} - -{{- $storageClass := .persistence.storageClass -}} -{{- if .global -}} - {{- if .global.storageClass -}} - {{- $storageClass = .global.storageClass -}} - {{- end -}} -{{- end -}} - -{{- if $storageClass -}} - {{- if (eq "-" $storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else }} - {{- printf "storageClassName: %s" $storageClass -}} - {{- end -}} -{{- end -}} - -{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/_tplvalues.tpl b/stable/ckan/charts/postgresql/charts/common/templates/_tplvalues.tpl deleted file mode 100644 index 2db16685..00000000 --- a/stable/ckan/charts/postgresql/charts/common/templates/_tplvalues.tpl +++ /dev/null @@ -1,13 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Renders a value that contains template. -Usage: -{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} -*/}} -{{- define "common.tplvalues.render" -}} - {{- if typeIs "string" .value }} - {{- tpl .value .context }} - {{- else }} - {{- tpl (.value | toYaml) .context }} - {{- end }} -{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/_utils.tpl b/stable/ckan/charts/postgresql/charts/common/templates/_utils.tpl deleted file mode 100644 index 74774a3c..00000000 --- a/stable/ckan/charts/postgresql/charts/common/templates/_utils.tpl +++ /dev/null @@ -1,45 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Print instructions to get a secret value. -Usage: -{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} -*/}} -{{- define "common.utils.secret.getvalue" -}} -{{- $varname := include "common.utils.fieldToEnvVar" . -}} -export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 --decode) -{{- end -}} - -{{/* -Build env var name given a field -Usage: -{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} -*/}} -{{- define "common.utils.fieldToEnvVar" -}} - {{- $fieldNameSplit := splitList "-" .field -}} - {{- $upperCaseFieldNameSplit := list -}} - - {{- range $fieldNameSplit -}} - {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} - {{- end -}} - - {{ join "_" $upperCaseFieldNameSplit }} -{{- end -}} - -{{/* -Gets a value from .Values given -Usage: -{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} -*/}} -{{- define "common.utils.getValueFromKey" -}} -{{- $splitKey := splitList "." .key -}} -{{- $value := "" -}} -{{- $latestObj := $.context.Values -}} -{{- range $splitKey -}} - {{- if not $latestObj -}} - {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} - {{- end -}} - {{- $value = ( index $latestObj . ) -}} - {{- $latestObj = $value -}} -{{- end -}} -{{- printf "%v" (default "" $value) -}} -{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/_warnings.tpl b/stable/ckan/charts/postgresql/charts/common/templates/_warnings.tpl deleted file mode 100644 index ae10fa41..00000000 --- a/stable/ckan/charts/postgresql/charts/common/templates/_warnings.tpl +++ /dev/null @@ -1,14 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Warning about using rolling tag. -Usage: -{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} -*/}} -{{- define "common.warnings.rollingTag" -}} - -{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} -WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. -+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ -{{- end }} - -{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/validations/_cassandra.tpl b/stable/ckan/charts/postgresql/charts/common/templates/validations/_cassandra.tpl deleted file mode 100644 index 7a274a08..00000000 --- a/stable/ckan/charts/postgresql/charts/common/templates/validations/_cassandra.tpl +++ /dev/null @@ -1,72 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Validate Cassandra required passwords are not empty. - -Usage: -{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret" - - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false -*/}} -{{- define "common.validations.values.cassandra.passwords" -}} - {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}} - {{- $enabled := include "common.cassandra.values.enabled" . -}} - {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} - {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} - - {{- if and (not $existingSecret) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} - -{{/* -Auxiliar function to get the right value for existingSecret. - -Usage: -{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} -Params: - - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false -*/}} -{{- define "common.cassandra.values.existingSecret" -}} - {{- if .subchart -}} - {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} - {{- else -}} - {{- .context.Values.dbUser.existingSecret | quote -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliar function to get the right value for enabled cassandra. - -Usage: -{{ include "common.cassandra.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.cassandra.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.cassandra.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliar function to get the right value for the key dbUser - -Usage: -{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false -*/}} -{{- define "common.cassandra.values.key.dbUser" -}} - {{- if .subchart -}} - cassandra.dbUser - {{- else -}} - dbUser - {{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/validations/_mariadb.tpl b/stable/ckan/charts/postgresql/charts/common/templates/validations/_mariadb.tpl deleted file mode 100644 index 3bf669dd..00000000 --- a/stable/ckan/charts/postgresql/charts/common/templates/validations/_mariadb.tpl +++ /dev/null @@ -1,103 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Validate MariaDB required passwords are not empty. - -Usage: -{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.validations.values.mariadb.passwords" -}} - {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} - {{- $enabled := include "common.mariadb.values.enabled" . -}} - {{- $architecture := include "common.mariadb.values.architecture" . -}} - {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} - {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} - {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} - {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} - {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} - - {{- if and (not $existingSecret) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} - - {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} - {{- if not (empty $valueUsername) -}} - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - {{- end -}} - - {{- if (eq $architecture "replication") -}} - {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} - -{{/* -Auxiliar function to get the right value for existingSecret. - -Usage: -{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.mariadb.values.auth.existingSecret" -}} - {{- if .subchart -}} - {{- .context.Values.mariadb.auth.existingSecret | quote -}} - {{- else -}} - {{- .context.Values.auth.existingSecret | quote -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliar function to get the right value for enabled mariadb. - -Usage: -{{ include "common.mariadb.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.mariadb.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.mariadb.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliar function to get the right value for architecture - -Usage: -{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.mariadb.values.architecture" -}} - {{- if .subchart -}} - {{- .context.Values.mariadb.architecture -}} - {{- else -}} - {{- .context.Values.architecture -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliar function to get the right value for the key auth - -Usage: -{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.mariadb.values.key.auth" -}} - {{- if .subchart -}} - mariadb.auth - {{- else -}} - auth - {{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/validations/_mongodb.tpl b/stable/ckan/charts/postgresql/charts/common/templates/validations/_mongodb.tpl deleted file mode 100644 index 7e0c1cbc..00000000 --- a/stable/ckan/charts/postgresql/charts/common/templates/validations/_mongodb.tpl +++ /dev/null @@ -1,108 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Validate MongoDB required passwords are not empty. - -Usage: -{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where MongoDB values are stored, e.g: "mongodb-passwords-secret" - - subchart - Boolean - Optional. Whether MongoDB is used as subchart or not. Default: false -*/}} -{{- define "common.validations.values.mongodb.passwords" -}} - {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} - {{- $enabled := include "common.mongodb.values.enabled" . -}} - {{- $authPrefix := include "common.mongodb.values.key.auth" . -}} - {{- $architecture := include "common.mongodb.values.architecture" . -}} - {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} - {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} - {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}} - {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} - {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}} - {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}} - - {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} - - {{- if and (not $existingSecret) (eq $enabled "true") (eq $authEnabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} - - {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} - {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }} - {{- if and $valueUsername $valueDatabase -}} - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - {{- end -}} - - {{- if (eq $architecture "replicaset") -}} - {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} - -{{/* -Auxiliar function to get the right value for existingSecret. - -Usage: -{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false -*/}} -{{- define "common.mongodb.values.auth.existingSecret" -}} - {{- if .subchart -}} - {{- .context.Values.mongodb.auth.existingSecret | quote -}} - {{- else -}} - {{- .context.Values.auth.existingSecret | quote -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliar function to get the right value for enabled mongodb. - -Usage: -{{ include "common.mongodb.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.mongodb.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.mongodb.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliar function to get the right value for the key auth - -Usage: -{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MongoDB is used as subchart or not. Default: false -*/}} -{{- define "common.mongodb.values.key.auth" -}} - {{- if .subchart -}} - mongodb.auth - {{- else -}} - auth - {{- end -}} -{{- end -}} - -{{/* -Auxiliar function to get the right value for architecture - -Usage: -{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.mongodb.values.architecture" -}} - {{- if .subchart -}} - {{- .context.Values.mongodb.architecture -}} - {{- else -}} - {{- .context.Values.architecture -}} - {{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/validations/_postgresql.tpl b/stable/ckan/charts/postgresql/charts/common/templates/validations/_postgresql.tpl deleted file mode 100644 index f25e0ffb..00000000 --- a/stable/ckan/charts/postgresql/charts/common/templates/validations/_postgresql.tpl +++ /dev/null @@ -1,131 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Validate PostgreSQL required passwords are not empty. - -Usage: -{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret" - - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false -*/}} -{{- define "common.validations.values.postgresql.passwords" -}} - {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} - {{- $enabled := include "common.postgresql.values.enabled" . -}} - {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} - {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} - - {{- if and (not $existingSecret) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} - - {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} - {{- if (eq $enabledReplication "true") -}} - {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliar function to decide whether evaluate global values. - -Usage: -{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} -Params: - - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" -*/}} -{{- define "common.postgresql.values.use.global" -}} - {{- if .context.Values.global -}} - {{- if .context.Values.global.postgresql -}} - {{- index .context.Values.global.postgresql .key | quote -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliar function to get the right value for existingSecret. - -Usage: -{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} -*/}} -{{- define "common.postgresql.values.existingSecret" -}} - {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} - - {{- if .subchart -}} - {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} - {{- else -}} - {{- default (.context.Values.existingSecret | quote) $globalValue -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliar function to get the right value for enabled postgresql. - -Usage: -{{ include "common.postgresql.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.postgresql.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.postgresql.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliar function to get the right value for the key postgressPassword. - -Usage: -{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false -*/}} -{{- define "common.postgresql.values.key.postgressPassword" -}} - {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} - - {{- if not $globalValue -}} - {{- if .subchart -}} - postgresql.postgresqlPassword - {{- else -}} - postgresqlPassword - {{- end -}} - {{- else -}} - global.postgresql.postgresqlPassword - {{- end -}} -{{- end -}} - -{{/* -Auxiliar function to get the right value for enabled.replication. - -Usage: -{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false -*/}} -{{- define "common.postgresql.values.enabled.replication" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.postgresql.replication.enabled -}} - {{- else -}} - {{- printf "%v" .context.Values.replication.enabled -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliar function to get the right value for the key replication.password. - -Usage: -{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false -*/}} -{{- define "common.postgresql.values.key.replicationPassword" -}} - {{- if .subchart -}} - postgresql.replication.password - {{- else -}} - replication.password - {{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/validations/_redis.tpl b/stable/ckan/charts/postgresql/charts/common/templates/validations/_redis.tpl deleted file mode 100644 index 2ccc04d2..00000000 --- a/stable/ckan/charts/postgresql/charts/common/templates/validations/_redis.tpl +++ /dev/null @@ -1,72 +0,0 @@ - -{{/* vim: set filetype=mustache: */}} -{{/* -Validate Redis required passwords are not empty. - -Usage: -{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret" - - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false -*/}} -{{- define "common.validations.values.redis.passwords" -}} - {{- $existingSecret := include "common.redis.values.existingSecret" . -}} - {{- $enabled := include "common.redis.values.enabled" . -}} - {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} - {{- $valueKeyRedisPassword := printf "%s%s" $valueKeyPrefix "password" -}} - {{- $valueKeyRedisUsePassword := printf "%s%s" $valueKeyPrefix "usePassword" -}} - - {{- if and (not $existingSecret) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $usePassword := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUsePassword "context" .context) -}} - {{- if eq $usePassword "true" -}} - {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - {{- end -}} -{{- end -}} - -{{/* -Redis Auxiliar function to get the right value for existingSecret. - -Usage: -{{ include "common.redis.values.existingSecret" (dict "context" $) }} -Params: - - subchart - Boolean - Optional. Whether Redis is used as subchart or not. Default: false -*/}} -{{- define "common.redis.values.existingSecret" -}} - {{- if .subchart -}} - {{- .context.Values.redis.existingSecret | quote -}} - {{- else -}} - {{- .context.Values.existingSecret | quote -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliar function to get the right value for enabled redis. - -Usage: -{{ include "common.redis.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.redis.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.redis.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliar function to get the right prefix path for the values - -Usage: -{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false -*/}} -{{- define "common.redis.values.keys.prefix" -}} - {{- if .subchart -}}redis.{{- else -}}{{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/templates/validations/_validations.tpl b/stable/ckan/charts/postgresql/charts/common/templates/validations/_validations.tpl deleted file mode 100644 index d4cf32c7..00000000 --- a/stable/ckan/charts/postgresql/charts/common/templates/validations/_validations.tpl +++ /dev/null @@ -1,44 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Validate values must not be empty. - -Usage: -{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} -{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} -{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} - -Validate value params: - - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" - - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" - - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" -*/}} -{{- define "common.validations.values.multiple.empty" -}} - {{- range .required -}} - {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} - {{- end -}} -{{- end -}} - -{{/* -Validate a value must not be empty. - -Usage: -{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "context" $) }} - -Validate value params: - - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" - - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" - - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" -*/}} -{{- define "common.validations.values.single.empty" -}} - {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} - - {{- if not $value -}} - {{- $varname := "my-value" -}} - {{- $getCurrentValue := "" -}} - {{- if and .secret .field -}} - {{- $varname = include "common.utils.fieldToEnvVar" . -}} - {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} - {{- end -}} - {{- printf "\n '%s' must not be empty, please add '--set %s=$%s' to the command.%s" .valueKey .valueKey $varname $getCurrentValue -}} - {{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/postgresql/charts/common/values.yaml b/stable/ckan/charts/postgresql/charts/common/values.yaml deleted file mode 100644 index 9ecdc93f..00000000 --- a/stable/ckan/charts/postgresql/charts/common/values.yaml +++ /dev/null @@ -1,3 +0,0 @@ -## bitnami/common -## It is required by CI/CD tools and processes. -exampleValue: common-chart diff --git a/stable/ckan/charts/postgresql/ci/commonAnnotations.yaml b/stable/ckan/charts/postgresql/ci/commonAnnotations.yaml deleted file mode 100644 index 97e18a4c..00000000 --- a/stable/ckan/charts/postgresql/ci/commonAnnotations.yaml +++ /dev/null @@ -1,3 +0,0 @@ -commonAnnotations: - helm.sh/hook: "\"pre-install, pre-upgrade\"" - helm.sh/hook-weight: "-1" diff --git a/stable/ckan/charts/postgresql/ci/default-values.yaml b/stable/ckan/charts/postgresql/ci/default-values.yaml deleted file mode 100644 index fc2ba605..00000000 --- a/stable/ckan/charts/postgresql/ci/default-values.yaml +++ /dev/null @@ -1 +0,0 @@ -# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. diff --git a/stable/ckan/charts/postgresql/ci/shmvolume-disabled-values.yaml b/stable/ckan/charts/postgresql/ci/shmvolume-disabled-values.yaml deleted file mode 100644 index 347d3b40..00000000 --- a/stable/ckan/charts/postgresql/ci/shmvolume-disabled-values.yaml +++ /dev/null @@ -1,2 +0,0 @@ -shmVolume: - enabled: false diff --git a/stable/ckan/charts/postgresql/files/README.md b/stable/ckan/charts/postgresql/files/README.md deleted file mode 100644 index 1813a2fe..00000000 --- a/stable/ckan/charts/postgresql/files/README.md +++ /dev/null @@ -1 +0,0 @@ -Copy here your postgresql.conf and/or pg_hba.conf files to use it as a config map. diff --git a/stable/ckan/charts/postgresql/files/conf.d/README.md b/stable/ckan/charts/postgresql/files/conf.d/README.md deleted file mode 100644 index 184c1875..00000000 --- a/stable/ckan/charts/postgresql/files/conf.d/README.md +++ /dev/null @@ -1,4 +0,0 @@ -If you don't want to provide the whole configuration file and only specify certain parameters, you can copy here your extended `.conf` files. -These files will be injected as a config maps and add/overwrite the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`. - -More info in the [bitnami-docker-postgresql README](https://github.com/bitnami/bitnami-docker-postgresql#configuration-file). diff --git a/stable/ckan/charts/postgresql/files/docker-entrypoint-initdb.d/README.md b/stable/ckan/charts/postgresql/files/docker-entrypoint-initdb.d/README.md deleted file mode 100644 index cba38091..00000000 --- a/stable/ckan/charts/postgresql/files/docker-entrypoint-initdb.d/README.md +++ /dev/null @@ -1,3 +0,0 @@ -You can copy here your custom `.sh`, `.sql` or `.sql.gz` file so they are executed during the first boot of the image. - -More info in the [bitnami-docker-postgresql](https://github.com/bitnami/bitnami-docker-postgresql#initializing-a-new-instance) repository. \ No newline at end of file diff --git a/stable/ckan/charts/postgresql/templates/NOTES.txt b/stable/ckan/charts/postgresql/templates/NOTES.txt deleted file mode 100644 index 4e98958c..00000000 --- a/stable/ckan/charts/postgresql/templates/NOTES.txt +++ /dev/null @@ -1,59 +0,0 @@ -** Please be patient while the chart is being deployed ** - -PostgreSQL can be accessed via port {{ template "postgresql.port" . }} on the following DNS name from within your cluster: - - {{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection -{{- if .Values.replication.enabled }} - {{ template "common.names.fullname" . }}-read.{{ .Release.Namespace }}.svc.cluster.local - Read only connection -{{- end }} - -{{- if not (eq (include "postgresql.username" .) "postgres") }} - -To get the password for "postgres" run: - - export POSTGRES_ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "postgresql.secretName" . }} -o jsonpath="{.data.postgresql-postgres-password}" | base64 --decode) -{{- end }} - -To get the password for "{{ template "postgresql.username" . }}" run: - - export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "postgresql.secretName" . }} -o jsonpath="{.data.postgresql-password}" | base64 --decode) - -To connect to your database run the following command: - - kubectl run {{ template "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ template "postgresql.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" {{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} - --labels="{{ template "common.names.fullname" . }}-client=true" {{- end }} --command -- psql --host {{ template "common.names.fullname" . }} -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} -p {{ template "postgresql.port" . }} - -{{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }} -Note: Since NetworkPolicy is enabled, only pods with label {{ template "common.names.fullname" . }}-client=true" will be able to connect to this PostgreSQL cluster. -{{- end }} - -To connect to your database from outside the cluster execute the following commands: - -{{- if contains "NodePort" .Values.service.type }} - - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "common.names.fullname" . }}) - {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $NODE_IP --port $NODE_PORT -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} - -{{- else if contains "LoadBalancer" .Values.service.type }} - - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "common.names.fullname" . }}' - - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "common.names.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") - {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $SERVICE_IP --port {{ template "postgresql.port" . }} -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} - -{{- else if contains "ClusterIP" .Values.service.type }} - - kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "common.names.fullname" . }} {{ template "postgresql.port" . }}:{{ template "postgresql.port" . }} & - {{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host 127.0.0.1 -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} -p {{ template "postgresql.port" . }} - -{{- end }} - -{{- include "postgresql.validateValues" . -}} - -{{- include "common.warnings.rollingTag" .Values.image -}} - -{{- $passwordValidationErrors := include "common.validations.values.postgresql.passwords" (dict "secret" (include "common.names.fullname" .) "context" $) -}} - -{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $passwordValidationErrors) "context" $) -}} diff --git a/stable/ckan/charts/postgresql/templates/_helpers.tpl b/stable/ckan/charts/postgresql/templates/_helpers.tpl deleted file mode 100644 index 7509941c..00000000 --- a/stable/ckan/charts/postgresql/templates/_helpers.tpl +++ /dev/null @@ -1,330 +0,0 @@ -{{/* vim: set filetype=mustache: */}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "postgresql.primary.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- $fullname := default (printf "%s-%s" .Release.Name $name) .Values.fullnameOverride -}} -{{- if .Values.replication.enabled -}} -{{- printf "%s-%s" $fullname "primary" | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s" $fullname | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the proper PostgreSQL image name -*/}} -{{- define "postgresql.image" -}} -{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} -{{- end -}} - -{{/* -Return the proper PostgreSQL metrics image name -*/}} -{{- define "postgresql.metrics.image" -}} -{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }} -{{- end -}} - -{{/* -Return the proper image name (for the init container volume-permissions image) -*/}} -{{- define "postgresql.volumePermissions.image" -}} -{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }} -{{- end -}} - -{{/* -Return the proper Docker Image Registry Secret Names -*/}} -{{- define "postgresql.imagePullSecrets" -}} -{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "global" .Values.global) }} -{{- end -}} - -{{/* -Return PostgreSQL postgres user password -*/}} -{{- define "postgresql.postgres.password" -}} -{{- if .Values.global.postgresql.postgresqlPostgresPassword }} - {{- .Values.global.postgresql.postgresqlPostgresPassword -}} -{{- else if .Values.postgresqlPostgresPassword -}} - {{- .Values.postgresqlPostgresPassword -}} -{{- else -}} - {{- randAlphaNum 10 -}} -{{- end -}} -{{- end -}} - -{{/* -Return PostgreSQL password -*/}} -{{- define "postgresql.password" -}} -{{- if .Values.global.postgresql.postgresqlPassword }} - {{- .Values.global.postgresql.postgresqlPassword -}} -{{- else if .Values.postgresqlPassword -}} - {{- .Values.postgresqlPassword -}} -{{- else -}} - {{- randAlphaNum 10 -}} -{{- end -}} -{{- end -}} - -{{/* -Return PostgreSQL replication password -*/}} -{{- define "postgresql.replication.password" -}} -{{- if .Values.global.postgresql.replicationPassword }} - {{- .Values.global.postgresql.replicationPassword -}} -{{- else if .Values.replication.password -}} - {{- .Values.replication.password -}} -{{- else -}} - {{- randAlphaNum 10 -}} -{{- end -}} -{{- end -}} - -{{/* -Return PostgreSQL username -*/}} -{{- define "postgresql.username" -}} -{{- if .Values.global.postgresql.postgresqlUsername }} - {{- .Values.global.postgresql.postgresqlUsername -}} -{{- else -}} - {{- .Values.postgresqlUsername -}} -{{- end -}} -{{- end -}} - -{{/* -Return PostgreSQL replication username -*/}} -{{- define "postgresql.replication.username" -}} -{{- if .Values.global.postgresql.replicationUser }} - {{- .Values.global.postgresql.replicationUser -}} -{{- else -}} - {{- .Values.replication.user -}} -{{- end -}} -{{- end -}} - -{{/* -Return PostgreSQL port -*/}} -{{- define "postgresql.port" -}} -{{- if .Values.global.postgresql.servicePort }} - {{- .Values.global.postgresql.servicePort -}} -{{- else -}} - {{- .Values.service.port -}} -{{- end -}} -{{- end -}} - -{{/* -Return PostgreSQL created database -*/}} -{{- define "postgresql.database" -}} -{{- if .Values.global.postgresql.postgresqlDatabase }} - {{- .Values.global.postgresql.postgresqlDatabase -}} -{{- else if .Values.postgresqlDatabase -}} - {{- .Values.postgresqlDatabase -}} -{{- end -}} -{{- end -}} - -{{/* -Get the password secret. -*/}} -{{- define "postgresql.secretName" -}} -{{- if .Values.global.postgresql.existingSecret }} - {{- printf "%s" (tpl .Values.global.postgresql.existingSecret $) -}} -{{- else if .Values.existingSecret -}} - {{- printf "%s" (tpl .Values.existingSecret $) -}} -{{- else -}} - {{- printf "%s" (include "common.names.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{/* -Return true if we should use an existingSecret. -*/}} -{{- define "postgresql.useExistingSecret" -}} -{{- if or .Values.global.postgresql.existingSecret .Values.existingSecret -}} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Return true if a secret object should be created -*/}} -{{- define "postgresql.createSecret" -}} -{{- if not (include "postgresql.useExistingSecret" .) -}} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Get the configuration ConfigMap name. -*/}} -{{- define "postgresql.configurationCM" -}} -{{- if .Values.configurationConfigMap -}} -{{- printf "%s" (tpl .Values.configurationConfigMap $) -}} -{{- else -}} -{{- printf "%s-configuration" (include "common.names.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{/* -Get the extended configuration ConfigMap name. -*/}} -{{- define "postgresql.extendedConfigurationCM" -}} -{{- if .Values.extendedConfConfigMap -}} -{{- printf "%s" (tpl .Values.extendedConfConfigMap $) -}} -{{- else -}} -{{- printf "%s-extended-configuration" (include "common.names.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{/* -Return true if a configmap should be mounted with PostgreSQL configuration -*/}} -{{- define "postgresql.mountConfigurationCM" -}} -{{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} - {{- true -}} -{{- end -}} -{{- end -}} - -{{/* -Get the initialization scripts ConfigMap name. -*/}} -{{- define "postgresql.initdbScriptsCM" -}} -{{- if .Values.initdbScriptsConfigMap -}} -{{- printf "%s" (tpl .Values.initdbScriptsConfigMap $) -}} -{{- else -}} -{{- printf "%s-init-scripts" (include "common.names.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{/* -Get the initialization scripts Secret name. -*/}} -{{- define "postgresql.initdbScriptsSecret" -}} -{{- printf "%s" (tpl .Values.initdbScriptsSecret $) -}} -{{- end -}} - -{{/* -Get the metrics ConfigMap name. -*/}} -{{- define "postgresql.metricsCM" -}} -{{- printf "%s-metrics" (include "common.names.fullname" .) -}} -{{- end -}} - -{{/* -Get the readiness probe command -*/}} -{{- define "postgresql.readinessProbeCommand" -}} -- | -{{- if (include "postgresql.database" .) }} - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ template "postgresql.port" . }} -{{- else }} - exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} -{{- end }} -{{- if contains "bitnami/" .Values.image.repository }} - [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ] -{{- end -}} -{{- end -}} - -{{/* -Compile all warnings into a single message, and call fail. -*/}} -{{- define "postgresql.validateValues" -}} -{{- $messages := list -}} -{{- $messages := append $messages (include "postgresql.validateValues.ldapConfigurationMethod" .) -}} -{{- $messages := append $messages (include "postgresql.validateValues.psp" .) -}} -{{- $messages := append $messages (include "postgresql.validateValues.tls" .) -}} -{{- $messages := without $messages "" -}} -{{- $message := join "\n" $messages -}} - -{{- if $message -}} -{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} -{{- end -}} -{{- end -}} - -{{/* -Validate values of Postgresql - If ldap.url is used then you don't need the other settings for ldap -*/}} -{{- define "postgresql.validateValues.ldapConfigurationMethod" -}} -{{- if and .Values.ldap.enabled (and (not (empty .Values.ldap.url)) (not (empty .Values.ldap.server))) }} -postgresql: ldap.url, ldap.server - You cannot set both `ldap.url` and `ldap.server` at the same time. - Please provide a unique way to configure LDAP. - More info at https://www.postgresql.org/docs/current/auth-ldap.html -{{- end -}} -{{- end -}} - -{{/* -Validate values of Postgresql - If PSP is enabled RBAC should be enabled too -*/}} -{{- define "postgresql.validateValues.psp" -}} -{{- if and .Values.psp.create (not .Values.rbac.create) }} -postgresql: psp.create, rbac.create - RBAC should be enabled if PSP is enabled in order for PSP to work. - More info at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for podsecuritypolicy. -*/}} -{{- define "podsecuritypolicy.apiVersion" -}} -{{- if semverCompare "<1.10-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "extensions/v1beta1" -}} -{{- else -}} -{{- print "policy/v1beta1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for networkpolicy. -*/}} -{{- define "postgresql.networkPolicy.apiVersion" -}} -{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}} -"extensions/v1beta1" -{{- else if semverCompare "^1.7-0" .Capabilities.KubeVersion.GitVersion -}} -"networking.k8s.io/v1" -{{- end -}} -{{- end -}} - -{{/* -Validate values of Postgresql TLS - When TLS is enabled, so must be VolumePermissions -*/}} -{{- define "postgresql.validateValues.tls" -}} -{{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }} -postgresql: tls.enabled, volumePermissions.enabled - When TLS is enabled you must enable volumePermissions as well to ensure certificates files have - the right permissions. -{{- end -}} -{{- end -}} - -{{/* -Return the path to the cert file. -*/}} -{{- define "postgresql.tlsCert" -}} -{{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} -{{- end -}} - -{{/* -Return the path to the cert key file. -*/}} -{{- define "postgresql.tlsCertKey" -}} -{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} -{{- end -}} - -{{/* -Return the path to the CA cert file. -*/}} -{{- define "postgresql.tlsCACert" -}} -{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.certCAFilename -}} -{{- end -}} - -{{/* -Return the path to the CRL file. -*/}} -{{- define "postgresql.tlsCRL" -}} -{{- if .Values.tls.crlFilename -}} -{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.crlFilename -}} -{{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/postgresql/templates/configmap.yaml b/stable/ckan/charts/postgresql/templates/configmap.yaml deleted file mode 100644 index 4508f95a..00000000 --- a/stable/ckan/charts/postgresql/templates/configmap.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{ if and (or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration) (not .Values.configurationConfigMap) }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "common.names.fullname" . }}-configuration - labels: - {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -data: -{{- if (.Files.Glob "files/postgresql.conf") }} -{{ (.Files.Glob "files/postgresql.conf").AsConfig | indent 2 }} -{{- else if .Values.postgresqlConfiguration }} - postgresql.conf: | -{{- range $key, $value := default dict .Values.postgresqlConfiguration }} - {{ $key | snakecase }}={{ $value }} -{{- end }} -{{- end }} -{{- if (.Files.Glob "files/pg_hba.conf") }} -{{ (.Files.Glob "files/pg_hba.conf").AsConfig | indent 2 }} -{{- else if .Values.pgHbaConfiguration }} - pg_hba.conf: | -{{ .Values.pgHbaConfiguration | indent 4 }} -{{- end }} -{{ end }} diff --git a/stable/ckan/charts/postgresql/templates/extended-config-configmap.yaml b/stable/ckan/charts/postgresql/templates/extended-config-configmap.yaml deleted file mode 100644 index 5ccdb08f..00000000 --- a/stable/ckan/charts/postgresql/templates/extended-config-configmap.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if and (or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf) (not .Values.extendedConfConfigMap)}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "common.names.fullname" . }}-extended-configuration - labels: - {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -data: -{{- with .Files.Glob "files/conf.d/*.conf" }} -{{ .AsConfig | indent 2 }} -{{- end }} -{{ with .Values.postgresqlExtendedConf }} - override.conf: | -{{- range $key, $value := . }} - {{ $key | snakecase }}={{ $value }} -{{- end }} -{{- end }} -{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/extra-list.yaml b/stable/ckan/charts/postgresql/templates/extra-list.yaml deleted file mode 100644 index 9ac65f9e..00000000 --- a/stable/ckan/charts/postgresql/templates/extra-list.yaml +++ /dev/null @@ -1,4 +0,0 @@ -{{- range .Values.extraDeploy }} ---- -{{ include "common.tplvalues.render" (dict "value" . "context" $) }} -{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/initialization-configmap.yaml b/stable/ckan/charts/postgresql/templates/initialization-configmap.yaml deleted file mode 100644 index 074ed582..00000000 --- a/stable/ckan/charts/postgresql/templates/initialization-configmap.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if and (or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScripts) (not .Values.initdbScriptsConfigMap) }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "common.names.fullname" . }}-init-scripts - labels: - {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.sql.gz" }} -binaryData: -{{- range $path, $bytes := . }} - {{ base $path }}: {{ $.Files.Get $path | b64enc | quote }} -{{- end }} -{{- end }} -data: -{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql}" }} -{{ .AsConfig | indent 2 }} -{{- end }} -{{- with .Values.initdbScripts }} -{{ toYaml . | indent 2 }} -{{- end }} -{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/metrics-configmap.yaml b/stable/ckan/charts/postgresql/templates/metrics-configmap.yaml deleted file mode 100644 index 6216eca8..00000000 --- a/stable/ckan/charts/postgresql/templates/metrics-configmap.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "postgresql.metricsCM" . }} - labels: - {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -data: - custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }} -{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/metrics-svc.yaml b/stable/ckan/charts/postgresql/templates/metrics-svc.yaml deleted file mode 100644 index a8f7b331..00000000 --- a/stable/ckan/charts/postgresql/templates/metrics-svc.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- if .Values.metrics.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "common.names.fullname" . }}-metrics - labels: - {{- include "common.labels.standard" . | nindent 4 }} - annotations: - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- toYaml .Values.metrics.service.annotations | nindent 4 }} -spec: - type: {{ .Values.metrics.service.type }} - {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }} - {{- end }} - ports: - - name: http-metrics - port: 9187 - targetPort: http-metrics - selector: - {{- include "common.labels.matchLabels" . | nindent 4 }} - role: primary -{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/networkpolicy.yaml b/stable/ckan/charts/postgresql/templates/networkpolicy.yaml deleted file mode 100644 index ef48ba18..00000000 --- a/stable/ckan/charts/postgresql/templates/networkpolicy.yaml +++ /dev/null @@ -1,38 +0,0 @@ -{{- if .Values.networkPolicy.enabled }} -kind: NetworkPolicy -apiVersion: {{ template "postgresql.networkPolicy.apiVersion" . }} -metadata: - name: {{ template "common.names.fullname" . }} - labels: - {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: - {{- include "common.labels.matchLabels" . | nindent 6 }} - ingress: - # Allow inbound connections - - ports: - - port: {{ template "postgresql.port" . }} - {{- if not .Values.networkPolicy.allowExternal }} - from: - - podSelector: - matchLabels: - {{ template "common.names.fullname" . }}-client: "true" - {{- if .Values.networkPolicy.explicitNamespacesSelector }} - namespaceSelector: -{{ toYaml .Values.networkPolicy.explicitNamespacesSelector | indent 12 }} - {{- end }} - - podSelector: - matchLabels: - {{- include "common.labels.matchLabels" . | nindent 14 }} - role: read - {{- end }} - {{- if .Values.metrics.enabled }} - # Allow prometheus scrapes - - ports: - - port: 9187 - {{- end }} -{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/podsecuritypolicy.yaml b/stable/ckan/charts/postgresql/templates/podsecuritypolicy.yaml deleted file mode 100644 index a79ebf16..00000000 --- a/stable/ckan/charts/postgresql/templates/podsecuritypolicy.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{- if .Values.psp.create }} -apiVersion: {{ include "podsecuritypolicy.apiVersion" . }} -kind: PodSecurityPolicy -metadata: - name: {{ template "common.names.fullname" . }} - labels: - {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - privileged: false - volumes: - - 'configMap' - - 'secret' - - 'persistentVolumeClaim' - - 'emptyDir' - - 'projected' - hostNetwork: false - hostIPC: false - hostPID: false - runAsUser: - rule: 'RunAsAny' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - fsGroup: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - readOnlyRootFilesystem: false -{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/prometheusrule.yaml b/stable/ckan/charts/postgresql/templates/prometheusrule.yaml deleted file mode 100644 index d0f408c7..00000000 --- a/stable/ckan/charts/postgresql/templates/prometheusrule.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: {{ template "common.names.fullname" . }} -{{- with .Values.metrics.prometheusRule.namespace }} - namespace: {{ . }} -{{- end }} - labels: - {{- include "common.labels.standard" . | nindent 4 }} - {{- with .Values.metrics.prometheusRule.additionalLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: -{{- with .Values.metrics.prometheusRule.rules }} - groups: - - name: {{ template "postgresql.name" $ }} - rules: {{ tpl (toYaml .) $ | nindent 8 }} -{{- end }} -{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/role.yaml b/stable/ckan/charts/postgresql/templates/role.yaml deleted file mode 100644 index 5a6de335..00000000 --- a/stable/ckan/charts/postgresql/templates/role.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.rbac.create }} -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "common.names.fullname" . }} - labels: - {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -rules: - {{- if .Values.psp.create }} - - apiGroups: ["extensions"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: - - {{ template "common.names.fullname" . }} - {{- end }} -{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/rolebinding.yaml b/stable/ckan/charts/postgresql/templates/rolebinding.yaml deleted file mode 100644 index 2bdb1c5e..00000000 --- a/stable/ckan/charts/postgresql/templates/rolebinding.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.rbac.create }} -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "common.names.fullname" . }} - labels: - {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -roleRef: - kind: Role - name: {{ template "common.names.fullname" . }} - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ default (include "common.names.fullname" . ) .Values.serviceAccount.name }} - namespace: {{ .Release.Namespace }} -{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/secrets.yaml b/stable/ckan/charts/postgresql/templates/secrets.yaml deleted file mode 100644 index 8351cbe8..00000000 --- a/stable/ckan/charts/postgresql/templates/secrets.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if (include "postgresql.createSecret" .) }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "common.names.fullname" . }} - labels: - {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -type: Opaque -data: - postgresql-postgres-password: {{ include "postgresql.postgres.password" . | b64enc | quote }} - postgresql-password: {{ include "postgresql.password" . | b64enc | quote }} - {{- if .Values.replication.enabled }} - postgresql-replication-password: {{ include "postgresql.replication.password" . | b64enc | quote }} - {{- end }} - {{- if (and .Values.ldap.enabled .Values.ldap.bind_password)}} - postgresql-ldap-password: {{ .Values.ldap.bind_password | b64enc | quote }} - {{- end }} -{{- end -}} diff --git a/stable/ckan/charts/postgresql/templates/serviceaccount.yaml b/stable/ckan/charts/postgresql/templates/serviceaccount.yaml deleted file mode 100644 index 8cba31e4..00000000 --- a/stable/ckan/charts/postgresql/templates/serviceaccount.yaml +++ /dev/null @@ -1,11 +0,0 @@ -{{- if and (.Values.serviceAccount.enabled) (not .Values.serviceAccount.name) }} -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - {{- include "common.labels.standard" . | nindent 4 }} - name: {{ template "common.names.fullname" . }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/servicemonitor.yaml b/stable/ckan/charts/postgresql/templates/servicemonitor.yaml deleted file mode 100644 index 587ce85b..00000000 --- a/stable/ckan/charts/postgresql/templates/servicemonitor.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "common.names.fullname" . }} - {{- if .Values.metrics.serviceMonitor.namespace }} - namespace: {{ .Values.metrics.serviceMonitor.namespace }} - {{- end }} - labels: - {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.metrics.serviceMonitor.additionalLabels }} - {{- toYaml .Values.metrics.serviceMonitor.additionalLabels | nindent 4 }} - {{- end }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - -spec: - endpoints: - - port: http-metrics - {{- if .Values.metrics.serviceMonitor.interval }} - interval: {{ .Values.metrics.serviceMonitor.interval }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} - scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} - {{- end }} - namespaceSelector: - matchNames: - - {{ .Release.Namespace }} - selector: - matchLabels: - {{- include "common.labels.matchLabels" . | nindent 6 }} -{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/statefulset-readreplicas.yaml b/stable/ckan/charts/postgresql/templates/statefulset-readreplicas.yaml deleted file mode 100644 index 1f5b9704..00000000 --- a/stable/ckan/charts/postgresql/templates/statefulset-readreplicas.yaml +++ /dev/null @@ -1,410 +0,0 @@ -{{- if .Values.replication.enabled }} -{{- $readReplicasResources := coalesce .Values.readReplicas.resources .Values.resources -}} -apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} -kind: StatefulSet -metadata: - name: "{{ template "common.names.fullname" . }}-read" - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: read -{{- with .Values.readReplicas.labels }} -{{ toYaml . | indent 4 }} -{{- end }} - annotations: - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- with .Values.readReplicas.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - serviceName: {{ template "common.names.fullname" . }}-headless - replicas: {{ .Values.replication.readReplicas }} - selector: - matchLabels: - {{- include "common.labels.matchLabels" . | nindent 6 }} - role: read - template: - metadata: - name: {{ template "common.names.fullname" . }} - labels: - {{- include "common.labels.standard" . | nindent 8 }} - app.kubernetes.io/component: read - role: read -{{- with .Values.readReplicas.podLabels }} -{{ toYaml . | indent 8 }} -{{- end }} -{{- with .Values.readReplicas.podAnnotations }} - annotations: -{{ toYaml . | indent 8 }} -{{- end }} - spec: - {{- if .Values.schedulerName }} - schedulerName: "{{ .Values.schedulerName }}" - {{- end }} -{{- include "postgresql.imagePullSecrets" . | indent 6 }} - {{- if .Values.readReplicas.affinity }} - affinity: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.affinity "context" $) | nindent 8 }} - {{- else }} - affinity: - podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAffinityPreset "component" "read" "context" $) | nindent 10 }} - podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAntiAffinityPreset "component" "read" "context" $) | nindent 10 }} - nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.readReplicas.nodeAffinityPreset.type "key" .Values.readReplicas.nodeAffinityPreset.key "values" .Values.readReplicas.nodeAffinityPreset.values) | nindent 10 }} - {{- end }} - {{- if .Values.readReplicas.nodeSelector }} - nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.nodeSelector "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.readReplicas.tolerations }} - tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.tolerations "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.terminationGracePeriodSeconds }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - {{- end }} - {{- if .Values.securityContext.enabled }} - securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }} - {{- end }} - {{- if .Values.serviceAccount.enabled }} - serviceAccountName: {{ default (include "common.names.fullname" . ) .Values.serviceAccount.name}} - {{- end }} - {{- if or .Values.readReplicas.extraInitContainers (and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled))) }} - initContainers: - {{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled) .Values.tls.enabled) }} - - name: init-chmod-data - image: {{ template "postgresql.volumePermissions.image" . }} - imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - {{- if .Values.resources }} - resources: {{- toYaml .Values.resources | nindent 12 }} - {{- end }} - command: - - /bin/sh - - -cx - - | - {{- if .Values.persistence.enabled }} - {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} - chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.persistence.mountPath }} - {{- else }} - chown {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} {{ .Values.persistence.mountPath }} - {{- end }} - mkdir -p {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} - chmod 700 {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} - find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ - {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} - xargs chown -R `id -u`:`id -G | cut -d " " -f2` - {{- else }} - xargs chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} - {{- end }} - {{- end }} - {{- if and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled }} - chmod -R 777 /dev/shm - {{- end }} - {{- if .Values.tls.enabled }} - cp /tmp/certs/* /opt/bitnami/postgresql/certs/ - {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} - chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ - {{- else }} - chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} /opt/bitnami/postgresql/certs/ - {{- end }} - chmod 600 {{ template "postgresql.tlsCertKey" . }} - {{- end }} - {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} - securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} - {{- else }} - securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} - {{- end }} - volumeMounts: - {{ if .Values.persistence.enabled }} - - name: data - mountPath: {{ .Values.persistence.mountPath }} - subPath: {{ .Values.persistence.subPath }} - {{- end }} - {{- if .Values.shmVolume.enabled }} - - name: dshm - mountPath: /dev/shm - {{- end }} - {{- if .Values.tls.enabled }} - - name: raw-certificates - mountPath: /tmp/certs - - name: postgresql-certificates - mountPath: /opt/bitnami/postgresql/certs - {{- end }} - {{- end }} - {{- if .Values.readReplicas.extraInitContainers }} - {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extraInitContainers "context" $ ) | nindent 8 }} - {{- end }} - {{- end }} - {{- if .Values.readReplicas.priorityClassName }} - priorityClassName: {{ .Values.readReplicas.priorityClassName }} - {{- end }} - containers: - - name: {{ template "common.names.fullname" . }} - image: {{ template "postgresql.image" . }} - imagePullPolicy: "{{ .Values.image.pullPolicy }}" - {{- if $readReplicasResources }} - resources: {{- toYaml $readReplicasResources | nindent 12 }} - {{- end }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - env: - - name: BITNAMI_DEBUG - value: {{ ternary "true" "false" .Values.image.debug | quote }} - - name: POSTGRESQL_VOLUME_DIR - value: "{{ .Values.persistence.mountPath }}" - - name: POSTGRESQL_PORT_NUMBER - value: "{{ template "postgresql.port" . }}" - {{- if .Values.persistence.mountPath }} - - name: PGDATA - value: {{ .Values.postgresqlDataDir | quote }} - {{- end }} - - name: POSTGRES_REPLICATION_MODE - value: "slave" - - name: POSTGRES_REPLICATION_USER - value: {{ include "postgresql.replication.username" . | quote }} - {{- if .Values.usePasswordFile }} - - name: POSTGRES_REPLICATION_PASSWORD_FILE - value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password" - {{- else }} - - name: POSTGRES_REPLICATION_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "postgresql.secretName" . }} - key: postgresql-replication-password - {{- end }} - - name: POSTGRES_CLUSTER_APP_NAME - value: {{ .Values.replication.applicationName }} - - name: POSTGRES_MASTER_HOST - value: {{ template "common.names.fullname" . }} - - name: POSTGRES_MASTER_PORT_NUMBER - value: {{ include "postgresql.port" . | quote }} - {{- if and (not (eq .Values.postgresqlUsername "postgres")) (or .Values.postgresqlPostgresPassword (include "postgresql.useExistingSecret" .)) }} - {{- if .Values.usePasswordFile }} - - name: POSTGRES_POSTGRES_PASSWORD_FILE - value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password" - {{- else }} - - name: POSTGRES_POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "postgresql.secretName" . }} - key: postgresql-postgres-password - {{- end }} - {{- end }} - {{- if .Values.usePasswordFile }} - - name: POSTGRES_PASSWORD_FILE - value: "/opt/bitnami/postgresql/secrets/postgresql-password" - {{- else }} - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "postgresql.secretName" . }} - key: postgresql-password - {{- end }} - - name: POSTGRESQL_ENABLE_TLS - value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} - {{- if .Values.tls.enabled }} - - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS - value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} - - name: POSTGRESQL_TLS_CERT_FILE - value: {{ template "postgresql.tlsCert" . }} - - name: POSTGRESQL_TLS_KEY_FILE - value: {{ template "postgresql.tlsCertKey" . }} - {{- if .Values.tls.certCAFilename }} - - name: POSTGRESQL_TLS_CA_FILE - value: {{ template "postgresql.tlsCACert" . }} - {{- end }} - {{- if .Values.tls.crlFilename }} - - name: POSTGRESQL_TLS_CRL_FILE - value: {{ template "postgresql.tlsCRL" . }} - {{- end }} - {{- end }} - - name: POSTGRESQL_LOG_HOSTNAME - value: {{ .Values.audit.logHostname | quote }} - - name: POSTGRESQL_LOG_CONNECTIONS - value: {{ .Values.audit.logConnections | quote }} - - name: POSTGRESQL_LOG_DISCONNECTIONS - value: {{ .Values.audit.logDisconnections | quote }} - {{- if .Values.audit.logLinePrefix }} - - name: POSTGRESQL_LOG_LINE_PREFIX - value: {{ .Values.audit.logLinePrefix | quote }} - {{- end }} - {{- if .Values.audit.logTimezone }} - - name: POSTGRESQL_LOG_TIMEZONE - value: {{ .Values.audit.logTimezone | quote }} - {{- end }} - {{- if .Values.audit.pgAuditLog }} - - name: POSTGRESQL_PGAUDIT_LOG - value: {{ .Values.audit.pgAuditLog | quote }} - {{- end }} - - name: POSTGRESQL_PGAUDIT_LOG_CATALOG - value: {{ .Values.audit.pgAuditLogCatalog | quote }} - - name: POSTGRESQL_CLIENT_MIN_MESSAGES - value: {{ .Values.audit.clientMinMessages | quote }} - - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES - value: {{ .Values.postgresqlSharedPreloadLibraries | quote }} - {{- if .Values.postgresqlMaxConnections }} - - name: POSTGRESQL_MAX_CONNECTIONS - value: {{ .Values.postgresqlMaxConnections | quote }} - {{- end }} - {{- if .Values.postgresqlPostgresConnectionLimit }} - - name: POSTGRESQL_POSTGRES_CONNECTION_LIMIT - value: {{ .Values.postgresqlPostgresConnectionLimit | quote }} - {{- end }} - {{- if .Values.postgresqlDbUserConnectionLimit }} - - name: POSTGRESQL_USERNAME_CONNECTION_LIMIT - value: {{ .Values.postgresqlDbUserConnectionLimit | quote }} - {{- end }} - {{- if .Values.postgresqlTcpKeepalivesInterval }} - - name: POSTGRESQL_TCP_KEEPALIVES_INTERVAL - value: {{ .Values.postgresqlTcpKeepalivesInterval | quote }} - {{- end }} - {{- if .Values.postgresqlTcpKeepalivesIdle }} - - name: POSTGRESQL_TCP_KEEPALIVES_IDLE - value: {{ .Values.postgresqlTcpKeepalivesIdle | quote }} - {{- end }} - {{- if .Values.postgresqlStatementTimeout }} - - name: POSTGRESQL_STATEMENT_TIMEOUT - value: {{ .Values.postgresqlStatementTimeout | quote }} - {{- end }} - {{- if .Values.postgresqlTcpKeealivesCount }} - - name: POSTGRESQL_TCP_KEEPALIVES_COUNT - value: {{ .Values.postgresqlTcpKeealivesCount | quote }} - {{- end }} - {{- if .Values.postgresqlPghbaRemoveFilters }} - - name: POSTGRESQL_PGHBA_REMOVE_FILTERS - value: {{ .Values.postgresqlPghbaRemoveFilters | quote }} - {{- end }} - ports: - - name: tcp-postgresql - containerPort: {{ template "postgresql.port" . }} - {{- if .Values.livenessProbe.enabled }} - livenessProbe: - exec: - command: - - /bin/sh - - -c - {{- if (include "postgresql.database" .) }} - - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ template "postgresql.port" . }} - {{- else }} - - exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} - {{- end }} - initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.livenessProbe.failureThreshold }} - {{- else if .Values.customLivenessProbe }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.readinessProbe.enabled }} - readinessProbe: - exec: - command: - - /bin/sh - - -c - - -e - {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} - initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.readinessProbe.failureThreshold }} - {{- else if .Values.customReadinessProbe }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} - {{- end }} - volumeMounts: - {{- if .Values.usePasswordFile }} - - name: postgresql-password - mountPath: /opt/bitnami/postgresql/secrets/ - {{- end }} - {{- if .Values.shmVolume.enabled }} - - name: dshm - mountPath: /dev/shm - {{- end }} - {{- if .Values.persistence.enabled }} - - name: data - mountPath: {{ .Values.persistence.mountPath }} - subPath: {{ .Values.persistence.subPath }} - {{ end }} - {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} - - name: postgresql-extended-config - mountPath: /bitnami/postgresql/conf/conf.d/ - {{- end }} - {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} - - name: postgresql-config - mountPath: /bitnami/postgresql/conf - {{- end }} - {{- if .Values.tls.enabled }} - - name: postgresql-certificates - mountPath: /opt/bitnami/postgresql/certs - readOnly: true - {{- end }} - {{- if .Values.readReplicas.extraVolumeMounts }} - {{- toYaml .Values.readReplicas.extraVolumeMounts | nindent 12 }} - {{- end }} -{{- if .Values.readReplicas.sidecars }} -{{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.sidecars "context" $ ) | nindent 8 }} -{{- end }} - volumes: - {{- if .Values.usePasswordFile }} - - name: postgresql-password - secret: - secretName: {{ template "postgresql.secretName" . }} - {{- end }} - {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}} - - name: postgresql-config - configMap: - name: {{ template "postgresql.configurationCM" . }} - {{- end }} - {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} - - name: postgresql-extended-config - configMap: - name: {{ template "postgresql.extendedConfigurationCM" . }} - {{- end }} - {{- if .Values.tls.enabled }} - - name: raw-certificates - secret: - secretName: {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }} - - name: postgresql-certificates - emptyDir: {} - {{- end }} - {{- if .Values.shmVolume.enabled }} - - name: dshm - emptyDir: - medium: Memory - sizeLimit: 1Gi - {{- end }} - {{- if or (not .Values.persistence.enabled) (not .Values.readReplicas.persistence.enabled) }} - - name: data - emptyDir: {} - {{- end }} - {{- if .Values.readReplicas.extraVolumes }} - {{- toYaml .Values.readReplicas.extraVolumes | nindent 8 }} - {{- end }} - updateStrategy: - type: {{ .Values.updateStrategy.type }} - {{- if (eq "Recreate" .Values.updateStrategy.type) }} - rollingUpdate: null - {{- end }} -{{- if and .Values.persistence.enabled .Values.readReplicas.persistence.enabled }} - volumeClaimTemplates: - - metadata: - name: data - {{- with .Values.persistence.annotations }} - annotations: - {{- range $key, $value := . }} - {{ $key }}: {{ $value }} - {{- end }} - {{- end }} - spec: - accessModes: - {{- range .Values.persistence.accessModes }} - - {{ . | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} - {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} - - {{- if .Values.persistence.selector }} - selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.selector "context" $) | nindent 10 }} - {{- end -}} -{{- end }} -{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/statefulset.yaml b/stable/ckan/charts/postgresql/templates/statefulset.yaml deleted file mode 100644 index 1c1d2dba..00000000 --- a/stable/ckan/charts/postgresql/templates/statefulset.yaml +++ /dev/null @@ -1,589 +0,0 @@ -apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} -kind: StatefulSet -metadata: - name: {{ template "postgresql.primary.fullname" . }} - labels: {{- include "common.labels.standard" . | nindent 4 }} - app.kubernetes.io/component: primary - {{- with .Values.primary.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - annotations: - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- with .Values.primary.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - serviceName: {{ template "common.names.fullname" . }}-headless - replicas: 1 - updateStrategy: - type: {{ .Values.updateStrategy.type }} - {{- if (eq "Recreate" .Values.updateStrategy.type) }} - rollingUpdate: null - {{- end }} - selector: - matchLabels: - {{- include "common.labels.matchLabels" . | nindent 6 }} - role: primary - template: - metadata: - name: {{ template "common.names.fullname" . }} - labels: - {{- include "common.labels.standard" . | nindent 8 }} - role: primary - app.kubernetes.io/component: primary - {{- with .Values.primary.podLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.primary.podAnnotations }} - annotations: {{- toYaml . | nindent 8 }} - {{- end }} - spec: - {{- if .Values.schedulerName }} - schedulerName: "{{ .Values.schedulerName }}" - {{- end }} -{{- include "postgresql.imagePullSecrets" . | indent 6 }} - {{- if .Values.primary.affinity }} - affinity: {{- include "common.tplvalues.render" (dict "value" .Values.primary.affinity "context" $) | nindent 8 }} - {{- else }} - affinity: - podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAffinityPreset "component" "primary" "context" $) | nindent 10 }} - podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAntiAffinityPreset "component" "primary" "context" $) | nindent 10 }} - nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.primary.nodeAffinityPreset.type "key" .Values.primary.nodeAffinityPreset.key "values" .Values.primary.nodeAffinityPreset.values) | nindent 10 }} - {{- end }} - {{- if .Values.primary.nodeSelector }} - nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.nodeSelector "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.primary.tolerations }} - tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.tolerations "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.terminationGracePeriodSeconds }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - {{- end }} - {{- if .Values.securityContext.enabled }} - securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }} - {{- end }} - {{- if .Values.serviceAccount.enabled }} - serviceAccountName: {{ default (include "common.names.fullname" . ) .Values.serviceAccount.name }} - {{- end }} - {{- if or .Values.primary.extraInitContainers (and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled))) }} - initContainers: - {{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled) .Values.tls.enabled) }} - - name: init-chmod-data - image: {{ template "postgresql.volumePermissions.image" . }} - imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - {{- if .Values.resources }} - resources: {{- toYaml .Values.resources | nindent 12 }} - {{- end }} - command: - - /bin/sh - - -cx - - | - {{- if .Values.persistence.enabled }} - {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} - chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.persistence.mountPath }} - {{- else }} - chown {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} {{ .Values.persistence.mountPath }} - {{- end }} - mkdir -p {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} - chmod 700 {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }} - find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ - {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} - xargs chown -R `id -u`:`id -G | cut -d " " -f2` - {{- else }} - xargs chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} - {{- end }} - {{- end }} - {{- if and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled }} - chmod -R 777 /dev/shm - {{- end }} - {{- if .Values.tls.enabled }} - cp /tmp/certs/* /opt/bitnami/postgresql/certs/ - {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} - chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ - {{- else }} - chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} /opt/bitnami/postgresql/certs/ - {{- end }} - chmod 600 {{ template "postgresql.tlsCertKey" . }} - {{- end }} - {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} - securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} - {{- else }} - securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} - {{- end }} - volumeMounts: - {{- if .Values.persistence.enabled }} - - name: data - mountPath: {{ .Values.persistence.mountPath }} - subPath: {{ .Values.persistence.subPath }} - {{- end }} - {{- if .Values.shmVolume.enabled }} - - name: dshm - mountPath: /dev/shm - {{- end }} - {{- if .Values.tls.enabled }} - - name: raw-certificates - mountPath: /tmp/certs - - name: postgresql-certificates - mountPath: /opt/bitnami/postgresql/certs - {{- end }} - {{- end }} - {{- if .Values.primary.extraInitContainers }} - {{- include "common.tplvalues.render" ( dict "value" .Values.primary.extraInitContainers "context" $ ) | nindent 8 }} - {{- end }} - {{- end }} - {{- if .Values.primary.priorityClassName }} - priorityClassName: {{ .Values.primary.priorityClassName }} - {{- end }} - containers: - - name: {{ template "common.names.fullname" . }} - image: {{ template "postgresql.image" . }} - imagePullPolicy: "{{ .Values.image.pullPolicy }}" - {{- if .Values.resources }} - resources: {{- toYaml .Values.resources | nindent 12 }} - {{- end }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - env: - - name: BITNAMI_DEBUG - value: {{ ternary "true" "false" .Values.image.debug | quote }} - - name: POSTGRESQL_PORT_NUMBER - value: "{{ template "postgresql.port" . }}" - - name: POSTGRESQL_VOLUME_DIR - value: "{{ .Values.persistence.mountPath }}" - {{- if .Values.postgresqlInitdbArgs }} - - name: POSTGRES_INITDB_ARGS - value: {{ .Values.postgresqlInitdbArgs | quote }} - {{- end }} - {{- if .Values.postgresqlInitdbWalDir }} - - name: POSTGRES_INITDB_WALDIR - value: {{ .Values.postgresqlInitdbWalDir | quote }} - {{- end }} - {{- if .Values.initdbUser }} - - name: POSTGRESQL_INITSCRIPTS_USERNAME - value: {{ .Values.initdbUser }} - {{- end }} - {{- if .Values.initdbPassword }} - - name: POSTGRESQL_INITSCRIPTS_PASSWORD - value: {{ .Values.initdbPassword }} - {{- end }} - {{- if .Values.persistence.mountPath }} - - name: PGDATA - value: {{ .Values.postgresqlDataDir | quote }} - {{- end }} - {{- if .Values.primaryAsStandBy.enabled }} - - name: POSTGRES_MASTER_HOST - value: {{ .Values.primaryAsStandBy.primaryHost }} - - name: POSTGRES_MASTER_PORT_NUMBER - value: {{ .Values.primaryAsStandBy.primaryPort | quote }} - {{- end }} - {{- if or .Values.replication.enabled .Values.primaryAsStandBy.enabled }} - - name: POSTGRES_REPLICATION_MODE - {{- if .Values.primaryAsStandBy.enabled }} - value: "slave" - {{- else }} - value: "master" - {{- end }} - - name: POSTGRES_REPLICATION_USER - value: {{ include "postgresql.replication.username" . | quote }} - {{- if .Values.usePasswordFile }} - - name: POSTGRES_REPLICATION_PASSWORD_FILE - value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password" - {{- else }} - - name: POSTGRES_REPLICATION_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "postgresql.secretName" . }} - key: postgresql-replication-password - {{- end }} - {{- if not (eq .Values.replication.synchronousCommit "off")}} - - name: POSTGRES_SYNCHRONOUS_COMMIT_MODE - value: {{ .Values.replication.synchronousCommit | quote }} - - name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS - value: {{ .Values.replication.numSynchronousReplicas | quote }} - {{- end }} - - name: POSTGRES_CLUSTER_APP_NAME - value: {{ .Values.replication.applicationName }} - {{- end }} - {{- if not (eq (include "postgresql.username" .) "postgres") }} - {{- if .Values.usePasswordFile }} - - name: POSTGRES_POSTGRES_PASSWORD_FILE - value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password" - {{- else }} - - name: POSTGRES_POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "postgresql.secretName" . }} - key: postgresql-postgres-password - {{- end }} - {{- end }} - - name: POSTGRES_USER - value: {{ include "postgresql.username" . | quote }} - {{- if .Values.usePasswordFile }} - - name: POSTGRES_PASSWORD_FILE - value: "/opt/bitnami/postgresql/secrets/postgresql-password" - {{- else }} - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "postgresql.secretName" . }} - key: postgresql-password - {{- end }} - {{- if (include "postgresql.database" .) }} - - name: POSTGRES_DB - value: {{ (include "postgresql.database" .) | quote }} - {{- end }} - {{- if .Values.extraEnv }} - {{- include "common.tplvalues.render" (dict "value" .Values.extraEnv "context" $) | nindent 12 }} - {{- end }} - - name: POSTGRESQL_ENABLE_LDAP - value: {{ ternary "yes" "no" .Values.ldap.enabled | quote }} - {{- if .Values.ldap.enabled }} - - name: POSTGRESQL_LDAP_SERVER - value: {{ .Values.ldap.server }} - - name: POSTGRESQL_LDAP_PORT - value: {{ .Values.ldap.port | quote }} - - name: POSTGRESQL_LDAP_SCHEME - value: {{ .Values.ldap.scheme }} - {{- if .Values.ldap.tls }} - - name: POSTGRESQL_LDAP_TLS - value: "1" - {{- end }} - - name: POSTGRESQL_LDAP_PREFIX - value: {{ .Values.ldap.prefix | quote }} - - name: POSTGRESQL_LDAP_SUFFIX - value: {{ .Values.ldap.suffix | quote }} - - name: POSTGRESQL_LDAP_BASE_DN - value: {{ .Values.ldap.baseDN }} - - name: POSTGRESQL_LDAP_BIND_DN - value: {{ .Values.ldap.bindDN }} - {{- if (not (empty .Values.ldap.bind_password)) }} - - name: POSTGRESQL_LDAP_BIND_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "postgresql.secretName" . }} - key: postgresql-ldap-password - {{- end}} - - name: POSTGRESQL_LDAP_SEARCH_ATTR - value: {{ .Values.ldap.search_attr }} - - name: POSTGRESQL_LDAP_SEARCH_FILTER - value: {{ .Values.ldap.search_filter }} - - name: POSTGRESQL_LDAP_URL - value: {{ .Values.ldap.url }} - {{- end}} - - name: POSTGRESQL_ENABLE_TLS - value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} - {{- if .Values.tls.enabled }} - - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS - value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} - - name: POSTGRESQL_TLS_CERT_FILE - value: {{ template "postgresql.tlsCert" . }} - - name: POSTGRESQL_TLS_KEY_FILE - value: {{ template "postgresql.tlsCertKey" . }} - {{- if .Values.tls.certCAFilename }} - - name: POSTGRESQL_TLS_CA_FILE - value: {{ template "postgresql.tlsCACert" . }} - {{- end }} - {{- if .Values.tls.crlFilename }} - - name: POSTGRESQL_TLS_CRL_FILE - value: {{ template "postgresql.tlsCRL" . }} - {{- end }} - {{- end }} - - name: POSTGRESQL_LOG_HOSTNAME - value: {{ .Values.audit.logHostname | quote }} - - name: POSTGRESQL_LOG_CONNECTIONS - value: {{ .Values.audit.logConnections | quote }} - - name: POSTGRESQL_LOG_DISCONNECTIONS - value: {{ .Values.audit.logDisconnections | quote }} - {{- if .Values.audit.logLinePrefix }} - - name: POSTGRESQL_LOG_LINE_PREFIX - value: {{ .Values.audit.logLinePrefix | quote }} - {{- end }} - {{- if .Values.audit.logTimezone }} - - name: POSTGRESQL_LOG_TIMEZONE - value: {{ .Values.audit.logTimezone | quote }} - {{- end }} - {{- if .Values.audit.pgAuditLog }} - - name: POSTGRESQL_PGAUDIT_LOG - value: {{ .Values.audit.pgAuditLog | quote }} - {{- end }} - - name: POSTGRESQL_PGAUDIT_LOG_CATALOG - value: {{ .Values.audit.pgAuditLogCatalog | quote }} - - name: POSTGRESQL_CLIENT_MIN_MESSAGES - value: {{ .Values.audit.clientMinMessages | quote }} - - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES - value: {{ .Values.postgresqlSharedPreloadLibraries | quote }} - {{- if .Values.postgresqlMaxConnections }} - - name: POSTGRESQL_MAX_CONNECTIONS - value: {{ .Values.postgresqlMaxConnections | quote }} - {{- end }} - {{- if .Values.postgresqlPostgresConnectionLimit }} - - name: POSTGRESQL_POSTGRES_CONNECTION_LIMIT - value: {{ .Values.postgresqlPostgresConnectionLimit | quote }} - {{- end }} - {{- if .Values.postgresqlDbUserConnectionLimit }} - - name: POSTGRESQL_USERNAME_CONNECTION_LIMIT - value: {{ .Values.postgresqlDbUserConnectionLimit | quote }} - {{- end }} - {{- if .Values.postgresqlTcpKeepalivesInterval }} - - name: POSTGRESQL_TCP_KEEPALIVES_INTERVAL - value: {{ .Values.postgresqlTcpKeepalivesInterval | quote }} - {{- end }} - {{- if .Values.postgresqlTcpKeepalivesIdle }} - - name: POSTGRESQL_TCP_KEEPALIVES_IDLE - value: {{ .Values.postgresqlTcpKeepalivesIdle | quote }} - {{- end }} - {{- if .Values.postgresqlStatementTimeout }} - - name: POSTGRESQL_STATEMENT_TIMEOUT - value: {{ .Values.postgresqlStatementTimeout | quote }} - {{- end }} - {{- if .Values.postgresqlTcpKeealivesCount }} - - name: POSTGRESQL_TCP_KEEPALIVES_COUNT - value: {{ .Values.postgresqlTcpKeealivesCount | quote }} - {{- end }} - {{- if .Values.postgresqlPghbaRemoveFilters }} - - name: POSTGRESQL_PGHBA_REMOVE_FILTERS - value: {{ .Values.postgresqlPghbaRemoveFilters | quote }} - {{- end }} - {{- if .Values.extraEnvVarsCM }} - envFrom: - - configMapRef: - name: {{ tpl .Values.extraEnvVarsCM . }} - {{- end }} - ports: - - name: tcp-postgresql - containerPort: {{ template "postgresql.port" . }} - {{- if .Values.livenessProbe.enabled }} - livenessProbe: - exec: - command: - - /bin/sh - - -c - {{- if (include "postgresql.database" .) }} - - exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ template "postgresql.port" . }} - {{- else }} - - exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ template "postgresql.port" . }} - {{- end }} - initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.livenessProbe.failureThreshold }} - {{- else if .Values.customLivenessProbe }} - livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.readinessProbe.enabled }} - readinessProbe: - exec: - command: - - /bin/sh - - -c - - -e - {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} - initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.readinessProbe.failureThreshold }} - {{- else if .Values.customReadinessProbe }} - readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} - {{- end }} - volumeMounts: - {{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }} - - name: custom-init-scripts - mountPath: /docker-entrypoint-initdb.d/ - {{- end }} - {{- if .Values.initdbScriptsSecret }} - - name: custom-init-scripts-secret - mountPath: /docker-entrypoint-initdb.d/secret - {{- end }} - {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} - - name: postgresql-extended-config - mountPath: /bitnami/postgresql/conf/conf.d/ - {{- end }} - {{- if .Values.usePasswordFile }} - - name: postgresql-password - mountPath: /opt/bitnami/postgresql/secrets/ - {{- end }} - {{- if .Values.tls.enabled }} - - name: postgresql-certificates - mountPath: /opt/bitnami/postgresql/certs - readOnly: true - {{- end }} - {{- if .Values.shmVolume.enabled }} - - name: dshm - mountPath: /dev/shm - {{- end }} - {{- if .Values.persistence.enabled }} - - name: data - mountPath: {{ .Values.persistence.mountPath }} - subPath: {{ .Values.persistence.subPath }} - {{- end }} - {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }} - - name: postgresql-config - mountPath: /bitnami/postgresql/conf - {{- end }} - {{- if .Values.primary.extraVolumeMounts }} - {{- toYaml .Values.primary.extraVolumeMounts | nindent 12 }} - {{- end }} -{{- if .Values.primary.sidecars }} -{{- include "common.tplvalues.render" ( dict "value" .Values.primary.sidecars "context" $ ) | nindent 8 }} -{{- end }} -{{- if .Values.metrics.enabled }} - - name: metrics - image: {{ template "postgresql.metrics.image" . }} - imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} - {{- if .Values.metrics.securityContext.enabled }} - securityContext: {{- omit .Values.metrics.securityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - env: - {{- $database := required "In order to enable metrics you need to specify a database (.Values.postgresqlDatabase or .Values.global.postgresql.postgresqlDatabase)" (include "postgresql.database" .) }} - {{- $sslmode := ternary "require" "disable" .Values.tls.enabled }} - {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} - - name: DATA_SOURCE_NAME - value: {{ printf "host=127.0.0.1 port=%d user=%s sslmode=%s sslcert=%s sslkey=%s" (int (include "postgresql.port" .)) (include "postgresql.username" .) $sslmode (include "postgresql.tlsCert" .) (include "postgresql.tlsCertKey" .) }} - {{- else }} - - name: DATA_SOURCE_URI - value: {{ printf "127.0.0.1:%d/%s?sslmode=%s" (int (include "postgresql.port" .)) $database $sslmode }} - {{- end }} - {{- if .Values.usePasswordFile }} - - name: DATA_SOURCE_PASS_FILE - value: "/opt/bitnami/postgresql/secrets/postgresql-password" - {{- else }} - - name: DATA_SOURCE_PASS - valueFrom: - secretKeyRef: - name: {{ template "postgresql.secretName" . }} - key: postgresql-password - {{- end }} - - name: DATA_SOURCE_USER - value: {{ template "postgresql.username" . }} - {{- if .Values.metrics.extraEnvVars }} - {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }} - {{- end }} - {{- if .Values.livenessProbe.enabled }} - livenessProbe: - httpGet: - path: / - port: http-metrics - initialDelaySeconds: {{ .Values.metrics.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.metrics.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.metrics.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.metrics.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.metrics.livenessProbe.failureThreshold }} - {{- end }} - {{- if .Values.readinessProbe.enabled }} - readinessProbe: - httpGet: - path: / - port: http-metrics - initialDelaySeconds: {{ .Values.metrics.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.metrics.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }} - {{- end }} - volumeMounts: - {{- if .Values.usePasswordFile }} - - name: postgresql-password - mountPath: /opt/bitnami/postgresql/secrets/ - {{- end }} - {{- if .Values.tls.enabled }} - - name: postgresql-certificates - mountPath: /opt/bitnami/postgresql/certs - readOnly: true - {{- end }} - {{- if .Values.metrics.customMetrics }} - - name: custom-metrics - mountPath: /conf - readOnly: true - args: ["--extend.query-path", "/conf/custom-metrics.yaml"] - {{- end }} - ports: - - name: http-metrics - containerPort: 9187 - {{- if .Values.metrics.resources }} - resources: {{- toYaml .Values.metrics.resources | nindent 12 }} - {{- end }} -{{- end }} - volumes: - {{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}} - - name: postgresql-config - configMap: - name: {{ template "postgresql.configurationCM" . }} - {{- end }} - {{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }} - - name: postgresql-extended-config - configMap: - name: {{ template "postgresql.extendedConfigurationCM" . }} - {{- end }} - {{- if .Values.usePasswordFile }} - - name: postgresql-password - secret: - secretName: {{ template "postgresql.secretName" . }} - {{- end }} - {{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }} - - name: custom-init-scripts - configMap: - name: {{ template "postgresql.initdbScriptsCM" . }} - {{- end }} - {{- if .Values.initdbScriptsSecret }} - - name: custom-init-scripts-secret - secret: - secretName: {{ template "postgresql.initdbScriptsSecret" . }} - {{- end }} - {{- if .Values.tls.enabled }} - - name: raw-certificates - secret: - secretName: {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }} - - name: postgresql-certificates - emptyDir: {} - {{- end }} - {{- if .Values.primary.extraVolumes }} - {{- toYaml .Values.primary.extraVolumes | nindent 8 }} - {{- end }} - {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} - - name: custom-metrics - configMap: - name: {{ template "postgresql.metricsCM" . }} - {{- end }} - {{- if .Values.shmVolume.enabled }} - - name: dshm - emptyDir: - medium: Memory - sizeLimit: 1Gi - {{- end }} -{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }} - - name: data - persistentVolumeClaim: -{{- with .Values.persistence.existingClaim }} - claimName: {{ tpl . $ }} -{{- end }} -{{- else if not .Values.persistence.enabled }} - - name: data - emptyDir: {} -{{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} - volumeClaimTemplates: - - metadata: - name: data - {{- with .Values.persistence.annotations }} - annotations: - {{- range $key, $value := . }} - {{ $key }}: {{ $value }} - {{- end }} - {{- end }} - spec: - accessModes: - {{- range .Values.persistence.accessModes }} - - {{ . | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} - {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} - {{- if .Values.persistence.selector }} - selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.selector "context" $) | nindent 10 }} - {{- end -}} -{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/svc-headless.yaml b/stable/ckan/charts/postgresql/templates/svc-headless.yaml deleted file mode 100644 index 6ad0dd5f..00000000 --- a/stable/ckan/charts/postgresql/templates/svc-headless.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "common.names.fullname" . }}-headless - labels: - {{- include "common.labels.standard" . | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - # Use this annotation in addition to the actual publishNotReadyAddresses - # field below because the annotation will stop being respected soon but the - # field is broken in some versions of Kubernetes: - # https://github.com/kubernetes/kubernetes/issues/58662 - service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" -spec: - type: ClusterIP - clusterIP: None - # We want all pods in the StatefulSet to have their addresses published for - # the sake of the other Postgresql pods even before they're ready, since they - # have to be able to talk to each other in order to become ready. - publishNotReadyAddresses: true - ports: - - name: tcp-postgresql - port: {{ template "postgresql.port" . }} - targetPort: tcp-postgresql - selector: - {{- include "common.labels.matchLabels" . | nindent 4 }} diff --git a/stable/ckan/charts/postgresql/templates/svc-read.yaml b/stable/ckan/charts/postgresql/templates/svc-read.yaml deleted file mode 100644 index 8c9ea54e..00000000 --- a/stable/ckan/charts/postgresql/templates/svc-read.yaml +++ /dev/null @@ -1,42 +0,0 @@ -{{- if .Values.replication.enabled }} -{{- $serviceAnnotations := coalesce .Values.readReplicas.service.annotations .Values.service.annotations -}} -{{- $serviceType := coalesce .Values.readReplicas.service.type .Values.service.type -}} -{{- $serviceLoadBalancerIP := coalesce .Values.readReplicas.service.loadBalancerIP .Values.service.loadBalancerIP -}} -{{- $serviceLoadBalancerSourceRanges := coalesce .Values.readReplicas.service.loadBalancerSourceRanges .Values.service.loadBalancerSourceRanges -}} -{{- $serviceClusterIP := coalesce .Values.readReplicas.service.clusterIP .Values.service.clusterIP -}} -{{- $serviceNodePort := coalesce .Values.readReplicas.service.nodePort .Values.service.nodePort -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "common.names.fullname" . }}-read - labels: - {{- include "common.labels.standard" . | nindent 4 }} - annotations: - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if $serviceAnnotations }} - {{- include "common.tplvalues.render" (dict "value" $serviceAnnotations "context" $) | nindent 4 }} - {{- end }} -spec: - type: {{ $serviceType }} - {{- if and $serviceLoadBalancerIP (eq $serviceType "LoadBalancer") }} - loadBalancerIP: {{ $serviceLoadBalancerIP }} - {{- end }} - {{- if and (eq $serviceType "LoadBalancer") $serviceLoadBalancerSourceRanges }} - loadBalancerSourceRanges: {{- include "common.tplvalues.render" (dict "value" $serviceLoadBalancerSourceRanges "context" $) | nindent 4 }} - {{- end }} - {{- if and (eq $serviceType "ClusterIP") $serviceClusterIP }} - clusterIP: {{ $serviceClusterIP }} - {{- end }} - ports: - - name: tcp-postgresql - port: {{ template "postgresql.port" . }} - targetPort: tcp-postgresql - {{- if $serviceNodePort }} - nodePort: {{ $serviceNodePort }} - {{- end }} - selector: - {{- include "common.labels.matchLabels" . | nindent 4 }} - role: read -{{- end }} diff --git a/stable/ckan/charts/postgresql/templates/svc.yaml b/stable/ckan/charts/postgresql/templates/svc.yaml deleted file mode 100644 index 5bc2b50e..00000000 --- a/stable/ckan/charts/postgresql/templates/svc.yaml +++ /dev/null @@ -1,40 +0,0 @@ -{{- $serviceAnnotations := coalesce .Values.primary.service.annotations .Values.service.annotations -}} -{{- $serviceType := coalesce .Values.primary.service.type .Values.service.type -}} -{{- $serviceLoadBalancerIP := coalesce .Values.primary.service.loadBalancerIP .Values.service.loadBalancerIP -}} -{{- $serviceLoadBalancerSourceRanges := coalesce .Values.primary.service.loadBalancerSourceRanges .Values.service.loadBalancerSourceRanges -}} -{{- $serviceClusterIP := coalesce .Values.primary.service.clusterIP .Values.service.clusterIP -}} -{{- $serviceNodePort := coalesce .Values.primary.service.nodePort .Values.service.nodePort -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "common.names.fullname" . }} - labels: - {{- include "common.labels.standard" . | nindent 4 }} - annotations: - {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} - {{- if $serviceAnnotations }} - {{- include "common.tplvalues.render" (dict "value" $serviceAnnotations "context" $) | nindent 4 }} - {{- end }} -spec: - type: {{ $serviceType }} - {{- if and $serviceLoadBalancerIP (eq $serviceType "LoadBalancer") }} - loadBalancerIP: {{ $serviceLoadBalancerIP }} - {{- end }} - {{- if and (eq $serviceType "LoadBalancer") $serviceLoadBalancerSourceRanges }} - loadBalancerSourceRanges: {{- include "common.tplvalues.render" (dict "value" $serviceLoadBalancerSourceRanges "context" $) | nindent 4 }} - {{- end }} - {{- if and (eq $serviceType "ClusterIP") $serviceClusterIP }} - clusterIP: {{ $serviceClusterIP }} - {{- end }} - ports: - - name: tcp-postgresql - port: {{ template "postgresql.port" . }} - targetPort: tcp-postgresql - {{- if $serviceNodePort }} - nodePort: {{ $serviceNodePort }} - {{- end }} - selector: - {{- include "common.labels.matchLabels" . | nindent 4 }} - role: primary diff --git a/stable/ckan/charts/postgresql/values-production.yaml b/stable/ckan/charts/postgresql/values-production.yaml deleted file mode 100644 index 4e1ee041..00000000 --- a/stable/ckan/charts/postgresql/values-production.yaml +++ /dev/null @@ -1,791 +0,0 @@ -## Global Docker image parameters -## Please, note that this will override the image parameters, including dependencies, configured to use the global value -## Current available global Docker image parameters: imageRegistry and imagePullSecrets -## -global: - postgresql: {} -# imageRegistry: myRegistryName -# imagePullSecrets: -# - myRegistryKeySecretName -# storageClass: myStorageClass - -## Bitnami PostgreSQL image version -## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ -## -image: - registry: docker.io - repository: bitnami/postgresql - tag: 11.10.0-debian-10-r24 - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - - ## Set to true if you would like to see extra information on logs - ## It turns BASH and NAMI debugging in minideb - ## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging - ## - debug: false - -## String to partially override common.names.fullname template (will maintain the release name) -## -# nameOverride: - -## String to fully override common.names.fullname template -## -# fullnameOverride: - -## -## Init containers parameters: -## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup -## -volumePermissions: - enabled: false - image: - registry: docker.io - repository: bitnami/minideb - tag: buster - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: Always - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - ## Init container Security Context - ## Note: the chown of the data folder is done to securityContext.runAsUser - ## and not the below volumePermissions.securityContext.runAsUser - ## When runAsUser is set to special value "auto", init container will try to chwon the - ## data folder to autodetermined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` - ## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed). - ## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with - ## pod securityContext.enabled=false and shmVolume.chmod.enabled=false - ## - securityContext: - runAsUser: 0 - -## Use an alternate scheduler, e.g. "stork". -## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ -## -# schedulerName: - -## Pod Security Context -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -## -securityContext: - enabled: true - fsGroup: 1001 - -## Container Security Context -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -## -containerSecurityContext: - enabled: true - runAsUser: 1001 - -## Pod Service Account -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ -## -serviceAccount: - enabled: false - ## Name of an already existing service account. Setting this value disables the automatic service account creation. - # name: - -## Pod Security Policy -## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ -## -psp: - create: false - -## Creates role for ServiceAccount -## Required for PSP -## -rbac: - create: false - -replication: - enabled: true - user: repl_user - password: repl_password - readReplicas: 2 - ## Set synchronous commit mode: on, off, remote_apply, remote_write and local - ## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL - ## - synchronousCommit: "on" - ## From the number of `readReplicas` defined above, set the number of those that will have synchronous replication - ## NOTE: It cannot be > readReplicas - ## - numSynchronousReplicas: 1 - ## Replication Cluster application name. Useful for defining multiple replication policies - ## - applicationName: my_application - -## PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`) -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-user-on-first-run (see note!) -# postgresqlPostgresPassword: - -## PostgreSQL user (has superuser privileges if username is `postgres`) -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run -## -postgresqlUsername: postgres - -## PostgreSQL password -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run -## -# postgresqlPassword: - -## PostgreSQL password using existing secret -## existingSecret: secret -## - -## Mount PostgreSQL secret as a file instead of passing environment variable -# usePasswordFile: false - -## Create a database -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run -## -# postgresqlDatabase: - -## PostgreSQL data dir -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md -## -postgresqlDataDir: /bitnami/postgresql/data - -## An array to add extra environment variables -## For example: -## extraEnv: -## - name: FOO -## value: "bar" -## -# extraEnv: -extraEnv: [] - -## Name of a ConfigMap containing extra env vars -## -# extraEnvVarsCM: - -## Specify extra initdb args -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md -## -# postgresqlInitdbArgs: - -## Specify a custom location for the PostgreSQL transaction log -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md -## -# postgresqlInitdbWalDir: - -## PostgreSQL configuration -## Specify runtime configuration parameters as a dict, using camelCase, e.g. -## {"sharedBuffers": "500MB"} -## Alternatively, you can put your postgresql.conf under the files/ directory -## ref: https://www.postgresql.org/docs/current/static/runtime-config.html -## -# postgresqlConfiguration: - -## PostgreSQL extended configuration -## As above, but _appended_ to the main configuration -## Alternatively, you can put your *.conf under the files/conf.d/ directory -## https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf -## -# postgresqlExtendedConf: - -## Configure current cluster's primary server to be the standby server in other cluster. -## This will allow cross cluster replication and provide cross cluster high availability. -## You will need to configure pgHbaConfiguration if you want to enable this feature with local cluster replication enabled. -## -primaryAsStandBy: - enabled: false - # primaryHost: - # primaryPort: - -## PostgreSQL client authentication configuration -## Specify content for pg_hba.conf -## Default: do not create pg_hba.conf -## Alternatively, you can put your pg_hba.conf under the files/ directory -# pgHbaConfiguration: |- -# local all all trust -# host all all localhost trust -# host mydatabase mysuser 192.168.0.0/24 md5 - -## ConfigMap with PostgreSQL configuration -## NOTE: This will override postgresqlConfiguration and pgHbaConfiguration -# configurationConfigMap: - -## ConfigMap with PostgreSQL extended configuration -# extendedConfConfigMap: - -## initdb scripts -## Specify dictionary of scripts to be run at first boot -## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory -## -# initdbScripts: -# my_init_script.sh: | -# #!/bin/sh -# echo "Do something." - -## Specify the PostgreSQL username and password to execute the initdb scripts -# initdbUser: -# initdbPassword: - -## ConfigMap with scripts to be run at first boot -## NOTE: This will override initdbScripts -# initdbScriptsConfigMap: - -## Secret with scripts to be run at first boot (in case it contains sensitive information) -## NOTE: This can work along initdbScripts or initdbScriptsConfigMap -# initdbScriptsSecret: - -## Optional duration in seconds the pod needs to terminate gracefully. -## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods -## -# terminationGracePeriodSeconds: 30 - -## LDAP configuration -## -ldap: - enabled: false - url: "" - server: "" - port: "" - prefix: "" - suffix: "" - baseDN: "" - bindDN: "" - bind_password: - search_attr: "" - search_filter: "" - scheme: "" - tls: {} - -## Audit settings -## https://github.com/bitnami/bitnami-docker-postgresql#auditing -## -audit: - ## Log client hostnames - ## - logHostname: false - ## Log connections to the server - ## - logConnections: false - ## Log disconnections - ## - logDisconnections: false - ## Operation to audit using pgAudit (default if not set) - ## - pgAuditLog: "" - ## Log catalog using pgAudit - ## - pgAuditLogCatalog: "off" - ## Log level for clients - ## - clientMinMessages: error - ## Template for log line prefix (default if not set) - ## - logLinePrefix: "" - ## Log timezone - ## - logTimezone: "" - -## Shared preload libraries -## -postgresqlSharedPreloadLibraries: "pgaudit" - -## Maximum total connections -## -postgresqlMaxConnections: - -## Maximum connections for the postgres user -## -postgresqlPostgresConnectionLimit: - -## Maximum connections for the created user -## -postgresqlDbUserConnectionLimit: - -## TCP keepalives interval -## -postgresqlTcpKeepalivesInterval: - -## TCP keepalives idle -## -postgresqlTcpKeepalivesIdle: - -## TCP keepalives count -## -postgresqlTcpKeepalivesCount: - -## Statement timeout -## -postgresqlStatementTimeout: - -## Remove pg_hba.conf lines with the following comma-separated patterns -## (cannot be used with custom pg_hba.conf) -## -postgresqlPghbaRemoveFilters: - -## PostgreSQL service configuration -## -service: - ## PosgresSQL service type - ## - type: ClusterIP - # clusterIP: None - port: 5432 - - ## Specify the nodePort value for the LoadBalancer and NodePort service types. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - # nodePort: - - ## Provide any additional annotations which may be required. Evaluated as a template. - ## - annotations: {} - ## Set the LoadBalancer service type to internal only. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - # loadBalancerIP: - ## Load Balancer sources. Evaluated as a template. - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## - # loadBalancerSourceRanges: - # - 10.10.10.0/24 - -## Start primary and read replica(s) pod(s) without limitations on shm memory. -## By default docker and containerd (and possibly other container runtimes) -## limit `/dev/shm` to `64M` (see e.g. the -## [docker issue](https://github.com/docker-library/postgres/issues/416) and the -## [containerd issue](https://github.com/containerd/containerd/issues/3654), -## which could be not enough if PostgreSQL uses parallel workers heavily. -## -shmVolume: - ## Set `shmVolume.enabled` to `true` to mount a new tmpfs volume to remove - ## this limitation. - ## - enabled: true - ## Set to `true` to `chmod 777 /dev/shm` on a initContainer. - ## This option is ignored if `volumePermissions.enabled` is `false` - ## - chmod: - enabled: true - -## PostgreSQL data Persistent Volume Storage Class -## If defined, storageClassName: -## If set to "-", storageClassName: "", which disables dynamic provisioning -## If undefined (the default) or set to null, no storageClassName spec is -## set, choosing the default provisioner. (gp2 on AWS, standard on -## GKE, AWS & OpenStack) -## -persistence: - enabled: true - ## A manually managed Persistent Volume and Claim - ## If defined, PVC must be created manually before volume will be bound - ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart - ## - # existingClaim: - - ## The path the volume will be mounted at, useful when using different - ## PostgreSQL images. - ## - mountPath: /bitnami/postgresql - - ## The subdirectory of the volume to mount to, useful in dev environments - ## and one PV for multiple services. - ## - subPath: "" - - # storageClass: "-" - accessModes: - - ReadWriteOnce - size: 8Gi - annotations: {} - ## selector can be used to match an existing PersistentVolume - ## selector: - ## matchLabels: - ## app: my-app - selector: {} - -## updateStrategy for PostgreSQL StatefulSet and its reads StatefulSets -## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies -## -updateStrategy: - type: RollingUpdate - -## -## PostgreSQL Primary parameters -## -primary: - ## PostgreSQL Primary pod affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## Allowed values: soft, hard - ## - podAffinityPreset: "" - - ## PostgreSQL Primary pod anti-affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## Allowed values: soft, hard - ## - podAntiAffinityPreset: soft - - ## PostgreSQL Primary node affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - ## Allowed values: soft, hard - ## - nodeAffinityPreset: - ## Node affinity type - ## Allowed values: soft, hard - type: "" - ## Node label key to match - ## E.g. - ## key: "kubernetes.io/e2e-az-name" - ## - key: "" - ## Node label values to match - ## E.g. - ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - - ## Affinity for PostgreSQL primary pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set - ## - affinity: {} - - ## Node labels for PostgreSQL primary pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - - ## Tolerations for PostgreSQL primary pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - tolerations: [] - - labels: {} - annotations: {} - podLabels: {} - podAnnotations: {} - priorityClassName: "" - ## Additional PostgreSQL Primary Volume mounts - ## - extraVolumeMounts: [] - ## Additional PostgreSQL Primary Volumes - ## - extraVolumes: [] - ## Add sidecars to the pod - ## - ## For example: - ## sidecars: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 - ## - sidecars: [] - - ## Override the service configuration for Primary - ## - service: {} - # type: - # nodePort: - # clusterIP: - -## -## PostgreSQL Read Only Replica parameters -## -readReplicas: - ## PostgreSQL read only pod affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## Allowed values: soft, hard - ## - podAffinityPreset: "" - - ## PostgreSQL read only pod anti-affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## Allowed values: soft, hard - ## - podAntiAffinityPreset: soft - - ## PostgreSQL read only node affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - ## Allowed values: soft, hard - ## - nodeAffinityPreset: - ## Node affinity type - ## Allowed values: soft, hard - type: "" - ## Node label key to match - ## E.g. - ## key: "kubernetes.io/e2e-az-name" - ## - key: "" - ## Node label values to match - ## E.g. - ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - - ## Affinity for PostgreSQL read only pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## Note: readReplicas.podAffinityPreset, readReplicas.podAntiAffinityPreset, and readReplicas.nodeAffinityPreset will be ignored when it's set - ## - affinity: {} - - ## Node labels for PostgreSQL read only pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - - labels: {} - annotations: {} - podLabels: {} - podAnnotations: {} - priorityClassName: "" - ## Extra init containers - ## Example - ## - ## extraInitContainers: - ## - name: do-something - ## image: busybox - ## command: ['do', 'something'] - ## - extraInitContainers: [] - ## Additional PostgreSQL Read Replica Volume mounts - ## - extraVolumeMounts: [] - ## Additional PostgreSQL Read Replica Volumes - ## - extraVolumes: [] - ## Add sidecars to the pod - ## - ## For example: - ## sidecars: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 - ## - sidecars: [] - - ## Override the service configuration for Read Replicas - ## - service: {} - # type: - # nodePort: - # clusterIP: - ## Whether to enable PostgreSQL readReplicas replicas data Persistent - ## - persistence: - enabled: true - - # Override the resource configuration for readReplicas - resources: {} - # requests: - # memory: 256Mi - # cpu: 250m - -## Configure resource requests and limits -## ref: http://kubernetes.io/docs/user-guide/compute-resources/ -## -resources: - requests: - memory: 256Mi - cpu: 250m - -## Add annotations to all the deployed resources -## -commonAnnotations: {} - -networkPolicy: - ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. - ## - enabled: false - - ## The Policy model to apply. When set to false, only pods with the correct - ## client label will have network access to the port PostgreSQL is listening - ## on. When true, PostgreSQL will accept connections from any source - ## (with the correct destination port). - ## - allowExternal: true - - ## if explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace - ## and that match other criteria, the ones that have the good label, can reach the DB. - ## But sometimes, we want the DB to be accessible to clients from other namespaces, in this case, we can use this - ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added. - ## - ## Example: - ## explicitNamespacesSelector: - ## matchLabels: - ## role: frontend - ## matchExpressions: - ## - {key: role, operator: In, values: [frontend]} - ## - explicitNamespacesSelector: {} - -## Configure extra options for liveness and readiness probes -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) -## -livenessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - -readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - -## Custom Liveness probe -## -customLivenessProbe: {} - -## Custom Rediness probe -## -customReadinessProbe: {} - -## -## TLS configuration -## -tls: - # Enable TLS traffic - enabled: false - # - # Whether to use the server's TLS cipher preferences rather than the client's. - preferServerCiphers: true - # - # Name of the Secret that contains the certificates - certificatesSecret: "" - # - # Certificate filename - certFilename: "" - # - # Certificate Key filename - certKeyFilename: "" - # - # CA Certificate filename - # If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate - # ref: https://www.postgresql.org/docs/9.6/auth-methods.html - certCAFilename: - # - # File containing a Certificate Revocation List - crlFilename: - -## Configure metrics exporter -## -metrics: - enabled: true - # resources: {} - service: - type: ClusterIP - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9187" - loadBalancerIP: - serviceMonitor: - enabled: false - additionalLabels: {} - # namespace: monitoring - # interval: 30s - # scrapeTimeout: 10s - ## Custom PrometheusRule to be defined - ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart - ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions - ## - prometheusRule: - enabled: false - additionalLabels: {} - namespace: "" - ## These are just examples rules, please adapt them to your needs. - ## Make sure to constraint the rules to the current postgresql service. - ## rules: - ## - alert: HugeReplicationLag - ## expr: pg_replication_lag{service="{{ template "common.names.fullname" . }}-metrics"} / 3600 > 1 - ## for: 1m - ## labels: - ## severity: critical - ## annotations: - ## description: replication for {{ template "common.names.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s). - ## summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s). - ## - rules: [] - - image: - registry: docker.io - repository: bitnami/postgres-exporter - tag: 0.8.0-debian-10-r293 - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - ## Define additional custom metrics - ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file - # customMetrics: - # pg_database: - # query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')" - # metrics: - # - name: - # usage: "LABEL" - # description: "Name of the database" - # - size_bytes: - # usage: "GAUGE" - # description: "Size of the database in bytes" - ## An array to add extra env vars to configure postgres-exporter - ## see: https://github.com/wrouesnel/postgres_exporter#environment-variables - ## For example: - # extraEnvVars: - # - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS - # value: "true" - extraEnvVars: {} - - ## Pod Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - ## - securityContext: - enabled: false - runAsUser: 1001 - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) - ## Configure extra options for liveness and readiness probes - ## - livenessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 diff --git a/stable/ckan/charts/postgresql/values.schema.json b/stable/ckan/charts/postgresql/values.schema.json deleted file mode 100644 index 66a2a9dd..00000000 --- a/stable/ckan/charts/postgresql/values.schema.json +++ /dev/null @@ -1,103 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "type": "object", - "properties": { - "postgresqlUsername": { - "type": "string", - "title": "Admin user", - "form": true - }, - "postgresqlPassword": { - "type": "string", - "title": "Password", - "form": true - }, - "persistence": { - "type": "object", - "properties": { - "size": { - "type": "string", - "title": "Persistent Volume Size", - "form": true, - "render": "slider", - "sliderMin": 1, - "sliderMax": 100, - "sliderUnit": "Gi" - } - } - }, - "resources": { - "type": "object", - "title": "Required Resources", - "description": "Configure resource requests", - "form": true, - "properties": { - "requests": { - "type": "object", - "properties": { - "memory": { - "type": "string", - "form": true, - "render": "slider", - "title": "Memory Request", - "sliderMin": 10, - "sliderMax": 2048, - "sliderUnit": "Mi" - }, - "cpu": { - "type": "string", - "form": true, - "render": "slider", - "title": "CPU Request", - "sliderMin": 10, - "sliderMax": 2000, - "sliderUnit": "m" - } - } - } - } - }, - "replication": { - "type": "object", - "form": true, - "title": "Replication Details", - "properties": { - "enabled": { - "type": "boolean", - "title": "Enable Replication", - "form": true - }, - "readReplicas": { - "type": "integer", - "title": "read Replicas", - "form": true, - "hidden": { - "value": false, - "path": "replication/enabled" - } - } - } - }, - "volumePermissions": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "form": true, - "title": "Enable Init Containers", - "description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup" - } - } - }, - "metrics": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "title": "Configure metrics exporter", - "form": true - } - } - } - } -} diff --git a/stable/ckan/charts/postgresql/values.yaml b/stable/ckan/charts/postgresql/values.yaml deleted file mode 100644 index cdf5db47..00000000 --- a/stable/ckan/charts/postgresql/values.yaml +++ /dev/null @@ -1,813 +0,0 @@ -## Global Docker image parameters -## Please, note that this will override the image parameters, including dependencies, configured to use the global value -## Current available global Docker image parameters: imageRegistry and imagePullSecrets -## -global: - postgresql: {} -# imageRegistry: myRegistryName -# imagePullSecrets: -# - myRegistryKeySecretName -# storageClass: myStorageClass - -## Bitnami PostgreSQL image version -## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ -## -image: - registry: docker.io - repository: bitnami/postgresql - tag: 11.10.0-debian-10-r24 - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - - ## Set to true if you would like to see extra information on logs - ## It turns BASH and NAMI debugging in minideb - ## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging - ## - debug: false - -## String to partially override common.names.fullname template (will maintain the release name) -## -# nameOverride: - -## String to fully override common.names.fullname template -## -# fullnameOverride: - -## -## Init containers parameters: -## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup -## -volumePermissions: - enabled: false - image: - registry: docker.io - repository: bitnami/minideb - tag: buster - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: Always - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - ## Init container Security Context - ## Note: the chown of the data folder is done to securityContext.runAsUser - ## and not the below volumePermissions.securityContext.runAsUser - ## When runAsUser is set to special value "auto", init container will try to chwon the - ## data folder to autodetermined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` - ## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed). - ## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with - ## pod securityContext.enabled=false and shmVolume.chmod.enabled=false - ## - securityContext: - runAsUser: 0 - -## Use an alternate scheduler, e.g. "stork". -## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ -## -# schedulerName: - -## Pod Security Context -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -## -securityContext: - enabled: true - fsGroup: 1001 - -## Container Security Context -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -## -containerSecurityContext: - enabled: true - runAsUser: 1001 - -## Pod Service Account -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ -## -serviceAccount: - enabled: false - ## Name of an already existing service account. Setting this value disables the automatic service account creation. - # name: - -## Pod Security Policy -## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ -## -psp: - create: false - -## Creates role for ServiceAccount -## Required for PSP -## -rbac: - create: false - -replication: - enabled: false - user: repl_user - password: repl_password - readReplicas: 1 - ## Set synchronous commit mode: on, off, remote_apply, remote_write and local - ## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL - synchronousCommit: 'off' - ## From the number of `readReplicas` defined above, set the number of those that will have synchronous replication - ## NOTE: It cannot be > readReplicas - numSynchronousReplicas: 0 - ## Replication Cluster application name. Useful for defining multiple replication policies - ## - applicationName: my_application - -## PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`) -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-user-on-first-run (see note!) -# postgresqlPostgresPassword: - -## PostgreSQL user (has superuser privileges if username is `postgres`) -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run -## -postgresqlUsername: postgres - -## PostgreSQL password -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run -## -# postgresqlPassword: - -## PostgreSQL password using existing secret -## existingSecret: secret -## - -## Mount PostgreSQL secret as a file instead of passing environment variable -# usePasswordFile: false - -## Create a database -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run -## -# postgresqlDatabase: - -## PostgreSQL data dir -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md -## -postgresqlDataDir: /bitnami/postgresql/data - -## An array to add extra environment variables -## For example: -## extraEnv: -## - name: FOO -## value: "bar" -## -# extraEnv: -extraEnv: [] - -## Name of a ConfigMap containing extra env vars -## -# extraEnvVarsCM: - -## Specify extra initdb args -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md -## -# postgresqlInitdbArgs: - -## Specify a custom location for the PostgreSQL transaction log -## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md -## -# postgresqlInitdbWalDir: - -## PostgreSQL configuration -## Specify runtime configuration parameters as a dict, using camelCase, e.g. -## {"sharedBuffers": "500MB"} -## Alternatively, you can put your postgresql.conf under the files/ directory -## ref: https://www.postgresql.org/docs/current/static/runtime-config.html -## -# postgresqlConfiguration: - -## PostgreSQL extended configuration -## As above, but _appended_ to the main configuration -## Alternatively, you can put your *.conf under the files/conf.d/ directory -## https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf -## -# postgresqlExtendedConf: - -## Configure current cluster's primary server to be the standby server in other cluster. -## This will allow cross cluster replication and provide cross cluster high availability. -## You will need to configure pgHbaConfiguration if you want to enable this feature with local cluster replication enabled. -## -primaryAsStandBy: - enabled: false - # primaryHost: - # primaryPort: - -## PostgreSQL client authentication configuration -## Specify content for pg_hba.conf -## Default: do not create pg_hba.conf -## Alternatively, you can put your pg_hba.conf under the files/ directory -# pgHbaConfiguration: |- -# local all all trust -# host all all localhost trust -# host mydatabase mysuser 192.168.0.0/24 md5 - -## ConfigMap with PostgreSQL configuration -## NOTE: This will override postgresqlConfiguration and pgHbaConfiguration -# configurationConfigMap: - -## ConfigMap with PostgreSQL extended configuration -# extendedConfConfigMap: - -## initdb scripts -## Specify dictionary of scripts to be run at first boot -## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory -## -# initdbScripts: -# my_init_script.sh: | -# #!/bin/sh -# echo "Do something." - -## ConfigMap with scripts to be run at first boot -## NOTE: This will override initdbScripts -# initdbScriptsConfigMap: - -## Secret with scripts to be run at first boot (in case it contains sensitive information) -## NOTE: This can work along initdbScripts or initdbScriptsConfigMap -# initdbScriptsSecret: - -## Specify the PostgreSQL username and password to execute the initdb scripts -# initdbUser: -# initdbPassword: - -## Audit settings -## https://github.com/bitnami/bitnami-docker-postgresql#auditing -## -audit: - ## Log client hostnames - ## - logHostname: false - ## Log connections to the server - ## - logConnections: false - ## Log disconnections - ## - logDisconnections: false - ## Operation to audit using pgAudit (default if not set) - ## - pgAuditLog: "" - ## Log catalog using pgAudit - ## - pgAuditLogCatalog: "off" - ## Log level for clients - ## - clientMinMessages: error - ## Template for log line prefix (default if not set) - ## - logLinePrefix: "" - ## Log timezone - ## - logTimezone: "" - -## Shared preload libraries -## -postgresqlSharedPreloadLibraries: "pgaudit" - -## Maximum total connections -## -postgresqlMaxConnections: - -## Maximum connections for the postgres user -## -postgresqlPostgresConnectionLimit: - -## Maximum connections for the created user -## -postgresqlDbUserConnectionLimit: - -## TCP keepalives interval -## -postgresqlTcpKeepalivesInterval: - -## TCP keepalives idle -## -postgresqlTcpKeepalivesIdle: - -## TCP keepalives count -## -postgresqlTcpKeepalivesCount: - -## Statement timeout -## -postgresqlStatementTimeout: - -## Remove pg_hba.conf lines with the following comma-separated patterns -## (cannot be used with custom pg_hba.conf) -## -postgresqlPghbaRemoveFilters: - -## Optional duration in seconds the pod needs to terminate gracefully. -## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods -## -# terminationGracePeriodSeconds: 30 - -## LDAP configuration -## -ldap: - enabled: false - url: '' - server: '' - port: '' - prefix: '' - suffix: '' - baseDN: '' - bindDN: '' - bind_password: - search_attr: '' - search_filter: '' - scheme: '' - tls: {} - -## PostgreSQL service configuration -## -service: - ## PosgresSQL service type - ## - type: ClusterIP - # clusterIP: None - port: 5432 - - ## Specify the nodePort value for the LoadBalancer and NodePort service types. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - # nodePort: - - ## Provide any additional annotations which may be required. Evaluated as a template. - ## - annotations: {} - ## Set the LoadBalancer service type to internal only. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - # loadBalancerIP: - ## Load Balancer sources. Evaluated as a template. - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## - # loadBalancerSourceRanges: - # - 10.10.10.0/24 - -## Start primary and read(s) pod(s) without limitations on shm memory. -## By default docker and containerd (and possibly other container runtimes) -## limit `/dev/shm` to `64M` (see e.g. the -## [docker issue](https://github.com/docker-library/postgres/issues/416) and the -## [containerd issue](https://github.com/containerd/containerd/issues/3654), -## which could be not enough if PostgreSQL uses parallel workers heavily. -## -shmVolume: - ## Set `shmVolume.enabled` to `true` to mount a new tmpfs volume to remove - ## this limitation. - ## - enabled: true - ## Set to `true` to `chmod 777 /dev/shm` on a initContainer. - ## This option is ignored if `volumePermissions.enabled` is `false` - ## - chmod: - enabled: true - -## PostgreSQL data Persistent Volume Storage Class -## If defined, storageClassName: -## If set to "-", storageClassName: "", which disables dynamic provisioning -## If undefined (the default) or set to null, no storageClassName spec is -## set, choosing the default provisioner. (gp2 on AWS, standard on -## GKE, AWS & OpenStack) -## -persistence: - enabled: true - ## A manually managed Persistent Volume and Claim - ## If defined, PVC must be created manually before volume will be bound - ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart - ## - # existingClaim: - - ## The path the volume will be mounted at, useful when using different - ## PostgreSQL images. - ## - mountPath: /bitnami/postgresql - - ## The subdirectory of the volume to mount to, useful in dev environments - ## and one PV for multiple services. - ## - subPath: '' - - # storageClass: "-" - accessModes: - - ReadWriteOnce - size: 8Gi - annotations: {} - ## selector can be used to match an existing PersistentVolume - ## selector: - ## matchLabels: - ## app: my-app - selector: {} - -## updateStrategy for PostgreSQL StatefulSet and its reads StatefulSets -## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies -## -updateStrategy: - type: RollingUpdate - -## -## PostgreSQL Primary parameters -## -primary: - ## PostgreSQL Primary pod affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## Allowed values: soft, hard - ## - podAffinityPreset: "" - - ## PostgreSQL Primary pod anti-affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## Allowed values: soft, hard - ## - podAntiAffinityPreset: soft - - ## PostgreSQL Primary node affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - ## Allowed values: soft, hard - ## - nodeAffinityPreset: - ## Node affinity type - ## Allowed values: soft, hard - type: "" - ## Node label key to match - ## E.g. - ## key: "kubernetes.io/e2e-az-name" - ## - key: "" - ## Node label values to match - ## E.g. - ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - - ## Affinity for PostgreSQL primary pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set - ## - affinity: {} - - ## Node labels for PostgreSQL primary pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - - ## Tolerations for PostgreSQL primary pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - tolerations: [] - - labels: {} - annotations: {} - podLabels: {} - podAnnotations: {} - priorityClassName: '' - ## Extra init containers - ## Example - ## - ## extraInitContainers: - ## - name: do-something - ## image: busybox - ## command: ['do', 'something'] - ## - extraInitContainers: [] - - ## Additional PostgreSQL primary Volume mounts - ## - extraVolumeMounts: [] - ## Additional PostgreSQL primary Volumes - ## - extraVolumes: [] - ## Add sidecars to the pod - ## - ## For example: - ## sidecars: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 - ## - sidecars: [] - - ## Override the service configuration for primary - ## - service: {} - # type: - # nodePort: - # clusterIP: - -## -## PostgreSQL read only replica parameters -## -readReplicas: - ## PostgreSQL read only pod affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## Allowed values: soft, hard - ## - podAffinityPreset: "" - - ## PostgreSQL read only pod anti-affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity - ## Allowed values: soft, hard - ## - podAntiAffinityPreset: soft - - ## PostgreSQL read only node affinity preset - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity - ## Allowed values: soft, hard - ## - nodeAffinityPreset: - ## Node affinity type - ## Allowed values: soft, hard - type: "" - ## Node label key to match - ## E.g. - ## key: "kubernetes.io/e2e-az-name" - ## - key: "" - ## Node label values to match - ## E.g. - ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] - - ## Affinity for PostgreSQL read only pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity - ## Note: readReplicas.podAffinityPreset, readReplicas.podAntiAffinityPreset, and readReplicas.nodeAffinityPreset will be ignored when it's set - ## - affinity: {} - - ## Node labels for PostgreSQL read only pods assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ - ## - nodeSelector: {} - - ## Tolerations for PostgreSQL read only pods assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - tolerations: [] - labels: {} - annotations: {} - podLabels: {} - podAnnotations: {} - priorityClassName: '' - - ## Extra init containers - ## Example - ## - ## extraInitContainers: - ## - name: do-something - ## image: busybox - ## command: ['do', 'something'] - ## - extraInitContainers: [] - - ## Additional PostgreSQL read replicas Volume mounts - ## - extraVolumeMounts: [] - - ## Additional PostgreSQL read replicas Volumes - ## - extraVolumes: [] - - ## Add sidecars to the pod - ## - ## For example: - ## sidecars: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 - ## - sidecars: [] - - ## Override the service configuration for read - ## - service: {} - # type: - # nodePort: - # clusterIP: - - ## Whether to enable PostgreSQL read replicas data Persistent - ## - persistence: - enabled: true - - # Override the resource configuration for read replicas - resources: {} - # requests: - # memory: 256Mi - # cpu: 250m - -## Configure resource requests and limits -## ref: http://kubernetes.io/docs/user-guide/compute-resources/ -## -resources: - requests: - memory: 256Mi - cpu: 250m - -## Add annotations to all the deployed resources -## -commonAnnotations: {} - -networkPolicy: - ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. - ## - enabled: false - - ## The Policy model to apply. When set to false, only pods with the correct - ## client label will have network access to the port PostgreSQL is listening - ## on. When true, PostgreSQL will accept connections from any source - ## (with the correct destination port). - ## - allowExternal: true - - ## if explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace - ## and that match other criteria, the ones that have the good label, can reach the DB. - ## But sometimes, we want the DB to be accessible to clients from other namespaces, in this case, we can use this - ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added. - ## - ## Example: - ## explicitNamespacesSelector: - ## matchLabels: - ## role: frontend - ## matchExpressions: - ## - {key: role, operator: In, values: [frontend]} - ## - explicitNamespacesSelector: {} - -## Configure extra options for liveness and readiness probes -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) -## -livenessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - -readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - -## Custom Liveness probe -## -customLivenessProbe: {} - -## Custom Rediness probe -## -customReadinessProbe: {} - -## -## TLS configuration -## -tls: - # Enable TLS traffic - enabled: false - # - # Whether to use the server's TLS cipher preferences rather than the client's. - preferServerCiphers: true - # - # Name of the Secret that contains the certificates - certificatesSecret: '' - # - # Certificate filename - certFilename: '' - # - # Certificate Key filename - certKeyFilename: '' - # - # CA Certificate filename - # If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate - # ref: https://www.postgresql.org/docs/9.6/auth-methods.html - certCAFilename: - # - # File containing a Certificate Revocation List - crlFilename: - -## Configure metrics exporter -## -metrics: - enabled: false - # resources: {} - service: - type: ClusterIP - annotations: - prometheus.io/scrape: 'true' - prometheus.io/port: '9187' - loadBalancerIP: - serviceMonitor: - enabled: false - additionalLabels: {} - # namespace: monitoring - # interval: 30s - # scrapeTimeout: 10s - ## Custom PrometheusRule to be defined - ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart - ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions - ## - prometheusRule: - enabled: false - additionalLabels: {} - namespace: '' - ## These are just examples rules, please adapt them to your needs. - ## Make sure to constraint the rules to the current postgresql service. - ## rules: - ## - alert: HugeReplicationLag - ## expr: pg_replication_lag{service="{{ template "common.names.fullname" . }}-metrics"} / 3600 > 1 - ## for: 1m - ## labels: - ## severity: critical - ## annotations: - ## description: replication for {{ template "common.names.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s). - ## summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s). - ## - rules: [] - - image: - registry: docker.io - repository: bitnami/postgres-exporter - tag: 0.8.0-debian-10-r293 - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - ## Define additional custom metrics - ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file - # customMetrics: - # pg_database: - # query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size_bytes FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')" - # metrics: - # - name: - # usage: "LABEL" - # description: "Name of the database" - # - size_bytes: - # usage: "GAUGE" - # description: "Size of the database in bytes" - # - ## An array to add extra env vars to configure postgres-exporter - ## see: https://github.com/wrouesnel/postgres_exporter#environment-variables - ## For example: - # extraEnvVars: - # - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS - # value: "true" - extraEnvVars: {} - - ## Pod Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - ## - securityContext: - enabled: false - runAsUser: 1001 - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) - ## Configure extra options for liveness and readiness probes - ## - livenessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - -## Array with extra yaml to deploy with the chart. Evaluated as a template -## -extraDeploy: [] diff --git a/stable/ckan/charts/redis/.helmignore b/stable/ckan/charts/redis/.helmignore deleted file mode 100644 index f0c13194..00000000 --- a/stable/ckan/charts/redis/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/stable/ckan/charts/redis/Chart.lock b/stable/ckan/charts/redis/Chart.lock deleted file mode 100644 index 69cc5b92..00000000 --- a/stable/ckan/charts/redis/Chart.lock +++ /dev/null @@ -1,6 +0,0 @@ -dependencies: -- name: common - repository: https://charts.bitnami.com/bitnami - version: 1.4.2 -digest: sha256:4e3ec38e0e27e9fc1defb2a13f67a0aa12374bf0b15f06a6c13b1b46df6bffeb -generated: "2021-04-05T11:40:59.141264592Z" diff --git a/stable/ckan/charts/redis/Chart.yaml b/stable/ckan/charts/redis/Chart.yaml deleted file mode 100644 index dd36c43e..00000000 --- a/stable/ckan/charts/redis/Chart.yaml +++ /dev/null @@ -1,29 +0,0 @@ -annotations: - category: Database -apiVersion: v2 -appVersion: 6.0.12 -dependencies: -- name: common - repository: https://charts.bitnami.com/bitnami - tags: - - bitnami-common - version: 1.x.x -description: Open source, advanced key-value store. It is often referred to as a data - structure server since keys can contain strings, hashes, lists, sets and sorted - sets. -home: https://github.com/bitnami/charts/tree/master/bitnami/redis -icon: https://bitnami.com/assets/stacks/redis/img/redis-stack-220x234.png -keywords: -- redis -- keyvalue -- database -maintainers: -- email: containers@bitnami.com - name: Bitnami -- email: cedric@desaintmartin.fr - name: desaintmartin -name: redis -sources: -- https://github.com/bitnami/bitnami-docker-redis -- http://redis.io/ -version: 12.10.1 diff --git a/stable/ckan/charts/redis/README.md b/stable/ckan/charts/redis/README.md deleted file mode 100644 index ef3e2563..00000000 --- a/stable/ckan/charts/redis/README.md +++ /dev/null @@ -1,738 +0,0 @@ -# RedisTM Chart packaged by Bitnami - -[RedisTM](http://redis.io/) is an advanced key-value cache and store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets, sorted sets, bitmaps and hyperloglogs. - -Disclaimer: REDIS® is a registered trademark of Redis Labs Ltd.Any rights therein are reserved to Redis Labs Ltd. Any use by Bitnami is for referential purposes only and does not indicate any sponsorship, endorsement, or affiliation between Redis Labs Ltd. - -## TL;DR - -```bash -$ helm repo add bitnami https://charts.bitnami.com/bitnami -$ helm install my-release bitnami/redis -``` - -## Introduction - -This chart bootstraps a [RedisTM](https://github.com/bitnami/bitnami-docker-redis) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. - -Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/). - -### Choose between RedisTM Helm Chart and RedisTM Cluster Helm Chart - -You can choose any of the two RedisTM Helm charts for deploying a RedisTM cluster. -While [RedisTM Helm Chart](https://github.com/bitnami/charts/tree/master/bitnami/redis) will deploy a master-slave cluster using RedisTM Sentinel, the [RedisTM Cluster Helm Chart](https://github.com/bitnami/charts/tree/master/bitnami/redis-cluster) will deploy a RedisTM Cluster topology with sharding. -The main features of each chart are the following: - -| RedisTM | RedisTM Cluster | -|--------------------------------------------------------|------------------------------------------------------------------------| -| Supports multiple databases | Supports only one database. Better if you have a big dataset | -| Single write point (single master) | Multiple write points (multiple masters) | -| ![RedisTM Topology](img/redis-topology.png) | ![RedisTM Cluster Topology](img/redis-cluster-topology.png) | - -## Prerequisites - -- Kubernetes 1.12+ -- Helm 3.1.0 -- PV provisioner support in the underlying infrastructure - -## Installing the Chart - -To install the chart with the release name `my-release`: - -```bash -$ helm install my-release bitnami/redis -``` - -The command deploys RedisTM on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. - -> **Tip**: List all releases using `helm list` - -## Uninstalling the Chart - -To uninstall/delete the `my-release` deployment: - -```bash -$ helm delete my-release -``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Parameters - -The following table lists the configurable parameters of the RedisTM chart and their default values. - -| Parameter | Description | Default | -|:------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------------------------------------| -| `global.imageRegistry` | Global Docker image registry | `nil` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | -| `global.storageClass` | Global storage class for dynamic provisioning | `nil` | -| `global.redis.password` | RedisTM password (overrides `password`) | `nil` | -| `image.registry` | RedisTM Image registry | `docker.io` | -| `image.repository` | RedisTM Image name | `bitnami/redis` | -| `image.tag` | RedisTM Image tag | `{TAG_NAME}` | -| `image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Specify docker-registry secret names as an array | `nil` | -| `nameOverride` | String to partially override redis.fullname template with a string (will prepend the release name) | `nil` | -| `fullnameOverride` | String to fully override redis.fullname template with a string | `nil` | -| `cluster.enabled` | Use master-slave topology | `true` | -| `cluster.slaveCount` | Number of slaves | `2` | -| `existingSecret` | Name of existing secret object (for password authentication) | `nil` | -| `existingSecretPasswordKey` | Name of key containing password to be retrieved from the existing secret | `nil` | -| `usePassword` | Use password | `true` | -| `usePasswordFile` | Mount passwords as files instead of environment variables | `false` | -| `password` | RedisTM password (ignored if existingSecret set) | Randomly generated | -| `configmap` | Additional common RedisTM node configuration (this value is evaluated as a template) | See values.yaml | -| `clusterDomain` | Kubernetes DNS Domain name to use | `cluster.local` | -| `extraVolumes` | Array of extra volumes to be added to master & slave nodes (evaluated as a template) | `[]` | -| `extraVolumeMounts` | Array of extra volume mounts to be added to master & slave nodes (evaluated as a template) | `[]` | -| `networkPolicy.enabled` | Enable NetworkPolicy | `false` | -| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | -| `networkPolicy.ingressNSMatchLabels` | Allow connections from other namespaces | `{}` | -| `networkPolicy.ingressNSPodMatchLabels` | For other namespaces match by pod labels and namespace labels | `{}` | -| `securityContext.*` | Other pod security context to be included as-is in the pod spec | `{}` | -| `securityContext.enabled` | Enable security context (both redis master and slave pods) | `true` | -| `securityContext.fsGroup` | Group ID for the container (both redis master and slave pods) | `1001` | -| `containerSecurityContext.*` | Other container security context to be included as-is in the container spec | `{}` | -| `containerSecurityContext.enabled` | Enable security context (both redis master and slave containers) | `true` | -| `containerSecurityContext.runAsUser` | User ID for the container (both redis master and slave containers) | `1001` | -| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` | -| `serviceAccount.name` | The name of the ServiceAccount to create | Generated using the fullname template | -| `serviceAccount.annotations` | Specifies annotations to add to ServiceAccount. | `nil` | -| `rbac.create` | Specifies whether RBAC resources should be created | `false` | -| `rbac.role.rules` | Rules to create | `[]` | -| `metrics.enabled` | Start a side-car prometheus exporter | `false` | -| `metrics.image.registry` | RedisTM exporter image registry | `docker.io` | -| `metrics.image.repository` | RedisTM exporter image name | `bitnami/redis-exporter` | -| `metrics.image.tag` | RedisTM exporter image tag | `{TAG_NAME}` | -| `metrics.image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `nil` | -| `metrics.extraArgs` | Extra arguments for the binary; possible values [here](https://github.com/oliver006/redis_exporter#flags) | {} | -| `metrics.podLabels` | Additional labels for Metrics exporter pod | {} | -| `metrics.podAnnotations` | Additional annotations for Metrics exporter pod | {} | -| `metrics.resources` | Exporter resource requests/limit | Memory: `256Mi`, CPU: `100m` | -| `metrics.serviceMonitor.enabled` | if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) | `false` | -| `metrics.serviceMonitor.namespace` | Optional namespace which Prometheus is running in | `nil` | -| `metrics.serviceMonitor.interval` | How frequently to scrape metrics (use by default, falling back to Prometheus' default) | `nil` | -| `metrics.serviceMonitor.selector` | Default to kube-prometheus install (CoreOS recommended), but should be set according to Prometheus install | `{ prometheus: kube-prometheus }` | -| `metrics.serviceMonitor.relabelings` | ServiceMonitor relabelings. Value is evaluated as a template | `[]` | -| `metrics.serviceMonitor.metricRelabelings` | ServiceMonitor metricRelabelings. Value is evaluated as a template | `[]` | -| `metrics.service.type` | Kubernetes Service type (redis metrics) | `ClusterIP` | -| `metrics.service.externalTrafficPolicy` | External traffic policy (when service type is LoadBalancer) | `Cluster` | -| `metrics.service.annotations` | Annotations for the services to monitor (redis master and redis slave service) | {} | -| `metrics.service.labels` | Additional labels for the metrics service | {} | -| `metrics.service.loadBalancerIP` | loadBalancerIP if redis metrics service type is `LoadBalancer` | `nil` | -| `metrics.priorityClassName` | Metrics exporter pod priorityClassName | `nil` | -| `metrics.prometheusRule.enabled` | Set this to true to create prometheusRules for Prometheus operator | `false` | -| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` | -| `metrics.prometheusRule.namespace` | namespace where prometheusRules resource should be created | Same namespace as redis | -| `metrics.prometheusRule.rules` | [rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) to be created, check values for an example. | `[]` | -| `metrics.redisTargetHost` | way to specify an alternative redis hostname, if you set a local endpoint in hostAliases to match specific redis server certificate CN/SAN for example. - | `localhost` | -| `persistence.existingClaim` | Provide an existing PersistentVolumeClaim | `nil` | -| `master.persistence.enabled` | Use a PVC to persist data (master node) | `true` | -| `master.hostAliases` | Add deployment host aliases | `[]` | -| `master.persistence.path` | Path to mount the volume at, to use other images | `/data` | -| `master.persistence.subPath` | Subdirectory of the volume to mount at | `""` | -| `master.persistence.storageClass` | Storage class of backing PVC | `generic` | -| `master.persistence.accessModes` | Persistent Volume Access Modes | `[ReadWriteOnce]` | -| `master.persistence.size` | Size of data volume | `8Gi` | -| `master.persistence.matchLabels` | matchLabels persistent volume selector | `{}` | -| `master.persistence.matchExpressions` | matchExpressions persistent volume selector | `{}` | -| `master.persistence.volumes` | Additional volumes without creating PVC | `{}` | -| `master.statefulset.labels` | Additional labels for redis master StatefulSet | `{}` | -| `master.statefulset.annotations` | Additional annotations for redis master StatefulSet | `{}` | -| `master.statefulset.updateStrategy` | Update strategy for StatefulSet | onDelete | -| `master.statefulset.rollingUpdatePartition` | Partition update strategy | `nil` | -| `master.statefulset.volumeClaimTemplates.labels` | Additional labels for redis master StatefulSet volumeClaimTemplates | `{}` | -| `master.statefulset.volumeClaimTemplates.annotations` | Additional annotations for redis master StatefulSet volumeClaimTemplates | `{}` | -| `master.podLabels` | Additional labels for RedisTM master pod | {} | -| `master.podAnnotations` | Additional annotations for RedisTM master pod | {} | -| `master.extraEnvVars` | Additional Environment Variables passed to the pod of the master's stateful set set | `[]` | -| `master.extraEnvVarCMs` | Additional Environment Variables ConfigMappassed to the pod of the master's stateful set set | `[]` | -| `master.extraEnvVarsSecret` | Additional Environment Variables Secret passed to the master's stateful set | `[]` | -| `master.extraVolumes` | Array of extra volumes to be added to master pod (evaluated as a template) | `[]` | -| `master.extraVolumeMounts` | Array of extra volume mounts to be added to master pod (evaluated as a template) | `[]` | -| `podDisruptionBudget.enabled` | Pod Disruption Budget toggle | `false` | -| `podDisruptionBudget.minAvailable` | Minimum available pods | `1` | -| `podDisruptionBudget.maxUnavailable` | Maximum unavailable | `nil` | -| `redisPort` | RedisTM port (in both master and slaves) | `6379` | -| `tls.enabled` | Enable TLS support for replication traffic | `false` | -| `tls.authClients` | Require clients to authenticate or not | `true` | -| `tls.certificatesSecret` | Name of the secret that contains the certificates | `nil` | -| `tls.certFilename` | Certificate filename | `nil` | -| `tls.certKeyFilename` | Certificate key filename | `nil` | -| `tls.certCAFilename` | CA Certificate filename | `nil` | -| `tls.dhParamsFilename` | DH params (in order to support DH based ciphers) | `nil` | -| `master.command` | RedisTM master entrypoint string. The command `redis-server` is executed if this is not provided. Note this is prepended with `exec` | `/run.sh` | -| `master.preExecCmds` | Text to inset into the startup script immediately prior to `master.command`. Use this if you need to run other ad-hoc commands as part of startup | `nil` | -| `master.configmap` | Additional RedisTM configuration for the master nodes (this value is evaluated as a template) | `nil` | -| `master.disableCommands` | Array of RedisTM commands to disable (master) | `["FLUSHDB", "FLUSHALL"]` | -| `master.extraFlags` | RedisTM master additional command line flags | [] | -| `master.nodeSelector` | RedisTM master Node labels for pod assignment | {"beta.kubernetes.io/arch": "amd64"} | -| `master.tolerations` | Toleration labels for RedisTM master pod assignment | [] | -| `master.affinity` | Affinity settings for RedisTM master pod assignment | {} | -| `master.schedulerName` | Name of an alternate scheduler | `nil` | -| `master.service.type` | Kubernetes Service type (redis master) | `ClusterIP` | -| `master.service.externalTrafficPolicy` | External traffic policy (when service type is LoadBalancer) | `Cluster` | -| `master.service.port` | Kubernetes Service port (redis master) | `6379` | -| `master.service.nodePort` | Kubernetes Service nodePort (redis master) | `nil` | -| `master.service.annotations` | annotations for redis master service | {} | -| `master.service.labels` | Additional labels for redis master service | {} | -| `master.service.loadBalancerIP` | loadBalancerIP if redis master service type is `LoadBalancer` | `nil` | -| `master.service.loadBalancerSourceRanges` | loadBalancerSourceRanges if redis master service type is `LoadBalancer` | `nil` | -| `master.resources` | RedisTM master CPU/Memory resource requests/limits | Memory: `256Mi`, CPU: `100m` | -| `master.livenessProbe.enabled` | Turn on and off liveness probe (redis master pod) | `true` | -| `master.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated (redis master pod) | `5` | -| `master.livenessProbe.periodSeconds` | How often to perform the probe (redis master pod) | `5` | -| `master.livenessProbe.timeoutSeconds` | When the probe times out (redis master pod) | `5` | -| `master.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis master pod) | `1` | -| `master.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `5` | -| `master.readinessProbe.enabled` | Turn on and off readiness probe (redis master pod) | `true` | -| `master.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated (redis master pod) | `5` | -| `master.readinessProbe.periodSeconds` | How often to perform the probe (redis master pod) | `5` | -| `master.readinessProbe.timeoutSeconds` | When the probe times out (redis master pod) | `1` | -| `master.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis master pod) | `1` | -| `master.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `5` | -| `master.shareProcessNamespace` | RedisTM Master pod `shareProcessNamespace` option. Enables /pause reap zombie PIDs. | `false` | -| `master.priorityClassName` | RedisTM Master pod priorityClassName | `nil` | -| `volumePermissions.enabled` | Enable init container that changes volume permissions in the registry (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` | -| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | -| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/bitnami-shell` | -| `volumePermissions.image.tag` | Init container volume-permissions image tag | `"10"` | -| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` | -| `volumePermissions.resources ` | Init container volume-permissions CPU/Memory resource requests/limits | {} | -| `volumePermissions.securityContext.*` | Security context of the init container | `{}` | -| `volumePermissions.securityContext.runAsUser` | UserID for the init container (when facing issues in OpenShift or uid unknown, try value "auto") | 0 | -| `slave.hostAliases` | Add deployment host aliases | `[]` | -| `slave.service.type` | Kubernetes Service type (redis slave) | `ClusterIP` | -| `slave.service.externalTrafficPolicy` | External traffic policy (when service type is LoadBalancer) | `Cluster` | -| `slave.service.nodePort` | Kubernetes Service nodePort (redis slave) | `nil` | -| `slave.service.annotations` | annotations for redis slave service | {} | -| `slave.service.labels` | Additional labels for redis slave service | {} | -| `slave.service.port` | Kubernetes Service port (redis slave) | `6379` | -| `slave.service.loadBalancerIP` | LoadBalancerIP if RedisTM slave service type is `LoadBalancer` | `nil` | -| `slave.service.loadBalancerSourceRanges` | loadBalancerSourceRanges if RedisTM slave service type is `LoadBalancer` | `nil` | -| `slave.command` | RedisTM slave entrypoint string. The command `redis-server` is executed if this is not provided. Note this is prepended with `exec` | `/run.sh` | -| `slave.preExecCmds` | Text to inset into the startup script immediately prior to `slave.command`. Use this if you need to run other ad-hoc commands as part of startup | `nil` | -| `slave.configmap` | Additional RedisTM configuration for the slave nodes (this value is evaluated as a template) | `nil` | -| `slave.disableCommands` | Array of RedisTM commands to disable (slave) | `[FLUSHDB, FLUSHALL]` | -| `slave.extraFlags` | RedisTM slave additional command line flags | `[]` | -| `slave.livenessProbe.enabled` | Turn on and off liveness probe (redis slave pod) | `true` | -| `slave.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated (redis slave pod) | `5` | -| `slave.livenessProbe.periodSeconds` | How often to perform the probe (redis slave pod) | `5` | -| `slave.livenessProbe.timeoutSeconds` | When the probe times out (redis slave pod) | `5` | -| `slave.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis slave pod) | `1` | -| `slave.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `5` | -| `slave.readinessProbe.enabled` | Turn on and off slave.readiness probe (redis slave pod) | `true` | -| `slave.readinessProbe.initialDelaySeconds` | Delay before slave.readiness probe is initiated (redis slave pod) | `5` | -| `slave.readinessProbe.periodSeconds` | How often to perform the probe (redis slave pod) | `5` | -| `slave.readinessProbe.timeoutSeconds` | When the probe times out (redis slave pod) | `1` | -| `slave.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis slave pod) | `1` | -| `slave.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. (redis slave pod) | `5` | -| `slave.shareProcessNamespace` | RedisTM slave pod `shareProcessNamespace` option. Enables /pause reap zombie PIDs. | `false` | -| `slave.persistence.enabled` | Use a PVC to persist data (slave node) | `true` | -| `slave.persistence.path` | Path to mount the volume at, to use other images | `/data` | -| `slave.persistence.subPath` | Subdirectory of the volume to mount at | `""` | -| `slave.persistence.storageClass` | Storage class of backing PVC | `generic` | -| `slave.persistence.accessModes` | Persistent Volume Access Modes | `[ReadWriteOnce]` | -| `slave.persistence.size` | Size of data volume | `8Gi` | -| `slave.persistence.matchLabels` | matchLabels persistent volume selector | `{}` | -| `slave.persistence.matchExpressions` | matchExpressions persistent volume selector | `{}` | -| `slave.statefulset.labels` | Additional labels for redis slave StatefulSet | `{}` | -| `slave.statefulset.annotations` | Additional annotations for redis slave StatefulSet | `{}` | -| `slave.statefulset.updateStrategy` | Update strategy for StatefulSet | onDelete | -| `slave.statefulset.rollingUpdatePartition` | Partition update strategy | `nil` | -| `slave.statefulset.volumeClaimTemplates.labels` | Additional labels for redis slave StatefulSet volumeClaimTemplates | `{}` | -| `slave.statefulset.volumeClaimTemplates.annotations` | Additional annotations for redis slave StatefulSet volumeClaimTemplates | `{}` | -| `slave.extraEnvVars` | Additional Environment Variables passed to the pod of the slave's stateful set set | `[]` | -| `slave.extraEnvVarCMs` | Additional Environment Variables ConfigMappassed to the pod of the slave's stateful set set | `[]` | -| `masslaveter.extraEnvVarsSecret` | Additional Environment Variables Secret passed to the slave's stateful set | `[]` | -| `slave.extraVolumes` | Array of extra volumes to be added to slave pod (evaluated as a template) | `[]` | -| `slave.extraVolumeMounts` | Array of extra volume mounts to be added to slave pod (evaluated as a template) | `[]` | -| `slave.podLabels` | Additional labels for RedisTM slave pod | `master.podLabels` | -| `slave.podAnnotations` | Additional annotations for RedisTM slave pod | `master.podAnnotations` | -| `slave.schedulerName` | Name of an alternate scheduler | `nil` | -| `slave.resources` | RedisTM slave CPU/Memory resource requests/limits | `{}` | -| `slave.affinity` | Enable node/pod affinity for slaves | {} | -| `slave.tolerations` | Toleration labels for RedisTM slave pod assignment | [] | -| `slave.spreadConstraints` | [Topology Spread Constraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) for RedisTM slave pod | {} | -| `slave.priorityClassName` | RedisTM Slave pod priorityClassName | `nil` | -| `sentinel.enabled` | Enable sentinel containers | `false` | -| `sentinel.usePassword` | Use password for sentinel containers | `true` | -| `sentinel.masterSet` | Name of the sentinel master set | `mymaster` | -| `sentinel.initialCheckTimeout` | Timeout for querying the redis sentinel service for the active sentinel list | `5` | -| `sentinel.quorum` | Quorum for electing a new master | `2` | -| `sentinel.downAfterMilliseconds` | Timeout for detecting a RedisTM node is down | `60000` | -| `sentinel.failoverTimeout` | Timeout for performing a election failover | `18000` | -| `sentinel.parallelSyncs` | Number of parallel syncs in the cluster | `1` | -| `sentinel.port` | RedisTM Sentinel port | `26379` | -| `sentinel.cleanDelaySeconds` | Delay seconds before issuing the the cleaning in the next node | `5` | -| `sentinel.configmap` | Additional RedisTM configuration for the sentinel nodes (this value is evaluated as a template) | `nil` | -| `sentinel.staticID` | Enable static IDs for sentinel replicas (If disabled IDs will be randomly generated on startup) | `false` | -| `sentinel.service.type` | Kubernetes Service type (redis sentinel) | `ClusterIP` | -| `sentinel.service.externalTrafficPolicy` | External traffic policy (when service type is LoadBalancer) | `Cluster` | -| `sentinel.service.nodePort` | Kubernetes Service nodePort (redis sentinel) | `nil` | -| `sentinel.service.annotations` | annotations for redis sentinel service | {} | -| `sentinel.service.labels` | Additional labels for redis sentinel service | {} | -| `sentinel.service.redisPort` | Kubernetes Service port for RedisTM read only operations | `6379` | -| `sentinel.service.sentinelPort` | Kubernetes Service port for RedisTM sentinel | `26379` | -| `sentinel.service.redisNodePort` | Kubernetes Service node port for RedisTM read only operations | `` | -| `sentinel.service.sentinelNodePort` | Kubernetes Service node port for RedisTM sentinel | `` | -| `sentinel.service.loadBalancerIP` | LoadBalancerIP if RedisTM sentinel service type is `LoadBalancer` | `nil` | -| `sentinel.livenessProbe.enabled` | Turn on and off liveness probe (redis sentinel pod) | `true` | -| `sentinel.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated (redis sentinel pod) | `5` | -| `sentinel.livenessProbe.periodSeconds` | How often to perform the probe (redis sentinel container) | `5` | -| `sentinel.livenessProbe.timeoutSeconds` | When the probe times out (redis sentinel container) | `5` | -| `sentinel.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis sentinel container) | `1` | -| `sentinel.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `5` | -| `sentinel.readinessProbe.enabled` | Turn on and off sentinel.readiness probe (redis sentinel pod) | `true` | -| `sentinel.readinessProbe.initialDelaySeconds` | Delay before sentinel.readiness probe is initiated (redis sentinel pod) | `5` | -| `sentinel.readinessProbe.periodSeconds` | How often to perform the probe (redis sentinel pod) | `5` | -| `sentinel.readinessProbe.timeoutSeconds` | When the probe times out (redis sentinel container) | `1` | -| `sentinel.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis sentinel container) | `1` | -| `sentinel.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. (redis sentinel container) | `5` | -| `sentinel.resources` | RedisTM sentinel CPU/Memory resource requests/limits | `{}` | -| `sentinel.image.registry` | RedisTM Sentinel Image registry | `docker.io` | -| `sentinel.image.repository` | RedisTM Sentinel Image name | `bitnami/redis-sentinel` | -| `sentinel.image.tag` | RedisTM Sentinel Image tag | `{TAG_NAME}` | -| `sentinel.image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `sentinel.image.pullSecrets` | Specify docker-registry secret names as an array | `nil` | -| `sentinel.extraEnvVars` | Additional Environment Variables passed to the pod of the sentinel node stateful set set | `[]` | -| `sentinel.extraEnvVarCMs` | Additional Environment Variables ConfigMappassed to the pod of the sentinel node stateful set set | `[]` | -| `sentinel.extraEnvVarsSecret` | Additional Environment Variables Secret passed to the sentinel node statefulset | `[]` | -| `sentinel.extraVolumes` | Array of extra volumes to be added to sentinel node (evaluated as a template) | `[]` | -| `sentinel.extraVolumeMounts` | Array of extra volume mounts to be added to sentinel node (evaluated as a template) | `[]` | -| `sentinel.preExecCmds` | Text to inset into the startup script immediately prior to `sentinel.command`. Use this if you need to run other ad-hoc commands as part of startup | `nil` | -| `sentinel.metrics.enabled` | Start a side-car prometheus sentinel exporter | `false` | -| `sentinel.metrics.image.registry` | Redis Sentinel exporter image registry | `docker.io` | -| `sentinel.metrics.image.repository` | Redis Sentinel exporter image name | `bitnami/redis-sentinel-exporter` | -| `sentinel.metrics.image.tag` | Redis Sentinel exporter image tag | `{TAG_NAME}` | -| `sentinel.metrics.image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `sentinel.metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `sentinel.metrics.extraArgs` | Extra arguments for the binary; possible values [here](https://github.com/leominov/redis_sentinel_exporter#configuration) | `{}` | -| `sentinel.metrics.resources` | Exporter resource requests/limit | `{}` | -| `sentinel.metrics.serviceMonitor.enabled` | if `true`, creates a Prometheus Operator ServiceMonitor (also requires `sentinel.metrics.enabled` to be `true`) | `false` | -| `sentinel.metrics.serviceMonitor.namespace` | Optional namespace which Prometheus is running in | `nil` | -| `sentinel.metrics.serviceMonitor.interval` | How frequently to scrape metrics (use by default, falling back to Prometheus' default) | `nil` | -| `sentinel.metrics.serviceMonitor.selector` | Default to kube-prometheus install (CoreOS recommended), but should be set according to Prometheus install | `{ prometheus: kube-prometheus }` | -| `sentinel.metrics.service.type` | Kubernetes Service type (redis sentinel metrics) | `ClusterIP` | -| `sentinel.metrics.service.port` | Kubernetes service port (redis sentinel metrics) | `9355` | -| `sentinel.metrics.service.externalTrafficPolicy` | External traffic policy (when service type is LoadBalancer) | `Cluster` | -| `sentinel.metrics.service.annotations` | Annotations for the services to monitor (redis sentinel metrics service) | {} | -| `sentinel.metrics.service.labels` | Additional labels for the Sentinel metrics service | {} | -| `sentinel.metrics.service.loadBalancerIP` | loadBalancerIP if redis metrics service type is `LoadBalancer` | `nil` | -| `sentinel.metrics.priorityClassName` | Sentinel metrics exporter pod priorityClassName | `nil` | -| `sysctlImage.enabled` | Enable an init container to modify Kernel settings | `false` | -| `sysctlImage.command` | sysctlImage command to execute | [] | -| `sysctlImage.registry` | sysctlImage Init container registry | `docker.io` | -| `sysctlImage.repository` | sysctlImage Init container name | `bitnami/bitnami-shell` | -| `sysctlImage.tag` | sysctlImage Init container tag | `"10"` | -| `sysctlImage.pullPolicy` | sysctlImage Init container pull policy | `Always` | -| `sysctlImage.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` | -| `sysctlImage.resources` | sysctlImage Init container CPU/Memory resource requests/limits | {} | -| `podSecurityPolicy.create` | Specifies whether a PodSecurityPolicy should be created | `false` | - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, - -```bash -$ helm install my-release \ - --set password=secretpassword \ - bitnami/redis -``` - -The above command sets the RedisTM server password to `secretpassword`. - -> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. - -Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, - -```bash -$ helm install my-release -f values.yaml bitnami/redis -``` - -> **Tip**: You can use the default [values.yaml](values.yaml) - -> **Note for minikube users**: Current versions of minikube (v0.24.1 at the time of writing) provision `hostPath` persistent volumes that are only writable by root. Using chart defaults cause pod failure for the RedisTM pod as it attempts to write to the `/bitnami` directory. Consider installing RedisTM with `--set persistence.enabled=false`. See minikube issue [1990](https://github.com/kubernetes/minikube/issues/1990) for more information. - -## Configuration and installation details - -### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) - -It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. - -Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. - -### Change RedisTM version - -To modify the RedisTM version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/redis/tags/) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters. - -### Cluster topologies - -#### Default: Master-Slave - -When installing the chart with `cluster.enabled=true`, it will deploy a RedisTM master StatefulSet (only one master node allowed) and a RedisTM slave StatefulSet. The slaves will be read-replicas of the master. Two services will be exposed: - - - RedisTM Master service: Points to the master, where read-write operations can be performed - - RedisTM Slave service: Points to the slaves, where only read operations are allowed. - -In case the master crashes, the slaves will wait until the master node is respawned again by the Kubernetes Controller Manager. - -#### Master-Slave with Sentinel - -When installing the chart with `cluster.enabled=true` and `sentinel.enabled=true`, it will deploy a RedisTM master StatefulSet (only one master allowed) and a RedisTM slave StatefulSet. In this case, the pods will contain an extra container with RedisTM Sentinel. This container will form a cluster of RedisTM Sentinel nodes, which will promote a new master in case the actual one fails. In addition to this, only one service is exposed: - - - RedisTM service: Exposes port 6379 for RedisTM read-only operations and port 26379 for accessing RedisTM Sentinel. - -For read-only operations, access the service using port 6379. For write operations, it's necessary to access the RedisTM Sentinel cluster and query the current master using the command below (using redis-cli or similar: - -``` -SENTINEL get-master-addr-by-name -``` -This command will return the address of the current master, which can be accessed from inside the cluster. - -In case the current master crashes, the Sentinel containers will elect a new master node. - -### Using password file -To use a password file for RedisTM you need to create a secret containing the password. - -> *NOTE*: It is important that the file with the password must be called `redis-password` - -And then deploy the Helm Chart using the secret name as parameter: - -```console -usePassword=true -usePasswordFile=true -existingSecret=redis-password-file -sentinels.enabled=true -metrics.enabled=true -``` - -### Securing traffic using TLS - -TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart: - -- `tls.enabled`: Enable TLS support. Defaults to `false` -- `tls.certificatesSecret`: Name of the secret that contains the certificates. No defaults. -- `tls.certFilename`: Certificate filename. No defaults. -- `tls.certKeyFilename`: Certificate key filename. No defaults. -- `tls.certCAFilename`: CA Certificate filename. No defaults. - -For example: - -First, create the secret with the cetificates files: - -```console -kubectl create secret generic certificates-tls-secret --from-file=./cert.pem --from-file=./cert.key --from-file=./ca.pem -``` - -Then, use the following parameters: - -```console -tls.enabled="true" -tls.certificatesSecret="certificates-tls-secret" -tls.certFilename="cert.pem" -tls.certKeyFilename="cert.key" -tls.certCAFilename="ca.pem" -``` - -### Metrics - -The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9121) is exposed in the service. Metrics can be scraped from within the cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). If metrics are to be scraped from outside the cluster, the Kubernetes API proxy can be utilized to access the endpoint. - -If you have enabled TLS by specifying `tls.enabled=true` you also need to specify TLS option to the metrics exporter. You can do that via `metrics.extraArgs`. You can find the metrics exporter CLI flags for TLS [here](https://github.com/oliver006/redis_exporter#command-line-flags). For example: - -You can either specify `metrics.extraArgs.skip-tls-verification=true` to skip TLS verification or providing the following values under `metrics.extraArgs` for TLS client authentication: - -```console -tls-client-key-file -tls-client-cert-file -tls-ca-cert-file -``` - -### Host Kernel Settings - -RedisTM may require some changes in the kernel of the host machine to work as expected, in particular increasing the `somaxconn` value and disabling transparent huge pages. -To do so, you can set up a privileged initContainer with the `sysctlImage` config values, for example: - -``` -sysctlImage: - enabled: true - mountHostSys: true - command: - - /bin/sh - - -c - - |- - sysctl -w net.core.somaxconn=10000 - echo never > /host-sys/kernel/mm/transparent_hugepage/enabled -``` - -Alternatively, for Kubernetes 1.12+ you can set `securityContext.sysctls` which will configure sysctls for master and slave pods. Example: - -```yaml -securityContext: - sysctls: - - name: net.core.somaxconn - value: "10000" -``` - -Note that this will not disable transparent huge tables. - -## Persistence - -By default, the chart mounts a [Persistent Volume](http://kubernetes.io/docs/user-guide/persistent-volumes/) at the `/data` path. The volume is created using dynamic volume provisioning. If a Persistent Volume Claim already exists, specify it during installation. - -### Existing PersistentVolumeClaim - -1. Create the PersistentVolume -2. Create the PersistentVolumeClaim -3. Install the chart - -```bash -$ helm install my-release --set persistence.existingClaim=PVC_NAME bitnami/redis -``` - -## Backup and restore - -### Backup - -To perform a backup you will need to connect to one of the nodes and execute: - -```bash -$ kubectl exec -it my-redis-master-0 bash - -$ redis-cli -127.0.0.1:6379> auth your_current_redis_password -OK -127.0.0.1:6379> save -OK -``` - -Then you will need to get the created dump file form the redis node: - -```bash -$ kubectl cp my-redis-master-0:/data/dump.rdb dump.rdb -c redis -``` - -### Restore - -To restore in a new cluster, you will need to change a parameter in the redis.conf file and then upload the `dump.rdb` to the volume. - -Follow the following steps: - -- First you will need to set in the `values.yaml` the parameter `appendonly` to `no`, if it is already `no` you can skip this step. - -```yaml -configmap: |- - # Enable AOF https://redis.io/topics/persistence#append-only-file - appendonly no - # Disable RDB persistence, AOF persistence already enabled. - save "" -``` - -- Start the new cluster to create the PVCs. - -For example, : - -```bash -helm install new-redis -f values.yaml . --set cluster.enabled=true --set cluster.slaveCount=3 -``` - -- Now that the PVC were created, stop it and copy the `dump.rdp` on the persisted data by using a helping pod. - -``` -$ helm delete new-redis - -$ kubectl run --generator=run-pod/v1 -i --rm --tty volpod --overrides=' -{ - "apiVersion": "v1", - "kind": "Pod", - "metadata": { - "name": "redisvolpod" - }, - "spec": { - "containers": [{ - "command": [ - "tail", - "-f", - "/dev/null" - ], - "image": "bitnami/minideb", - "name": "mycontainer", - "volumeMounts": [{ - "mountPath": "/mnt", - "name": "redisdata" - }] - }], - "restartPolicy": "Never", - "volumes": [{ - "name": "redisdata", - "persistentVolumeClaim": { - "claimName": "redis-data-new-redis-master-0" - } - }] - } -}' --image="bitnami/minideb" - -$ kubectl cp dump.rdb redisvolpod:/mnt/dump.rdb -$ kubectl delete pod volpod -``` - -- Start again the cluster: - -``` -helm install new-redis -f values.yaml . --set cluster.enabled=true --set cluster.slaveCount=3 -``` - -## NetworkPolicy - -To enable network policy for RedisTM, install -[a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), -and set `networkPolicy.enabled` to `true`. - -For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting -the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace: - - kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" - -With NetworkPolicy enabled, only pods with the generated client label will be -able to connect to RedisTM. This label will be displayed in the output -after a successful install. - -With `networkPolicy.ingressNSMatchLabels` pods from other namespaces can connect to redis. Set `networkPolicy.ingressNSPodMatchLabels` to match pod labels in matched namespace. For example, for a namespace labeled `redis=external` and pods in that namespace labeled `redis-client=true` the fields should be set: - -``` -networkPolicy: - enabled: true - ingressNSMatchLabels: - redis: external - ingressNSPodMatchLabels: - redis-client: true -``` - -## Troubleshooting - -Find more information about how to deal with common errors related to Bitnami’s Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). - -## Upgrading an existing Release to a new major version - -A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an -incompatible breaking change needing manual actions. - -### To 11.0.0 - -When using sentinel, a new statefulset called `-node` was introduced. This will break upgrading from a previous version where the statefulsets are called master and slave. Hence the PVC will not match the new naming and won't be reused. If you want to keep your data, you will need to perform a backup and then a restore the data in this new version. - -### To 10.0.0 - -For releases with `usePassword: true`, the value `sentinel.usePassword` controls whether the password authentication also applies to the sentinel port. This defaults to `true` for a secure configuration, however it is possible to disable to account for the following cases: - -- Using a version of redis-sentinel prior to `5.0.1` where the authentication feature was introduced. -- Where redis clients need to be updated to support sentinel authentication. - -If using a master/slave topology, or with `usePassword: false`, no action is required. - -### To 8.0.18 - -For releases with `metrics.enabled: true` the default tag for the exporter image is now `v1.x.x`. This introduces many changes including metrics names. You'll want to use [this dashboard](https://github.com/oliver006/redis_exporter/blob/master/contrib/grafana_prometheus_redis_dashboard.json) now. Please see the [redis_exporter github page](https://github.com/oliver006/redis_exporter#upgrading-from-0x-to-1x) for more details. - -### To 7.0.0 - -This version causes a change in the RedisTM Master StatefulSet definition, so the command helm upgrade would not work out of the box. As an alternative, one of the following could be done: - -- Recommended: Create a clone of the RedisTM Master PVC (for example, using projects like [this one](https://github.com/edseymour/pvc-transfer)). Then launch a fresh release reusing this cloned PVC. - - ``` - helm install my-release bitnami/redis --set persistence.existingClaim= - ``` - -- Alternative (not recommended, do at your own risk): `helm delete --purge` does not remove the PVC assigned to the RedisTM Master StatefulSet. As a consequence, the following commands can be done to upgrade the release - - ``` - helm delete --purge - helm install bitnami/redis - ``` - -Previous versions of the chart were not using persistence in the slaves, so this upgrade would add it to them. Another important change is that no values are inherited from master to slaves. For example, in 6.0.0 `slaves.readinessProbe.periodSeconds`, if empty, would be set to `master.readinessProbe.periodSeconds`. This approach lacked transparency and was difficult to maintain. From now on, all the slave parameters must be configured just as it is done with the masters. - -Some values have changed as well: - -- `master.port` and `slave.port` have been changed to `redisPort` (same value for both master and slaves) -- `master.securityContext` and `slave.securityContext` have been changed to `securityContext`(same values for both master and slaves) - -By default, the upgrade will not change the cluster topology. In case you want to use RedisTM Sentinel, you must explicitly set `sentinel.enabled` to `true`. - -### To 6.0.0 - -Previous versions of the chart were using an init-container to change the permissions of the volumes. This was done in case the `securityContext` directive in the template was not enough for that (for example, with cephFS). In this new version of the chart, this container is disabled by default (which should not affect most of the deployments). If your installation still requires that init container, execute `helm upgrade` with the `--set volumePermissions.enabled=true`. - -### To 5.0.0 - -The default image in this release may be switched out for any image containing the `redis-server` -and `redis-cli` binaries. If `redis-server` is not the default image ENTRYPOINT, `master.command` -must be specified. - -#### Breaking changes - -- `master.args` and `slave.args` are removed. Use `master.command` or `slave.command` instead in order to override the image entrypoint, or `master.extraFlags` to pass additional flags to `redis-server`. -- `disableCommands` is now interpreted as an array of strings instead of a string of comma separated values. -- `master.persistence.path` now defaults to `/data`. - -### 4.0.0 - -This version removes the `chart` label from the `spec.selector.matchLabels` -which is immutable since `StatefulSet apps/v1beta2`. It has been inadvertently -added, causing any subsequent upgrade to fail. See https://github.com/helm/charts/issues/7726. - -It also fixes https://github.com/helm/charts/issues/7726 where a deployment `extensions/v1beta1` can not be upgraded if `spec.selector` is not explicitly set. - -Finally, it fixes https://github.com/helm/charts/issues/7803 by removing mutable labels in `spec.VolumeClaimTemplate.metadata.labels` so that it is upgradable. - -In order to upgrade, delete the RedisTM StatefulSet before upgrading: - -```bash -kubectl delete statefulsets.apps --cascade=false my-release-redis-master -``` - -And edit the RedisTM slave (and metrics if enabled) deployment: - -```bash -kubectl patch deployments my-release-redis-slave --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]' -kubectl patch deployments my-release-redis-metrics --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]' -``` - -## Upgrading - -### To 12.0.0 - -[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. - -**What changes were introduced in this major version?** - -- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. -- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts - -**Considerations when upgrading to this version** - -- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues -- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore -- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 - -**Useful links** - -- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ -- https://helm.sh/docs/topics/v2_v3_migration/ -- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ - -### To 11.0.0 - -When deployed with sentinel enabled, only a group of nodes is deployed and the master/slave role is handled in the group. To avoid breaking the compatibility, the settings for this nodes are given through the `slave.xxxx` parameters in `values.yaml` - -### To 9.0.0 - -The metrics exporter has been changed from a separate deployment to a sidecar container, due to the latest changes in the RedisTM exporter code. Check the [official page](https://github.com/oliver006/redis_exporter/) for more information. The metrics container image was changed from oliver006/redis_exporter to bitnami/redis-exporter (Bitnami's maintained package of oliver006/redis_exporter). - -### To 7.0.0 - -In order to improve the performance in case of slave failure, we added persistence to the read-only slaves. That means that we moved from Deployment to StatefulSets. This should not affect upgrades from previous versions of the chart, as the deployments did not contain any persistence at all. - -This version also allows enabling RedisTM Sentinel containers inside of the RedisTM Pods (feature disabled by default). In case the master crashes, a new RedisTM node will be elected as master. In order to query the current master (no redis master service is exposed), you need to query first the Sentinel cluster. Find more information [in this section](#master-slave-with-sentinel). diff --git a/stable/ckan/charts/redis/charts/common/.helmignore b/stable/ckan/charts/redis/charts/common/.helmignore deleted file mode 100644 index 50af0317..00000000 --- a/stable/ckan/charts/redis/charts/common/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/stable/ckan/charts/redis/charts/common/Chart.yaml b/stable/ckan/charts/redis/charts/common/Chart.yaml deleted file mode 100644 index bcc3808d..00000000 --- a/stable/ckan/charts/redis/charts/common/Chart.yaml +++ /dev/null @@ -1,23 +0,0 @@ -annotations: - category: Infrastructure -apiVersion: v2 -appVersion: 1.4.2 -description: A Library Helm Chart for grouping common logic between bitnami charts. - This chart is not deployable by itself. -home: https://github.com/bitnami/charts/tree/master/bitnami/common -icon: https://bitnami.com/downloads/logos/bitnami-mark.png -keywords: -- common -- helper -- template -- function -- bitnami -maintainers: -- email: containers@bitnami.com - name: Bitnami -name: common -sources: -- https://github.com/bitnami/charts -- http://www.bitnami.com/ -type: library -version: 1.4.2 diff --git a/stable/ckan/charts/redis/charts/common/README.md b/stable/ckan/charts/redis/charts/common/README.md deleted file mode 100644 index 7287cbb5..00000000 --- a/stable/ckan/charts/redis/charts/common/README.md +++ /dev/null @@ -1,322 +0,0 @@ -# Bitnami Common Library Chart - -A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts. - -## TL;DR - -```yaml -dependencies: - - name: common - version: 0.x.x - repository: https://charts.bitnami.com/bitnami -``` - -```bash -$ helm dependency update -``` - -```yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.names.fullname" . }} -data: - myvalue: "Hello World" -``` - -## Introduction - -This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. - -Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications. - -## Prerequisites - -- Kubernetes 1.12+ -- Helm 3.1.0 - -## Parameters - -The following table lists the helpers available in the library which are scoped in different sections. - -### Affinities - -| Helper identifier | Description | Expected Input | -|-------------------------------|------------------------------------------------------|------------------------------------------------| -| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | -| `common.affinities.node.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | -| `common.affinities.pod.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | -| `common.affinities.pod.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | - -### Capabilities - -| Helper identifier | Description | Expected Input | -|----------------------------------------------|------------------------------------------------------------------------------------------------|-------------------| -| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context | -| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context | -| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context | -| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context | -| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context | -| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context | -| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context | - -### Errors - -| Helper identifier | Description | Expected Input | -|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------| -| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` | - -### Images - -| Helper identifier | Description | Expected Input | -|-----------------------------|------------------------------------------------------|---------------------------------------------------------------------------------------------------------| -| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. | -| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` | - -### Ingress - -| Helper identifier | Description | Expected Input | -|--------------------------|----------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences | - -### Labels - -| Helper identifier | Description | Expected Input | -|-----------------------------|------------------------------------------------------|-------------------| -| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context | -| `common.labels.matchLabels` | Return the proper Docker Image Registry Secret Names | `.` Chart context | - -### Names - -| Helper identifier | Description | Expected Inpput | -|-------------------------|------------------------------------------------------------|-------------------| -| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context | -| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context | -| `common.names.chart` | Chart name plus version | `.` Chart context | - -### Secrets - -| Helper identifier | Description | Expected Input | -|---------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. | -| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. | -| `common.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $`, length, strong and chartNAme fields are optional. | -| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` | - -### Storage - -| Helper identifier | Description | Expected Input | -|-------------------------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------| -| `common.affinities.node.soft` | Return a soft nodeAffinity definition | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. | - -### TplValues - -| Helper identifier | Description | Expected Input | -|---------------------------|----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` | - -### Utils - -| Helper identifier | Description | Expected Input | -|--------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------| -| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` | -| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` | -| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` | -| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` | - -### Validations - -| Helper identifier | Description | Expected Input | -|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) | -| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) | -| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. | -| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. | -| `common.validations.values.redis.passwords` | This helper will ensure required password for RedisTM are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper. | -| `common.validations.values.cassandra.passwords` | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper. | -| `common.validations.values.mongodb.passwords` | This helper will ensure required password for MongoDB® are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper. | - -### Warnings - -| Helper identifier | Description | Expected Input | -|------------------------------|----------------------------------|------------------------------------------------------------| -| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | - -## Special input schemas - -### ImageRoot - -```yaml -registry: - type: string - description: Docker registry where the image is located - example: docker.io - -repository: - type: string - description: Repository and image name - example: bitnami/nginx - -tag: - type: string - description: image tag - example: 1.16.1-debian-10-r63 - -pullPolicy: - type: string - description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - -pullSecrets: - type: array - items: - type: string - description: Optionally specify an array of imagePullSecrets. - -debug: - type: boolean - description: Set to true if you would like to see extra information on logs - example: false - -## An instance would be: -# registry: docker.io -# repository: bitnami/nginx -# tag: 1.16.1-debian-10-r63 -# pullPolicy: IfNotPresent -# debug: false -``` - -### Persistence - -```yaml -enabled: - type: boolean - description: Whether enable persistence. - example: true - -storageClass: - type: string - description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. - example: "-" - -accessMode: - type: string - description: Access mode for the Persistent Volume Storage. - example: ReadWriteOnce - -size: - type: string - description: Size the Persistent Volume Storage. - example: 8Gi - -path: - type: string - description: Path to be persisted. - example: /bitnami - -## An instance would be: -# enabled: true -# storageClass: "-" -# accessMode: ReadWriteOnce -# size: 8Gi -# path: /bitnami -``` - -### ExistingSecret - -```yaml -name: - type: string - description: Name of the existing secret. - example: mySecret -keyMapping: - description: Mapping between the expected key name and the name of the key in the existing secret. - type: object - -## An instance would be: -# name: mySecret -# keyMapping: -# password: myPasswordKey -``` - -#### Example of use - -When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. - -```yaml -# templates/secret.yaml ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.names.fullname" . }} - labels: - app: {{ include "common.names.fullname" . }} -type: Opaque -data: - password: {{ .Values.password | b64enc | quote }} - -# templates/dpl.yaml ---- -... - env: - - name: PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} - key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} -... - -# values.yaml ---- -name: mySecret -keyMapping: - password: myPasswordKey -``` - -### ValidateValue - -#### NOTES.txt - -```console -{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} -{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} - -{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} -``` - -If we force those values to be empty we will see some alerts - -```console -$ helm install test mychart --set path.to.value00="",path.to.value01="" - 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: - - export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 --decode) - - 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: - - export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 --decode) -``` - -## Upgrading - -### To 1.0.0 - -[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. - -**What changes were introduced in this major version?** - -- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. -- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. -- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts - -**Considerations when upgrading to this version** - -- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues -- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore -- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 - -**Useful links** - -- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ -- https://helm.sh/docs/topics/v2_v3_migration/ -- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ diff --git a/stable/ckan/charts/redis/charts/common/templates/_affinities.tpl b/stable/ckan/charts/redis/charts/common/templates/_affinities.tpl deleted file mode 100644 index 493a6dc7..00000000 --- a/stable/ckan/charts/redis/charts/common/templates/_affinities.tpl +++ /dev/null @@ -1,94 +0,0 @@ -{{/* vim: set filetype=mustache: */}} - -{{/* -Return a soft nodeAffinity definition -{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.nodes.soft" -}} -preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: {{ .key }} - operator: In - values: - {{- range .values }} - - {{ . }} - {{- end }} - weight: 1 -{{- end -}} - -{{/* -Return a hard nodeAffinity definition -{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.nodes.hard" -}} -requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: {{ .key }} - operator: In - values: - {{- range .values }} - - {{ . }} - {{- end }} -{{- end -}} - -{{/* -Return a nodeAffinity definition -{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.nodes" -}} - {{- if eq .type "soft" }} - {{- include "common.affinities.nodes.soft" . -}} - {{- else if eq .type "hard" }} - {{- include "common.affinities.nodes.hard" . -}} - {{- end -}} -{{- end -}} - -{{/* -Return a soft podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods.soft" (dict "component" "FOO" "context" $) -}} -*/}} -{{- define "common.affinities.pods.soft" -}} -{{- $component := default "" .component -}} -preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }} - {{- if not (empty $component) }} - {{ printf "app.kubernetes.io/component: %s" $component }} - {{- end }} - namespaces: - - {{ .context.Release.Namespace | quote }} - topologyKey: kubernetes.io/hostname - weight: 1 -{{- end -}} - -{{/* -Return a hard podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods.hard" (dict "component" "FOO" "context" $) -}} -*/}} -{{- define "common.affinities.pods.hard" -}} -{{- $component := default "" .component -}} -requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }} - {{- if not (empty $component) }} - {{ printf "app.kubernetes.io/component: %s" $component }} - {{- end }} - namespaces: - - {{ .context.Release.Namespace | quote }} - topologyKey: kubernetes.io/hostname -{{- end -}} - -{{/* -Return a podAffinity/podAntiAffinity definition -{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} -*/}} -{{- define "common.affinities.pods" -}} - {{- if eq .type "soft" }} - {{- include "common.affinities.pods.soft" . -}} - {{- else if eq .type "hard" }} - {{- include "common.affinities.pods.hard" . -}} - {{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/_capabilities.tpl b/stable/ckan/charts/redis/charts/common/templates/_capabilities.tpl deleted file mode 100644 index 4dde56a3..00000000 --- a/stable/ckan/charts/redis/charts/common/templates/_capabilities.tpl +++ /dev/null @@ -1,95 +0,0 @@ -{{/* vim: set filetype=mustache: */}} - -{{/* -Return the target Kubernetes version -*/}} -{{- define "common.capabilities.kubeVersion" -}} -{{- if .Values.global }} - {{- if .Values.global.kubeVersion }} - {{- .Values.global.kubeVersion -}} - {{- else }} - {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} - {{- end -}} -{{- else }} -{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for deployment. -*/}} -{{- define "common.capabilities.deployment.apiVersion" -}} -{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "extensions/v1beta1" -}} -{{- else -}} -{{- print "apps/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for statefulset. -*/}} -{{- define "common.capabilities.statefulset.apiVersion" -}} -{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "apps/v1beta1" -}} -{{- else -}} -{{- print "apps/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for ingress. -*/}} -{{- define "common.capabilities.ingress.apiVersion" -}} -{{- if .Values.ingress -}} -{{- if .Values.ingress.apiVersion -}} -{{- .Values.ingress.apiVersion -}} -{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "extensions/v1beta1" -}} -{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "networking.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "networking.k8s.io/v1" -}} -{{- end }} -{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "extensions/v1beta1" -}} -{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "networking.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "networking.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for RBAC resources. -*/}} -{{- define "common.capabilities.rbac.apiVersion" -}} -{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "rbac.authorization.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "rbac.authorization.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for CRDs. -*/}} -{{- define "common.capabilities.crd.apiVersion" -}} -{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "apiextensions.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "apiextensions.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Returns true if the used Helm version is 3.3+. -A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. -This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. -**To be removed when the catalog's minimun Helm version is 3.3** -*/}} -{{- define "common.capabilities.supportsHelmVersion" -}} -{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} - {{- true -}} -{{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/_errors.tpl b/stable/ckan/charts/redis/charts/common/templates/_errors.tpl deleted file mode 100644 index a79cc2e3..00000000 --- a/stable/ckan/charts/redis/charts/common/templates/_errors.tpl +++ /dev/null @@ -1,23 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Through error when upgrading using empty passwords values that must not be empty. - -Usage: -{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} -{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} -{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} - -Required password params: - - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. - - context - Context - Required. Parent context. -*/}} -{{- define "common.errors.upgrade.passwords.empty" -}} - {{- $validationErrors := join "" .validationErrors -}} - {{- if and $validationErrors .context.Release.IsUpgrade -}} - {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}} - {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}} - {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}} - {{- $errorString = print $errorString "\n%s" -}} - {{- printf $errorString $validationErrors | fail -}} - {{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/_images.tpl b/stable/ckan/charts/redis/charts/common/templates/_images.tpl deleted file mode 100644 index 60f04fd6..00000000 --- a/stable/ckan/charts/redis/charts/common/templates/_images.tpl +++ /dev/null @@ -1,47 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Return the proper image name -{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }} -*/}} -{{- define "common.images.image" -}} -{{- $registryName := .imageRoot.registry -}} -{{- $repositoryName := .imageRoot.repository -}} -{{- $tag := .imageRoot.tag | toString -}} -{{- if .global }} - {{- if .global.imageRegistry }} - {{- $registryName = .global.imageRegistry -}} - {{- end -}} -{{- end -}} -{{- if $registryName }} -{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} -{{- else -}} -{{- printf "%s:%s" $repositoryName $tag -}} -{{- end -}} -{{- end -}} - -{{/* -Return the proper Docker Image Registry Secret Names -{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} -*/}} -{{- define "common.images.pullSecrets" -}} - {{- $pullSecrets := list }} - - {{- if .global }} - {{- range .global.imagePullSecrets -}} - {{- $pullSecrets = append $pullSecrets . -}} - {{- end -}} - {{- end -}} - - {{- range .images -}} - {{- range .pullSecrets -}} - {{- $pullSecrets = append $pullSecrets . -}} - {{- end -}} - {{- end -}} - - {{- if (not (empty $pullSecrets)) }} -imagePullSecrets: - {{- range $pullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/_ingress.tpl b/stable/ckan/charts/redis/charts/common/templates/_ingress.tpl deleted file mode 100644 index 622ef50e..00000000 --- a/stable/ckan/charts/redis/charts/common/templates/_ingress.tpl +++ /dev/null @@ -1,42 +0,0 @@ -{{/* vim: set filetype=mustache: */}} - -{{/* -Generate backend entry that is compatible with all Kubernetes API versions. - -Usage: -{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} - -Params: - - serviceName - String. Name of an existing service backend - - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. - - context - Dict - Required. The context for the template evaluation. -*/}} -{{- define "common.ingress.backend" -}} -{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} -{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} -serviceName: {{ .serviceName }} -servicePort: {{ .servicePort }} -{{- else -}} -service: - name: {{ .serviceName }} - port: - {{- if typeIs "string" .servicePort }} - name: {{ .servicePort }} - {{- else if typeIs "int" .servicePort }} - number: {{ .servicePort }} - {{- end }} -{{- end -}} -{{- end -}} - -{{/* -Print "true" if the API pathType field is supported -Usage: -{{ include "common.ingress.supportsPathType" . }} -*/}} -{{- define "common.ingress.supportsPathType" -}} -{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} -{{- print "false" -}} -{{- else -}} -{{- print "true" -}} -{{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/_labels.tpl b/stable/ckan/charts/redis/charts/common/templates/_labels.tpl deleted file mode 100644 index 252066c7..00000000 --- a/stable/ckan/charts/redis/charts/common/templates/_labels.tpl +++ /dev/null @@ -1,18 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Kubernetes standard labels -*/}} -{{- define "common.labels.standard" -}} -app.kubernetes.io/name: {{ include "common.names.name" . }} -helm.sh/chart: {{ include "common.names.chart" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end -}} - -{{/* -Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector -*/}} -{{- define "common.labels.matchLabels" -}} -app.kubernetes.io/name: {{ include "common.names.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/_names.tpl b/stable/ckan/charts/redis/charts/common/templates/_names.tpl deleted file mode 100644 index adf2a74f..00000000 --- a/stable/ckan/charts/redis/charts/common/templates/_names.tpl +++ /dev/null @@ -1,32 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "common.names.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "common.names.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "common.names.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/_secrets.tpl b/stable/ckan/charts/redis/charts/common/templates/_secrets.tpl deleted file mode 100644 index 60b84a70..00000000 --- a/stable/ckan/charts/redis/charts/common/templates/_secrets.tpl +++ /dev/null @@ -1,129 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Generate secret name. - -Usage: -{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} - -Params: - - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user - to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. - +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret - - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. - - context - Dict - Required. The context for the template evaluation. -*/}} -{{- define "common.secrets.name" -}} -{{- $name := (include "common.names.fullname" .context) -}} - -{{- if .defaultNameSuffix -}} -{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{- with .existingSecret -}} -{{- if not (typeIs "string" .) -}} -{{- with .name -}} -{{- $name = . -}} -{{- end -}} -{{- else -}} -{{- $name = . -}} -{{- end -}} -{{- end -}} - -{{- printf "%s" $name -}} -{{- end -}} - -{{/* -Generate secret key. - -Usage: -{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} - -Params: - - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user - to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. - +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret - - key - String - Required. Name of the key in the secret. -*/}} -{{- define "common.secrets.key" -}} -{{- $key := .key -}} - -{{- if .existingSecret -}} - {{- if not (typeIs "string" .existingSecret) -}} - {{- if .existingSecret.keyMapping -}} - {{- $key = index .existingSecret.keyMapping $.key -}} - {{- end -}} - {{- end }} -{{- end -}} - -{{- printf "%s" $key -}} -{{- end -}} - -{{/* -Generate secret password or retrieve one if already created. - -Usage: -{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }} - -Params: - - secret - String - Required - Name of the 'Secret' resource where the password is stored. - - key - String - Required - Name of the key in the secret. - - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. - - length - int - Optional - Length of the generated random password. - - strong - Boolean - Optional - Whether to add symbols to the generated random password. - - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. - - context - Context - Required - Parent context. -*/}} -{{- define "common.secrets.passwords.manage" -}} - -{{- $password := "" }} -{{- $subchart := "" }} -{{- $chartName := default "" .chartName }} -{{- $passwordLength := default 10 .length }} -{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} -{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} -{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }} -{{- if $secret }} - {{- if index $secret.data .key }} - {{- $password = index $secret.data .key }} - {{- end -}} -{{- else if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString | b64enc | quote }} -{{- else }} - - {{- if .context.Values.enabled }} - {{- $subchart = $chartName }} - {{- end -}} - - {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} - {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} - {{- $passwordValidationErrors := list $requiredPasswordError -}} - {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} - - {{- if .strong }} - {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} - {{- $password = randAscii $passwordLength }} - {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} - {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} - {{- else }} - {{- $password = randAlphaNum $passwordLength | b64enc | quote }} - {{- end }} -{{- end -}} -{{- printf "%s" $password -}} -{{- end -}} - -{{/* -Returns whether a previous generated secret already exists - -Usage: -{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} - -Params: - - secret - String - Required - Name of the 'Secret' resource where the password is stored. - - context - Context - Required - Parent context. -*/}} -{{- define "common.secrets.exists" -}} -{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }} -{{- if $secret }} - {{- true -}} -{{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/_storage.tpl b/stable/ckan/charts/redis/charts/common/templates/_storage.tpl deleted file mode 100644 index 60e2a844..00000000 --- a/stable/ckan/charts/redis/charts/common/templates/_storage.tpl +++ /dev/null @@ -1,23 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Return the proper Storage Class -{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} -*/}} -{{- define "common.storage.class" -}} - -{{- $storageClass := .persistence.storageClass -}} -{{- if .global -}} - {{- if .global.storageClass -}} - {{- $storageClass = .global.storageClass -}} - {{- end -}} -{{- end -}} - -{{- if $storageClass -}} - {{- if (eq "-" $storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else }} - {{- printf "storageClassName: %s" $storageClass -}} - {{- end -}} -{{- end -}} - -{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/_tplvalues.tpl b/stable/ckan/charts/redis/charts/common/templates/_tplvalues.tpl deleted file mode 100644 index 2db16685..00000000 --- a/stable/ckan/charts/redis/charts/common/templates/_tplvalues.tpl +++ /dev/null @@ -1,13 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Renders a value that contains template. -Usage: -{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} -*/}} -{{- define "common.tplvalues.render" -}} - {{- if typeIs "string" .value }} - {{- tpl .value .context }} - {{- else }} - {{- tpl (.value | toYaml) .context }} - {{- end }} -{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/_utils.tpl b/stable/ckan/charts/redis/charts/common/templates/_utils.tpl deleted file mode 100644 index ea083a24..00000000 --- a/stable/ckan/charts/redis/charts/common/templates/_utils.tpl +++ /dev/null @@ -1,62 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Print instructions to get a secret value. -Usage: -{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} -*/}} -{{- define "common.utils.secret.getvalue" -}} -{{- $varname := include "common.utils.fieldToEnvVar" . -}} -export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 --decode) -{{- end -}} - -{{/* -Build env var name given a field -Usage: -{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} -*/}} -{{- define "common.utils.fieldToEnvVar" -}} - {{- $fieldNameSplit := splitList "-" .field -}} - {{- $upperCaseFieldNameSplit := list -}} - - {{- range $fieldNameSplit -}} - {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} - {{- end -}} - - {{ join "_" $upperCaseFieldNameSplit }} -{{- end -}} - -{{/* -Gets a value from .Values given -Usage: -{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} -*/}} -{{- define "common.utils.getValueFromKey" -}} -{{- $splitKey := splitList "." .key -}} -{{- $value := "" -}} -{{- $latestObj := $.context.Values -}} -{{- range $splitKey -}} - {{- if not $latestObj -}} - {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} - {{- end -}} - {{- $value = ( index $latestObj . ) -}} - {{- $latestObj = $value -}} -{{- end -}} -{{- printf "%v" (default "" $value) -}} -{{- end -}} - -{{/* -Returns first .Values key with a defined value or first of the list if all non-defined -Usage: -{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} -*/}} -{{- define "common.utils.getKeyFromList" -}} -{{- $key := first .keys -}} -{{- $reverseKeys := reverse .keys }} -{{- range $reverseKeys }} - {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }} - {{- if $value -}} - {{- $key = . }} - {{- end -}} -{{- end -}} -{{- printf "%s" $key -}} -{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/_warnings.tpl b/stable/ckan/charts/redis/charts/common/templates/_warnings.tpl deleted file mode 100644 index ae10fa41..00000000 --- a/stable/ckan/charts/redis/charts/common/templates/_warnings.tpl +++ /dev/null @@ -1,14 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Warning about using rolling tag. -Usage: -{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} -*/}} -{{- define "common.warnings.rollingTag" -}} - -{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} -WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. -+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ -{{- end }} - -{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/validations/_cassandra.tpl b/stable/ckan/charts/redis/charts/common/templates/validations/_cassandra.tpl deleted file mode 100644 index 8679ddff..00000000 --- a/stable/ckan/charts/redis/charts/common/templates/validations/_cassandra.tpl +++ /dev/null @@ -1,72 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Validate Cassandra required passwords are not empty. - -Usage: -{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret" - - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false -*/}} -{{- define "common.validations.values.cassandra.passwords" -}} - {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}} - {{- $enabled := include "common.cassandra.values.enabled" . -}} - {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} - {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} - - {{- if and (not $existingSecret) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for existingSecret. - -Usage: -{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} -Params: - - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false -*/}} -{{- define "common.cassandra.values.existingSecret" -}} - {{- if .subchart -}} - {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} - {{- else -}} - {{- .context.Values.dbUser.existingSecret | quote -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled cassandra. - -Usage: -{{ include "common.cassandra.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.cassandra.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.cassandra.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key dbUser - -Usage: -{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false -*/}} -{{- define "common.cassandra.values.key.dbUser" -}} - {{- if .subchart -}} - cassandra.dbUser - {{- else -}} - dbUser - {{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/validations/_mariadb.tpl b/stable/ckan/charts/redis/charts/common/templates/validations/_mariadb.tpl deleted file mode 100644 index bb5ed725..00000000 --- a/stable/ckan/charts/redis/charts/common/templates/validations/_mariadb.tpl +++ /dev/null @@ -1,103 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Validate MariaDB required passwords are not empty. - -Usage: -{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.validations.values.mariadb.passwords" -}} - {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} - {{- $enabled := include "common.mariadb.values.enabled" . -}} - {{- $architecture := include "common.mariadb.values.architecture" . -}} - {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} - {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} - {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} - {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} - {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} - - {{- if and (not $existingSecret) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} - - {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} - {{- if not (empty $valueUsername) -}} - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - {{- end -}} - - {{- if (eq $architecture "replication") -}} - {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for existingSecret. - -Usage: -{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.mariadb.values.auth.existingSecret" -}} - {{- if .subchart -}} - {{- .context.Values.mariadb.auth.existingSecret | quote -}} - {{- else -}} - {{- .context.Values.auth.existingSecret | quote -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled mariadb. - -Usage: -{{ include "common.mariadb.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.mariadb.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.mariadb.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for architecture - -Usage: -{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.mariadb.values.architecture" -}} - {{- if .subchart -}} - {{- .context.Values.mariadb.architecture -}} - {{- else -}} - {{- .context.Values.architecture -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key auth - -Usage: -{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.mariadb.values.key.auth" -}} - {{- if .subchart -}} - mariadb.auth - {{- else -}} - auth - {{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/validations/_mongodb.tpl b/stable/ckan/charts/redis/charts/common/templates/validations/_mongodb.tpl deleted file mode 100644 index 7d5ecbcc..00000000 --- a/stable/ckan/charts/redis/charts/common/templates/validations/_mongodb.tpl +++ /dev/null @@ -1,108 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Validate MongoDB(R) required passwords are not empty. - -Usage: -{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where MongoDB(R) values are stored, e.g: "mongodb-passwords-secret" - - subchart - Boolean - Optional. Whether MongoDB(R) is used as subchart or not. Default: false -*/}} -{{- define "common.validations.values.mongodb.passwords" -}} - {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} - {{- $enabled := include "common.mongodb.values.enabled" . -}} - {{- $authPrefix := include "common.mongodb.values.key.auth" . -}} - {{- $architecture := include "common.mongodb.values.architecture" . -}} - {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} - {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} - {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}} - {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} - {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}} - {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}} - - {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} - - {{- if and (not $existingSecret) (eq $enabled "true") (eq $authEnabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} - - {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} - {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }} - {{- if and $valueUsername $valueDatabase -}} - {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} - {{- end -}} - - {{- if (eq $architecture "replicaset") -}} - {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for existingSecret. - -Usage: -{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false -*/}} -{{- define "common.mongodb.values.auth.existingSecret" -}} - {{- if .subchart -}} - {{- .context.Values.mongodb.auth.existingSecret | quote -}} - {{- else -}} - {{- .context.Values.auth.existingSecret | quote -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled mongodb. - -Usage: -{{ include "common.mongodb.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.mongodb.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.mongodb.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key auth - -Usage: -{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MongoDB(R) is used as subchart or not. Default: false -*/}} -{{- define "common.mongodb.values.key.auth" -}} - {{- if .subchart -}} - mongodb.auth - {{- else -}} - auth - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for architecture - -Usage: -{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false -*/}} -{{- define "common.mongodb.values.architecture" -}} - {{- if .subchart -}} - {{- .context.Values.mongodb.architecture -}} - {{- else -}} - {{- .context.Values.architecture -}} - {{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/validations/_postgresql.tpl b/stable/ckan/charts/redis/charts/common/templates/validations/_postgresql.tpl deleted file mode 100644 index 992bcd39..00000000 --- a/stable/ckan/charts/redis/charts/common/templates/validations/_postgresql.tpl +++ /dev/null @@ -1,131 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Validate PostgreSQL required passwords are not empty. - -Usage: -{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret" - - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false -*/}} -{{- define "common.validations.values.postgresql.passwords" -}} - {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} - {{- $enabled := include "common.postgresql.values.enabled" . -}} - {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} - {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} - - {{- if and (not $existingSecret) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} - - {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} - {{- if (eq $enabledReplication "true") -}} - {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to decide whether evaluate global values. - -Usage: -{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} -Params: - - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" -*/}} -{{- define "common.postgresql.values.use.global" -}} - {{- if .context.Values.global -}} - {{- if .context.Values.global.postgresql -}} - {{- index .context.Values.global.postgresql .key | quote -}} - {{- end -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for existingSecret. - -Usage: -{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} -*/}} -{{- define "common.postgresql.values.existingSecret" -}} - {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} - - {{- if .subchart -}} - {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} - {{- else -}} - {{- default (.context.Values.existingSecret | quote) $globalValue -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled postgresql. - -Usage: -{{ include "common.postgresql.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.postgresql.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.postgresql.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key postgressPassword. - -Usage: -{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false -*/}} -{{- define "common.postgresql.values.key.postgressPassword" -}} - {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} - - {{- if not $globalValue -}} - {{- if .subchart -}} - postgresql.postgresqlPassword - {{- else -}} - postgresqlPassword - {{- end -}} - {{- else -}} - global.postgresql.postgresqlPassword - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled.replication. - -Usage: -{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false -*/}} -{{- define "common.postgresql.values.enabled.replication" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.postgresql.replication.enabled -}} - {{- else -}} - {{- printf "%v" .context.Values.replication.enabled -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for the key replication.password. - -Usage: -{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false -*/}} -{{- define "common.postgresql.values.key.replicationPassword" -}} - {{- if .subchart -}} - postgresql.replication.password - {{- else -}} - replication.password - {{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/validations/_redis.tpl b/stable/ckan/charts/redis/charts/common/templates/validations/_redis.tpl deleted file mode 100644 index 3e2a47c0..00000000 --- a/stable/ckan/charts/redis/charts/common/templates/validations/_redis.tpl +++ /dev/null @@ -1,72 +0,0 @@ - -{{/* vim: set filetype=mustache: */}} -{{/* -Validate Redis(TM) required passwords are not empty. - -Usage: -{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} -Params: - - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret" - - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false -*/}} -{{- define "common.validations.values.redis.passwords" -}} - {{- $existingSecret := include "common.redis.values.existingSecret" . -}} - {{- $enabled := include "common.redis.values.enabled" . -}} - {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} - {{- $valueKeyRedisPassword := printf "%s%s" $valueKeyPrefix "password" -}} - {{- $valueKeyRedisUsePassword := printf "%s%s" $valueKeyPrefix "usePassword" -}} - - {{- if and (not $existingSecret) (eq $enabled "true") -}} - {{- $requiredPasswords := list -}} - - {{- $usePassword := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUsePassword "context" .context) -}} - {{- if eq $usePassword "true" -}} - {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} - {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} - {{- end -}} - - {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} - {{- end -}} -{{- end -}} - -{{/* -Redis Auxiliary function to get the right value for existingSecret. - -Usage: -{{ include "common.redis.values.existingSecret" (dict "context" $) }} -Params: - - subchart - Boolean - Optional. Whether Redis(TM) is used as subchart or not. Default: false -*/}} -{{- define "common.redis.values.existingSecret" -}} - {{- if .subchart -}} - {{- .context.Values.redis.existingSecret | quote -}} - {{- else -}} - {{- .context.Values.existingSecret | quote -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right value for enabled redis. - -Usage: -{{ include "common.redis.values.enabled" (dict "context" $) }} -*/}} -{{- define "common.redis.values.enabled" -}} - {{- if .subchart -}} - {{- printf "%v" .context.Values.redis.enabled -}} - {{- else -}} - {{- printf "%v" (not .context.Values.enabled) -}} - {{- end -}} -{{- end -}} - -{{/* -Auxiliary function to get the right prefix path for the values - -Usage: -{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} -Params: - - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false -*/}} -{{- define "common.redis.values.keys.prefix" -}} - {{- if .subchart -}}redis.{{- else -}}{{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/templates/validations/_validations.tpl b/stable/ckan/charts/redis/charts/common/templates/validations/_validations.tpl deleted file mode 100644 index 9a814cf4..00000000 --- a/stable/ckan/charts/redis/charts/common/templates/validations/_validations.tpl +++ /dev/null @@ -1,46 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Validate values must not be empty. - -Usage: -{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} -{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} -{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} - -Validate value params: - - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" - - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" - - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" -*/}} -{{- define "common.validations.values.multiple.empty" -}} - {{- range .required -}} - {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} - {{- end -}} -{{- end -}} - -{{/* -Validate a value must not be empty. - -Usage: -{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }} - -Validate value params: - - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" - - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" - - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" - - subchart - String - Optional - Name of the subchart that the validated password is part of. -*/}} -{{- define "common.validations.values.single.empty" -}} - {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} - {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }} - - {{- if not $value -}} - {{- $varname := "my-value" -}} - {{- $getCurrentValue := "" -}} - {{- if and .secret .field -}} - {{- $varname = include "common.utils.fieldToEnvVar" . -}} - {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} - {{- end -}} - {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}} - {{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/redis/charts/common/values.yaml b/stable/ckan/charts/redis/charts/common/values.yaml deleted file mode 100644 index 9ecdc93f..00000000 --- a/stable/ckan/charts/redis/charts/common/values.yaml +++ /dev/null @@ -1,3 +0,0 @@ -## bitnami/common -## It is required by CI/CD tools and processes. -exampleValue: common-chart diff --git a/stable/ckan/charts/redis/ci/default-values.yaml b/stable/ckan/charts/redis/ci/default-values.yaml deleted file mode 100644 index fc2ba605..00000000 --- a/stable/ckan/charts/redis/ci/default-values.yaml +++ /dev/null @@ -1 +0,0 @@ -# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. diff --git a/stable/ckan/charts/redis/ci/extra-flags-values.yaml b/stable/ckan/charts/redis/ci/extra-flags-values.yaml deleted file mode 100644 index 71132f76..00000000 --- a/stable/ckan/charts/redis/ci/extra-flags-values.yaml +++ /dev/null @@ -1,11 +0,0 @@ -master: - extraFlags: - - --maxmemory-policy allkeys-lru - persistence: - enabled: false -slave: - extraFlags: - - --maxmemory-policy allkeys-lru - persistence: - enabled: false -usePassword: false diff --git a/stable/ckan/charts/redis/ci/production-sentinel-values.yaml b/stable/ckan/charts/redis/ci/production-sentinel-values.yaml deleted file mode 100644 index 009a3718..00000000 --- a/stable/ckan/charts/redis/ci/production-sentinel-values.yaml +++ /dev/null @@ -1,682 +0,0 @@ -## Global Docker image parameters -## Please, note that this will override the image parameters, including dependencies, configured to use the global value -## Current available global Docker image parameters: imageRegistry and imagePullSecrets -## -global: - # imageRegistry: myRegistryName - # imagePullSecrets: - # - myRegistryKeySecretName - # storageClass: myStorageClass - redis: {} - -## Bitnami Redis(TM) image version -## ref: https://hub.docker.com/r/bitnami/redis/tags/ -## -image: - registry: docker.io - repository: bitnami/redis - ## Bitnami Redis(TM) image tag - ## ref: https://github.com/bitnami/bitnami-docker-redis#supported-tags-and-respective-dockerfile-links - ## - tag: 5.0.9-debian-10-r0 - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - -## String to partially override redis.fullname template (will maintain the release name) -## -# nameOverride: - -## String to fully override redis.fullname template -## -# fullnameOverride: - -## Cluster settings -cluster: - enabled: true - slaveCount: 3 - -## Use redis sentinel in the redis pod. This will disable the master and slave services and -## create one redis service with ports to the sentinel and the redis instances -sentinel: - enabled: true - ## Require password authentication on the sentinel itself - ## ref: https://redis.io/topics/sentinel - usePassword: true - ## Bitnami Redis(TM) Sentintel image version - ## ref: https://hub.docker.com/r/bitnami/redis-sentinel/tags/ - ## - image: - registry: docker.io - repository: bitnami/redis-sentinel - ## Bitnami Redis(TM) image tag - ## ref: https://github.com/bitnami/bitnami-docker-redis-sentinel#supported-tags-and-respective-dockerfile-links - ## - tag: 5.0.9-debian-10-r0 - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - masterSet: mymaster - initialCheckTimeout: 5 - quorum: 2 - downAfterMilliseconds: 60000 - failoverTimeout: 18000 - parallelSyncs: 1 - port: 26379 - ## Additional Redis(TM) configuration for the sentinel nodes - ## ref: https://redis.io/topics/config - ## - configmap: - ## Enable or disable static sentinel IDs for each replicas - ## If disabled each sentinel will generate a random id at startup - ## If enabled, each replicas will have a constant ID on each start-up - ## - staticID: false - ## Configure extra options for Redis(TM) Sentinel liveness and readiness probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) - ## - livenessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 5 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 5 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 5 - customLivenessProbe: {} - customReadinessProbe: {} - ## Redis(TM) Sentinel resource requests and limits - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - ## Redis(TM) Sentinel Service properties - service: - ## Redis(TM) Sentinel Service type - type: ClusterIP - sentinelPort: 26379 - redisPort: 6379 - - ## Specify the nodePort value for the LoadBalancer and NodePort service types. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - # sentinelNodePort: - # redisNodePort: - - ## Provide any additional annotations which may be required. This can be used to - ## set the LoadBalancer service type to internal only. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - annotations: {} - labels: {} - loadBalancerIP: - -## Specifies the Kubernetes Cluster's Domain Name. -## -clusterDomain: cluster.local - -networkPolicy: - ## Specifies whether a NetworkPolicy should be created - ## - enabled: true - - ## The Policy model to apply. When set to false, only pods with the correct - ## client label will have network access to the port Redis(TM) is listening - ## on. When true, Redis(TM) will accept connections from any source - ## (with the correct destination port). - ## - # allowExternal: true - - ## Allow connections from other namespacess. Just set label for namespace and set label for pods (optional). - ## - ingressNSMatchLabels: {} - ingressNSPodMatchLabels: {} - -serviceAccount: - ## Specifies whether a ServiceAccount should be created - ## - create: false - ## The name of the ServiceAccount to use. - ## If not set and create is true, a name is generated using the fullname template - name: - -rbac: - ## Specifies whether RBAC resources should be created - ## - create: false - - role: - ## Rules to create. It follows the role specification - # rules: - # - apiGroups: - # - extensions - # resources: - # - podsecuritypolicies - # verbs: - # - use - # resourceNames: - # - gce.unprivileged - rules: [] - -## Redis(TM) pod Security Context -securityContext: - enabled: true - fsGroup: 1001 - runAsUser: 1001 - ## sysctl settings for master and slave pods - ## - ## Uncomment the setting below to increase the net.core.somaxconn value - ## - # sysctls: - # - name: net.core.somaxconn - # value: "10000" - -## Use password authentication -usePassword: true -## Redis(TM) password (both master and slave) -## Defaults to a random 10-character alphanumeric string if not set and usePassword is true -## ref: https://github.com/bitnami/bitnami-docker-redis#setting-the-server-password-on-first-run -## -password: -## Use existing secret (ignores previous password) -# existingSecret: -## Password key to be retrieved from Redis(TM) secret -## -# existingSecretPasswordKey: - -## Mount secrets as files instead of environment variables -usePasswordFile: false - -## Persist data to a persistent volume (Redis(TM) Master) -persistence: - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - existingClaim: - -# Redis(TM) port -redisPort: 6379 - -## -## Redis(TM) Master parameters -## -master: - ## Redis(TM) command arguments - ## - ## Can be used to specify command line arguments, for example: - ## - command: "/run.sh" - ## Additional Redis(TM) configuration for the master nodes - ## ref: https://redis.io/topics/config - ## - configmap: - ## Redis(TM) additional command line flags - ## - ## Can be used to specify command line flags, for example: - ## - ## extraFlags: - ## - "--maxmemory-policy volatile-ttl" - ## - "--repl-backlog-size 1024mb" - extraFlags: [] - ## Comma-separated list of Redis(TM) commands to disable - ## - ## Can be used to disable Redis(TM) commands for security reasons. - ## Commands will be completely disabled by renaming each to an empty string. - ## ref: https://redis.io/topics/security#disabling-of-specific-commands - ## - disableCommands: - - FLUSHDB - - FLUSHALL - - ## Redis(TM) Master additional pod labels and annotations - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - podLabels: {} - podAnnotations: {} - - ## Redis(TM) Master resource requests and limits - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - ## Use an alternate scheduler, e.g. "stork". - ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ - ## - # schedulerName: - - ## Configure extra options for Redis(TM) Master liveness and readiness probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) - ## - livenessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 5 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 5 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 5 - - ## Configure custom probes for images other images like - ## rhscl/redis-32-rhel7 rhscl/redis-5-rhel7 - ## Only used if readinessProbe.enabled: false / livenessProbe.enabled: false - ## - # customLivenessProbe: - # tcpSocket: - # port: 6379 - # initialDelaySeconds: 10 - # periodSeconds: 5 - # customReadinessProbe: - # initialDelaySeconds: 30 - # periodSeconds: 10 - # timeoutSeconds: 5 - # exec: - # command: - # - "container-entrypoint" - # - "bash" - # - "-c" - # - "redis-cli set liveness-probe \"`date`\" | grep OK" - customLivenessProbe: {} - customReadinessProbe: {} - - ## Redis(TM) Master Node selectors and tolerations for pod assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature - ## - # nodeSelector: {"beta.kubernetes.io/arch": "amd64"} - # tolerations: [] - ## Redis(TM) Master pod/node affinity/anti-affinity - ## - affinity: {} - - ## Redis(TM) Master Service properties - service: - ## Redis(TM) Master Service type - type: ClusterIP - port: 6379 - - ## Specify the nodePort value for the LoadBalancer and NodePort service types. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - # nodePort: - - ## Provide any additional annotations which may be required. This can be used to - ## set the LoadBalancer service type to internal only. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - annotations: {} - labels: {} - loadBalancerIP: - # loadBalancerSourceRanges: ["10.0.0.0/8"] - - ## Enable persistence using Persistent Volume Claims - ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ - ## - persistence: - enabled: true - ## The path the volume will be mounted at, useful when using different - ## Redis(TM) images. - path: /data - ## The subdirectory of the volume to mount to, useful in dev environments - ## and one PV for multiple services. - subPath: "" - ## redis data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - accessModes: - - ReadWriteOnce - size: 8Gi - ## Persistent Volume selectors - ## https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector - matchLabels: {} - matchExpressions: {} - - ## Update strategy, can be set to RollingUpdate or onDelete by default. - ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets - statefulset: - updateStrategy: RollingUpdate - ## Partition update strategy - ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions - # rollingUpdatePartition: - - ## Redis(TM) Master pod priorityClassName - ## - priorityClassName: {} - -## -## Redis(TM) Slave properties -## Note: service.type is a mandatory parameter -## The rest of the parameters are either optional or, if undefined, will inherit those declared in Redis(TM) Master -## -slave: - ## Slave Service properties - service: - ## Redis(TM) Slave Service type - type: ClusterIP - ## Redis(TM) port - port: 6379 - ## Specify the nodePort value for the LoadBalancer and NodePort service types. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - # nodePort: - - ## Provide any additional annotations which may be required. This can be used to - ## set the LoadBalancer service type to internal only. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - annotations: {} - labels: {} - loadBalancerIP: - # loadBalancerSourceRanges: ["10.0.0.0/8"] - - ## Redis(TM) slave port - port: 6379 - ## Can be used to specify command line arguments, for example: - ## - command: "/run.sh" - ## Additional Redis(TM) configuration for the slave nodes - ## ref: https://redis.io/topics/config - ## - configmap: - ## Redis(TM) extra flags - extraFlags: [] - ## List of Redis(TM) commands to disable - disableCommands: - - FLUSHDB - - FLUSHALL - - ## Redis(TM) Slave pod/node affinity/anti-affinity - ## - affinity: {} - - ## Configure extra options for Redis(TM) Slave liveness and readiness probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) - ## - livenessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 5 - - ## Configure custom probes for images other images like - ## rhscl/redis-32-rhel7 rhscl/redis-5-rhel7 - ## Only used if readinessProbe.enabled: false / livenessProbe.enabled: false - ## - # customLivenessProbe: - # tcpSocket: - # port: 6379 - # initialDelaySeconds: 10 - # periodSeconds: 5 - # customReadinessProbe: - # initialDelaySeconds: 30 - # periodSeconds: 10 - # timeoutSeconds: 5 - # exec: - # command: - # - "container-entrypoint" - # - "bash" - # - "-c" - # - "redis-cli set liveness-probe \"`date`\" | grep OK" - customLivenessProbe: {} - customReadinessProbe: {} - - ## Redis(TM) slave Resource - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - - ## Redis(TM) slave selectors and tolerations for pod assignment - # nodeSelector: {"beta.kubernetes.io/arch": "amd64"} - # tolerations: [] - - ## Use an alternate scheduler, e.g. "stork". - ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ - ## - # schedulerName: - - ## Redis(TM) slave pod Annotation and Labels - podLabels: {} - podAnnotations: {} - - ## Redis(TM) slave pod priorityClassName - # priorityClassName: {} - - ## Enable persistence using Persistent Volume Claims - ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ - ## - persistence: - enabled: true - ## The path the volume will be mounted at, useful when using different - ## Redis(TM) images. - path: /data - ## The subdirectory of the volume to mount to, useful in dev environments - ## and one PV for multiple services. - subPath: "" - ## redis data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - accessModes: - - ReadWriteOnce - size: 8Gi - ## Persistent Volume selectors - ## https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector - matchLabels: {} - matchExpressions: {} - - ## Update strategy, can be set to RollingUpdate or onDelete by default. - ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets - statefulset: - updateStrategy: RollingUpdate - ## Partition update strategy - ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions - # rollingUpdatePartition: - -## Prometheus Exporter / Metrics -## -metrics: - enabled: true - - image: - registry: docker.io - repository: bitnami/redis-exporter - tag: 1.5.3-debian-10-r14 - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - - ## Metrics exporter resource requests and limits - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ - ## - # resources: {} - - ## Extra arguments for Metrics exporter, for example: - ## extraArgs: - ## check-keys: myKey,myOtherKey - # extraArgs: {} - - ## Metrics exporter pod Annotation and Labels - podAnnotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9121" - # podLabels: {} - - # Enable this if you're using https://github.com/coreos/prometheus-operator - serviceMonitor: - enabled: false - ## Specify a namespace if needed - # namespace: monitoring - # fallback to the prometheus default unless specified - # interval: 10s - ## Defaults to what's used if you follow CoreOS [Prometheus Install Instructions](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#tldr) - ## [Prometheus Selector Label](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-operator-1) - ## [Kube Prometheus Selector Label](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#exporters) - selector: - prometheus: kube-prometheus - - ## Custom PrometheusRule to be defined - ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart - ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions - prometheusRule: - enabled: false - additionalLabels: {} - namespace: "" - ## Redis(TM) prometheus rules - ## These are just examples rules, please adapt them to your needs. - ## Make sure to constraint the rules to the current postgresql service. - # rules: - # - alert: RedisDown - # expr: redis_up{service="{{ template "redis.fullname" . }}-metrics"} == 0 - # for: 2m - # labels: - # severity: error - # annotations: - # summary: Redis(TM) instance {{ "{{ $labels.instance }}" }} down - # description: Redis(TM) instance {{ "{{ $labels.instance }}" }} is down - # - alert: RedisMemoryHigh - # expr: > - # redis_memory_used_bytes{service="{{ template "redis.fullname" . }}-metrics"} * 100 - # / - # redis_memory_max_bytes{service="{{ template "redis.fullname" . }}-metrics"} - # > 90 - # for: 2m - # labels: - # severity: error - # annotations: - # summary: Redis(TM) instance {{ "{{ $labels.instance }}" }} is using too much memory - # description: | - # Redis(TM) instance {{ "{{ $labels.instance }}" }} is using {{ "{{ $value }}" }}% of its available memory. - # - alert: RedisKeyEviction - # expr: | - # increase(redis_evicted_keys_total{service="{{ template "redis.fullname" . }}-metrics"}[5m]) > 0 - # for: 1s - # labels: - # severity: error - # annotations: - # summary: Redis(TM) instance {{ "{{ $labels.instance }}" }} has evicted keys - # description: | - # Redis(TM) instance {{ "{{ $labels.instance }}" }} has evicted {{ "{{ $value }}" }} keys in the last 5 minutes. - rules: [] - - ## Metrics exporter pod priorityClassName - # priorityClassName: {} - service: - type: ClusterIP - ## Use serviceLoadBalancerIP to request a specific static IP, - ## otherwise leave blank - # loadBalancerIP: - annotations: {} - labels: {} - -## -## Init containers parameters: -## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup -## -volumePermissions: - enabled: false - image: - registry: docker.io - repository: bitnami/bitnami-shell - tag: "10" - pullPolicy: Always - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - resources: {} - # resources: - # requests: - # memory: 128Mi - # cpu: 100m - -## Redis(TM) config file -## ref: https://redis.io/topics/config -## -configmap: |- - # Enable AOF https://redis.io/topics/persistence#append-only-file - appendonly yes - # Disable RDB persistence, AOF persistence already enabled. - save "" - -## Sysctl InitContainer -## used to perform sysctl operation to modify Kernel settings (needed sometimes to avoid warnings) -sysctlImage: - enabled: false - command: [] - registry: docker.io - repository: bitnami/bitnami-shell - tag: "10" - pullPolicy: Always - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - mountHostSys: false - resources: {} - # resources: - # requests: - # memory: 128Mi - # cpu: 100m - -## PodSecurityPolicy configuration -## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ -## -podSecurityPolicy: - ## Specifies whether a PodSecurityPolicy should be created - ## - create: false diff --git a/stable/ckan/charts/redis/img/redis-cluster-topology.png b/stable/ckan/charts/redis/img/redis-cluster-topology.png deleted file mode 100644 index f0a02a9f8835381302731c9cb000b2835a45e7c9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 11448 zcmeI2cUx22x9_8Zh@yyC0I4cPR3wC|kVp$H5PB1ZB#;m~gf1}_1O)^|QB*Y2#4gyt zMlbeAQxFvp712m>hX{m(GZyaOx!ZkSz`gf*j(>!>GS^(QjWNFCGu9zzC!56!6&9jU zsKs`+R<0=2Tv-%qj{Ji8aAni0vR)KQEHl>HJ2pI#N)HP{sbegEe^b}f4US~Qs$;Cw z_4G(lQ96Ni5-o-l&d`YniiJz?dw66Zok|Z1{M|-RS5J47uKp%8#vQGzjxpCah7XLM zj-j5O@9*{`T2RE_9UAE9LI+xoBnmwuHj)v%{&$O@SQ71bZ+Kl2DH#*!W~guJ6YNcK zHZTeO`>F9kF${WS#P4QkJslGrH2U}5u}M)uzb^*{#nUN4$W@Fr%;@i-!xQO$57ytD z8g7NACsAo=gGf@4U2vq4|L;yBNa25X;tb>6G}|@C+Q2i|iEP41uyWQ#JBJ%4#8?F< zhJ?qHVxj_RUKr=dpkNn9ac?y zjjf4Zb6GNz?1!C-z2!T|`I6FNrJxgzEdNh&X5<(5KrG*81T6sFq zW4#j0(FP$=R0ktuGQKhJ>5aE1x<}i)7{Yf-uoVV+b&Uyx|9F@?Q)9v%9i!kom8xr_ zZyDi8quLlJ$HoMDMv5Etu;N25ccDbf0|Q5Hey zuy9hmyN{lmxi_9+6lmk*8e~ZKun3K`af^yY(`;?=K0&@@N^D4|ZmdgqQerIL%hrxy zM`KVuoedc@Cs*&NU@z}TC!YjoOLVwfgp0XBq^=QOH`LfZDk)yy$}P!&oMd9pNV2eV za19GKbTn|V3?&(oC>TsM-pj)_-XqzO!f>`XcTI{5(F-#P4|eb+*@i_q#RWz9Cb}lU zY#Dly5oBMwdxVb>J|ZxR=Hn2B(esIp*C%@g#keGsV#(gFfsDuqU)z`@qaaF%b3~+m zaCivCJ1!{#Z-OS0%&mNabUj@xDKwK12OC|CUMSr<(LBO6#=*zKmh2FMcXPB0wAZ(G zOLT#y3^MdVd+FN4H&{DMs+$|$6}}_mun)3ByGD6M!*@NGc#37RH*(}cY~w5(g7s}^ zzJ{deP$OjHtPIHRcv})F*daVJ9OLS0Leg`Niu1-BQNyAVy)cG$-t^cQdT5*_#!w#< z6bFATlk}s>LCIl6HxqO;(KpT^F4{I2o&%lvSS5MJQIi?*1e?StBg+V5BGsE18|WMZ zW@PMb;;rjJh)Z(TCxklSlZ>ctaW=Yo)I?_w8+1I}9FDPYfEk{Rp z-ILpbFFK4J$#eW+T6n?W^l5qJZKu}h5eQ&HLB6NEPly?kFMd+9B*;21U%BtZEs%?pK-aOJA&_a1j0}?4#_1KVkJ~ zb1N$=!~T5LHEY(Ki6ShOkvZyUtN}kg)=-p%p8{pGCE=%=k}YB~GBVw%{}0_J=Dl%c zNm&_1!2faZ@ZlzI_bqfh*IP+9=vgI}rUzo0%pyLDCQ>#KFyN?VT{J-WBp zCg)?vCAY`Vo>`JeY8zKB+H+FMc}Q(BfZHZ_r67MSRsc_F7C zywt+dvh}JDW@2iJ{P>7kKAJK=H#hgl*|VFbw_3cM9SuWCQ8xa>xpUb;&rXoK%1McR zdnJ}CDoP!Dk~;a<;97Nc@fy+86}OQmPoC7l)OA^+lzf7Q)M`ViYrc0ZqM~%M)1#Jw zfq};3$}t=HHo0Bw?;rEaU97FebB`UnQf>OC*hZRgcFPL?lreG9^k2lGzd~ZiK3a#p zy)Aj;;m?Kl6GpPH?|86AUw`=-!|+_};cth8N7wOf@{BbUz8)iD>yD^dMsdu3sjgcm zW@l$t760Qj&u4MW_&1NM{x!;Vb#<@w7h9$;X)0sy)@H8k+&6o3!pHoJ>1>urexUjA z{*xzH?Mxn059_{ZJ+&^q>tPZG7Orn-Nb**9*6rK+L&p|ya{?=HmlwBKDP8rsHUCla zcztmWHlwP_c!*J;ZD_dCY!|w?1!4%~4*Dqs@kWrCfWZ=WDk*3@9_9&Rg z5F_^U)4UCdKkmGFRb;&gdi0)Bv?Q|{S_2<>6TK>ZjGG z9{XfuWax&!)fbyTe+?S#0yhM(;#x%99AT%DK(HZO64jEUVl(pL5m;Fr&fwZPdwct( z%F5ZbwcE;A()V1-YtksJyA;;q7Ewg>BpOX=mYSHHB=uG^+sd@U;l8gOmt?7&bDNkM zu3c;-9?ml75dN@2UC14Kwt46Ayu3oYV;XHVV{t*d3K&7wJ2t7s>ig?!V=XEy zTei8u;}z>#O<*5YkYo515Ix`}TT?sxu@^5d`*D}*ybg@r&so3e+v-a$5 zZUo2RH_Wjx%ILh}MVX!$Yom3g3NIn!T+5S?3nT>6XvGdEb=qi07N;DkD{zvz0b5=XcjZ z%dB}4OKjOLo4Fig7=&v@&9~z!vfyUH!r>W8>ohdhn40=cWhIkX&B#nMgdSzQe698C z&HwuHqLib$HKeUX^6As3C7g@0e3~gTl8)Z9$CYK#Xmq|lJ(njRXfx1~)AFtJO6k9w zkVqt3A`$kLt7TxY0_>xW)*>D8sh7e;aXnntiCP%~e12HDO9BW)FCB@FA<~X*CewMZ8<>mEH4zkm8a-`u%DeyvRRBF-r^R>#fZ%=tc?G*uabB8b?O`
      gt0u3YK+3VbZ)7Cr=g*&)YecY;+uHRLladT3#L-cG+Z4CN zKHgdOtr;9@>`b#Ba+WJ_{4yh$6P!auoRD{nC(pX_v#ErxkgbB-IsWFP&W_}s%qJmt z*68S5|2A?sI~z}@uitaVzm50v=e`T{#J^q`x%l~|^x)X1PD%ECQ3)6r7}&pZlW#!x z&7i92f%*0h4r6aaZ}j74CZ$tSQjUNV{3&o&kyxTw>qazFXX3Act31{S^Z5WvqP%;8 zRA3x!@p~>={SD~@*D62Me{9N}gIbv>4iVJ*7S*vcbLjhxnzRda8yg$XpFfY95st75=?aFC9}wq0 zF)@LdjmM0RV|#f>r?%h2M3;$#Pa{fO)5_jR(9T%&W!y0{L3|lv0qAhQ-1KmF^PQ#ZP>O;1`%Dz!7D2~MQU ziWTB2Dk_SwVr4}3^O^Dya_Y^8?nk&h01c(e<# zn#xC@6l4*7aQx)S269E;yL${|OE<2}jM=QQ;)KaRrkkog^P>D`le>${Uf8$b)1Kp> zs|yMWF0X0_-=xd4u&0Y3+CqaAK$nqa%A?fkq#lyJoui-Hen2>X}amW4T zsHl&Pl3-Q+5SF_hB#eanpW7uIe*?#A_w<-e)@q~SyPJD|z&6%iOR!QgO3a%bavc#AD>^6l_mA0H!azv|NZlSo-Y>{7yA@;9CP`qRRbUn%6+e)_JqE@(-#Tj($SLZ+CP~bsy z^z=kD2pv1Nx#8&8SRE{FDJOU-zYL2!Y4}F2TC*4mHh4*NbaWfddEQmOd&^+c{tSn~ z1k|3gva*{asc|0Qw8G!sK8kJ7>0&1%@zj--rXaiP*RVBWzVhzUM4V8cKhnFInYN=G zH(rj*4J;8!8EBy5Shg7(^gc>&AhW&&K%fp5%101T+q}K=U2!!ZR+L`2pe;1(yhCD5 zwZLA;2r!@WQK-ns$WLFsz)Bk!GrmY|iT$d|OtY-O3CYmGMWK8=bZ|_=(b>~egE`;B z&DC`utbzl(e>s=PLdF(@$Qo;F>;K4_clR(EnVF@3${I-&7|nq*XIAU@RjD#F9Ja!- z1gAUx{SAmEZGM?Fa-d@lh@@~DD8%M>?%ZkX;BXAvqz+>)+VLR1jdqa4x`}xGPujwJ zjrkWlZqbNgA0GNlNuA6sD9GCRDA|r(xQNS{?CRYFpMIBcClzE-x)A0>$IUe54MLV{ z5YKI7rd=<`4U$-_CQ(64=M>`}9L2G*vBc3jiKCFeFf-JY%#xS?czdS-j34BuI)Bic zdm|o%rQaRgNkv&y6rbx8JJcqgxpGr3w#j*=j^6?ni&d~S!D(vw4hk!~PV_BJXp*+! z*WgV`k!x(MK7_Aw8b^7^?KuC1QSW&W@?d1=cj}_1HTsUh>3@C-(>ADeNNAuaxTPcrHRdNQYOyka!)+4~pt_Se?%`LR z;xnbVV}q7fEhKKOH~ewy)Ya|Slm*-y!(D7)Ma_K*%o**nUm81s`t?3R<$}}M49N5# zO;E?-RNO8Q>V&^~b0AxTn{2rwaMM6V%>xSL3uu>2xLgQhlQT=!U!rWP1^I{yYZ~lH zCiu;Dr4yU|b(q->0jx?`SqgmC)WAIw&;orf@uOty$OokjUf03z=V70$*Vfi9CpRq= z6BFxuqRFa7_Xe7xHZ?Q6iq)$~_dm)_vy2nS?9xW&ct6KH?@M@!S2w7Qj z=(&&|);AuKJ$mZYdgjW#!lRHK-s#T|KF`4lq}0^Zf;%qCq)Ex|YizU%>b>pm?R_vc zRSXGr(F4tL*c4;KurAeqW_0EIH*LSGYHF$oXUzJ|^&Mz>+qx9d`YfxIVcpv04@u z7P_>TibzHZ0gUm@th>A0*2$^4z=W}M*)l}U-VX0sxfY*Qo3UcUk-WUm9lIV^fIX2} z*E1>gbxsAwdp~^&w6d{TYiukBsv-@H2jbq;uaTU`k8PiyHdu7U^IHAuYulqIMoAFE z)@W)<+`D%Vl!lF+oh0gfNr@P^e{hY~PEJeofU`lfu=n>@z+N=MaRRq@2)rNV)8nJT z@2b%EV~6$~IkFUaoQa9NiHS*l&Du`{aQhXwH+5(=#3Ug)*1bHtRYpZ6C+V**r214z zInzX4$S#&HU5fJe_fOoltD&J`-itFv$e}!K6uCrNS{k|d=FO@(bLK2qw5Xx4Za)P6 z0|_6JB*5sp?lCk$heZuEFCHT1#U4bGY#KpPcA?gW4GpmOE{Mljcuy6aXct?-SY!Dp z3!^+du-4Tf9pP_A2VlmeeOgNzIH%HHIGOnLW(iBYVtfv6^)iTckbN8)b|_e zoVEKYtaXQkm(nQ~GAVfY2Jx!TxY1AzKg z4W8SD1hSHnb$$=x9jC6&zn46&{rZM~PG4U@@aeQd%k+=!L|h&=GXz-6GC}dyXhKH= z2RD-ik+|;JvqhU9@s`~U>t4gmwFDg}4-1F*+3qmBukUG|ofzK+)Lv&ArD)0Pt3LZd z-u1WIs95{?74S@)R;*r~3HkcRiWX(dl$3`&lRqTHrj?s_W*^34BcsF5WXY98Q$y+qe39R*cE(Z(E%W;ALmX4_goK$fL!PTdlU!K_L zGZ#S${GQ0RvabpPh7{k+h|59y-9z+iMMVWtafpeDDIuauU^oMX>B{wQ?}V2ATkEct z1-3xFh3IQt>T@|OYirQg8@QaLu3rBN++g$_kzWV_bX-8s-S9SA)$!xUm-D{1T24vr z2w=Sg{!3!L9JEK2I^=1iqodoX)C;`zI_trjLECF>-h2{kEhacNi=@1UIHQz$az!l| z8)%lcvZ~uaCu?84c=5SCkAqGC7kmLkoDB}^lYD!N{7&jB&RM& zLL_Grvo2fFWDTItH85H@m+%ZR2)7Vtv%1**&5dUws}CJmvmB zGtS1^z4OMP90a2@w6(J{cXmF)lV1!SAerA&p@-{k0=K79n$nUDi8{9rS~df41@yU! zPg8_JTD8h3G71pC{{UNtA{1TRzuwRQ1S%=35%6pHJ^Yjj1%R3w-0SN*GK-4VKt?7H z+!zW;Nl8h@(I3T-s)4h!D)aJ1NHvB;hl3ET%cg*faQRJkm08o#)4X;fbmidWztg>;!#64Q4Gor0j7EW=${<=D*66b5 zujA|8puV!ZCvyl$p>fKDE~*bq0LeZf$BO##)&K#p0HJ_%O}wcQ9Y9h)n8zMKySw-s zXZgX*^dPPxyvOhfvCXxg%sc?h3$;R^(_K(P3*UU9 zmo=l*kS={AxsHB14URAhG(H6XjehrIFNH9@s`H1Z0V^NwC<~Q+g!6yY>m|$gN=Rl^ zC)eE2fUMg+rTS^MrFP;Z-c2n#cY!_uVPeiZze#uwRB7j-`Ucr7 z1d%86&I~B~qfip>kaqztb`AD8{~L0y=zSrD@@I~B`d2Tngq+?T{yoYEXi*LkuBUpH z0H|_0bQSw`DM}TKRR+*p$t3cnann&fH_kwO9H+mvI*@?5h2v`?1mF>%Lx?i#e=%R@ zUH7lahQrdIgA+lKduYc@^~aB7Sa?aW0Ti5oJ6nWrkqTQAxuWOM%e$d(bO`56eWtQ} zAwti*<#NWldf&6c`I?qc=!pDa3fZy)Qd5EY%4(=&UH>3%Ritcc}65Wn3V;U zGj2e~MHl15QJ{w7^`fl(h_e)2ahe3|wfW)bzFeGAc0@N6uhW(&X@lDYn22!P7*?JX zS_5i1OF&7$Q0K$m87KWL`6GbnHRhxCfFD-V(Sg!n$ez3nUTd_q?Wd&9l;h%{m%vmJ zYTjW<6sS6P{@L>DPstVMK}`bn6c@P7#^Y}sX9^jr!V9FNkWys-P#L=!m_#Y3d=bA4 zshnkXunU{T&JRo5MO)*iN!DDV5)vM-K@C$91wg?Pk52;}n%U9eURqOj-w@Jegh-NE zX+Y}we*8ELCNYG$IG^^iz#NJ$PzKfFm-!=I+`%_M==-;pa)8z>^u1K?EVY%s@=l- zy!B2{l-)a99)1PoVKEd^t^nOjr_({?$m#Ja;%i|Y6XALlsj?* z>f2SmNb!5t=79F8f=nm{tq1iagrj;_Mx5oXzuzcQ%oKKJ3r$X3;Sc6QhcC~WWrCv& zXf3jCE0cQ)RgQir2!ajTv5P`MK6d%PFUPe+eHQt}6WlYhv(uo|$me#iWoEQhPkvbq zRiQcH$&UT0Oko%H9MdEgMfO%NSiHCiiXkN&7kd{M8Aw*3GGGEM3_qo)KC5{Der=#X z{~{HX6C8=gD>te$AQ(BYi$kGmp1&nd8(e8RqDB}}dyzL1z;k#dz?_lSAL=Aj`lBCJ~vZaRd#_rNgaC%{d^a1(O*c4V(IEKPIWeu+|! z%s41R;Cpis01Q##f4*n&tq)o>%MwlZf?K7)8x|0Q+B8i-h>9Z>i#>Z#rjwtJ+1lD3 z!9G!kDkObY&CdG<*>PCB)+SAnpzcWopr+1YmyVP=wr>GG+}yaX!FnYg^j|U!I@Z5A*1U%+~3V zCPXPnD)TY4C4fAUv>D!~AU7VA@vb0?g9P~_1vT!1n$8ix_3$2(n1nwesZB`Vk~c;^CATva2ZRgf1zp?(eu{DL2oO*VOmYB7 zBSIoS4h$fnf{?E}XTO9r-rHMl?%cV3-@h+{@KL~<7Y!45Ic+v z^)Lto6Ar$AW@U!Y=x^d~2*j3yWE7t4A3^l?BOoM{bpL#lP?Yxy3?WM>=}9Omx&{Tw zdU(5f2D|!)$OaI|a0%}F2YPrDy$K$F+9=8^${&_jKCGaGRZx&n(pFN24@E^;byWqs zKkZ#T2?2ixRFRd30S=kEx_bwZ14Fzd|Fj^GT|NJdW~Fl2&%!mz$V#6`a8_3jwp5Pr z{?jIm5FFwi81Sc=0*o&UkNX`DIWmaw=duSO%-fy7xT=JLH~JeoJkk4au+G{41$dfjkSY4t(D}p^=!R^ z)U|CKrYmJoGw(?iivqLLdoBFF*ll?<2 z{d}S{4I;xL&BN8)(F%r&3f=@&csYzVH1I;Yo0Ig+@#@xYm`Gbo z6;m~mpLZnL*4@I=+EvXe#N5m`(AL<@!_3GsBE%yyGAcA&UeVCaP}fffP1ZH`@bDwr zhD2D}kpm6o6;)Mze6)RWD3Yg@kB^c!$`GxJM4>$4F##cp{%-QFkw)lnTQgk~MI&8P z9Tk10zyNPEcN7YiN#By}ZyI8$7_3L|v~!E_G_ke}4lu`u==l2t+o5oZCgwN=4ABVf zui&QcjmD~akyP<08^&v>n44=yl98cgJ8fdPxxR9gqDi2sKN3SAn}o{~-Th!}D@b7- zBK+@V8i5Z|Ggr5W#Ca+Q!5y+WQr{-X&)36BG1AnE5r%G*B_;-qhuCJ z3XxYc5B0Jokc_ z1Ak8sy+8wFWt6*~nwd6M)r1rorlJ;Lr9cdJSMxSgQB?OfRkKvnLmDd)4PlJ%D3S^z zavWp#D8Z=u|LmCG+Xw#siwR1ok~bZf5C~C(k)Ad-qG*2D7mHoyXI?BnJ}PN*Kx35p zB0Edh32l>qHgUl2g57l&%5g8&D_%rGS=zPh21n3VO3m93Nq4b_7)maAO;F`;?+;dI z-ItZmu3&nclXqOPbM=E;&Mi0Mw-@mX$2tScS4HKOIzK$%kW*?FHp&rSe6q*<=x6aE zqfMNg>J+N6p7{PeDbDP4JY7#u(T%p7vpxBL@S=FafS-O?m}=Pk;F*MkEia0-M7p}V zc-4c&*_k(Q+Pt~zwx>CH=JnS3p_-(c8nsiWPJNi4&-gY!bOoI+J3VmwAhdCn=amm0 zH+=HsiKwjX&TZSa_22d72@Vdnu(y|9yOvYvO3Uev{k8tx(8%cV+qw`=LBVvVhN#Cw zLjofsBfQ6=l+*S1@0E2(-XWms^8M5B)An}lxHwI-iyCKMzs6v(*hW9q&9zRg+}zxU z4j*ozS(RlK7iSg~34VOnAdr%hg0FI6f)VsHg)^$E+^rb`NfeiQbaZvIb8=46=~7+QAA^@?ael-1x%chcmnFW9`5+-`|sGz2%raXVf(`V0i3#DLBQH>AZa&2a2=T~O^{ytu7 z_ntkdHWCdMm|YOL>og08J_eIBjl3EpgIlwDo-b!G)p3ziNGKycoxO{cpb_=;P-$uD ztGW=+n+|mtvLNPAp49N0p}>*sdv4gE+APmW+f;m@<~!-shs{^TtOj?H z3|;Z`HzvWsiitagQf-_fQFqNX>Wm2l31a7^jLVlr{RVEKU_915DJBHl_U#HDPj~6* z>wl@t^21tLolZ_>-LiFS-A|R;t4C#UO^_=i3k#WFzmmHwvGX4upPufy!86%eET_S? z?FlB-z0B<5sp4XhVsiFCD!23pXetu_(~``!`vi6N+V0)EUqSA2@$jTkN{!B(Ia51V zQC~$G)9 zYeYmwrckuanlL?8u(o4U#qoQEP6w1;y}D)ie&`;d(?ut!bjv*l&7OQ7YeThN*2=zk zF=KHts7t|+D1+M(wcKMT8s+r`Ah^x8yOs<60_c?`zhDLm8KUmT?H?Qdx5)dH!?D_MFWZI#S$rq1v zB+wAf5s2Dv@Q!zXOEuAN&0x^rX?S5=J_%t|iN3u&ey6>3h?*0=V^7W~8OvepuYS zvHk<{P1I<&Q|vMhYh$B!B)(gK|5{m@Ze`yU$NDe^tnu^n1LmgXJ4J2#wb~hfxo<8z zJA2>w50|v&B#yC>B$0n!H2PB=3kroQb^j@GwmkvTY3y#FQ}dUJ=S&XqN==Q8$Nl=N z9^28KV?J*cH)DPl{V#bM3xnx-yaP3}NgPM4mWxYSY)bJ`M(cy1MRT<`7O_ zS&2B8pFj5K*SZ{Z1c=Sb&E4AIlqrGE!&jnn#BbWy?BtPi;`%AH>U+?v==j3B21pOa zB;M3b+DVT{dILn$>>~eRy6ei~_wNR=vB$oA`NG)Rzt$Jxdojmi*OV2Nl$a1Ul};_= z?PobfL^8X}%yo0bV>VW&u2)vJtu9TGzJ0Vs^!+N3k(S<$a8c%02z+;RZdn)^gotVo z1{PsuXUF#J(aM)~Je8T53HibT`LcEE))dMsv7wqkgPC?Jo;qch5&8iSAKyzjefpBwFgiTI=#4{#8O>d{c3I*NgCZ^R;=lN7vkDzJ4lIuE4zn=j{mtZ1sLs$wt;IpVe=%!g!U@8!+H#$KE(3~X|%7FAQ@$q{#L zN##by{X~*Agp7@i5eV4Hd~3^dNv*B=bB{e__HOSjw`YMB+|DC=`QE*~XAhd|!~FR8 z_+V}5F($YMJYDKqp64&E)$u*PG;18L#Q9MizAjh-arydnR*j20Z7LidKR(S;xIVZ6 z`9qfC6LR8|XW>^5JwXc_wE$g%13l{hqmSaUg!# zjYh}&`Q4OqD)UK$IdQm8ZeP>1$Ki0jow>QWBR~`Kg)d)rbbq~dL*S9w4vw^+7aF3! zkFHJ?GeCl|u~BJzRif_|-WkhKd)EjYCZWMRaFR-QW7#R#SmoLb`}iQQq6h2i?(Vw38r1=E|{@#%l6Kh&4Fnyf}Txn9EYy_yX2aTKPy=i-Trn`)RLyG(v zhK7c_{@|1P?E&_{z(9ao{Y#fFy`)T{W&z(%fKUONXTYj9kmY-06sQ9Jpy^lp^iU|^ z0LAml-n%J+>SBPj0Q#Kf$CkM?*S}f;8ZsRT``FlD?GE9vRAW_2tEzTwY-|9`ZT=c{ z%pwhLE@+L(sUPcZ!V|uOw&fy*U)$7l$KXAGX$WZ>8aE~-EzQZxdq{(M z_%cB3^@<9BqoM@rEVGZV@5szd3Zz&vWwaNvnZ+n4Xns%ys5%8Gx%A;fVU3HFHYaZJ z{rfiq)&V~_0LK%VcM2wh{7I&aSeqQ!!@PqZ0ZFKg)XGhCnc65)a zgoMOM$B_j+ZS9lOhYHStf~;_?cLO{ty^@tyjUDbExb4ZgYu5?F^Sl&FsU)adl#7cf z#BvbSMk7YzNlS}%W#3ri$<3u#t`Fur$E64#i*o5IMM3}LGPq5MqN9k1!n+e z_e)6pl}E#Gjx0Pl4U$XfHu0qn3Uy{0nToNtPQ0MxIZ8S5sgaJmq1U$Wj4SPRu^k}) z{qO}!``Lr_>jJN18T%_eU9Ydgu{vtm2Q*m;XfiP%BTeC$MeVN(??rt3D$caHaSF9d zKwei9U-EyQAL8LS_H|dz*|R7Eu`}+p98=Kmy95NbLynjfAvq76H451}^y<|KfM@rn zgl!DbaLv4!^7gGmSGA!8L(+0+{oGYjQsM=YrZt`K^kMsZ*T1!wr>3%rA3V4piR2X) z7UtE8J9^K5=)fO6>rovtWu~X6ciFsHbGo~XgZSe7NsuS3Q=PDH=dT%~(bfJ#swTyn zLf_v-%Q3U_o_PAy@G6y>LeZCM!$=GWX~hYC{`@&&@`C4wxw*7z_ck$QWv=aeWsdv! zNSPHOM_wNVP?x`8!YB|xWi#pyS;zY>5I+7kaR=~nUIjc z$j!yCUlSg?G$wQI-^I;+W_sF-Q5O}e1?m%t2ZBRFEFB!ub8>c{%grqT!P2;VWilVW zf=+8`X?gncB??-p2EI#=T$*%!c1|)mHMI#wk|&Moff5lF6-B@_C8wpGZuih3k*Yr| zuzK^Ma}yZk1x#G+*(odzxtenD(ut%b7Q31N&?2wyhx&q?YM!r!%8uyc zuo|8;&yf(ILG zbEkIiQGtmc`9lgxfZlG4A09InT-@kXem;+WIxneviCsif5Y`&X7x=9Gwef=l3dePQ zZCTdL{EZ;Is5+y(xN@b7j*~ViRNY}~Yg-$$st6kDG*HbIkl*o98z3MS7z00e@W29x zJM-d&38+x+9Pxbz4lu(jg>)U>x5kamb(pQOpGn*yP!RhN*rw)Plr&kxF-^9!t&JuA z$I$zr**7$zh`EW$_%~ynDr~z%z`fjeCT3=4Y1{7_!7$my#qr&pq-Y5n$oTG`J=U{6 zZ=Kq?@pSR}^z`(-{?yW-XbDd@T8>P>TVoc0ml$b($$(06wLB?xy%~FNG<2~9y^?ivgWfk=c}B{*6FA%m-FDSxA0+prtm z^D;;}bVoqtr!+v&f_txje5%j1ry<@t4R1%|n&awoi9}*5WxThx;XddaW|A~cGoW&? z1=Ev!tsI*p9zd09n#V;0eYcfkkJL8!fHpo;o9iP`V-pHWg|!Cry?GuNi>I@NL)jTX zeKL#_phZ?zR%7`&!5sMK_k~k$ zYjgQC^aH5k+XE^`tFeyh_L6mMH8u)(x-2x*8~rwGCxbgUYHe)XJm0g5rz--(;cu6p zu$PqNtg)GLr9B&OEk7rKplz$MiLAy7L8m(jLpP4%>0w@L?H%w}>d=jKJpJ(3q4IND zE$u=<(RYQ=%W^@|689-XzRzn-X$3EdP$akmBmy%x{#;#R6ua5`4Vql!Mdjsp9gF^^ z2Ws%u!`Nsj;l@7IFC@a&3#gx0Wmq4KyFdlthv-uTQ()163ZOn`f}&T)%xou+7wSD$ ztZ+b4q-How;ONn#LEneNo59@xtelE@d;BbQZT(KuMOI#>eqi_xITRU!GkQTtEHg~dIyyQo^1M~xbpWnHeGnJqeQ9*m?c>|JJs|260Rn4DW3Omd2LTs<>rFE= z3VJCkdMu_kPYQjvx*CX~ea*N11k+}D-(H!RpP$f>Muwe6qm^FCZVl3e(v24I?g1Y}sy)|R&dJZ83RVpkhfARl@^9Ewy1_-(ZQD+Y z8}S|qlhIuHuo-x!1u63E@(RXZgEz&jtoe4QW*Q(CUtGk&nc_tTi8AVxt5?N=7*E1@7dcvTXMu>j!0pg8FxbC; zzb;v@gd%(_6|^|{(_22M#<+x%xK1p6mZo+jxfw6d*Sv2nuX&dWf?;g7=LRtNvs`JL z#n))L5=I^NFs2Tu9x*kRDe147kni(vGlYX)|9_Yv!Au-sF>I$ZEbDY_>6sZ%u~&ArBk|wG!P{`p!p2V&BJGweO`jP?z&+k2NdN@ z=E~um(iJY9Y^GA9X5UDztgcGVY7-9QtKGK#TwnhTHB2f+XXl3)WYUePW&*V!E9(Rh zM`>+s|4iQm1soYtpJTY|SZfBT8X=@e$HcSMAR`)VU)~J;GA9;CHNrElKUz}tLrg72 zda`+jI#?6v9J4l4W>z1w)&K?oJFon4GP@5`N79^nv}Tbtop_s1NP~PlAfV!7zG?j7 zBS!?FE`X}0^vWw!$b{g@7$g<@lBo2cp~2GH`oP>oj=!u!EyCQ~{GqskE3DCno2yw3 zSRg-!d>op{9^15OlZCAu4ajB++Su5z$jQldDX7P_fSLuh;v5nU$7R4FWaZ%C5o$h6 z(mZEgv6@B2Izz=R<9Pqgi2QgAI#1>?6lHqg4i#}MXSr(%%J#(m_~yE@II{DMXkXOV zE`!fKHqI&FDN=`B<6Z?!;)(_jq=xYc{#Oz!Vrzt z4GIEprQpe`g;w-ba|OoK+}wanzVp&X|Jl;pkj|0Ck>*l&FSaS&BOfnt)HBLQQ3;8b zYfD**{sXtRa&mJ1_iiEj?jINCu8M%&y?==bKj{lmCfs zt#LEQhx&zwA>xJ4xp{c(7eq}#J}dYSDucg}>*=2i0xT(o|>K{kpItU_V5C|MX{qks>ED zsDof~;xw~jKaZk*{&@c@(X8zD#<`2?AqQsX<_d?s!K+|IfoKE|SRwL@2iPB1=yW!) zR%T{qs_-%qqbUa$flEq3k>!Ywd>puqII*@C^>a+*m&L@7TIc)ZZQxaxx?ks?I=#fy zkEa8^QO0+d-oMYEFXw!3qyE7IL7)j(5cqugNm*z>w3k-!Fbqu-7TqOUmNyjq|z zNO_NS?;>by79U8MmPx^Gr~-4OTrxk1vjtDydRRPY{K6EMscA0PjwuTSkqEzl$Y zJ-h;(7J$EfvxWra8@?e*1;MaFfKS_^7aEeFG>4UhLj#7-4pIT?)WiY5R!|E;FeCZz z%?wCZp@NLqYahGQ0ZkxMY3rNEq1FW}=HbSgFRU*>f=Ye2$pyu&fe%*?fMABIp?qp{ z+aN`v(R5N#qXKd5PhsHEh!sD_6FzTY0MP8JgL>j}^ITB>#Li~07R zRK(H2;^IzgZEdB03XL#@sy7jI$OyopzQ6yxNSq^NC1WmQolBr@-Rt-bTu>L)Lc;So zA8;yLmO8cMes8{wm0QE!ntoC}V5Ydfdk{&19UcXS%3`m5U<#$gr-)w@netuj+x;;pdLBjKx{+OdZa0uW*APf{{ za2?khGuHi;s2zGJ@RaVc@$($E#@vXe z=4OzFV~Z16OCG;{no~i4NUR*oblJWp;E<$bHiHAfpw!M3J_ao2Tf{Mu69OEGLo9yz zqT}dz(J$YCa)U}y z|MqaEnTt3GLA?x;KRLHhalLyc!p{h7GR0SSeQmlFraAspoDzB)_hX*XKuSsqJf(BDZYjPfQr{E)mc(LRZYQC!b6ex; zio0JunJ}i!|Hdq&O z5Dtc3m6?mcerHi4zGyTMiA`Xz7A4FIxVrzIzW~F60?g*w%*+l)KjN=nzt%I@zhg8e z`N|-sp$ps;#`%EfrAX$74<9n>2ylU_T^?_`dhOcilaxKOFRd&r5Mcal-M&{8tfR+| zA5XugZa-jh{siEysGM9UHIh<^>4V=Bg))8%@U(%X=>SF4nmwGI0JnmNqYDSaupM@Q zR%M(P^D1nDl8wPmU}YqkYp!m&aNz>O5h9Tkz+JZh1FxWfAJLb|<^*5CLIUNmAGilv zt&E>FXE?PF0KotMj!{=7h;wQ?rr`omD@a$t=x-mjF__(up9$XG*G6W_iuIu&TKhJ? zT}w-gJlDH}p}=8Fb8>MdfCX0yx(ZaV0LaQ$Am5=B9b=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "extensions/v1beta1" -}} -{{- else -}} -{{- print "networking.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiGroup for PodSecurityPolicy. -*/}} -{{- define "podSecurityPolicy.apiGroup" -}} -{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "policy" -}} -{{- else -}} -{{- print "extensions" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for PodSecurityPolicy. -*/}} -{{- define "podSecurityPolicy.apiVersion" -}} -{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "policy/v1beta1" -}} -{{- else -}} -{{- print "extensions/v1beta1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the proper Redis(TM) image name -*/}} -{{- define "redis.image" -}} -{{- $registryName := .Values.image.registry -}} -{{- $repositoryName := .Values.image.repository -}} -{{- $tag := .Values.image.tag | toString -}} -{{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. -Also, we can't use a single if because lazy evaluation is not an option -*/}} -{{- if .Values.global }} - {{- if .Values.global.imageRegistry }} - {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} - {{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} - {{- end -}} -{{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} -{{- end -}} -{{- end -}} - -{{/* -Return the proper Redis(TM) Sentinel image name -*/}} -{{- define "sentinel.image" -}} -{{- $registryName := .Values.sentinel.image.registry -}} -{{- $repositoryName := .Values.sentinel.image.repository -}} -{{- $tag := .Values.sentinel.image.tag | toString -}} -{{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. -Also, we can't use a single if because lazy evaluation is not an option -*/}} -{{- if .Values.global }} - {{- if .Values.global.imageRegistry }} - {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} - {{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} - {{- end -}} -{{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} -{{- end -}} -{{- end -}} - -{{/* -Return the proper image name (for the metrics image) -*/}} -{{- define "redis.metrics.image" -}} -{{- $registryName := .Values.metrics.image.registry -}} -{{- $repositoryName := .Values.metrics.image.repository -}} -{{- $tag := .Values.metrics.image.tag | toString -}} -{{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. -Also, we can't use a single if because lazy evaluation is not an option -*/}} -{{- if .Values.global }} - {{- if .Values.global.imageRegistry }} - {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} - {{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} - {{- end -}} -{{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} -{{- end -}} -{{- end -}} - -{{/* -Return the proper image name (for the sentinel metrics image) -*/}} -{{- define "sentinel.metrics.image" -}} -{{- $registryName := .Values.sentinel.metrics.image.registry -}} -{{- $repositoryName := .Values.sentinel.metrics.image.repository -}} -{{- $tag := .Values.sentinel.metrics.image.tag | toString -}} -{{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. -Also, we can't use a single if because lazy evaluation is not an option -*/}} -{{- if .Values.global }} - {{- if .Values.global.imageRegistry }} - {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} - {{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} - {{- end -}} -{{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} -{{- end -}} -{{- end -}} - - -{{/* -Return the proper image name (for the init container volume-permissions image) -*/}} -{{- define "redis.volumePermissions.image" -}} -{{- $registryName := .Values.volumePermissions.image.registry -}} -{{- $repositoryName := .Values.volumePermissions.image.repository -}} -{{- $tag := .Values.volumePermissions.image.tag | toString -}} -{{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. -Also, we can't use a single if because lazy evaluation is not an option -*/}} -{{- if .Values.global }} - {{- if .Values.global.imageRegistry }} - {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} - {{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} - {{- end -}} -{{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} -{{- end -}} -{{- end -}} - -{{/* -Return the path to the cert file. -*/}} -{{- define "redis.tlsCert" -}} -{{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/redis/certs/%s" -}} -{{- end -}} - -{{/* -Return the path to the cert key file. -*/}} -{{- define "redis.tlsCertKey" -}} -{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/redis/certs/%s" -}} -{{- end -}} - -{{/* -Return the path to the CA cert file. -*/}} -{{- define "redis.tlsCACert" -}} -{{- required "Certificate CA filename is required when TLS in enabled" .Values.tls.certCAFilename | printf "/opt/bitnami/redis/certs/%s" -}} -{{- end -}} - -{{/* -Return the path to the DH params file. -*/}} -{{- define "redis.tlsDHParams" -}} -{{- if .Values.tls.dhParamsFilename -}} -{{- printf "/opt/bitnami/redis/certs/%s" .Values.tls.dhParamsFilename -}} -{{- end -}} -{{- end -}} - -{{/* -Create the name of the service account to use -*/}} -{{- define "redis.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "redis.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{/* -Get the password secret. -*/}} -{{- define "redis.secretName" -}} -{{- if .Values.existingSecret -}} -{{- printf "%s" .Values.existingSecret -}} -{{- else -}} -{{- printf "%s" (include "redis.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{/* -Get the password key to be retrieved from Redis(TM) secret. -*/}} -{{- define "redis.secretPasswordKey" -}} -{{- if and .Values.existingSecret .Values.existingSecretPasswordKey -}} -{{- printf "%s" .Values.existingSecretPasswordKey -}} -{{- else -}} -{{- printf "redis-password" -}} -{{- end -}} -{{- end -}} - -{{/* -Return Redis(TM) password -*/}} -{{- define "redis.password" -}} -{{- if not (empty .Values.global.redis.password) }} - {{- .Values.global.redis.password -}} -{{- else if not (empty .Values.password) -}} - {{- .Values.password -}} -{{- else -}} - {{- randAlphaNum 10 -}} -{{- end -}} -{{- end -}} - -{{/* -Return sysctl image -*/}} -{{- define "redis.sysctl.image" -}} -{{- $registryName := default "docker.io" .Values.sysctlImage.registry -}} -{{- $repositoryName := .Values.sysctlImage.repository -}} -{{- $tag := default "buster" .Values.sysctlImage.tag | toString -}} -{{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. -Also, we can't use a single if because lazy evaluation is not an option -*/}} -{{- if .Values.global }} - {{- if .Values.global.imageRegistry }} - {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} - {{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} - {{- end -}} -{{- else -}} - {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} -{{- end -}} -{{- end -}} - -{{/* -Return the proper Docker Image Registry Secret Names -*/}} -{{- define "redis.imagePullSecrets" -}} -{{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. -Also, we can not use a single if because lazy evaluation is not an option -*/}} -{{- if .Values.global }} -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.sysctlImage.pullSecrets .Values.volumePermissions.image.pullSecrets }} -imagePullSecrets: -{{- range .Values.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- range .Values.metrics.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- range .Values.sysctlImage.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- range .Values.volumePermissions.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- end -}} -{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.sysctlImage.pullSecrets .Values.volumePermissions.image.pullSecrets }} -imagePullSecrets: -{{- range .Values.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- range .Values.metrics.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- range .Values.sysctlImage.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- range .Values.volumePermissions.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- end -}} -{{- end -}} - -{{/* Check if there are rolling tags in the images */}} -{{- define "redis.checkRollingTags" -}} -{{- if and (contains "bitnami/" .Values.image.repository) (not (.Values.image.tag | toString | regexFind "-r\\d+$|sha256:")) }} -WARNING: Rolling tag detected ({{ .Values.image.repository }}:{{ .Values.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. -+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ -{{- end }} -{{- if and (contains "bitnami/" .Values.sentinel.image.repository) (not (.Values.sentinel.image.tag | toString | regexFind "-r\\d+$|sha256:")) }} -WARNING: Rolling tag detected ({{ .Values.sentinel.image.repository }}:{{ .Values.sentinel.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. -+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ -{{- end }} -{{- end -}} - -{{/* -Return the proper Storage Class for master -*/}} -{{- define "redis.master.storageClass" -}} -{{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. -*/}} -{{- if .Values.global -}} - {{- if .Values.global.storageClass -}} - {{- if (eq "-" .Values.global.storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else }} - {{- printf "storageClassName: %s" .Values.global.storageClass -}} - {{- end -}} - {{- else -}} - {{- if .Values.master.persistence.storageClass -}} - {{- if (eq "-" .Values.master.persistence.storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else }} - {{- printf "storageClassName: %s" .Values.master.persistence.storageClass -}} - {{- end -}} - {{- end -}} - {{- end -}} -{{- else -}} - {{- if .Values.master.persistence.storageClass -}} - {{- if (eq "-" .Values.master.persistence.storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else }} - {{- printf "storageClassName: %s" .Values.master.persistence.storageClass -}} - {{- end -}} - {{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Return the proper Storage Class for slave -*/}} -{{- define "redis.slave.storageClass" -}} -{{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. -*/}} -{{- if .Values.global -}} - {{- if .Values.global.storageClass -}} - {{- if (eq "-" .Values.global.storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else }} - {{- printf "storageClassName: %s" .Values.global.storageClass -}} - {{- end -}} - {{- else -}} - {{- if .Values.slave.persistence.storageClass -}} - {{- if (eq "-" .Values.slave.persistence.storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else }} - {{- printf "storageClassName: %s" .Values.slave.persistence.storageClass -}} - {{- end -}} - {{- end -}} - {{- end -}} -{{- else -}} - {{- if .Values.slave.persistence.storageClass -}} - {{- if (eq "-" .Values.slave.persistence.storageClass) -}} - {{- printf "storageClassName: \"\"" -}} - {{- else }} - {{- printf "storageClassName: %s" .Values.slave.persistence.storageClass -}} - {{- end -}} - {{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Compile all warnings into a single message, and call fail. -*/}} -{{- define "redis.validateValues" -}} -{{- $messages := list -}} -{{- $messages := append $messages (include "redis.validateValues.spreadConstraints" .) -}} -{{- $messages := without $messages "" -}} -{{- $message := join "\n" $messages -}} - -{{- if $message -}} -{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} -{{- end -}} -{{- end -}} - -{{/* Validate values of Redis(TM) - spreadConstrainsts K8s version */}} -{{- define "redis.validateValues.spreadConstraints" -}} -{{- if and (semverCompare "<1.16-0" .Capabilities.KubeVersion.GitVersion) .Values.slave.spreadConstraints -}} -redis: spreadConstraints - Pod Topology Spread Constraints are only available on K8s >= 1.16 - Find more information at https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ -{{- end -}} -{{- end -}} - -{{/* -Renders a value that contains template. -Usage: -{{ include "redis.tplValue" (dict "value" .Values.path.to.the.Value "context" $) }} -*/}} -{{- define "redis.tplValue" -}} - {{- if typeIs "string" .value }} - {{- tpl .value .context }} - {{- else }} - {{- tpl (.value | toYaml) .context }} - {{- end }} -{{- end -}} diff --git a/stable/ckan/charts/redis/templates/configmap-scripts.yaml b/stable/ckan/charts/redis/templates/configmap-scripts.yaml deleted file mode 100644 index 6d740272..00000000 --- a/stable/ckan/charts/redis/templates/configmap-scripts.yaml +++ /dev/null @@ -1,430 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "redis.fullname" . }}-scripts - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ template "redis.name" . }} - chart: {{ template "redis.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: -{{- if and .Values.cluster.enabled .Values.sentinel.enabled }} - start-node.sh: | - #!/bin/bash - - . /opt/bitnami/scripts/libos.sh - . /opt/bitnami/scripts/liblog.sh - . /opt/bitnami/scripts/libvalidations.sh - - not_exists_dns_entry() { - myip=$(hostname -i) - - if [[ -z "$(getent ahosts "$HEADLESS_SERVICE" | grep "^${myip}" )" ]]; then - warn "$HEADLESS_SERVICE does not contain the IP of this pod: ${myip}" - return 1 - fi - info "$HEADLESS_SERVICE has my IP: ${myip}" - return 0 - } - - HEADLESS_SERVICE="{{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" - REDIS_SERVICE="{{ template "redis.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" - - # Waits for DNS to add this ip to the service DNS entry - retry_while not_exists_dns_entry - - export REDIS_REPLICATION_MODE="slave" - if [[ -z "$(getent ahosts "$HEADLESS_SERVICE" | grep -v "^$(hostname -i) ")" ]]; then - export REDIS_REPLICATION_MODE="master" - fi - - {{- if and .Values.securityContext.runAsUser (eq (.Values.securityContext.runAsUser | int) 0) }} - useradd redis - chown -R redis {{ .Values.slave.persistence.path }} - {{- end }} - - if [[ -n $REDIS_PASSWORD_FILE ]]; then - password_aux=`cat ${REDIS_PASSWORD_FILE}` - export REDIS_PASSWORD=$password_aux - fi - - if [[ -n $REDIS_MASTER_PASSWORD_FILE ]]; then - password_aux=`cat ${REDIS_MASTER_PASSWORD_FILE}` - export REDIS_MASTER_PASSWORD=$password_aux - fi - - if [[ "$REDIS_REPLICATION_MODE" == "master" ]]; then - echo "I am master" - if [[ ! -f /opt/bitnami/redis/etc/master.conf ]];then - cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf - fi - else - if [[ ! -f /opt/bitnami/redis/etc/replica.conf ]];then - cp /opt/bitnami/redis/mounted-etc/replica.conf /opt/bitnami/redis/etc/replica.conf - fi - - if is_boolean_yes "$REDIS_TLS_ENABLED"; then - sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h $REDIS_SERVICE -p {{ .Values.sentinel.port }} --tls --cert ${REDIS_TLS_CERT_FILE} --key ${REDIS_TLS_KEY_FILE} --cacert ${REDIS_TLS_CA_FILE} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" - else - sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h $REDIS_SERVICE -p {{ .Values.sentinel.port }} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" - fi - REDIS_SENTINEL_INFO=($($sentinel_info_command)) - REDIS_MASTER_HOST=${REDIS_SENTINEL_INFO[0]} - REDIS_MASTER_PORT_NUMBER=${REDIS_SENTINEL_INFO[1]} - - - # Immediately attempt to connect to the reported master. If it doesn't exist the connection attempt will either hang - # or fail with "port unreachable" and give no data. The liveness check will then timeout waiting for the redis - # container to be ready and restart the it. By then the new master will likely have been elected - if is_boolean_yes "$REDIS_TLS_ENABLED"; then - sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h $REDIS_MASTER_HOST -p {{ .Values.sentinel.port }} --tls --cert ${REDIS_TLS_CERT_FILE} --key ${REDIS_TLS_KEY_FILE} --cacert ${REDIS_TLS_CA_FILE} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" - else - sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h $REDIS_MASTER_HOST -p {{ .Values.sentinel.port }} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" - fi - - if [[ ! ($($sentinel_info_command)) ]]; then - # master doesn't actually exist, this probably means the remaining pods haven't elected a new one yet - # and are reporting the old one still. Once this happens the container will get stuck and never see the new - # master. We stop here to allow the container to not pass the liveness check and be restarted. - exit 1 - fi - fi - - if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then - cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf - fi - {{- if .Values.tls.enabled }} - ARGS=("--port" "0") - ARGS+=("--tls-port" "${REDIS_TLS_PORT}") - ARGS+=("--tls-cert-file" "${REDIS_TLS_CERT_FILE}") - ARGS+=("--tls-key-file" "${REDIS_TLS_KEY_FILE}") - ARGS+=("--tls-ca-cert-file" "${REDIS_TLS_CA_FILE}") - ARGS+=("--tls-auth-clients" "${REDIS_TLS_AUTH_CLIENTS}") - ARGS+=("--tls-replication" "yes") - {{- if .Values.tls.dhParamsFilename }} - ARGS+=("--tls-dh-params-file" "${REDIS_TLS_DH_PARAMS_FILE}") - {{- end }} - {{- else }} - ARGS=("--port" "${REDIS_PORT}") - {{- end }} - - if [[ "$REDIS_REPLICATION_MODE" == "slave" ]]; then - ARGS+=("--slaveof" "${REDIS_MASTER_HOST}" "${REDIS_MASTER_PORT_NUMBER}") - fi - - {{- if .Values.usePassword }} - ARGS+=("--requirepass" "${REDIS_PASSWORD}") - ARGS+=("--masterauth" "${REDIS_MASTER_PASSWORD}") - {{- else }} - ARGS+=("--protected-mode" "no") - {{- end }} - - if [[ "$REDIS_REPLICATION_MODE" == "master" ]]; then - ARGS+=("--include" "/opt/bitnami/redis/etc/master.conf") - else - ARGS+=("--include" "/opt/bitnami/redis/etc/replica.conf") - fi - - ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") - {{- if .Values.slave.extraFlags }} - {{- range .Values.slave.extraFlags }} - ARGS+=({{ . | quote }}) - {{- end }} - {{- end }} - - {{- if .Values.slave.preExecCmds }} - {{ .Values.slave.preExecCmds | nindent 4}} - {{- end }} - - {{- if .Values.slave.command }} - exec {{ .Values.slave.command }} "${ARGS[@]}" - {{- else }} - exec redis-server "${ARGS[@]}" - {{- end }} - - start-sentinel.sh: | - #!/bin/bash - - . /opt/bitnami/scripts/libos.sh - . /opt/bitnami/scripts/libvalidations.sh - . /opt/bitnami/scripts/libfile.sh - - sentinel_conf_set() { - local -r key="${1:?missing key}" - local value="${2:-}" - - # Sanitize inputs - value="${value//\\/\\\\}" - value="${value//&/\\&}" - value="${value//\?/\\?}" - [[ "$value" = "" ]] && value="\"$value\"" - - replace_in_file "/opt/bitnami/redis-sentinel/etc/sentinel.conf" "^#*\s*${key} .*" "${key} ${value}" false - } - sentinel_conf_add() { - echo $'\n'"$@" >> "/opt/bitnami/redis-sentinel/etc/sentinel.conf" - } - host_id() { - echo "$1" | openssl sha1 | awk '{print $2}' - } - not_exists_dns_entry() { - myip=$(hostname -i) - - if [[ -z "$(getent ahosts "$HEADLESS_SERVICE" | grep "^${myip}" )" ]]; then - warn "$HEADLESS_SERVICE does not contain the IP of this pod: ${myip}" - return 1 - fi - info "$HEADLESS_SERVICE has my IP: ${myip}" - return 0 - } - - HEADLESS_SERVICE="{{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" - REDIS_SERVICE="{{ template "redis.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" - - if [[ -n $REDIS_PASSWORD_FILE ]]; then - password_aux=`cat ${REDIS_PASSWORD_FILE}` - export REDIS_PASSWORD=$password_aux - fi - - if [[ ! -f /opt/bitnami/redis-sentinel/etc/sentinel.conf ]]; then - cp /opt/bitnami/redis-sentinel/mounted-etc/sentinel.conf /opt/bitnami/redis-sentinel/etc/sentinel.conf - {{- if .Values.usePassword }} - printf "\nsentinel auth-pass %s %s" "{{ .Values.sentinel.masterSet }}" "$REDIS_PASSWORD" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf - {{- if .Values.sentinel.usePassword }} - printf "\nrequirepass %s" "$REDIS_PASSWORD" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf - {{- end }} - {{- end }} - {{- if .Values.sentinel.staticID }} - printf "\nsentinel myid %s" "$(host_id "$HOSTNAME")" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf - {{- end }} - fi - - export REDIS_REPLICATION_MODE="slave" - - # Waits for DNS to add this ip to the service DNS entry - retry_while not_exists_dns_entry - - if [[ -z "$(getent ahosts "$HEADLESS_SERVICE" | grep -v "^$(hostname -i)")" ]]; then - export REDIS_REPLICATION_MODE="master" - fi - - # Clean sentineles from the current sentinel nodes - for node in $( getent ahosts "$HEADLESS_SERVICE" | grep -v "^$(hostname -i)" | cut -f 1 -d ' ' | uniq ); do - info "Cleaning sentinels in sentinel node: $node" - if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then - redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h $node -p {{ .Values.sentinel.port }} --tls --cert ${REDIS_SENTINEL_TLS_CERT_FILE} --key ${REDIS_SENTINEL_TLS_KEY_FILE} --cacert ${REDIS_SENTINEL_TLS_CA_FILE} sentinel reset "*" - else - redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h $node -p {{ .Values.sentinel.port }} sentinel reset "*" - fi - sleep {{ .Values.sentinel.cleanDelaySeconds }} - done - info "Sentinels clean up done" - - if [[ "$REDIS_REPLICATION_MODE" == "master" ]]; then - REDIS_MASTER_HOST="$(hostname -i)" - REDIS_MASTER_PORT_NUMBER="{{ .Values.redisPort }}" - else - if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then - sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h $REDIS_SERVICE -p {{ .Values.sentinel.port }} --tls --cert ${REDIS_SENTINEL_TLS_CERT_FILE} --key ${REDIS_SENTINEL_TLS_KEY_FILE} --cacert ${REDIS_SENTINEL_TLS_CA_FILE} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" - else - sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h $REDIS_SERVICE -p {{ .Values.sentinel.port }} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" - fi - REDIS_SENTINEL_INFO=($($sentinel_info_command)) - REDIS_MASTER_HOST=${REDIS_SENTINEL_INFO[0]} - REDIS_MASTER_PORT_NUMBER=${REDIS_SENTINEL_INFO[1]} - - # Immediately attempt to connect to the reported master. If it doesn't exist the connection attempt will either hang - # or fail with "port unreachable" and give no data. The liveness check will then timeout waiting for the sentinel - # container to be ready and restart the it. By then the new master will likely have been elected - if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then - sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h $REDIS_MASTER_HOST -p {{ .Values.sentinel.port }} --tls --cert ${REDIS_SENTINEL_TLS_CERT_FILE} --key ${REDIS_SENTINEL_TLS_KEY_FILE} --cacert ${REDIS_SENTINEL_TLS_CA_FILE} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" - else - sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h $REDIS_MASTER_HOST -p {{ .Values.sentinel.port }} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" - fi - - if [[ ! ($($sentinel_info_command)) ]]; then - # master doesn't actually exist, this probably means the remaining pods haven't elected a new one yet - # and are reporting the old one still. Once this happens the container will get stuck and never see the new - # master. We stop here to allow the container to not pass the liveness check and be restarted. - exit 1 - fi - fi - sentinel_conf_set "sentinel monitor" "{{ .Values.sentinel.masterSet }} "$REDIS_MASTER_HOST" "$REDIS_MASTER_PORT_NUMBER" {{ .Values.sentinel.quorum }}" - - add_replica() { - if [[ "$1" != "$REDIS_MASTER_HOST" ]]; then - sentinel_conf_add "sentinel known-replica {{ .Values.sentinel.masterSet }} $1 {{ .Values.redisPort }}" - fi - } - - {{- if .Values.sentinel.staticID }} - # remove generated known sentinels and replicas - tmp="$(sed -e '/^sentinel known-/d' -e '/^$/d' /opt/bitnami/redis-sentinel/etc/sentinel.conf)" - echo "$tmp" > /opt/bitnami/redis-sentinel/etc/sentinel.conf - - for node in $(seq 0 {{ .Values.cluster.slaveCount }}); do - NAME="{{ template "redis.fullname" . }}-node-$node" - IP="$(getent hosts "$NAME.$HEADLESS_SERVICE" | awk ' {print $1 }')" - if [[ "$NAME" != "$HOSTNAME" && -n "$IP" ]]; then - sentinel_conf_add "sentinel known-sentinel {{ .Values.sentinel.masterSet }} $IP {{ .Values.sentinel.port }} $(host_id "$NAME")" - add_replica "$IP" - fi - done - add_replica "$(hostname -i)" - {{- end }} - - {{- if .Values.tls.enabled }} - ARGS=("--port" "0") - ARGS+=("--tls-port" "${REDIS_SENTINEL_TLS_PORT_NUMBER}") - ARGS+=("--tls-cert-file" "${REDIS_SENTINEL_TLS_CERT_FILE}") - ARGS+=("--tls-key-file" "${REDIS_SENTINEL_TLS_KEY_FILE}") - ARGS+=("--tls-ca-cert-file" "${REDIS_SENTINEL_TLS_CA_FILE}") - ARGS+=("--tls-replication" "yes") - ARGS+=("--tls-auth-clients" "${REDIS_SENTINEL_TLS_AUTH_CLIENTS}") - {{- if .Values.tls.dhParamsFilename }} - ARGS+=("--tls-dh-params-file" "${REDIS_SENTINEL_TLS_DH_PARAMS_FILE}") - {{- end }} - {{- end }} - {{- if .Values.sentinel.preExecCmds }} - {{ .Values.sentinel.preExecCmds | nindent 4 }} - {{- end }} - exec redis-server /opt/bitnami/redis-sentinel/etc/sentinel.conf --sentinel {{- if .Values.tls.enabled }} "${ARGS[@]}" {{- end }} - prestop-sentinel.sh: | - #!/bin/bash - - . /opt/bitnami/scripts/libvalidations.sh - - REDIS_SERVICE="{{ include "redis.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" - - if [[ -n "$REDIS_PASSWORD_FILE" ]]; then - password_aux=$(cat "$REDIS_PASSWORD_FILE") - export REDIS_PASSWORD="$password_aux" - fi - - if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then - sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a ${REDIS_PASSWORD} {{- end }} -h ${REDIS_SERVICE} -p {{ .Values.sentinel.port }} --tls --cert ${REDIS_SENTINEL_TLS_CERT_FILE} --key ${REDIS_SENTINEL_TLS_KEY_FILE} --cacert ${REDIS_SENTINEL_TLS_CA_FILE} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" - else - sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a ${REDIS_PASSWORD} {{- end }} -h ${REDIS_SERVICE} -p {{ .Values.sentinel.port }} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" - fi - REDIS_SENTINEL_INFO=($($sentinel_info_command)) - REDIS_MASTER_HOST="${REDIS_SENTINEL_INFO[0]}" - - if [[ "$REDIS_MASTER_HOST" == "$(hostname -i)" ]]; then - if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then - redis-cli {{- if .Values.usePassword }} -a "$REDIS_PASSWORD" {{- end }} -h "$REDIS_SERVICE" -p {{ .Values.sentinel.port }} --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel failover mymaster - else - redis-cli {{- if .Values.usePassword }} -a "$REDIS_PASSWORD" {{- end }} -h "$REDIS_SERVICE" -p {{ .Values.sentinel.port }} sentinel failover mymaster - fi - fi -{{- else }} - start-master.sh: | - #!/bin/bash - {{- if and .Values.securityContext.runAsUser (eq (.Values.securityContext.runAsUser | int) 0) }} - useradd redis - chown -R redis {{ .Values.master.persistence.path }} - {{- end }} - if [[ -n $REDIS_PASSWORD_FILE ]]; then - password_aux=`cat ${REDIS_PASSWORD_FILE}` - export REDIS_PASSWORD=$password_aux - fi - if [[ ! -f /opt/bitnami/redis/etc/master.conf ]];then - cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf - fi - if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then - cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf - fi - {{- if .Values.tls.enabled }} - ARGS=("--port" "0") - ARGS+=("--tls-port" "${REDIS_TLS_PORT}") - ARGS+=("--tls-cert-file" "${REDIS_TLS_CERT_FILE}") - ARGS+=("--tls-key-file" "${REDIS_TLS_KEY_FILE}") - ARGS+=("--tls-ca-cert-file" "${REDIS_TLS_CA_FILE}") - ARGS+=("--tls-auth-clients" "${REDIS_TLS_AUTH_CLIENTS}") - {{- if .Values.tls.dhParamsFilename }} - ARGS+=("--tls-dh-params-file" "${REDIS_TLS_DH_PARAMS_FILE}") - {{- end }} - {{- else }} - ARGS=("--port" "${REDIS_PORT}") - {{- end }} - {{- if .Values.usePassword }} - ARGS+=("--requirepass" "${REDIS_PASSWORD}") - ARGS+=("--masterauth" "${REDIS_PASSWORD}") - {{- else }} - ARGS+=("--protected-mode" "no") - {{- end }} - ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") - ARGS+=("--include" "/opt/bitnami/redis/etc/master.conf") - {{- if .Values.master.extraFlags }} - {{- range .Values.master.extraFlags }} - ARGS+=({{ . | quote }}) - {{- end }} - {{- end }} - {{- if .Values.master.preExecCmds }} - {{ .Values.master.preExecCmds | nindent 4}} - {{- end }} - {{- if .Values.master.command }} - exec {{ .Values.master.command }} "${ARGS[@]}" - {{- else }} - exec redis-server "${ARGS[@]}" - {{- end }} - {{- if .Values.cluster.enabled }} - start-slave.sh: | - #!/bin/bash - {{- if and .Values.securityContext.runAsUser (eq (.Values.securityContext.runAsUser | int) 0) }} - useradd redis - chown -R redis {{ .Values.slave.persistence.path }} - {{- end }} - if [[ -n $REDIS_PASSWORD_FILE ]]; then - password_aux=`cat ${REDIS_PASSWORD_FILE}` - export REDIS_PASSWORD=$password_aux - fi - if [[ -n $REDIS_MASTER_PASSWORD_FILE ]]; then - password_aux=`cat ${REDIS_MASTER_PASSWORD_FILE}` - export REDIS_MASTER_PASSWORD=$password_aux - fi - if [[ ! -f /opt/bitnami/redis/etc/replica.conf ]];then - cp /opt/bitnami/redis/mounted-etc/replica.conf /opt/bitnami/redis/etc/replica.conf - fi - if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then - cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf - fi - {{- if .Values.tls.enabled }} - ARGS=("--port" "0") - ARGS+=("--tls-port" "${REDIS_TLS_PORT}") - ARGS+=("--tls-cert-file" "${REDIS_TLS_CERT_FILE}") - ARGS+=("--tls-key-file" "${REDIS_TLS_KEY_FILE}") - ARGS+=("--tls-ca-cert-file" "${REDIS_TLS_CA_FILE}") - ARGS+=("--tls-auth-clients" "${REDIS_TLS_AUTH_CLIENTS}") - ARGS+=("--tls-replication" "yes") - {{- if .Values.tls.dhParamsFilename }} - ARGS+=("--tls-dh-params-file" "${REDIS_TLS_DH_PARAMS_FILE}") - {{- end }} - {{- else }} - ARGS=("--port" "${REDIS_PORT}") - {{- end }} - ARGS+=("--slaveof" "${REDIS_MASTER_HOST}" "${REDIS_MASTER_PORT_NUMBER}") - {{- if .Values.usePassword }} - ARGS+=("--requirepass" "${REDIS_PASSWORD}") - ARGS+=("--masterauth" "${REDIS_MASTER_PASSWORD}") - {{- else }} - ARGS+=("--protected-mode" "no") - {{- end }} - ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") - ARGS+=("--include" "/opt/bitnami/redis/etc/replica.conf") - {{- if .Values.slave.extraFlags }} - {{- range .Values.slave.extraFlags }} - ARGS+=({{ . | quote }}) - {{- end }} - {{- end }} - {{- if .Values.slave.preExecCmds }} - {{ .Values.slave.preExecCmds | nindent 4}} - {{- end }} - {{- if .Values.slave.command }} - exec {{ .Values.slave.command }} "${ARGS[@]}" - {{- else }} - exec redis-server "${ARGS[@]}" - {{- end }} - {{- end }} - -{{- end -}} diff --git a/stable/ckan/charts/redis/templates/configmap.yaml b/stable/ckan/charts/redis/templates/configmap.yaml deleted file mode 100644 index 77bdc81e..00000000 --- a/stable/ckan/charts/redis/templates/configmap.yaml +++ /dev/null @@ -1,53 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "redis.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ template "redis.name" . }} - chart: {{ template "redis.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: - redis.conf: |- -{{- if .Values.configmap }} - # User-supplied configuration: -{{- tpl .Values.configmap . | nindent 4 }} -{{- end }} - master.conf: |- - dir {{ .Values.master.persistence.path }} -{{- if .Values.master.configmap }} - # User-supplied master configuration: -{{- tpl .Values.master.configmap . | nindent 4 }} -{{- end }} -{{- if .Values.master.disableCommands }} -{{- range .Values.master.disableCommands }} - rename-command {{ . }} "" -{{- end }} -{{- end }} - replica.conf: |- - dir {{ .Values.slave.persistence.path }} - slave-read-only yes -{{- if .Values.slave.configmap }} - # User-supplied slave configuration: -{{- tpl .Values.slave.configmap . | nindent 4 }} -{{- end }} -{{- if .Values.slave.disableCommands }} -{{- range .Values.slave.disableCommands }} - rename-command {{ . }} "" -{{- end }} -{{- end }} -{{- if .Values.sentinel.enabled }} - sentinel.conf: |- - dir "/tmp" - bind 0.0.0.0 - port {{ .Values.sentinel.port }} - sentinel monitor {{ .Values.sentinel.masterSet }} {{ template "redis.fullname" . }}-node-0.{{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} {{ .Values.redisPort }} {{ .Values.sentinel.quorum }} - sentinel down-after-milliseconds {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.downAfterMilliseconds }} - sentinel failover-timeout {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.failoverTimeout }} - sentinel parallel-syncs {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.parallelSyncs }} -{{- if .Values.sentinel.configmap }} - # User-supplied sentinel configuration: -{{- tpl .Values.sentinel.configmap . | nindent 4 }} -{{- end }} -{{- end }} diff --git a/stable/ckan/charts/redis/templates/headless-svc.yaml b/stable/ckan/charts/redis/templates/headless-svc.yaml deleted file mode 100644 index d758c0d2..00000000 --- a/stable/ckan/charts/redis/templates/headless-svc.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "redis.fullname" . }}-headless - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ template "redis.name" . }} - chart: {{ template "redis.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - type: ClusterIP - clusterIP: None - {{- if .Values.sentinel.enabled }} - publishNotReadyAddresses: true - {{- end }} - ports: - - name: tcp-redis - port: {{ .Values.redisPort }} - targetPort: redis - {{- if .Values.sentinel.enabled }} - - name: tcp-sentinel - port: {{ .Values.sentinel.port }} - targetPort: redis-sentinel - {{- end }} - selector: - app: {{ template "redis.name" . }} - release: {{ .Release.Name }} diff --git a/stable/ckan/charts/redis/templates/health-configmap.yaml b/stable/ckan/charts/redis/templates/health-configmap.yaml deleted file mode 100644 index 1bb8e74d..00000000 --- a/stable/ckan/charts/redis/templates/health-configmap.yaml +++ /dev/null @@ -1,176 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "redis.fullname" . }}-health - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ template "redis.name" . }} - chart: {{ template "redis.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -data: - ping_readiness_local.sh: |- - #!/bin/bash -{{- if .Values.usePasswordFile }} - password_aux=`cat ${REDIS_PASSWORD_FILE}` - export REDIS_PASSWORD=$password_aux -{{- end }} - export REDISCLI_AUTH="$REDIS_PASSWORD" - response=$( - timeout -s 3 $1 \ - redis-cli \ - -h localhost \ -{{- if .Values.tls.enabled }} - -p $REDIS_TLS_PORT \ - --tls \ - --cacert {{ template "redis.tlsCACert" . }} \ - {{- if .Values.tls.authClients }} - --cert {{ template "redis.tlsCert" . }} \ - --key {{ template "redis.tlsCertKey" . }} \ - {{- end }} -{{- else }} - -p $REDIS_PORT \ -{{- end }} - ping - ) - if [ "$response" != "PONG" ]; then - echo "$response" - exit 1 - fi - ping_liveness_local.sh: |- - #!/bin/bash -{{- if .Values.usePasswordFile }} - password_aux=`cat ${REDIS_PASSWORD_FILE}` - export REDIS_PASSWORD=$password_aux -{{- end }} - export REDISCLI_AUTH="$REDIS_PASSWORD" - response=$( - timeout -s 3 $1 \ - redis-cli \ - -h localhost \ -{{- if .Values.tls.enabled }} - -p $REDIS_TLS_PORT \ - --tls \ - --cacert {{ template "redis.tlsCACert" . }} \ - {{- if .Values.tls.authClients }} - --cert {{ template "redis.tlsCert" . }} \ - --key {{ template "redis.tlsCertKey" . }} \ - {{- end }} -{{- else }} - -p $REDIS_PORT \ -{{- end }} - ping - ) - if [ "$response" != "PONG" ] && [ "$response" != "LOADING Redis is loading the dataset in memory" ]; then - echo "$response" - exit 1 - fi -{{- if .Values.sentinel.enabled }} - ping_sentinel.sh: |- - #!/bin/bash -{{- if .Values.usePasswordFile }} - password_aux=`cat ${REDIS_PASSWORD_FILE}` - export REDIS_PASSWORD=$password_aux -{{- end }} - export REDISCLI_AUTH="$REDIS_PASSWORD" - response=$( - timeout -s 3 $1 \ - redis-cli \ - -h localhost \ -{{- if .Values.tls.enabled }} - -p $REDIS_SENTINEL_TLS_PORT_NUMBER \ - --tls \ - --cacert {{ template "redis.tlsCACert" . }} \ - {{- if .Values.tls.authClients }} - --cert {{ template "redis.tlsCert" . }} \ - --key {{ template "redis.tlsCertKey" . }} \ - {{- end }} -{{- else }} - -p $REDIS_SENTINEL_PORT \ -{{- end }} - ping - ) - if [ "$response" != "PONG" ]; then - echo "$response" - exit 1 - fi - parse_sentinels.awk: |- - /ip/ {FOUND_IP=1} - /port/ {FOUND_PORT=1} - /runid/ {FOUND_RUNID=1} - !/ip|port|runid/ { - if (FOUND_IP==1) { - IP=$1; FOUND_IP=0; - } - else if (FOUND_PORT==1) { - PORT=$1; - FOUND_PORT=0; - } else if (FOUND_RUNID==1) { - printf "\nsentinel known-sentinel {{ .Values.sentinel.masterSet }} %s %s %s", IP, PORT, $0; FOUND_RUNID=0; - } - } -{{- end }} - ping_readiness_master.sh: |- - #!/bin/bash -{{- if .Values.usePasswordFile }} - password_aux=`cat ${REDIS_MASTER_PASSWORD_FILE}` - export REDIS_MASTER_PASSWORD=$password_aux -{{- end }} - export REDISCLI_AUTH="$REDIS_MASTER_PASSWORD" - response=$( - timeout -s 3 $1 \ - redis-cli \ - -h $REDIS_MASTER_HOST \ - -p $REDIS_MASTER_PORT_NUMBER \ -{{- if .Values.tls.enabled }} - --tls \ - --cacert {{ template "redis.tlsCACert" . }} \ - {{- if .Values.tls.authClients }} - --cert {{ template "redis.tlsCert" . }} \ - --key {{ template "redis.tlsCertKey" . }} \ - {{- end }} -{{- end }} - ping - ) - if [ "$response" != "PONG" ]; then - echo "$response" - exit 1 - fi - ping_liveness_master.sh: |- - #!/bin/bash -{{- if .Values.usePasswordFile }} - password_aux=`cat ${REDIS_MASTER_PASSWORD_FILE}` - export REDIS_MASTER_PASSWORD=$password_aux -{{- end }} - export REDISCLI_AUTH="$REDIS_MASTER_PASSWORD" - response=$( - timeout -s 3 $1 \ - redis-cli \ - -h $REDIS_MASTER_HOST \ - -p $REDIS_MASTER_PORT_NUMBER \ -{{- if .Values.tls.enabled }} - --tls \ - --cacert {{ template "redis.tlsCACert" . }} \ - {{- if .Values.tls.authClients }} - --cert {{ template "redis.tlsCert" . }} \ - --key {{ template "redis.tlsCertKey" . }} \ - {{- end }} -{{- end }} - ping - ) - if [ "$response" != "PONG" ] && [ "$response" != "LOADING Redis is loading the dataset in memory" ]; then - echo "$response" - exit 1 - fi - ping_readiness_local_and_master.sh: |- - script_dir="$(dirname "$0")" - exit_status=0 - "$script_dir/ping_readiness_local.sh" $1 || exit_status=$? - "$script_dir/ping_readiness_master.sh" $1 || exit_status=$? - exit $exit_status - ping_liveness_local_and_master.sh: |- - script_dir="$(dirname "$0")" - exit_status=0 - "$script_dir/ping_liveness_local.sh" $1 || exit_status=$? - "$script_dir/ping_liveness_master.sh" $1 || exit_status=$? - exit $exit_status diff --git a/stable/ckan/charts/redis/templates/metrics-prometheus.yaml b/stable/ckan/charts/redis/templates/metrics-prometheus.yaml deleted file mode 100644 index ed53dc6e..00000000 --- a/stable/ckan/charts/redis/templates/metrics-prometheus.yaml +++ /dev/null @@ -1,39 +0,0 @@ -{{- if and (.Values.metrics.enabled) (.Values.metrics.serviceMonitor.enabled) }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ template "redis.fullname" . }} - {{- if .Values.metrics.serviceMonitor.namespace }} - namespace: {{ .Values.metrics.serviceMonitor.namespace }} - {{- else }} - namespace: {{ .Release.Namespace | quote }} - {{- end }} - labels: - app: {{ template "redis.name" . }} - chart: {{ template "redis.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - {{- range $key, $value := .Values.metrics.serviceMonitor.selector }} - {{ $key }}: {{ $value | quote }} - {{- end }} -spec: - endpoints: - - port: metrics - {{- if .Values.metrics.serviceMonitor.interval }} - interval: {{ .Values.metrics.serviceMonitor.interval }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.relabelings }} - relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }} - {{- end }} - {{- if .Values.metrics.serviceMonitor.metricRelabelings }} - metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }} - {{- end }} - selector: - matchLabels: - app: {{ template "redis.name" . }} - release: {{ .Release.Name }} - app.kubernetes.io/component: "metrics" - namespaceSelector: - matchNames: - - {{ .Release.Namespace }} -{{- end -}} diff --git a/stable/ckan/charts/redis/templates/metrics-sentinel-prometheus.yaml b/stable/ckan/charts/redis/templates/metrics-sentinel-prometheus.yaml deleted file mode 100644 index 43cc2aa3..00000000 --- a/stable/ckan/charts/redis/templates/metrics-sentinel-prometheus.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{- if and .Values.sentinel.enabled .Values.sentinel.metrics.enabled .Values.sentinel.metrics.serviceMonitor.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "redis.fullname" . }}-sentinel-metrics - {{- if .Values.sentinel.metrics.serviceMonitor.namespace }} - namespace: {{ .Values.sentinel.metrics.serviceMonitor.namespace }} - {{- else }} - namespace: {{ .Release.Namespace | quote }} - {{- end }} - labels: - app: {{ include "redis.name" . }} - chart: {{ include "redis.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - {{- range $key, $value := .Values.sentinel.metrics.serviceMonitor.selector }} - {{ $key }}: {{ $value | quote }} - {{- end }} -spec: - endpoints: - - port: sentinelmetrics - {{- if .Values.sentinel.metrics.serviceMonitor.interval }} - interval: {{ .Values.sentinel.metrics.serviceMonitor.interval }} - {{- end }} - selector: - matchLabels: - app: {{ include "redis.name" . }} - release: {{ .Release.Name }} - app.kubernetes.io/component: "sentinel-metrics" - namespaceSelector: - matchNames: - - {{ .Release.Namespace }} -{{- end -}} diff --git a/stable/ckan/charts/redis/templates/metrics-sentinel-svc.yaml b/stable/ckan/charts/redis/templates/metrics-sentinel-svc.yaml deleted file mode 100644 index 25f3770d..00000000 --- a/stable/ckan/charts/redis/templates/metrics-sentinel-svc.yaml +++ /dev/null @@ -1,35 +0,0 @@ -{{- if and .Values.sentinel.enabled .Values.sentinel.metrics.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "redis.fullname" . }}-sentinel-metrics - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ include "redis.name" . }} - chart: {{ include "redis.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - app.kubernetes.io/component: "sentinel-metrics" - {{- if .Values.sentinel.metrics.service.labels -}} - {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.metrics.service.labels "context" $) | nindent 4 }} - {{- end -}} - {{- if .Values.sentinel.metrics.service.annotations }} - annotations: {{- toYaml .Values.sentinel.metrics.service.annotations | nindent 4 }} - {{- end }} -spec: - type: {{ .Values.sentinel.metrics.service.type }} - {{- if eq .Values.sentinel.metrics.service.type "LoadBalancer" }} - externalTrafficPolicy: {{ .Values.sentinel.metrics.service.externalTrafficPolicy }} - {{- end }} - {{- if and (eq .Values.sentinel.metrics.service.type "LoadBalancer") .Values.sentinel.metrics.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.sentinel.metrics.service.loadBalancerIP }} - {{- end }} - ports: - - port: {{ .Values.sentinel.metrics.service.port }} - targetPort: sentinelmetrics - protocol: TCP - name: sentinelmetrics - selector: - app: {{ include "redis.name" . }} - release: {{ .Release.Name }} -{{- end }} diff --git a/stable/ckan/charts/redis/templates/metrics-svc.yaml b/stable/ckan/charts/redis/templates/metrics-svc.yaml deleted file mode 100644 index 767a464e..00000000 --- a/stable/ckan/charts/redis/templates/metrics-svc.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{- if .Values.metrics.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "redis.fullname" . }}-metrics - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ template "redis.name" . }} - chart: {{ template "redis.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - app.kubernetes.io/component: "metrics" - {{- if .Values.metrics.service.labels -}} - {{- toYaml .Values.metrics.service.labels | nindent 4 }} - {{- end -}} - {{- if .Values.metrics.service.annotations }} - annotations: {{- toYaml .Values.metrics.service.annotations | nindent 4 }} - {{- end }} -spec: - type: {{ .Values.metrics.service.type }} - {{ if eq .Values.metrics.service.type "LoadBalancer" }} - externalTrafficPolicy: {{ .Values.metrics.service.externalTrafficPolicy }} - {{- end }} - {{ if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }} - {{- end }} - ports: - - name: metrics - port: 9121 - targetPort: metrics - selector: - app: {{ template "redis.name" . }} - release: {{ .Release.Name }} -{{- end }} diff --git a/stable/ckan/charts/redis/templates/networkpolicy.yaml b/stable/ckan/charts/redis/templates/networkpolicy.yaml deleted file mode 100644 index 0249bc0e..00000000 --- a/stable/ckan/charts/redis/templates/networkpolicy.yaml +++ /dev/null @@ -1,74 +0,0 @@ -{{- if .Values.networkPolicy.enabled }} -kind: NetworkPolicy -apiVersion: {{ template "networkPolicy.apiVersion" . }} -metadata: - name: {{ template "redis.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ template "redis.name" . }} - chart: {{ template "redis.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - podSelector: - matchLabels: - app: {{ template "redis.name" . }} - release: {{ .Release.Name }} - {{- if .Values.cluster.enabled }} - policyTypes: - - Ingress - - Egress - egress: - # Allow dns resolution - - ports: - - port: 53 - protocol: UDP - # Allow outbound connections to other cluster pods - - ports: - - port: {{ .Values.redisPort }} - {{- if .Values.sentinel.enabled }} - - port: {{ .Values.sentinel.port }} - {{- end }} - to: - - podSelector: - matchLabels: - app: {{ template "redis.name" . }} - release: {{ .Release.Name }} - {{- end }} - ingress: - # Allow inbound connections - - ports: - - port: {{ .Values.redisPort }} - {{- if .Values.sentinel.enabled }} - - port: {{ .Values.sentinel.port }} - {{- end }} - {{- if not .Values.networkPolicy.allowExternal }} - from: - - podSelector: - matchLabels: - {{ template "redis.fullname" . }}-client: "true" - - podSelector: - matchLabels: - app: {{ template "redis.name" . }} - release: {{ .Release.Name }} - {{- if .Values.networkPolicy.ingressNSMatchLabels }} - - namespaceSelector: - matchLabels: - {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} - {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} - podSelector: - matchLabels: - {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.metrics.enabled }} - # Allow prometheus scrapes for metrics - - ports: - - port: 9121 - {{- end }} -{{- end }} diff --git a/stable/ckan/charts/redis/templates/pdb.yaml b/stable/ckan/charts/redis/templates/pdb.yaml deleted file mode 100644 index b9dc54b3..00000000 --- a/stable/ckan/charts/redis/templates/pdb.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if .Values.podDisruptionBudget.enabled }} -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: {{ template "redis.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ template "redis.name" . }} - chart: {{ template "redis.chart" . }} -spec: - {{- if .Values.podDisruptionBudget.minAvailable }} - minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} - {{- end }} - {{- if .Values.podDisruptionBudget.maxUnavailable }} - maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} - {{- end }} - selector: - matchLabels: - app: {{ template "redis.name" . }} - chart: {{ template "redis.chart" . }} - release: {{ .Release.Name }} -{{- end }} diff --git a/stable/ckan/charts/redis/templates/prometheusrule.yaml b/stable/ckan/charts/redis/templates/prometheusrule.yaml deleted file mode 100644 index 48ae017f..00000000 --- a/stable/ckan/charts/redis/templates/prometheusrule.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: PrometheusRule -metadata: - name: {{ template "redis.fullname" . }} - {{- if .Values.metrics.prometheusRule.namespace }} - namespace: {{ .Values.metrics.prometheusRule.namespace }} - {{- else }} - namespace: {{ .Release.Namespace | quote }} - {{- end }} - labels: - app: {{ template "redis.name" . }} - chart: {{ template "redis.chart" . }} - release: {{ .Release.Name | quote }} - heritage: {{ .Release.Service | quote }} -{{- with .Values.metrics.prometheusRule.additionalLabels }} -{{- toYaml . | nindent 4 }} -{{- end }} -spec: -{{- with .Values.metrics.prometheusRule.rules }} - groups: - - name: {{ template "redis.name" $ }} - rules: {{- tpl (toYaml .) $ | nindent 8 }} -{{- end }} -{{- end }} diff --git a/stable/ckan/charts/redis/templates/psp.yaml b/stable/ckan/charts/redis/templates/psp.yaml deleted file mode 100644 index eca04c13..00000000 --- a/stable/ckan/charts/redis/templates/psp.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{- if .Values.podSecurityPolicy.create }} -apiVersion: {{ template "podSecurityPolicy.apiVersion" . }} -kind: PodSecurityPolicy -metadata: - name: {{ template "redis.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ template "redis.name" . }} - chart: {{ template "redis.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - allowPrivilegeEscalation: false - fsGroup: - rule: 'MustRunAs' - ranges: - - min: {{ .Values.securityContext.fsGroup }} - max: {{ .Values.securityContext.fsGroup }} - hostIPC: false - hostNetwork: false - hostPID: false - privileged: false - readOnlyRootFilesystem: false - requiredDropCapabilities: - - ALL - runAsUser: - rule: 'MustRunAs' - ranges: - - min: {{ .Values.containerSecurityContext.runAsUser }} - max: {{ .Values.containerSecurityContext.runAsUser }} - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'MustRunAs' - ranges: - - min: {{ .Values.containerSecurityContext.runAsUser }} - max: {{ .Values.containerSecurityContext.runAsUser }} - volumes: - - 'configMap' - - 'secret' - - 'emptyDir' - - 'persistentVolumeClaim' -{{- end }} diff --git a/stable/ckan/charts/redis/templates/redis-master-statefulset.yaml b/stable/ckan/charts/redis/templates/redis-master-statefulset.yaml deleted file mode 100644 index 80dc112a..00000000 --- a/stable/ckan/charts/redis/templates/redis-master-statefulset.yaml +++ /dev/null @@ -1,394 +0,0 @@ -{{- if or (not .Values.cluster.enabled) (not .Values.sentinel.enabled) }} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ template "redis.fullname" . }}-master - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ template "redis.name" . }} - chart: {{ template "redis.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - {{- if .Values.master.statefulset.labels }} - {{- toYaml .Values.master.statefulset.labels | nindent 4 }} - {{- end }} -{{- if .Values.master.statefulset.annotations }} - annotations: - {{- toYaml .Values.master.statefulset.annotations | nindent 4 }} -{{- end }} -spec: - selector: - matchLabels: - app: {{ template "redis.name" . }} - release: {{ .Release.Name }} - role: master - serviceName: {{ template "redis.fullname" . }}-headless - template: - metadata: - labels: - app: {{ template "redis.name" . }} - chart: {{ template "redis.chart" . }} - release: {{ .Release.Name }} - role: master - {{- if .Values.master.podLabels }} - {{- toYaml .Values.master.podLabels | nindent 8 }} - {{- end }} - {{- if and .Values.metrics.enabled .Values.metrics.podLabels }} - {{- toYaml .Values.metrics.podLabels | nindent 8 }} - {{- end }} - annotations: - checksum/health: {{ include (print $.Template.BasePath "/health-configmap.yaml") . | sha256sum }} - checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} - {{- if .Values.master.podAnnotations }} - {{- toYaml .Values.master.podAnnotations | nindent 8 }} - {{- end }} - {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} - {{- toYaml .Values.metrics.podAnnotations | nindent 8 }} - {{- end }} - spec: - {{- include "redis.imagePullSecrets" . | nindent 6 }} - {{- if .Values.master.hostAliases }} - hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.master.hostAliases "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.securityContext.enabled }} - securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }} - {{- end }} - serviceAccountName: {{ template "redis.serviceAccountName" . }} - {{- if .Values.master.priorityClassName }} - priorityClassName: {{ .Values.master.priorityClassName | quote }} - {{- end }} - {{- with .Values.master.affinity }} - affinity: {{- tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- if .Values.master.nodeSelector }} - nodeSelector: {{- toYaml .Values.master.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.master.tolerations }} - tolerations: {{- toYaml .Values.master.tolerations | nindent 8 }} - {{- end }} - {{- if .Values.master.shareProcessNamespace }} - shareProcessNamespace: {{ .Values.master.shareProcessNamespace }} - {{- end }} - {{- if .Values.master.schedulerName }} - schedulerName: {{ .Values.master.schedulerName }} - {{- end }} - containers: - - name: {{ template "redis.name" . }} - image: {{ template "redis.image" . }} - imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - command: - - /bin/bash - - -c - - /opt/bitnami/scripts/start-scripts/start-master.sh - env: - - name: REDIS_REPLICATION_MODE - value: master - {{- if .Values.usePassword }} - {{- if .Values.usePasswordFile }} - - name: REDIS_PASSWORD_FILE - value: "/opt/bitnami/redis/secrets/redis-password" - {{- else }} - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "redis.secretName" . }} - key: {{ template "redis.secretPasswordKey" . }} - {{- end }} - {{- else }} - - name: ALLOW_EMPTY_PASSWORD - value: "yes" - {{- end }} - - name: REDIS_TLS_ENABLED - value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} - {{- if .Values.tls.enabled }} - - name: REDIS_TLS_PORT - value: {{ .Values.redisPort | quote }} - - name: REDIS_TLS_AUTH_CLIENTS - value: {{ ternary "yes" "no" .Values.tls.authClients | quote }} - - name: REDIS_TLS_CERT_FILE - value: {{ template "redis.tlsCert" . }} - - name: REDIS_TLS_KEY_FILE - value: {{ template "redis.tlsCertKey" . }} - - name: REDIS_TLS_CA_FILE - value: {{ template "redis.tlsCACert" . }} - {{- if .Values.tls.dhParamsFilename }} - - name: REDIS_TLS_DH_PARAMS_FILE - value: {{ template "redis.tlsDHParams" . }} - {{- end }} - {{- else }} - - name: REDIS_PORT - value: {{ .Values.redisPort | quote }} - {{- end }} - {{- if .Values.master.extraEnvVars }} - {{- include "redis.tplValue" (dict "value" .Values.master.extraEnvVars "context" $) | nindent 12 }} - {{- end }} - {{- if or .Values.master.extraEnvVarsCM .Values.master.extraEnvVarsSecret }} - envFrom: - {{- if .Values.master.extraEnvVarsCM }} - - configMapRef: - name: {{ .Values.master.extraEnvVarsCM }} - {{- end }} - {{- if .Values.master.extraEnvVarsSecret }} - - secretRef: - name: {{ .Values.master.extraEnvVarsSecret }} - {{- end }} - {{- end }} - ports: - - name: redis - containerPort: {{ .Values.redisPort }} - {{- if .Values.master.livenessProbe.enabled }} - livenessProbe: - initialDelaySeconds: {{ .Values.master.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.master.livenessProbe.periodSeconds }} - # One second longer than command timeout should prevent generation of zombie processes. - timeoutSeconds: {{ add1 .Values.master.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.master.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.master.livenessProbe.failureThreshold }} - exec: - command: - - sh - - -c - - /health/ping_liveness_local.sh {{ .Values.master.livenessProbe.timeoutSeconds }} - {{- else if .Values.master.customLivenessProbe }} - livenessProbe: {{- toYaml .Values.master.customLivenessProbe | nindent 12 }} - {{- end }} - {{- if .Values.master.readinessProbe.enabled}} - readinessProbe: - initialDelaySeconds: {{ .Values.master.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.master.readinessProbe.periodSeconds }} - timeoutSeconds: {{ add1 .Values.master.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.master.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.master.readinessProbe.failureThreshold }} - exec: - command: - - sh - - -c - - /health/ping_readiness_local.sh {{ .Values.master.readinessProbe.timeoutSeconds }} - {{- else if .Values.master.customReadinessProbe }} - readinessProbe: {{- toYaml .Values.master.customReadinessProbe | nindent 12 }} - {{- end }} - resources: {{- toYaml .Values.master.resources | nindent 12 }} - volumeMounts: - - name: start-scripts - mountPath: /opt/bitnami/scripts/start-scripts - - name: health - mountPath: /health - {{- if .Values.usePasswordFile }} - - name: redis-password - mountPath: /opt/bitnami/redis/secrets/ - {{- end }} - - name: redis-data - mountPath: {{ .Values.master.persistence.path }} - subPath: {{ .Values.master.persistence.subPath }} - - name: config - mountPath: /opt/bitnami/redis/mounted-etc - - name: redis-tmp-conf - mountPath: /opt/bitnami/redis/etc/ - - name: tmp - mountPath: /tmp - {{- if .Values.tls.enabled }} - - name: redis-certificates - mountPath: /opt/bitnami/redis/certs - readOnly: true - {{- end }} - {{- if .Values.master.extraVolumeMounts }} - {{- include "common.tplvalues.render" ( dict "value" .Values.master.extraVolumeMounts "context" $ ) | nindent 12 }} - {{- end }} - {{- if .Values.metrics.enabled }} - - name: metrics - image: {{ template "redis.metrics.image" . }} - imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - command: - - /bin/bash - - -c - - | - if [[ -f '/secrets/redis-password' ]]; then - export REDIS_PASSWORD=$(cat /secrets/redis-password) - fi - redis_exporter{{- range $key, $value := .Values.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }} - env: - - name: REDIS_ALIAS - value: {{ template "redis.fullname" . }} - {{- if .Values.usePassword }} - - name: REDIS_USER - value: default - {{- if (not .Values.usePasswordFile) }} - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "redis.secretName" . }} - key: {{ template "redis.secretPasswordKey" . }} - {{- end }} - {{- end }} - {{- if .Values.tls.enabled }} - - name: REDIS_ADDR - value: rediss://{{ .Values.metrics.redisTargetHost }}:{{ .Values.redisPort }} - {{- if .Values.tls.authClients }} - - name: REDIS_EXPORTER_TLS_CLIENT_KEY_FILE - value: {{ template "redis.tlsCertKey" . }} - - name: REDIS_EXPORTER_TLS_CLIENT_CERT_FILE - value: {{ template "redis.tlsCert" . }} - {{- end }} - - name: REDIS_EXPORTER_TLS_CA_CERT_FILE - value: {{ template "redis.tlsCACert" . }} - {{- end }} - volumeMounts: - {{- if .Values.usePasswordFile }} - - name: redis-password - mountPath: /secrets/ - {{- end }} - {{- if .Values.tls.enabled }} - - name: redis-certificates - mountPath: /opt/bitnami/redis/certs - readOnly: true - {{- end }} - ports: - - name: metrics - containerPort: 9121 - resources: {{- toYaml .Values.metrics.resources | nindent 12 }} - {{- end }} - {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.master.persistence.enabled .Values.securityContext.enabled .Values.containerSecurityContext.enabled }} - {{- if or $needsVolumePermissions .Values.sysctlImage.enabled }} - initContainers: - {{- if $needsVolumePermissions }} - - name: volume-permissions - image: "{{ template "redis.volumePermissions.image" . }}" - imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - command: - - /bin/bash - - -ec - - | - {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} - chown -R `id -u`:`id -G | cut -d " " -f2` {{ .Values.master.persistence.path }} - {{- else }} - chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} {{ .Values.master.persistence.path }} - {{- end }} - {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto "}} - securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} - {{- else }} - securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} - {{- end }} - resources: {{- toYaml .Values.volumePermissions.resources | nindent 10 }} - volumeMounts: - - name: redis-data - mountPath: {{ .Values.master.persistence.path }} - subPath: {{ .Values.master.persistence.subPath }} - {{- end }} - {{- if .Values.sysctlImage.enabled }} - - name: init-sysctl - image: {{ template "redis.sysctl.image" . }} - imagePullPolicy: {{ default "" .Values.sysctlImage.pullPolicy | quote }} - resources: {{- toYaml .Values.sysctlImage.resources | nindent 10 }} - {{- if .Values.sysctlImage.mountHostSys }} - volumeMounts: - - name: host-sys - mountPath: /host-sys - {{- end }} - command: {{- toYaml .Values.sysctlImage.command | nindent 10 }} - securityContext: - privileged: true - runAsUser: 0 - {{- end }} - {{- end }} - volumes: - - name: start-scripts - configMap: - name: {{ include "redis.fullname" . }}-scripts - defaultMode: 0755 - - name: health - configMap: - name: {{ template "redis.fullname" . }}-health - defaultMode: 0755 - {{- if .Values.usePasswordFile }} - - name: redis-password - secret: - secretName: {{ template "redis.secretName" . }} - items: - - key: {{ template "redis.secretPasswordKey" . }} - path: redis-password - {{- end }} - - name: config - configMap: - name: {{ template "redis.fullname" . }} - {{- if not .Values.master.persistence.enabled }} - - name: "redis-data" - emptyDir: {} - {{- else }} - {{- if .Values.persistence.existingClaim }} - - name: "redis-data" - persistentVolumeClaim: - claimName: {{ include "redis.tplValue" (dict "value" .Values.persistence.existingClaim "context" $) }} - {{- end }} - {{- if .Values.master.persistence.volumes }} - {{- toYaml .Values.master.persistence.volumes | nindent 8 }} - {{- end }} - {{- end }} - {{- if .Values.sysctlImage.mountHostSys }} - - name: host-sys - hostPath: - path: /sys - {{- end }} - - name: redis-tmp-conf - emptyDir: {} - - name: tmp - emptyDir: {} - {{- if .Values.master.extraVolumes }} - {{- include "common.tplvalues.render" ( dict "value" .Values.master.extraVolumes "context" $ ) | nindent 8 }} - {{- end }} - {{- if .Values.tls.enabled }} - - name: redis-certificates - secret: - secretName: {{ required "A secret containing the certificates for the TLS traffic is required when TLS in enabled" .Values.tls.certificatesSecret }} - defaultMode: 256 - {{- end }} - {{- if and .Values.master.persistence.enabled (not .Values.persistence.existingClaim) (not .Values.master.persistence.volumes) }} - volumeClaimTemplates: - - metadata: - name: redis-data - labels: - app: {{ template "redis.name" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - component: master - {{- if .Values.master.statefulset.volumeClaimTemplates.labels }} - {{- toYaml .Values.master.statefulset.volumeClaimTemplates.labels | nindent 10 }} - {{- end }} - {{- if .Values.master.statefulset.volumeClaimTemplates.annotations }} - annotations: - {{- toYaml .Values.master.statefulset.volumeClaimTemplates.annotations | nindent 10 }} - {{- end }} - spec: - accessModes: - {{- range .Values.master.persistence.accessModes }} - - {{ . | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.master.persistence.size | quote }} - {{ include "redis.master.storageClass" . }} - selector: - {{- if .Values.master.persistence.matchLabels }} - matchLabels: {{- toYaml .Values.master.persistence.matchLabels | nindent 12 }} - {{- end -}} - {{- if .Values.master.persistence.matchExpressions }} - matchExpressions: {{- toYaml .Values.master.persistence.matchExpressions | nindent 12 }} - {{- end -}} - {{- end }} - updateStrategy: - type: {{ .Values.master.statefulset.updateStrategy }} - {{- if .Values.master.statefulset.rollingUpdatePartition }} - {{- if (eq "Recreate" .Values.master.statefulset.updateStrategy) }} - rollingUpdate: null - {{- else }} - rollingUpdate: - partition: {{ .Values.master.statefulset.rollingUpdatePartition }} - {{- end }} - {{- end }} -{{- end }} diff --git a/stable/ckan/charts/redis/templates/redis-master-svc.yaml b/stable/ckan/charts/redis/templates/redis-master-svc.yaml deleted file mode 100644 index 8bd2f8c1..00000000 --- a/stable/ckan/charts/redis/templates/redis-master-svc.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{- if not .Values.sentinel.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "redis.fullname" . }}-master - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ template "redis.name" . }} - chart: {{ template "redis.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - {{- if .Values.master.service.labels -}} - {{- toYaml .Values.master.service.labels | nindent 4 }} - {{- end -}} -{{- if .Values.master.service.annotations }} - annotations: {{- toYaml .Values.master.service.annotations | nindent 4 }} -{{- end }} -spec: - type: {{ .Values.master.service.type }} - {{ if eq .Values.master.service.type "LoadBalancer" }} - externalTrafficPolicy: {{ .Values.master.service.externalTrafficPolicy }} - {{- end }} - {{- if and (eq .Values.master.service.type "LoadBalancer") .Values.master.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.master.service.loadBalancerIP }} - {{- end }} - {{- if and (eq .Values.master.service.type "LoadBalancer") .Values.master.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: - {{- with .Values.master.service.loadBalancerSourceRanges }} -{{- toYaml . | nindent 4 }} -{{- end }} - {{- end }} - ports: - - name: tcp-redis - port: {{ .Values.master.service.port }} - targetPort: redis - {{- if .Values.master.service.nodePort }} - nodePort: {{ .Values.master.service.nodePort }} - {{- end }} - selector: - app: {{ template "redis.name" . }} - release: {{ .Release.Name }} - role: master -{{- end }} diff --git a/stable/ckan/charts/redis/templates/redis-node-statefulset.yaml b/stable/ckan/charts/redis/templates/redis-node-statefulset.yaml deleted file mode 100644 index 9ede6417..00000000 --- a/stable/ckan/charts/redis/templates/redis-node-statefulset.yaml +++ /dev/null @@ -1,556 +0,0 @@ -{{- if and .Values.cluster.enabled .Values.sentinel.enabled }} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ template "redis.fullname" . }}-node - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ template "redis.name" . }} - chart: {{ template "redis.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - {{- if .Values.slave.statefulset.labels }} - {{- toYaml .Values.slave.statefulset.labels | nindent 4 }} - {{- end }} -{{- if .Values.slave.statefulset.annotations }} - annotations: - {{- toYaml .Values.slave.statefulset.annotations | nindent 4 }} -{{- end }} -spec: -{{- if .Values.slave.updateStrategy }} - strategy: {{- toYaml .Values.slave.updateStrategy | nindent 4 }} -{{- end }} - replicas: {{ .Values.cluster.slaveCount }} - serviceName: {{ template "redis.fullname" . }}-headless - selector: - matchLabels: - app: {{ template "redis.name" . }} - release: {{ .Release.Name }} - role: node - template: - metadata: - labels: - app: {{ template "redis.name" . }} - release: {{ .Release.Name }} - chart: {{ template "redis.chart" . }} - role: node - {{- if .Values.slave.podLabels }} - {{- toYaml .Values.slave.podLabels | nindent 8 }} - {{- end }} - {{- if and .Values.metrics.enabled .Values.metrics.podLabels }} - {{- toYaml .Values.metrics.podLabels | nindent 8 }} - {{- end }} - annotations: - checksum/health: {{ include (print $.Template.BasePath "/health-configmap.yaml") . | sha256sum }} - checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} - {{- if .Values.slave.podAnnotations }} - {{- toYaml .Values.slave.podAnnotations | nindent 8 }} - {{- end }} - {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} - {{- toYaml .Values.metrics.podAnnotations | nindent 8 }} - {{- end }} - spec: - {{- include "redis.imagePullSecrets" . | nindent 6 }} - {{- if .Values.slave.hostAliases }} - hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.slave.hostAliases "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.securityContext.enabled }} - securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }} - {{- end }} - serviceAccountName: {{ template "redis.serviceAccountName" . }} - {{- if .Values.slave.priorityClassName }} - priorityClassName: "{{ .Values.slave.priorityClassName }}" - {{- end }} - {{- if .Values.slave.nodeSelector }} - nodeSelector: {{- toYaml .Values.slave.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.slave.tolerations }} - tolerations: {{- toYaml .Values.slave.tolerations | nindent 8 }} - {{- end }} - {{- if .Values.slave.schedulerName }} - schedulerName: {{ .Values.slave.schedulerName }} - {{- end }} - {{- if .Values.master.spreadConstraints }} - topologySpreadConstraints: {{- toYaml .Values.master.spreadConstraints | nindent 8 }} - {{- end }} - {{- with .Values.slave.affinity }} - affinity: {{- tpl (toYaml .) $ | nindent 8 }} - {{- end }} - containers: - - name: {{ template "redis.name" . }} - image: {{ template "redis.image" . }} - imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - command: - - /bin/bash - - -c - - /opt/bitnami/scripts/start-scripts/start-node.sh - env: - - name: REDIS_MASTER_PORT_NUMBER - value: {{ .Values.redisPort | quote }} - {{- if .Values.usePassword }} - {{- if .Values.usePasswordFile }} - - name: REDIS_PASSWORD_FILE - value: "/opt/bitnami/redis/secrets/redis-password" - - name: REDIS_MASTER_PASSWORD_FILE - value: "/opt/bitnami/redis/secrets/redis-password" - {{- else }} - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "redis.secretName" . }} - key: {{ template "redis.secretPasswordKey" . }} - - name: REDIS_MASTER_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "redis.secretName" . }} - key: {{ template "redis.secretPasswordKey" . }} - {{- end }} - {{- else }} - - name: ALLOW_EMPTY_PASSWORD - value: "yes" - {{- end }} - - name: REDIS_TLS_ENABLED - value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} - {{- if .Values.tls.enabled }} - - name: REDIS_TLS_PORT - value: {{ .Values.redisPort | quote }} - - name: REDIS_TLS_AUTH_CLIENTS - value: {{ ternary "yes" "no" .Values.tls.authClients | quote }} - - name: REDIS_TLS_CERT_FILE - value: {{ template "redis.tlsCert" . }} - - name: REDIS_TLS_KEY_FILE - value: {{ template "redis.tlsCertKey" . }} - - name: REDIS_TLS_CA_FILE - value: {{ template "redis.tlsCACert" . }} - {{- if .Values.tls.dhParamsFilename }} - - name: REDIS_TLS_DH_PARAMS_FILE - value: {{ template "redis.tlsDHParams" . }} - {{- end }} - {{- else }} - - name: REDIS_PORT - value: {{ .Values.redisPort | quote }} - {{- end }} - - name: REDIS_DATA_DIR - value: {{ .Values.slave.persistence.path }} - {{- if .Values.sentinel.extraEnvVars }} - {{- include "redis.tplValue" (dict "value" .Values.sentinel.extraEnvVars "context" $) | nindent 12 }} - {{- end }} - {{- if or .Values.sentinel.extraEnvVarsCM .Values.sentinel.extraEnvVarsSecret }} - envFrom: - {{- if .Values.sentinel.extraEnvVarsCM }} - - configMapRef: - name: {{ .Values.sentinel.extraEnvVarsCM }} - {{- end }} - {{- if .Values.sentinel.extraEnvVarsSecret }} - - secretRef: - name: {{ .Values.sentinel.extraEnvVarsSecret }} - {{- end }} - {{- end }} - ports: - - name: redis - containerPort: {{ .Values.redisPort }} - {{- if .Values.slave.livenessProbe.enabled }} - livenessProbe: - initialDelaySeconds: {{ .Values.slave.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.slave.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.slave.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.slave.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.slave.livenessProbe.failureThreshold}} - exec: - command: - - sh - - -c - {{- if .Values.sentinel.enabled }} - - /health/ping_liveness_local.sh {{ .Values.slave.livenessProbe.timeoutSeconds }} - {{- else }} - - /health/ping_liveness_local_and_master.sh {{ .Values.slave.livenessProbe.timeoutSeconds }} - {{- end }} - {{- else if .Values.slave.customLivenessProbe }} - livenessProbe: {{- toYaml .Values.slave.customLivenessProbe | nindent 12 }} - {{- end }} - {{- if .Values.slave.readinessProbe.enabled }} - readinessProbe: - initialDelaySeconds: {{ .Values.slave.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.slave.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.slave.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.slave.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.slave.readinessProbe.failureThreshold }} - exec: - command: - - sh - - -c - {{- if .Values.sentinel.enabled }} - - /health/ping_readiness_local.sh {{ .Values.slave.livenessProbe.timeoutSeconds }} - {{- else }} - - /health/ping_readiness_local_and_master.sh {{ .Values.slave.livenessProbe.timeoutSeconds }} - {{- end }} - {{- else if .Values.slave.customReadinessProbe }} - readinessProbe: {{- toYaml .Values.slave.customReadinessProbe | nindent 12 }} - {{- end }} - resources: {{- toYaml .Values.slave.resources | nindent 12 }} - volumeMounts: - - name: start-scripts - mountPath: /opt/bitnami/scripts/start-scripts - - name: health - mountPath: /health - {{- if .Values.usePasswordFile }} - - name: redis-password - mountPath: /opt/bitnami/redis/secrets/ - {{- end }} - - name: redis-data - mountPath: {{ .Values.slave.persistence.path }} - subPath: {{ .Values.slave.persistence.subPath }} - - name: config - mountPath: /opt/bitnami/redis/mounted-etc - - name: redis-tmp-conf - mountPath: /opt/bitnami/redis/etc - - name: tmp - mountPath: /tmp - {{- if .Values.tls.enabled }} - - name: redis-certificates - mountPath: /opt/bitnami/redis/certs - readOnly: true - {{- end }} - {{- if .Values.extraVolumeMounts }} - {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $ ) | nindent 12 }} - {{- end }} - {{- if and .Values.cluster.enabled .Values.sentinel.enabled }} - - name: sentinel - image: {{ template "sentinel.image" . }} - imagePullPolicy: {{ .Values.sentinel.image.pullPolicy | quote }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - command: - - /bin/bash - - -c - - /opt/bitnami/scripts/start-scripts/start-sentinel.sh - env: - {{- if .Values.usePassword }} - {{- if .Values.usePasswordFile }} - - name: REDIS_PASSWORD_FILE - value: "/opt/bitnami/redis/secrets/redis-password" - {{- else }} - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "redis.secretName" . }} - key: {{ template "redis.secretPasswordKey" . }} - {{- end }} - {{- else }} - - name: ALLOW_EMPTY_PASSWORD - value: "yes" - {{- end }} - - name: REDIS_SENTINEL_TLS_ENABLED - value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} - {{- if .Values.tls.enabled }} - - name: REDIS_SENTINEL_TLS_PORT_NUMBER - value: {{ .Values.sentinel.port | quote }} - - name: REDIS_SENTINEL_TLS_AUTH_CLIENTS - value: {{ ternary "yes" "no" .Values.tls.authClients | quote }} - - name: REDIS_SENTINEL_TLS_CERT_FILE - value: {{ template "redis.tlsCert" . }} - - name: REDIS_SENTINEL_TLS_KEY_FILE - value: {{ template "redis.tlsCertKey" . }} - - name: REDIS_SENTINEL_TLS_CA_FILE - value: {{ template "redis.tlsCACert" . }} - {{- if .Values.tls.dhParamsFilename }} - - name: REDIS_SENTINEL_TLS_DH_PARAMS_FILE - value: {{ template "redis.dhParams" . }} - {{- end }} - {{- else }} - - name: REDIS_SENTINEL_PORT - value: {{ .Values.sentinel.port | quote }} - {{- end }} - ports: - - name: redis-sentinel - containerPort: {{ .Values.sentinel.port }} - {{- if .Values.sentinel.livenessProbe.enabled }} - livenessProbe: - initialDelaySeconds: {{ .Values.sentinel.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.sentinel.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.sentinel.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.sentinel.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.sentinel.livenessProbe.failureThreshold }} - exec: - command: - - sh - - -c - - /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }} - {{- else if .Values.sentinel.customLivenessProbe }} - livenessProbe: {{- toYaml .Values.sentinel.customLivenessProbe | nindent 12 }} - {{- end }} - {{- if .Values.sentinel.readinessProbe.enabled}} - readinessProbe: - initialDelaySeconds: {{ .Values.sentinel.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.sentinel.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.sentinel.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.sentinel.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.sentinel.readinessProbe.failureThreshold }} - exec: - command: - - sh - - -c - - /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }} - {{- else if .Values.sentinel.customReadinessProbe }} - readinessProbe: {{- toYaml .Values.sentinel.customReadinessProbe | nindent 12 }} - {{- end }} - lifecycle: - preStop: - exec: - command: - - /bin/bash - - -c - - /opt/bitnami/scripts/start-scripts/prestop-sentinel.sh - resources: {{- toYaml .Values.sentinel.resources | nindent 12 }} - volumeMounts: - - name: start-scripts - mountPath: /opt/bitnami/scripts/start-scripts - - name: health - mountPath: /health - {{- if .Values.usePasswordFile }} - - name: redis-password - mountPath: /opt/bitnami/redis/secrets/ - {{- end }} - - name: redis-data - mountPath: {{ .Values.slave.persistence.path }} - subPath: {{ .Values.slave.persistence.subPath }} - - name: config - mountPath: /opt/bitnami/redis-sentinel/mounted-etc - - name: sentinel-tmp-conf - mountPath: /opt/bitnami/redis-sentinel/etc - {{- if .Values.tls.enabled }} - - name: redis-certificates - mountPath: /opt/bitnami/redis/certs - readOnly: true - {{- end }} - {{- if .Values.sentinel.extraVolumeMounts }} - {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.extraVolumeMounts "context" $ ) | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.metrics.enabled }} - - name: metrics - image: {{ template "redis.metrics.image" . }} - imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - command: - - /bin/bash - - -c - - | - if [[ -f '/secrets/redis-password' ]]; then - export REDIS_PASSWORD=$(cat /secrets/redis-password) - fi - redis_exporter{{- range $key, $value := .Values.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }} - env: - - name: REDIS_ALIAS - value: {{ template "redis.fullname" . }} - {{- if .Values.usePassword }} - - name: REDIS_USER - value: default - {{- if (not .Values.usePasswordFile) }} - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "redis.secretName" . }} - key: {{ template "redis.secretPasswordKey" . }} - {{- end }} - {{- end }} - {{- if .Values.tls.enabled }} - - name: REDIS_ADDR - value: rediss://{{ .Values.metrics.redisTargetHost }}:{{ .Values.redisPort }} - {{- if .Values.tls.authClients }} - - name: REDIS_EXPORTER_TLS_CLIENT_KEY_FILE - value: {{ template "redis.tlsCertKey" . }} - - name: REDIS_EXPORTER_TLS_CLIENT_CERT_FILE - value: {{ template "redis.tlsCert" . }} - {{- end }} - - name: REDIS_EXPORTER_TLS_CA_CERT_FILE - value: {{ template "redis.tlsCACert" . }} - {{- end }} - volumeMounts: - {{- if .Values.usePasswordFile }} - - name: redis-password - mountPath: /secrets/ - {{- end }} - {{- if .Values.tls.enabled }} - - name: redis-certificates - mountPath: /opt/bitnami/redis/certs - readOnly: true - {{- end }} - ports: - - name: metrics - containerPort: 9121 - resources: {{- toYaml .Values.metrics.resources | nindent 12 }} - {{- end }} - {{- if .Values.sentinel.metrics.enabled }} - - name: sentinel-metrics - image: {{ include "sentinel.metrics.image" . }} - imagePullPolicy: {{ .Values.sentinel.metrics.image.pullPolicy | quote }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - command: - - redis_sentinel_exporter{{- range $key, $value := .Values.sentinel.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }} - env: - {{- if and .Values.sentinel.usePassword (and .Values.usePassword (not .Values.usePasswordFile)) }} - - name: SENTINEL_PASSWORD - valueFrom: - secretKeyRef: - name: {{ include "redis.secretName" . }} - key: {{ include "redis.secretPasswordKey" . }} - {{- end }} - {{- if and .Values.sentinel.usePassword .Values.usePassword .Values.usePasswordFile }} - - name: SENTINEL_PASSWORD_FILE - value: /secrets/redis-password - {{- end }} - volumeMounts: - {{- if and .Values.sentinel.usePassword .Values.usePassword .Values.usePasswordFile }} - - name: redis-password - mountPath: /secrets/ - {{- end }} - ports: - - name: sentinelmetrics - containerPort: 9355 - resources: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.resources "context" $) | nindent 12 }} - {{- end }} - {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.slave.persistence.enabled .Values.securityContext.enabled .Values.containerSecurityContext.enabled }} - {{- if or $needsVolumePermissions .Values.sysctlImage.enabled }} - initContainers: - {{- if $needsVolumePermissions }} - - name: volume-permissions - image: {{ template "redis.volumePermissions.image" . }} - imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - command: - - /bin/bash - - -ec - - | - {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} - chown -R `id -u`:`id -G | cut -d " " -f2` {{ .Values.slave.persistence.path }} - {{- else }} - chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} {{ .Values.slave.persistence.path }} - {{- end }} - {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto "}} - securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} - {{- else }} - securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} - {{- end }} - resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} - volumeMounts: - - name: redis-data - mountPath: {{ .Values.slave.persistence.path }} - subPath: {{ .Values.slave.persistence.subPath }} - {{- end }} - {{- if .Values.sysctlImage.enabled }} - - name: init-sysctl - image: {{ template "redis.sysctl.image" . }} - imagePullPolicy: {{ default "" .Values.sysctlImage.pullPolicy | quote }} - resources: {{- toYaml .Values.sysctlImage.resources | nindent 12 }} - {{- if .Values.sysctlImage.mountHostSys }} - volumeMounts: - - name: host-sys - mountPath: /host-sys - {{- end }} - command: {{- toYaml .Values.sysctlImage.command | nindent 12 }} - securityContext: - privileged: true - runAsUser: 0 - {{- end }} - {{- end }} - volumes: - - name: start-scripts - configMap: - name: {{ include "redis.fullname" . }}-scripts - defaultMode: 0755 - - name: health - configMap: - name: {{ template "redis.fullname" . }}-health - defaultMode: 0755 - {{- if .Values.usePasswordFile }} - - name: redis-password - secret: - secretName: {{ template "redis.secretName" . }} - items: - - key: {{ template "redis.secretPasswordKey" . }} - path: redis-password - {{- end }} - - name: config - configMap: - name: {{ template "redis.fullname" . }} - {{- if .Values.sysctlImage.mountHostSys }} - - name: host-sys - hostPath: - path: /sys - {{- end }} - - name: sentinel-tmp-conf - emptyDir: {} - - name: redis-tmp-conf - emptyDir: {} - - name: tmp - emptyDir: {} - {{- if .Values.extraVolumes }} - {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumes "context" $ ) | nindent 8 }} - {{- end }} - {{- if .Values.sentinel.extraVolumes }} - {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.extraVolumes "context" $ ) | nindent 8 }} - {{- end }} - {{- if .Values.tls.enabled }} - - name: redis-certificates - secret: - secretName: {{ required "A secret containing the certificates for the TLS traffic is required when TLS in enabled" .Values.tls.certificatesSecret }} - defaultMode: 256 - {{- end }} - {{- if not .Values.slave.persistence.enabled }} - - name: redis-data - emptyDir: {} - {{- else }} - volumeClaimTemplates: - - metadata: - name: redis-data - labels: - app: {{ template "redis.name" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - component: slave - {{- if .Values.slave.statefulset.volumeClaimTemplates }} - {{- if .Values.slave.statefulset.volumeClaimTemplates.labels }} - {{- toYaml .Values.slave.statefulset.volumeClaimTemplates.labels | nindent 10 }} - {{- end }} - {{- if .Values.slave.statefulset.volumeClaimTemplates.annotations }} - annotations: - {{- toYaml .Values.slave.statefulset.volumeClaimTemplates.annotations | nindent 10 }} - {{- end }} - {{- end }} - spec: - accessModes: - {{- range .Values.slave.persistence.accessModes }} - - {{ . | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.slave.persistence.size | quote }} - {{ include "redis.slave.storageClass" . }} - selector: - {{- if .Values.slave.persistence.matchLabels }} - matchLabels: {{- toYaml .Values.slave.persistence.matchLabels | nindent 12 }} - {{- end -}} - {{- if .Values.slave.persistence.matchExpressions }} - matchExpressions: {{- toYaml .Values.slave.persistence.matchExpressions | nindent 12 }} - {{- end -}} - {{- end }} - updateStrategy: - type: {{ .Values.slave.statefulset.updateStrategy }} - {{- if .Values.slave.statefulset.rollingUpdatePartition }} - {{- if (eq "Recreate" .Values.slave.statefulset.updateStrategy) }} - rollingUpdate: null - {{- else }} - rollingUpdate: - partition: {{ .Values.slave.statefulset.rollingUpdatePartition }} - {{- end }} - {{- end }} -{{- end }} diff --git a/stable/ckan/charts/redis/templates/redis-role.yaml b/stable/ckan/charts/redis/templates/redis-role.yaml deleted file mode 100644 index 080a7f96..00000000 --- a/stable/ckan/charts/redis/templates/redis-role.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if .Values.rbac.create -}} -apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} -kind: Role -metadata: - name: {{ template "redis.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ template "redis.name" . }} - chart: {{ template "redis.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -rules: -{{- if .Values.podSecurityPolicy.create }} - - apiGroups: ['{{ template "podSecurityPolicy.apiGroup" . }}'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: [{{ template "redis.fullname" . }}] -{{- end -}} -{{- if .Values.rbac.role.rules }} -{{- toYaml .Values.rbac.role.rules | nindent 2 }} -{{- end -}} -{{- end -}} diff --git a/stable/ckan/charts/redis/templates/redis-rolebinding.yaml b/stable/ckan/charts/redis/templates/redis-rolebinding.yaml deleted file mode 100644 index 835aa036..00000000 --- a/stable/ckan/charts/redis/templates/redis-rolebinding.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.rbac.create -}} -apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} -kind: RoleBinding -metadata: - name: {{ template "redis.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ template "redis.name" . }} - chart: {{ template "redis.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "redis.fullname" . }} -subjects: -- kind: ServiceAccount - name: {{ template "redis.serviceAccountName" . }} -{{- end -}} diff --git a/stable/ckan/charts/redis/templates/redis-serviceaccount.yaml b/stable/ckan/charts/redis/templates/redis-serviceaccount.yaml deleted file mode 100644 index 081691de..00000000 --- a/stable/ckan/charts/redis/templates/redis-serviceaccount.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "redis.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ template "redis.name" . }} - chart: {{ template "redis.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - {{- if .Values.serviceAccount.annotations }} - annotations: {{ toYaml .Values.serviceAccount.annotations | nindent 4 }} - {{- end }} -{{- end -}} diff --git a/stable/ckan/charts/redis/templates/redis-slave-statefulset.yaml b/stable/ckan/charts/redis/templates/redis-slave-statefulset.yaml deleted file mode 100644 index 778cac5c..00000000 --- a/stable/ckan/charts/redis/templates/redis-slave-statefulset.yaml +++ /dev/null @@ -1,398 +0,0 @@ -{{- if and .Values.cluster.enabled (not .Values.sentinel.enabled) }} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ template "redis.fullname" . }}-slave - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ template "redis.name" . }} - chart: {{ template "redis.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - {{- if .Values.slave.statefulset.labels }} - {{- toYaml .Values.slave.statefulset.labels | nindent 4 }} - {{- end }} -{{- if .Values.slave.statefulset.annotations }} - annotations: - {{- toYaml .Values.slave.statefulset.annotations | nindent 4 }} -{{- end }} -spec: -{{- if .Values.slave.updateStrategy }} - strategy: {{- toYaml .Values.slave.updateStrategy | nindent 4 }} -{{- end }} - replicas: {{ .Values.cluster.slaveCount }} - serviceName: {{ template "redis.fullname" . }}-headless - selector: - matchLabels: - app: {{ template "redis.name" . }} - release: {{ .Release.Name }} - role: slave - template: - metadata: - labels: - app: {{ template "redis.name" . }} - release: {{ .Release.Name }} - chart: {{ template "redis.chart" . }} - role: slave - {{- if .Values.slave.podLabels }} - {{- toYaml .Values.slave.podLabels | nindent 8 }} - {{- end }} - {{- if and .Values.metrics.enabled .Values.metrics.podLabels }} - {{- toYaml .Values.metrics.podLabels | nindent 8 }} - {{- end }} - annotations: - checksum/health: {{ include (print $.Template.BasePath "/health-configmap.yaml") . | sha256sum }} - checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} - {{- if .Values.slave.podAnnotations }} - {{- toYaml .Values.slave.podAnnotations | nindent 8 }} - {{- end }} - {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} - {{- toYaml .Values.metrics.podAnnotations | nindent 8 }} - {{- end }} - spec: - {{- include "redis.imagePullSecrets" . | nindent 6 }} - {{- if .Values.slave.hostAliases }} - hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.slave.hostAliases "context" $) | nindent 8 }} - {{- end }} - {{- if .Values.securityContext.enabled }} - securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }} - {{- end }} - serviceAccountName: {{ template "redis.serviceAccountName" . }} - {{- if .Values.slave.priorityClassName }} - priorityClassName: {{ .Values.slave.priorityClassName | quote }} - {{- end }} - {{- if .Values.slave.nodeSelector }} - nodeSelector: {{- toYaml .Values.slave.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.slave.tolerations }} - tolerations: {{- toYaml .Values.slave.tolerations | nindent 8 }} - {{- end }} - {{- if .Values.slave.shareProcessNamespace }} - shareProcessNamespace: {{ .Values.slave.shareProcessNamespace }} - {{- end }} - {{- if .Values.slave.schedulerName }} - schedulerName: {{ .Values.slave.schedulerName }} - {{- end }} - {{- if .Values.master.spreadConstraints }} - topologySpreadConstraints: {{- toYaml .Values.master.spreadConstraints | nindent 8 }} - {{- end }} - {{- with .Values.slave.affinity }} - affinity: {{- tpl (toYaml .) $ | nindent 8 }} - {{- end }} - containers: - - name: {{ template "redis.name" . }} - image: {{ template "redis.image" . }} - imagePullPolicy: {{ .Values.image.pullPolicy | quote }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - command: - - /bin/bash - - -c - - /opt/bitnami/scripts/start-scripts/start-slave.sh - env: - - name: REDIS_REPLICATION_MODE - value: slave - - name: REDIS_MASTER_HOST - value: {{ template "redis.fullname" . }}-master-0.{{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} - - name: REDIS_MASTER_PORT_NUMBER - value: {{ .Values.redisPort | quote }} - {{- if .Values.usePassword }} - {{- if .Values.usePasswordFile }} - - name: REDIS_PASSWORD_FILE - value: "/opt/bitnami/redis/secrets/redis-password" - - name: REDIS_MASTER_PASSWORD_FILE - value: "/opt/bitnami/redis/secrets/redis-password" - {{- else }} - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "redis.secretName" . }} - key: {{ template "redis.secretPasswordKey" . }} - - name: REDIS_MASTER_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "redis.secretName" . }} - key: {{ template "redis.secretPasswordKey" . }} - {{- end }} - {{- else }} - - name: ALLOW_EMPTY_PASSWORD - value: "yes" - {{- end }} - - name: REDIS_TLS_ENABLED - value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} - {{- if .Values.tls.enabled }} - - name: REDIS_TLS_PORT - value: {{ .Values.redisPort | quote }} - - name: REDIS_TLS_AUTH_CLIENTS - value: {{ ternary "yes" "no" .Values.tls.authClients | quote }} - - name: REDIS_TLS_CERT_FILE - value: {{ template "redis.tlsCert" . }} - - name: REDIS_TLS_KEY_FILE - value: {{ template "redis.tlsCertKey" . }} - - name: REDIS_TLS_CA_FILE - value: {{ template "redis.tlsCACert" . }} - {{- if .Values.tls.dhParamsFilename }} - - name: REDIS_TLS_DH_PARAMS_FILE - value: {{ template "redis.tlsDHParams" . }} - {{- end }} - {{- else }} - - name: REDIS_PORT - value: {{ .Values.redisPort | quote }} - {{- end }} - {{- if .Values.slave.extraEnvVars }} - {{- include "redis.tplValue" (dict "value" .Values.slave.extraEnvVars "context" $) | nindent 12 }} - {{- end }} - {{- if or .Values.slave.extraEnvVarsCM .Values.slave.extraEnvVarsSecret }} - envFrom: - {{- if .Values.slave.extraEnvVarsCM }} - - configMapRef: - name: {{ .Values.slave.extraEnvVarsCM }} - {{- end }} - {{- if .Values.slave.extraEnvVarsSecret }} - - secretRef: - name: {{ .Values.slave.extraEnvVarsSecret }} - {{- end }} - {{- end }} - ports: - - name: redis - containerPort: {{ .Values.redisPort }} - {{- if .Values.slave.livenessProbe.enabled }} - livenessProbe: - initialDelaySeconds: {{ .Values.slave.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.slave.livenessProbe.periodSeconds }} - timeoutSeconds: {{ add1 .Values.slave.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.slave.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.slave.livenessProbe.failureThreshold}} - exec: - command: - - sh - - -c - - /health/ping_liveness_local_and_master.sh {{ .Values.slave.livenessProbe.timeoutSeconds }} - {{- else if .Values.slave.customLivenessProbe }} - livenessProbe: {{- toYaml .Values.slave.customLivenessProbe | nindent 12 }} - {{- end }} - {{- if .Values.slave.readinessProbe.enabled }} - readinessProbe: - initialDelaySeconds: {{ .Values.slave.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.slave.readinessProbe.periodSeconds }} - timeoutSeconds: {{ add1 .Values.slave.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.slave.readinessProbe.successThreshold }} - failureThreshold: {{ .Values.slave.readinessProbe.failureThreshold }} - exec: - command: - - sh - - -c - - /health/ping_readiness_local_and_master.sh {{ .Values.slave.readinessProbe.timeoutSeconds }} - {{- else if .Values.slave.customReadinessProbe }} - readinessProbe: {{- toYaml .Values.slave.customReadinessProbe | nindent 12 }} - {{- end }} - resources: {{- toYaml .Values.slave.resources | nindent 12 }} - volumeMounts: - - name: start-scripts - mountPath: /opt/bitnami/scripts/start-scripts - - name: health - mountPath: /health - {{- if .Values.usePasswordFile }} - - name: redis-password - mountPath: /opt/bitnami/redis/secrets/ - {{- end }} - - name: redis-data - mountPath: /data - - name: config - mountPath: /opt/bitnami/redis/mounted-etc - - name: redis-tmp-conf - mountPath: /opt/bitnami/redis/etc - {{- if .Values.tls.enabled }} - - name: redis-certificates - mountPath: /opt/bitnami/redis/certs - readOnly: true - {{- end }} - {{- if .Values.slave.extraVolumeMounts }} - {{- include "common.tplvalues.render" ( dict "value" .Values.slave.extraVolumeMounts "context" $ ) | nindent 12 }} - {{- end }} - {{- if .Values.metrics.enabled }} - - name: metrics - image: {{ template "redis.metrics.image" . }} - imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} - {{- end }} - command: - - /bin/bash - - -c - - | - if [[ -f '/secrets/redis-password' ]]; then - export REDIS_PASSWORD=$(cat /secrets/redis-password) - fi - redis_exporter{{- range $key, $value := .Values.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }} - env: - - name: REDIS_ALIAS - value: {{ template "redis.fullname" . }} - {{- if .Values.usePassword }} - - name: REDIS_USER - value: default - {{- if (not .Values.usePasswordFile) }} - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "redis.secretName" . }} - key: {{ template "redis.secretPasswordKey" . }} - {{- end }} - {{- end }} - {{- if .Values.tls.enabled }} - - name: REDIS_ADDR - value: rediss://{{ .Values.metrics.redisTargetHost }}:{{ .Values.redisPort }} - {{- if .Values.tls.authClients }} - - name: REDIS_EXPORTER_TLS_CLIENT_KEY_FILE - value: {{ template "redis.tlsCertKey" . }} - - name: REDIS_EXPORTER_TLS_CLIENT_CERT_FILE - value: {{ template "redis.tlsCert" . }} - {{- end }} - - name: REDIS_EXPORTER_TLS_CA_CERT_FILE - value: {{ template "redis.tlsCACert" . }} - {{- end }} - volumeMounts: - {{- if .Values.usePasswordFile }} - - name: redis-password - mountPath: /secrets/ - {{- end }} - {{- if .Values.tls.enabled }} - - name: redis-certificates - mountPath: /opt/bitnami/redis/certs - readOnly: true - {{- end }} - ports: - - name: metrics - containerPort: 9121 - resources: {{- toYaml .Values.metrics.resources | nindent 12 }} - {{- end }} - {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.slave.persistence.enabled .Values.securityContext.enabled .Values.containerSecurityContext.enabled }} - {{- if or $needsVolumePermissions .Values.sysctlImage.enabled }} - initContainers: - {{- if $needsVolumePermissions }} - - name: volume-permissions - image: {{ template "redis.volumePermissions.image" . }} - imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} - command: - - /bin/bash - - -ec - - | - {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} - chown -R `id -u`:`id -G | cut -d " " -f2` {{ .Values.slave.persistence.path }} - {{- else }} - chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} {{ .Values.slave.persistence.path }} - {{- end }} - {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto "}} - securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} - {{- else }} - securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} - {{- end }} - resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} - volumeMounts: - - name: redis-data - mountPath: {{ .Values.slave.persistence.path }} - subPath: {{ .Values.slave.persistence.subPath }} - {{- end }} - {{- if .Values.sysctlImage.enabled }} - - name: init-sysctl - image: {{ template "redis.sysctl.image" . }} - imagePullPolicy: {{ default "" .Values.sysctlImage.pullPolicy | quote }} - resources: {{- toYaml .Values.sysctlImage.resources | nindent 12 }} - {{- if .Values.sysctlImage.mountHostSys }} - volumeMounts: - - name: host-sys - mountPath: /host-sys - {{- end }} - command: {{- toYaml .Values.sysctlImage.command | nindent 12 }} - securityContext: - privileged: true - runAsUser: 0 - {{- end }} - {{- end }} - volumes: - - name: start-scripts - configMap: - name: {{ include "redis.fullname" . }}-scripts - defaultMode: 0755 - - name: health - configMap: - name: {{ template "redis.fullname" . }}-health - defaultMode: 0755 - {{- if .Values.usePasswordFile }} - - name: redis-password - secret: - secretName: {{ template "redis.secretName" . }} - items: - - key: {{ template "redis.secretPasswordKey" . }} - path: redis-password - {{- end }} - - name: config - configMap: - name: {{ template "redis.fullname" . }} - {{- if .Values.sysctlImage.mountHostSys }} - - name: host-sys - hostPath: - path: /sys - {{- end }} - - name: redis-tmp-conf - emptyDir: {} - {{- if .Values.slave.extraVolumes }} - {{- include "common.tplvalues.render" ( dict "value" .Values.slave.extraVolumes "context" $ ) | nindent 8 }} - {{- end }} - {{- if .Values.tls.enabled }} - - name: redis-certificates - secret: - secretName: {{ required "A secret containing the certificates for the TLS traffic is required when TLS in enabled" .Values.tls.certificatesSecret }} - defaultMode: 256 - {{- end }} - {{- if not .Values.slave.persistence.enabled }} - - name: redis-data - emptyDir: {} - {{- else }} - volumeClaimTemplates: - - metadata: - name: redis-data - labels: - app: {{ template "redis.name" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - component: slave - {{- if .Values.slave.statefulset.volumeClaimTemplates }} - {{- if .Values.slave.statefulset.volumeClaimTemplates.labels }} - {{- toYaml .Values.slave.statefulset.volumeClaimTemplates.labels | nindent 10 }} - {{- end }} - {{- if .Values.slave.statefulset.volumeClaimTemplates.annotations }} - annotations: - {{- toYaml .Values.slave.statefulset.volumeClaimTemplates.annotations | nindent 10 }} - {{- end }} - {{- end }} - spec: - accessModes: - {{- range .Values.slave.persistence.accessModes }} - - {{ . | quote }} - {{- end }} - resources: - requests: - storage: {{ .Values.slave.persistence.size | quote }} - {{ include "redis.slave.storageClass" . }} - selector: - {{- if .Values.slave.persistence.matchLabels }} - matchLabels: {{- toYaml .Values.slave.persistence.matchLabels | nindent 12 }} - {{- end -}} - {{- if .Values.slave.persistence.matchExpressions }} - matchExpressions: {{- toYaml .Values.slave.persistence.matchExpressions | nindent 12 }} - {{- end -}} - {{- end }} - updateStrategy: - type: {{ .Values.slave.statefulset.updateStrategy }} - {{- if .Values.slave.statefulset.rollingUpdatePartition }} - {{- if (eq "Recreate" .Values.slave.statefulset.updateStrategy) }} - rollingUpdate: null - {{- else }} - rollingUpdate: - partition: {{ .Values.slave.statefulset.rollingUpdatePartition }} - {{- end }} - {{- end }} -{{- end }} diff --git a/stable/ckan/charts/redis/templates/redis-slave-svc.yaml b/stable/ckan/charts/redis/templates/redis-slave-svc.yaml deleted file mode 100644 index a67ebb05..00000000 --- a/stable/ckan/charts/redis/templates/redis-slave-svc.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{- if and .Values.cluster.enabled (not .Values.sentinel.enabled) }} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "redis.fullname" . }}-slave - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ template "redis.name" . }} - chart: {{ template "redis.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - {{- if .Values.slave.service.labels -}} - {{- toYaml .Values.slave.service.labels | nindent 4 }} - {{- end -}} -{{- if .Values.slave.service.annotations }} - annotations: {{- toYaml .Values.slave.service.annotations | nindent 4 }} -{{- end }} -spec: - type: {{ .Values.slave.service.type }} - {{ if eq .Values.slave.service.type "LoadBalancer" }} - externalTrafficPolicy: {{ .Values.slave.service.externalTrafficPolicy }} - {{- end }} - {{- if and (eq .Values.slave.service.type "LoadBalancer") .Values.slave.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.slave.service.loadBalancerIP }} - {{- end }} - {{- if and (eq .Values.slave.service.type "LoadBalancer") .Values.slave.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: - {{- with .Values.slave.service.loadBalancerSourceRanges }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- end }} - ports: - - name: tcp-redis - port: {{ .Values.slave.service.port }} - targetPort: redis - {{- if .Values.slave.service.nodePort }} - nodePort: {{ .Values.slave.service.nodePort }} - {{- end }} - selector: - app: {{ template "redis.name" . }} - release: {{ .Release.Name }} - role: slave -{{- end }} diff --git a/stable/ckan/charts/redis/templates/redis-with-sentinel-svc.yaml b/stable/ckan/charts/redis/templates/redis-with-sentinel-svc.yaml deleted file mode 100644 index e1c9073a..00000000 --- a/stable/ckan/charts/redis/templates/redis-with-sentinel-svc.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{- if .Values.sentinel.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "redis.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ template "redis.name" . }} - chart: {{ template "redis.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - {{- if .Values.sentinel.service.labels }} - {{- toYaml .Values.sentinel.service.labels | nindent 4 }} - {{- end }} -{{- if .Values.sentinel.service.annotations }} - annotations: {{- toYaml .Values.sentinel.service.annotations | nindent 4 }} -{{- end }} -spec: - type: {{ .Values.sentinel.service.type }} - {{ if eq .Values.sentinel.service.type "LoadBalancer" }} - externalTrafficPolicy: {{ .Values.sentinel.service.externalTrafficPolicy }} - {{- end }} - {{ if eq .Values.sentinel.service.type "LoadBalancer" -}} {{ if .Values.sentinel.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.sentinel.service.loadBalancerIP }} - {{ end -}} - {{- end -}} - ports: - - name: tcp-redis - port: {{ .Values.sentinel.service.redisPort }} - targetPort: redis - {{- if .Values.sentinel.service.redisNodePort }} - nodePort: {{ .Values.sentinel.service.redisNodePort }} - {{- end }} - - name: tcp-sentinel - port: {{ .Values.sentinel.service.sentinelPort }} - targetPort: redis-sentinel - {{- if .Values.sentinel.service.sentinelNodePort }} - nodePort: {{ .Values.sentinel.service.sentinelNodePort }} - {{- end }} - selector: - app: {{ template "redis.name" . }} - release: {{ .Release.Name }} -{{- end }} diff --git a/stable/ckan/charts/redis/templates/secret.yaml b/stable/ckan/charts/redis/templates/secret.yaml deleted file mode 100644 index 197aa189..00000000 --- a/stable/ckan/charts/redis/templates/secret.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if and .Values.usePassword (not .Values.existingSecret) -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "redis.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: - app: {{ template "redis.name" . }} - chart: {{ template "redis.chart" . }} - release: "{{ .Release.Name }}" - heritage: "{{ .Release.Service }}" -type: Opaque -data: - redis-password: {{ include "redis.password" . | b64enc | quote }} -{{- end -}} diff --git a/stable/ckan/charts/redis/values.schema.json b/stable/ckan/charts/redis/values.schema.json deleted file mode 100644 index 3188d0c9..00000000 --- a/stable/ckan/charts/redis/values.schema.json +++ /dev/null @@ -1,168 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "type": "object", - "properties": { - "usePassword": { - "type": "boolean", - "title": "Use password authentication", - "form": true - }, - "password": { - "type": "string", - "title": "Password", - "form": true, - "description": "Defaults to a random 10-character alphanumeric string if not set", - "hidden": { - "value": false, - "path": "usePassword" - } - }, - "cluster": { - "type": "object", - "title": "Cluster Settings", - "form": true, - "properties": { - "enabled": { - "type": "boolean", - "form": true, - "title": "Enable master-slave", - "description": "Enable master-slave architecture" - }, - "slaveCount": { - "type": "integer", - "title": "Slave Replicas", - "form": true, - "hidden": { - "value": false, - "path": "cluster/enabled" - } - } - } - }, - "master": { - "type": "object", - "title": "Master replicas settings", - "form": true, - "properties": { - "persistence": { - "type": "object", - "title": "Persistence for master replicas", - "form": true, - "properties": { - "enabled": { - "type": "boolean", - "form": true, - "title": "Enable persistence", - "description": "Enable persistence using Persistent Volume Claims" - }, - "size": { - "type": "string", - "title": "Persistent Volume Size", - "form": true, - "render": "slider", - "sliderMin": 1, - "sliderMax": 100, - "sliderUnit": "Gi", - "hidden": { - "value": false, - "path": "master/persistence/enabled" - } - }, - "matchLabels": { - "type": "object", - "title": "Persistent Match Labels Selector" - }, - "matchExpressions": { - "type": "object", - "title": "Persistent Match Expressions Selector" - } - } - } - } - }, - "slave": { - "type": "object", - "title": "Slave replicas settings", - "form": true, - "hidden": { - "value": false, - "path": "cluster/enabled" - }, - "properties": { - "persistence": { - "type": "object", - "title": "Persistence for slave replicas", - "form": true, - "properties": { - "enabled": { - "type": "boolean", - "form": true, - "title": "Enable persistence", - "description": "Enable persistence using Persistent Volume Claims" - }, - "size": { - "type": "string", - "title": "Persistent Volume Size", - "form": true, - "render": "slider", - "sliderMin": 1, - "sliderMax": 100, - "sliderUnit": "Gi", - "hidden": { - "value": false, - "path": "slave/persistence/enabled" - } - }, - "matchLabels": { - "type": "object", - "title": "Persistent Match Labels Selector" - }, - "matchExpressions": { - "type": "object", - "title": "Persistent Match Expressions Selector" - } - } - } - } - }, - "volumePermissions": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "form": true, - "title": "Enable Init Containers", - "description": "Use an init container to set required folder permissions on the data volume before mounting it in the final destination" - } - } - }, - "metrics": { - "type": "object", - "form": true, - "title": "Prometheus metrics details", - "properties": { - "enabled": { - "type": "boolean", - "title": "Create Prometheus metrics exporter", - "description": "Create a side-car container to expose Prometheus metrics", - "form": true - }, - "serviceMonitor": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "title": "Create Prometheus Operator ServiceMonitor", - "description": "Create a ServiceMonitor to track metrics using Prometheus Operator", - "form": true, - "hidden": { - "value": false, - "path": "metrics/enabled" - } - } - } - } - } - } - } -} diff --git a/stable/ckan/charts/redis/values.yaml b/stable/ckan/charts/redis/values.yaml deleted file mode 100644 index 64e90821..00000000 --- a/stable/ckan/charts/redis/values.yaml +++ /dev/null @@ -1,1008 +0,0 @@ -## Global Docker image parameters -## Please, note that this will override the image parameters, including dependencies, configured to use the global value -## Current available global Docker image parameters: imageRegistry and imagePullSecrets -## -global: - # imageRegistry: myRegistryName - # imagePullSecrets: - # - myRegistryKeySecretName - # storageClass: myStorageClass - redis: {} - -## Bitnami Redis(TM) image version -## ref: https://hub.docker.com/r/bitnami/redis/tags/ -## -image: - registry: docker.io - repository: bitnami/redis - ## Bitnami Redis(TM) image tag - ## ref: https://github.com/bitnami/bitnami-docker-redis#supported-tags-and-respective-dockerfile-links - ## - tag: 6.0.12-debian-10-r33 - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - -## String to partially override redis.fullname template (will maintain the release name) -## -# nameOverride: - -## String to fully override redis.fullname template -## -# fullnameOverride: - -## Cluster settings -## -cluster: - enabled: true - slaveCount: 2 - -## Use redis sentinel in the redis pod. This will disable the master and slave services and -## create one redis service with ports to the sentinel and the redis instances -## -sentinel: - enabled: false - ## Require password authentication on the sentinel itself - ## ref: https://redis.io/topics/sentinel - ## - usePassword: true - ## Bitnami Redis(TM) Sentintel image version - ## ref: https://hub.docker.com/r/bitnami/redis-sentinel/tags/ - ## - image: - registry: docker.io - repository: bitnami/redis-sentinel - ## Bitnami Redis(TM) image tag - ## ref: https://github.com/bitnami/bitnami-docker-redis-sentinel#supported-tags-and-respective-dockerfile-links - ## - tag: 6.0.12-debian-10-r24 - ## Specify a imagePullPolicy - ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - masterSet: mymaster - initialCheckTimeout: 5 - quorum: 2 - downAfterMilliseconds: 20000 - failoverTimeout: 18000 - parallelSyncs: 1 - port: 26379 - - ## Delay seconds when cleaning nodes IPs - ## When starting it will clean the sentinels IP (RESET "*") in all the nodes - ## This is the delay time before sending the command to the next node - ## - cleanDelaySeconds: 5 - - ## Additional Redis(TM) configuration for the sentinel nodes - ## ref: https://redis.io/topics/config - ## - configmap: - ## Enable or disable static sentinel IDs for each replicas - ## If disabled each sentinel will generate a random id at startup - ## If enabled, each replicas will have a constant ID on each start-up - ## - staticID: false - ## Configure extra options for Redis(TM) Sentinel liveness and readiness probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) - ## - livenessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 5 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 5 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 5 - customLivenessProbe: {} - customReadinessProbe: {} - ## Redis(TM) Sentinel resource requests and limits - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - ## Redis(TM) Sentinel Service properties - ## - service: - ## Redis(TM) Sentinel Service type - ## - type: ClusterIP - sentinelPort: 26379 - redisPort: 6379 - - ## External traffic policy (when service type is LoadBalancer) - ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - - ## Specify the nodePort value for the LoadBalancer and NodePort service types. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - # sentinelNodePort: - # redisNodePort: - - ## Provide any additional annotations which may be required. This can be used to - ## set the LoadBalancer service type to internal only. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - annotations: {} - labels: {} - loadBalancerIP: - - ## Additional commands to run prior to starting Redis(TM) node with sentinel - ## - preExecCmds: "" - - ## An array to add extra env var to the sentinel node configurations - ## For example: - ## extraEnvVars: - ## - name: name - ## value: value - ## - name: other_name - ## valueFrom: - ## fieldRef: - ## fieldPath: fieldPath - ## - extraEnvVars: [] - - ## ConfigMap with extra env vars: - ## - extraEnvVarsCM: [] - - ## Secret with extra env vars: - ## - extraEnvVarsSecret: [] - - ## Prometheus Exporter / Metrics for Redis Sentinel Exporter - ## - metrics: - enabled: false - - ## Bitnami Redis Sentinel Exporter image - ## ref: https://hub.docker.com/r/bitnami/redis-sentinel-exporter/tags/ - ## - image: - registry: docker.io - repository: bitnami/redis-sentinel-exporter - tag: 1.7.1-debian-10-r105 - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - - ## Sentinel metrics exporter resource requests and limits - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ - ## - resources: - ## We usually recommend not to specify default resources and to leave this as a conscious - ## choice for the user. This also increases chances charts run on environments with little - ## resources, such as Minikube. If you do want to specify resources, uncomment the following - ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. - ## e.g: - ## limits: - ## cpu: 500m - ## memory: 1Gi - ## - limits: {} - requests: {} - - ## Extra arguments for Sentinel metrics exporter, for example: - ## extraArgs: - ## check-keys: myKey,myOtherKey - # extraArgs: {} - - ## Enable this if you're using https://github.com/coreos/prometheus-operator - ## - serviceMonitor: - enabled: false - ## Specify a namespace if needed - # namespace: monitoring - # fallback to the prometheus default unless specified - # interval: 10s - ## Defaults to what's used if you follow CoreOS [Prometheus Install Instructions](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#tldr) - ## [Prometheus Selector Label](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-operator-1) - ## [Kube Prometheus Selector Label](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#exporters) - ## - selector: - prometheus: kube-prometheus - - service: - type: ClusterIP - - ## Metrics port - ## - port: 9355 - ## External traffic policy (when service type is LoadBalancer) - ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - - ## Use serviceLoadBalancerIP to request a specific static IP, otherwise leave blank - ## - # loadBalancerIP: - annotations: {} - labels: {} - -## Specifies the Kubernetes Cluster's Domain Name. -## -clusterDomain: cluster.local - -networkPolicy: - ## Specifies whether a NetworkPolicy should be created - ## - enabled: false - - ## The Policy model to apply. When set to false, only pods with the correct - ## client label will have network access to the port Redis(TM) is listening - ## on. When true, Redis(TM) will accept connections from any source - ## (with the correct destination port). - ## - # allowExternal: true - - ## Allow connections from other namespaces. Just set label for namespace and set label for pods (optional). - ## - ingressNSMatchLabels: {} - ingressNSPodMatchLabels: {} - -serviceAccount: - ## Specifies whether a ServiceAccount should be created - ## - create: false - ## The name of the ServiceAccount to use. - ## If not set and create is true, a name is generated using the fullname template - ## - name: - ## Add annotations to service account - # annotations: - # iam.gke.io/gcp-service-account: "sa@project.iam.gserviceaccount.com" - -rbac: - ## Specifies whether RBAC resources should be created - ## - create: false - - role: - ## Rules to create. It follows the role specification - # rules: - # - apiGroups: - # - extensions - # resources: - # - podsecuritypolicies - # verbs: - # - use - # resourceNames: - # - gce.unprivileged - rules: [] - -## Redis(TM) pod Security Context -## -securityContext: - enabled: true - fsGroup: 1001 - ## sysctl settings for master and slave pods - ## - ## Uncomment the setting below to increase the net.core.somaxconn value - ## - # sysctls: - # - name: net.core.somaxconn - # value: "10000" - -## Container Security Context -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -## -containerSecurityContext: - enabled: true - runAsUser: 1001 - -## Use password authentication -## -usePassword: true -## Redis(TM) password (both master and slave) -## Defaults to a random 10-character alphanumeric string if not set and usePassword is true -## ref: https://github.com/bitnami/bitnami-docker-redis#setting-the-server-password-on-first-run -## -password: "" -## Use existing secret (ignores previous password) -# existingSecret: -## Password key to be retrieved from Redis(TM) secret -## -# existingSecretPasswordKey: - -## Mount secrets as files instead of environment variables -## -usePasswordFile: false - -## Persist data to a persistent volume (Redis(TM) Master) -## -persistence: - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - ## - existingClaim: - -# Redis(TM) port -redisPort: 6379 - -## -## TLS configuration -## -tls: - # Enable TLS traffic - enabled: false - # - # Whether to require clients to authenticate or not. - authClients: true - # - # Name of the Secret that contains the certificates - certificatesSecret: - # - # Certificate filename - certFilename: - # - # Certificate Key filename - certKeyFilename: - # - # CA Certificate filename - certCAFilename: - # - # File containing DH params (in order to support DH based ciphers) - # dhParamsFilename: - -## -## Redis(TM) Master parameters -## -master: - ## Redis(TM) command arguments - ## - ## Can be used to specify command line arguments, for example: - ## Note `exec` is prepended to command - ## - command: "/run.sh" - ## Additional commands to run prior to starting Redis(TM) - ## - preExecCmds: "" - ## Additional Redis(TM) configuration for the master nodes - ## ref: https://redis.io/topics/config - ## - configmap: - ## Deployment pod host aliases - ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - ## - hostAliases: [] - ## Redis(TM) additional command line flags - ## - ## Can be used to specify command line flags, for example: - ## extraFlags: - ## - "--maxmemory-policy volatile-ttl" - ## - "--repl-backlog-size 1024mb" - ## - extraFlags: [] - ## Comma-separated list of Redis(TM) commands to disable - ## - ## Can be used to disable Redis(TM) commands for security reasons. - ## Commands will be completely disabled by renaming each to an empty string. - ## ref: https://redis.io/topics/security#disabling-of-specific-commands - ## - disableCommands: - - FLUSHDB - - FLUSHALL - - ## Redis(TM) Master additional pod labels and annotations - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - ## - podLabels: {} - podAnnotations: {} - - ## Redis(TM) Master resource requests and limits - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - ## Use an alternate scheduler, e.g. "stork". - ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ - ## - # schedulerName: - - # Enable shared process namespace in a pod. - # If set to false (default), each container will run in separate namespace, redis will have PID=1. - # If set to true, the /pause will run as init process and will reap any zombie PIDs, - # for example, generated by a custom exec probe running longer than a probe timeoutSeconds. - # Enable this only if customLivenessProbe or customReadinessProbe is used and zombie PIDs are accumulating. - # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ - shareProcessNamespace: false - ## Configure extra options for Redis(TM) Master liveness and readiness probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) - ## - livenessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 5 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 5 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 5 - - ## Configure custom probes for images other images like - ## rhscl/redis-32-rhel7 rhscl/redis-5-rhel7 - ## Only used if readinessProbe.enabled: false / livenessProbe.enabled: false - ## - # customLivenessProbe: - # tcpSocket: - # port: 6379 - # initialDelaySeconds: 10 - # periodSeconds: 5 - # customReadinessProbe: - # initialDelaySeconds: 30 - # periodSeconds: 10 - # timeoutSeconds: 5 - # exec: - # command: - # - "container-entrypoint" - # - "bash" - # - "-c" - # - "redis-cli set liveness-probe \"`date`\" | grep OK" - customLivenessProbe: {} - customReadinessProbe: {} - - ## Redis(TM) Master Node selectors and tolerations for pod assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature - ## - # nodeSelector: {"beta.kubernetes.io/arch": "amd64"} - # tolerations: [] - ## Redis(TM) Master pod/node affinity/anti-affinity - ## - affinity: {} - - ## Redis(TM) Master Service properties - ## - service: - ## Redis(TM) Master Service type - ## - type: ClusterIP - port: 6379 - - ## External traffic policy (when service type is LoadBalancer) - ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - - ## Specify the nodePort value for the LoadBalancer and NodePort service types. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - # nodePort: - - ## Provide any additional annotations which may be required. This can be used to - ## set the LoadBalancer service type to internal only. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - annotations: {} - labels: {} - loadBalancerIP: - # loadBalancerSourceRanges: ["10.0.0.0/8"] - - ## Enable persistence using Persistent Volume Claims - ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ - ## - persistence: - enabled: true - ## The path the volume will be mounted at, useful when using different - ## Redis(TM) images. - ## - path: /data - ## The subdirectory of the volume to mount to, useful in dev environments - ## and one PV for multiple services. - ## - subPath: "" - ## redis data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - accessModes: - - ReadWriteOnce - size: 8Gi - ## Persistent Volume selectors - ## https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector - ## - matchLabels: {} - matchExpressions: {} - volumes: - # - name: volume_name - # emptyDir: {} - - ## Update strategy, can be set to RollingUpdate or onDelete by default. - ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets - ## - statefulset: - labels: {} - annotations: {} - updateStrategy: RollingUpdate - ## Partition update strategy - ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions - # rollingUpdatePartition: - volumeClaimTemplates: - labels: {} - annotations: {} - - ## Redis(TM) Master pod priorityClassName - ## - priorityClassName: null - - ## An array to add extra env vars - ## For example: - ## extraEnvVars: - ## - name: name - ## value: value - ## - name: other_name - ## valueFrom: - ## fieldRef: - ## fieldPath: fieldPath - ## - extraEnvVars: [] - - ## ConfigMap with extra env vars: - ## - extraEnvVarsCM: [] - - ## Secret with extra env vars: - ## - extraEnvVarsSecret: [] - -## -## Redis(TM) Slave properties -## Note: service.type is a mandatory parameter -## The rest of the parameters are either optional or, if undefined, will inherit those declared in Redis(TM) Master -## -slave: - ## Slave Service properties - ## - service: - ## Redis(TM) Slave Service type - ## - type: ClusterIP - ## Redis(TM) port - ## - port: 6379 - - ## External traffic policy (when service type is LoadBalancer) - ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - - ## Specify the nodePort value for the LoadBalancer and NodePort service types. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - # nodePort: - - ## Provide any additional annotations which may be required. This can be used to - ## set the LoadBalancer service type to internal only. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - annotations: {} - labels: {} - loadBalancerIP: - # loadBalancerSourceRanges: ["10.0.0.0/8"] - - ## Redis(TM) slave port - ## - port: 6379 - ## Deployment pod host aliases - ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - ## - hostAliases: [] - ## Can be used to specify command line arguments, for example: - ## Note `exec` is prepended to command - ## - command: "/run.sh" - ## Additional commands to run prior to starting Redis(TM) - ## - preExecCmds: "" - ## Additional Redis(TM) configuration for the slave nodes - ## ref: https://redis.io/topics/config - ## - configmap: - ## Redis(TM) extra flags - ## - extraFlags: [] - ## List of Redis(TM) commands to disable - ## - disableCommands: - - FLUSHDB - - FLUSHALL - - ## Redis(TM) Slave pod/node affinity/anti-affinity - ## - affinity: {} - - ## Kubernetes Spread Constraints for pod assignment - ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - ## - # - maxSkew: 1 - # topologyKey: node - # whenUnsatisfiable: DoNotSchedule - spreadConstraints: {} - - # Enable shared process namespace in a pod. - # If set to false (default), each container will run in separate namespace, redis will have PID=1. - # If set to true, the /pause will run as init process and will reap any zombie PIDs, - # for example, generated by a custom exec probe running longer than a probe timeoutSeconds. - # Enable this only if customLivenessProbe or customReadinessProbe is used and zombie PIDs are accumulating. - # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ - shareProcessNamespace: false - ## Configure extra options for Redis(TM) Slave liveness and readiness probes - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) - ## - livenessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - readinessProbe: - enabled: true - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 5 - - ## Configure custom probes for images other images like - ## rhscl/redis-32-rhel7 rhscl/redis-5-rhel7 - ## Only used if readinessProbe.enabled: false / livenessProbe.enabled: false - ## - # customLivenessProbe: - # tcpSocket: - # port: 6379 - # initialDelaySeconds: 10 - # periodSeconds: 5 - # customReadinessProbe: - # initialDelaySeconds: 30 - # periodSeconds: 10 - # timeoutSeconds: 5 - # exec: - # command: - # - "container-entrypoint" - # - "bash" - # - "-c" - # - "redis-cli set liveness-probe \"`date`\" | grep OK" - customLivenessProbe: {} - customReadinessProbe: {} - - ## Redis(TM) slave Resource - # resources: - # requests: - # memory: 256Mi - # cpu: 100m - - ## Redis(TM) slave selectors and tolerations for pod assignment - # nodeSelector: {"beta.kubernetes.io/arch": "amd64"} - # tolerations: [] - - ## Use an alternate scheduler, e.g. "stork". - ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ - ## - # schedulerName: - - ## Redis(TM) slave pod Annotation and Labels - ## - podLabels: {} - podAnnotations: {} - - ## Redis(TM) slave pod priorityClassName - priorityClassName: null - - ## Enable persistence using Persistent Volume Claims - ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ - ## - persistence: - enabled: true - ## The path the volume will be mounted at, useful when using different - ## Redis(TM) images. - ## - path: /data - ## The subdirectory of the volume to mount to, useful in dev environments - ## and one PV for multiple services. - ## - subPath: "" - ## redis data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - accessModes: - - ReadWriteOnce - size: 8Gi - ## Persistent Volume selectors - ## https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector - ## - matchLabels: {} - matchExpressions: {} - - ## Update strategy, can be set to RollingUpdate or onDelete by default. - ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets - ## - statefulset: - labels: {} - annotations: {} - updateStrategy: RollingUpdate - ## Partition update strategy - ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions - # rollingUpdatePartition: - volumeClaimTemplates: - labels: {} - annotations: {} - - ## An array to add extra env vars - ## For example: - ## extraEnvVars: - ## - name: name - ## value: value - ## - name: other_name - ## valueFrom: - ## fieldRef: - ## fieldPath: fieldPath - ## - extraEnvVars: [] - - ## ConfigMap with extra env vars: - ## - extraEnvVarsCM: [] - - ## Secret with extra env vars: - ## - extraEnvVarsSecret: [] - -## Prometheus Exporter / Metrics -## -metrics: - enabled: false - - image: - registry: docker.io - repository: bitnami/redis-exporter - tag: 1.20.0-debian-10-r12 - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - - # A way to specify an alternative redis hostname, if you set a local endpoint in hostAliases for example - # Useful for certificate CN/SAN matching - redisTargetHost: "localhost" - - ## Metrics exporter resource requests and limits - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ - ## - # resources: {} - - ## Extra arguments for Metrics exporter, for example: - ## extraArgs: - ## check-keys: myKey,myOtherKey - # extraArgs: {} - - ## Metrics exporter pod Annotation and Labels - ## - podAnnotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9121" - # podLabels: {} - - # Enable this if you're using https://github.com/coreos/prometheus-operator - serviceMonitor: - enabled: false - ## Specify a namespace if needed - # namespace: monitoring - # fallback to the prometheus default unless specified - # interval: 10s - ## Defaults to what's used if you follow CoreOS [Prometheus Install Instructions](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#tldr) - ## [Prometheus Selector Label](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-operator-1) - ## [Kube Prometheus Selector Label](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#exporters) - ## - selector: - prometheus: kube-prometheus - - ## RelabelConfigs to apply to samples before scraping - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig - ## Value is evalued as a template - ## - relabelings: [] - - ## MetricRelabelConfigs to apply to samples before ingestion - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig - ## Value is evalued as a template - ## - metricRelabelings: [] - # - sourceLabels: - # - "__name__" - # targetLabel: "__name__" - # action: replace - # regex: '(.*)' - # replacement: 'example_prefix_$1' - - ## Custom PrometheusRule to be defined - ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart - ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions - ## - prometheusRule: - enabled: false - additionalLabels: {} - namespace: "" - ## Redis(TM) prometheus rules - ## These are just examples rules, please adapt them to your needs. - ## Make sure to constraint the rules to the current redis service. - # rules: - # - alert: RedisDown - # expr: redis_up{service="{{ template "redis.fullname" . }}-metrics"} == 0 - # for: 2m - # labels: - # severity: error - # annotations: - # summary: Redis(TM) instance {{ "{{ $labels.instance }}" }} down - # description: Redis(TM) instance {{ "{{ $labels.instance }}" }} is down - # - alert: RedisMemoryHigh - # expr: > - # redis_memory_used_bytes{service="{{ template "redis.fullname" . }}-metrics"} * 100 - # / - # redis_memory_max_bytes{service="{{ template "redis.fullname" . }}-metrics"} - # > 90 - # for: 2m - # labels: - # severity: error - # annotations: - # summary: Redis(TM) instance {{ "{{ $labels.instance }}" }} is using too much memory - # description: | - # Redis(TM) instance {{ "{{ $labels.instance }}" }} is using {{ "{{ $value }}" }}% of its available memory. - # - alert: RedisKeyEviction - # expr: | - # increase(redis_evicted_keys_total{service="{{ template "redis.fullname" . }}-metrics"}[5m]) > 0 - # for: 1s - # labels: - # severity: error - # annotations: - # summary: Redis(TM) instance {{ "{{ $labels.instance }}" }} has evicted keys - # description: | - # Redis(TM) instance {{ "{{ $labels.instance }}" }} has evicted {{ "{{ $value }}" }} keys in the last 5 minutes. - rules: [] - - ## Metrics exporter pod priorityClassName - priorityClassName: null - service: - type: ClusterIP - - ## External traffic policy (when service type is LoadBalancer) - ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - - ## Use serviceLoadBalancerIP to request a specific static IP, - ## otherwise leave blank - # loadBalancerIP: - annotations: {} - labels: {} - -## -## Init containers parameters: -## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup -## -volumePermissions: - enabled: false - image: - registry: docker.io - repository: bitnami/bitnami-shell - tag: "10" - pullPolicy: Always - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - resources: {} - # resources: - # requests: - # memory: 128Mi - # cpu: 100m - - ## Init container Security Context - ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser - ## and not the below volumePermissions.securityContext.runAsUser - ## When runAsUser is set to special value "auto", init container will try to chwon the - ## data folder to autodetermined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` - ## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed). - ## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with - ## podSecurityContext.enabled=false,containerSecurityContext.enabled=false - ## - securityContext: - runAsUser: 0 - -## Redis(TM) config file -## ref: https://redis.io/topics/config -## -configmap: |- - # Enable AOF https://redis.io/topics/persistence#append-only-file - appendonly yes - # Disable RDB persistence, AOF persistence already enabled. - save "" - -## Sysctl InitContainer -## used to perform sysctl operation to modify Kernel settings (needed sometimes to avoid warnings) -## -sysctlImage: - enabled: false - command: [] - registry: docker.io - repository: bitnami/bitnami-shell - tag: "10" - pullPolicy: Always - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistryKeySecretName - mountHostSys: false - resources: {} - # resources: - # requests: - # memory: 128Mi - # cpu: 100m - -## PodSecurityPolicy configuration -## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ -## -podSecurityPolicy: - ## Specifies whether a PodSecurityPolicy should be created - ## - create: false - -## Define a disruption budget -## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ -## -podDisruptionBudget: - enabled: false - minAvailable: 1 - # maxUnavailable: 1 diff --git a/stable/ckan/charts/solr/Chart.lock b/stable/ckan/charts/solr/Chart.lock deleted file mode 100644 index 9e56d841..00000000 --- a/stable/ckan/charts/solr/Chart.lock +++ /dev/null @@ -1,6 +0,0 @@ -dependencies: -- name: zookeeper - repository: https://charts.helm.sh/incubator - version: 2.1.3 -digest: sha256:498b0ec127bdf20a5317703b58257b7d979ac212b0bfdf4f055a32695895d768 -generated: "2021-06-08T10:17:32.289525-04:00" diff --git a/stable/ckan/charts/solr/Chart.yaml b/stable/ckan/charts/solr/Chart.yaml deleted file mode 100644 index a87911b1..00000000 --- a/stable/ckan/charts/solr/Chart.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v2 -appVersion: 8.11.1 -dependencies: -- name: zookeeper - repository: https://charts.helm.sh/incubator - version: 2.1.3 -description: A helm chart to install Apache Solr -home: http://lucene.apache.org/solr/ -keywords: -- solr -name: solr -sources: -- https://gitbox.apache.org/repos/asf?p=lucene-solr.git -version: 1.5.8 diff --git a/stable/ckan/charts/solr/README.md b/stable/ckan/charts/solr/README.md deleted file mode 100644 index 388641ef..00000000 --- a/stable/ckan/charts/solr/README.md +++ /dev/null @@ -1,72 +0,0 @@ -# Solr Helm Chart - -> NOTE: This chart was extended from hhttps://github.com/helm/charts/tree/master/incubator/solr. - -This helm chart installs a Solr cluster and its required Zookeeper cluster into a running kubernetes cluster. - -The chart installs the Solr docker image from: https://hub.docker.com/_/solr/ - -## Dependencies - -- The zookeeper incubator helm chart -- Tested on kubernetes 1.10+ - -## Configuration Options - -The following table shows the configuration options for the Solr helm chart: - -| Parameter | Description | Default Value | -|-----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------| -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | -| `port` | The port that Solr will listen on | `8983` | -| `replicaCount` | The number of replicas in the Solr statefulset | `3` | -| `javaMem` | JVM memory settings to pass to Solr | `-Xms2g -Xmx3g` | -| `resources` | Resource limits and requests to set on the solr pods | `{}` | -| `extraEnvVars` | Additional environment variables to set on the solr pods (in yaml syntax) | `[]` | -| `initScript` | The file name of the custom script to be run before starting Solr | `""` | -| `terminationGracePeriodSeconds` | The termination grace period of the Solr pods | `180` | -| `image.repository` | The repository to pull the docker image from | `solr` | -| `image.tag` | The tag on the repository to pull | `7.7.2` | -| `image.pullPolicy` | Solr pod pullPolicy | `IfNotPresent` | -| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | -| `livenessProbe.initialDelaySeconds` | Initial Delay for Solr pod liveness probe | `20` | -| `livenessProbe.periodSeconds` | Poll rate for liveness probe | `10` | -| `readinessProbe.initialDelaySeconds` | Initial Delay for Solr pod readiness probe | `15` | -| `readinessProbe.periodSeconds` | Poll rate for readiness probe | `5` | -| `podAnnotations` | Annotations to be applied to the solr pods | `{}` | -| `affinity` | Affinity policy to be applied to the Solr pods | `{}` | -| `tolerations` | Tolerations to be applied to the Solr pods | `[]` | -| `updateStrategy` | The update strategy of the solr pods | `{}` | -| `logLevel` | The log level of the solr pods | `INFO` | -| `podDisruptionBudget` | The pod disruption budget for the Solr statefulset | `{"maxUnavailable": 1}` | -| `schedulerName` | The name of the k8s scheduler (other than default) | ` nil` | -| `volumeClaimTemplates.storageClassName` | The name of the storage class for the Solr PVC | `` | -| `volumeClaimTemplates.storageSize` | The size of the PVC | `20Gi` | -| `volumeClaimTemplates.accessModes` | The access mode of the PVC | `[ "ReadWriteOnce" ]` | -| `tls.enabled` | Whether to enable TLS, requires `tls.certSecret.name` to be set to a secret containing cert details, see README for details | `false` | -| `tls.wantClientAuth` | Whether Solr wants client authentication | `false` | -| `tls.needClientAuth` | Whether Solr requires client authentication | `false` | -| `tls.keystorePassword` | Password for the tls java keystore | `changeit` | -| `tls.importKubernetesCA` | Whether to import the kubernetes CA into the Solr truststore | `false` | -| `tls.checkPeerName` | Whether Solr checks the name in the TLS certs | `false` | -| `tls.caSecret.name` | The name of the Kubernetes secret containing the ca bunble to import into the truststore | `` | -| `tls.caSecret.bundlePath` | The key in the Kubernetes secret that contains the CA bundle | `` | -| `tls.certSecret.name` | The name of the Kubernetes secret that contains the TLS certificate and private key | `` | -| `tls.certSecret.keyPath` | The key in the Kubernetes secret that contains the private key | `tls.key` | -| `tls.certSecret.certPath` | The key in the Kubernetes secret that contains the TLS certificate | `tls.crt` | -| `service.type` | The type of service for the solr client service | `ClusterIP` | -| `service.annotations` | Annotations to apply to the solr client service | `{}` | -| `exporter.enabled` | Whether to enable the Solr Prometheus exporter | `false` | -| `exporter.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | -| `exporter.configFile` | The path in the docker image that the exporter loads the config from | `/opt/solr/contrib/prometheus-exporter/conf/solr-exporter-config.xml` | -| `exporter.updateStrategy` | Update strategy for the exporter deployment | `{}` | -| `exporter.podAnnotations` | Annotations to set on the exporter pods | `{}` -| `exporter.resources` | Resource limits to set on the exporter pods | `{}` | -| `exporter.port` | The port that the exporter runs on | `9983` | -| `exporter.threads` | The number of query threads that the exporter runs | `7` | -| `exporter.livenessProbe.initialDelaySeconds` | Initial Delay for the exporter pod liveness| `20` | -| `exporter.livenessProbe.periodSeconds` | Poll rate for liveness probe | `10` | -| `exporter.readinessProbe.initialDelaySeconds` | Initial Delay for the exporter pod readiness | `15` | -| `exporter.readinessProbe.periodSeconds` | Poll rate for readiness probe | `5` | -| `exporter.service.type` | The type of the exporter service | `ClusterIP` | -| `exporter.service.annotations` | Annotations to apply to the exporter service | `{}` | diff --git a/stable/ckan/charts/solr/charts/zookeeper/.helmignore b/stable/ckan/charts/solr/charts/zookeeper/.helmignore deleted file mode 100644 index f0c13194..00000000 --- a/stable/ckan/charts/solr/charts/zookeeper/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/stable/ckan/charts/solr/charts/zookeeper/Chart.yaml b/stable/ckan/charts/solr/charts/zookeeper/Chart.yaml deleted file mode 100644 index e82642a5..00000000 --- a/stable/ckan/charts/solr/charts/zookeeper/Chart.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -appVersion: 3.5.5 -description: Centralized service for maintaining configuration information, naming, - providing distributed synchronization, and providing group services. -home: https://zookeeper.apache.org/ -icon: https://zookeeper.apache.org/images/zookeeper_small.gif -kubeVersion: ^1.10.0-0 -maintainers: -- email: lachlan.evenson@microsoft.com - name: lachie83 -- email: owensk@google.com - name: kow3ns -name: zookeeper -sources: -- https://github.com/apache/zookeeper -- https://github.com/kubernetes/contrib/tree/master/statefulsets/zookeeper -version: 2.1.3 diff --git a/stable/ckan/charts/solr/charts/zookeeper/OWNERS b/stable/ckan/charts/solr/charts/zookeeper/OWNERS deleted file mode 100644 index dd9facde..00000000 --- a/stable/ckan/charts/solr/charts/zookeeper/OWNERS +++ /dev/null @@ -1,6 +0,0 @@ -approvers: -- lachie83 -- kow3ns -reviewers: -- lachie83 -- kow3ns diff --git a/stable/ckan/charts/solr/charts/zookeeper/README.md b/stable/ckan/charts/solr/charts/zookeeper/README.md deleted file mode 100644 index c0f060ef..00000000 --- a/stable/ckan/charts/solr/charts/zookeeper/README.md +++ /dev/null @@ -1,145 +0,0 @@ -# incubator/zookeeper - -This helm chart provides an implementation of the ZooKeeper [StatefulSet](http://kubernetes.io/docs/concepts/abstractions/controllers/statefulsets/) found in Kubernetes Contrib [Zookeeper StatefulSet](https://github.com/kubernetes/contrib/tree/master/statefulsets/zookeeper). - -## Prerequisites -* Kubernetes 1.10+ -* PersistentVolume support on the underlying infrastructure -* A dynamic provisioner for the PersistentVolumes -* A familiarity with [Apache ZooKeeper 3.5.x](https://zookeeper.apache.org/doc/r3.5.5/) - -## Chart Components -This chart will do the following: - -* Create a fixed size ZooKeeper ensemble using a [StatefulSet](http://kubernetes.io/docs/concepts/abstractions/controllers/statefulsets/). -* Create a [PodDisruptionBudget](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-disruption-budget/) so kubectl drain will respect the Quorum size of the ensemble. -* Create a [Headless Service](https://kubernetes.io/docs/concepts/services-networking/service/) to control the domain of the ZooKeeper ensemble. -* Create a Service configured to connect to the available ZooKeeper instance on the configured client port. -* Optionally apply a [Pod Anti-Affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity-beta-feature) to spread the ZooKeeper ensemble across nodes. -* Optionally start JMX Exporter and Zookeeper Exporter containers inside Zookeeper pods. -* Optionally create a job which creates Zookeeper chroots (e.g. `/kafka1`). -* Optionally create a Prometheus ServiceMonitor for each enabled exporter container - -## Installing the Chart -You can install the chart with the release name `zookeeper` as below. - -```console -$ helm repo add incubator http://storage.googleapis.com/kubernetes-charts-incubator -$ helm install --name zookeeper incubator/zookeeper -``` - -If you do not specify a name, helm will select a name for you. - -### Installed Components -You can use `kubectl get` to view all of the installed components. - -```console{%raw} -$ kubectl get all -l app=zookeeper -NAME: zookeeper -LAST DEPLOYED: Wed Apr 11 17:09:48 2018 -NAMESPACE: default -STATUS: DEPLOYED - -RESOURCES: -==> v1beta1/PodDisruptionBudget -NAME MIN AVAILABLE MAX UNAVAILABLE ALLOWED DISRUPTIONS AGE -zookeeper N/A 1 1 2m - -==> v1/Service -NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE -zookeeper-headless ClusterIP None 2181/TCP,3888/TCP,2888/TCP 2m -zookeeper ClusterIP 10.98.179.165 2181/TCP 2m - -==> v1beta1/StatefulSet -NAME DESIRED CURRENT AGE -zookeeper 3 3 2m - -==> monitoring.coreos.com/v1/ServiceMonitor -NAME AGE -zookeeper 2m -zookeeper-exporter 2m -``` - -1. `statefulsets/zookeeper` is the StatefulSet created by the chart. -1. `po/zookeeper-<0|1|2>` are the Pods created by the StatefulSet. Each Pod has a single container running a ZooKeeper server. -1. `svc/zookeeper-headless` is the Headless Service used to control the network domain of the ZooKeeper ensemble. -1. `svc/zookeeper` is a Service that can be used by clients to connect to an available ZooKeeper server. -1. `servicemonitor/zookeeper` is a Prometheus ServiceMonitor which scrapes the jmx-exporter metrics endpoint -1. `servicemonitor/zookeeper-exporter` is a Prometheus ServiceMonitor which scrapes the zookeeper-exporter metrics endpoint - -## Configuration -You can specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. - -Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, - -```console -$ helm install --name my-release -f values.yaml incubator/zookeeper -``` - -## Default Values - -- You can find all user-configurable settings, their defaults and commentary about them in [values.yaml](values.yaml). - -## Deep Dive - -## Image Details -The image used for this chart is based on Alpine 3.9.0. - -## JVM Details -The Java Virtual Machine used for this chart is the OpenJDK JVM 8u192 JRE (headless). - -## ZooKeeper Details -The chart defaults to ZooKeeper 3.5 (latest released version). - -## Failover -You can test failover by killing the leader. Insert a key: -```console -$ kubectl exec zookeeper-0 -- bin/zkCli.sh create /foo bar; -$ kubectl exec zookeeper-2 -- bin/zkCli.sh get /foo; -``` - -Watch existing members: -```console -$ kubectl run --attach bbox --image=busybox --restart=Never -- sh -c 'while true; do for i in 0 1 2; do echo zk-${i} $(echo stats | nc -${i}.:2181 | grep Mode); sleep 1; done; done'; - -zk-2 Mode: follower -zk-0 Mode: follower -zk-1 Mode: leader -zk-2 Mode: follower -``` - -Delete Pods and wait for the StatefulSet controller to bring them back up: -```console -$ kubectl delete po -l app=zookeeper -$ kubectl get po --watch-only -NAME READY STATUS RESTARTS AGE -zookeeper-0 0/1 Running 0 35s -zookeeper-0 1/1 Running 0 50s -zookeeper-1 0/1 Pending 0 0s -zookeeper-1 0/1 Pending 0 0s -zookeeper-1 0/1 ContainerCreating 0 0s -zookeeper-1 0/1 Running 0 19s -zookeeper-1 1/1 Running 0 40s -zookeeper-2 0/1 Pending 0 0s -zookeeper-2 0/1 Pending 0 0s -zookeeper-2 0/1 ContainerCreating 0 0s -zookeeper-2 0/1 Running 0 19s -zookeeper-2 1/1 Running 0 41s -``` - -Check the previously inserted key: -```console -$ kubectl exec zookeeper-1 -- bin/zkCli.sh get /foo -ionid = 0x354887858e80035, negotiated timeout = 30000 - -WATCHER:: - -WatchedEvent state:SyncConnected type:None path:null -bar -``` - -## Scaling -ZooKeeper can not be safely scaled in versions prior to 3.5.x - -## Limitations -* Only supports storage options that have backends for persistent volume claims. diff --git a/stable/ckan/charts/solr/charts/zookeeper/templates/NOTES.txt b/stable/ckan/charts/solr/charts/zookeeper/templates/NOTES.txt deleted file mode 100644 index 6c5da856..00000000 --- a/stable/ckan/charts/solr/charts/zookeeper/templates/NOTES.txt +++ /dev/null @@ -1,7 +0,0 @@ -Thank you for installing ZooKeeper on your Kubernetes cluster. More information -about ZooKeeper can be found at https://zookeeper.apache.org/doc/current/ - -Your connection string should look like: - {{ template "zookeeper.fullname" . }}-0.{{ template "zookeeper.fullname" . }}-headless:{{ .Values.service.ports.client.port }},{{ template "zookeeper.fullname" . }}-1.{{ template "zookeeper.fullname" . }}-headless:{{ .Values.service.ports.client.port }},... - -You can also use the client service {{ template "zookeeper.fullname" . }}:{{ .Values.service.ports.client.port }} to connect to an available ZooKeeper server. diff --git a/stable/ckan/charts/solr/charts/zookeeper/templates/_helpers.tpl b/stable/ckan/charts/solr/charts/zookeeper/templates/_helpers.tpl deleted file mode 100644 index 0e151072..00000000 --- a/stable/ckan/charts/solr/charts/zookeeper/templates/_helpers.tpl +++ /dev/null @@ -1,46 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "zookeeper.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "zookeeper.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "zookeeper.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -The name of the zookeeper headless service. -*/}} -{{- define "zookeeper.headless" -}} -{{- printf "%s-headless" (include "zookeeper.fullname" .) | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -The name of the zookeeper chroots job. -*/}} -{{- define "zookeeper.chroots" -}} -{{- printf "%s-chroots" (include "zookeeper.fullname" .) | trunc 63 | trimSuffix "-" -}} -{{- end -}} diff --git a/stable/ckan/charts/solr/charts/zookeeper/templates/config-jmx-exporter.yaml b/stable/ckan/charts/solr/charts/zookeeper/templates/config-jmx-exporter.yaml deleted file mode 100644 index 79905e57..00000000 --- a/stable/ckan/charts/solr/charts/zookeeper/templates/config-jmx-exporter.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.exporters.jmx.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ .Release.Name }}-jmx-exporter - labels: - app: {{ template "zookeeper.name" . }} - chart: {{ template "zookeeper.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -data: - config.yml: |- - hostPort: 127.0.0.1:{{ .Values.env.JMXPORT }} - lowercaseOutputName: {{ .Values.exporters.jmx.config.lowercaseOutputName }} - rules: -{{ .Values.exporters.jmx.config.rules | toYaml | indent 6 }} - ssl: false - startDelaySeconds: {{ .Values.exporters.jmx.config.startDelaySeconds }} -{{- end }} diff --git a/stable/ckan/charts/solr/charts/zookeeper/templates/config-script.yaml b/stable/ckan/charts/solr/charts/zookeeper/templates/config-script.yaml deleted file mode 100644 index 2b4b44dd..00000000 --- a/stable/ckan/charts/solr/charts/zookeeper/templates/config-script.yaml +++ /dev/null @@ -1,110 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "zookeeper.fullname" . }} - labels: - app: {{ template "zookeeper.name" . }} - chart: {{ template "zookeeper.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - component: server -data: - ok: | - #!/bin/sh - zkServer.sh status - - ready: | - #!/bin/sh - echo ruok | nc 127.0.0.1 ${1:-2181} - - run: | - #!/bin/bash - - set -a - ROOT=$(echo /apache-zookeeper-*) - - ZK_USER=${ZK_USER:-"zookeeper"} - ZK_LOG_LEVEL=${ZK_LOG_LEVEL:-"INFO"} - ZK_DATA_DIR=${ZK_DATA_DIR:-"/data"} - ZK_DATA_LOG_DIR=${ZK_DATA_LOG_DIR:-"/data/log"} - ZK_CONF_DIR=${ZK_CONF_DIR:-"/conf"} - ZK_CLIENT_PORT=${ZK_CLIENT_PORT:-2181} - ZK_SERVER_PORT=${ZK_SERVER_PORT:-2888} - ZK_ELECTION_PORT=${ZK_ELECTION_PORT:-3888} - ZK_TICK_TIME=${ZK_TICK_TIME:-2000} - ZK_INIT_LIMIT=${ZK_INIT_LIMIT:-10} - ZK_SYNC_LIMIT=${ZK_SYNC_LIMIT:-5} - ZK_HEAP_SIZE=${ZK_HEAP_SIZE:-2G} - ZK_MAX_CLIENT_CNXNS=${ZK_MAX_CLIENT_CNXNS:-60} - ZK_MIN_SESSION_TIMEOUT=${ZK_MIN_SESSION_TIMEOUT:- $((ZK_TICK_TIME*2))} - ZK_MAX_SESSION_TIMEOUT=${ZK_MAX_SESSION_TIMEOUT:- $((ZK_TICK_TIME*20))} - ZK_SNAP_RETAIN_COUNT=${ZK_SNAP_RETAIN_COUNT:-3} - ZK_PURGE_INTERVAL=${ZK_PURGE_INTERVAL:-0} - ID_FILE="$ZK_DATA_DIR/myid" - ZK_CONFIG_FILE="$ZK_CONF_DIR/zoo.cfg" - LOG4J_PROPERTIES="$ZK_CONF_DIR/log4j.properties" - HOST=$(hostname) - DOMAIN=`hostname -d` - JVMFLAGS="-Xmx$ZK_HEAP_SIZE -Xms$ZK_HEAP_SIZE" - - APPJAR=$(echo $ROOT/*jar) - CLASSPATH="${ROOT}/lib/*:${APPJAR}:${ZK_CONF_DIR}:" - - if [[ $HOST =~ (.*)-([0-9]+)$ ]]; then - NAME=${BASH_REMATCH[1]} - ORD=${BASH_REMATCH[2]} - MY_ID=$((ORD+1)) - else - echo "Failed to extract ordinal from hostname $HOST" - exit 1 - fi - - mkdir -p $ZK_DATA_DIR - mkdir -p $ZK_DATA_LOG_DIR - echo $MY_ID >> $ID_FILE - - echo "clientPort=$ZK_CLIENT_PORT" >> $ZK_CONFIG_FILE - echo "dataDir=$ZK_DATA_DIR" >> $ZK_CONFIG_FILE - echo "dataLogDir=$ZK_DATA_LOG_DIR" >> $ZK_CONFIG_FILE - echo "tickTime=$ZK_TICK_TIME" >> $ZK_CONFIG_FILE - echo "initLimit=$ZK_INIT_LIMIT" >> $ZK_CONFIG_FILE - echo "syncLimit=$ZK_SYNC_LIMIT" >> $ZK_CONFIG_FILE - echo "maxClientCnxns=$ZK_MAX_CLIENT_CNXNS" >> $ZK_CONFIG_FILE - echo "minSessionTimeout=$ZK_MIN_SESSION_TIMEOUT" >> $ZK_CONFIG_FILE - echo "maxSessionTimeout=$ZK_MAX_SESSION_TIMEOUT" >> $ZK_CONFIG_FILE - echo "autopurge.snapRetainCount=$ZK_SNAP_RETAIN_COUNT" >> $ZK_CONFIG_FILE - echo "autopurge.purgeInterval=$ZK_PURGE_INTERVAL" >> $ZK_CONFIG_FILE - echo "4lw.commands.whitelist=*" >> $ZK_CONFIG_FILE - - for (( i=1; i<=$ZK_REPLICAS; i++ )) - do - echo "server.$i=$NAME-$((i-1)).$DOMAIN:$ZK_SERVER_PORT:$ZK_ELECTION_PORT" >> $ZK_CONFIG_FILE - done - - rm -f $LOG4J_PROPERTIES - - echo "zookeeper.root.logger=$ZK_LOG_LEVEL, CONSOLE" >> $LOG4J_PROPERTIES - echo "zookeeper.console.threshold=$ZK_LOG_LEVEL" >> $LOG4J_PROPERTIES - echo "zookeeper.log.threshold=$ZK_LOG_LEVEL" >> $LOG4J_PROPERTIES - echo "zookeeper.log.dir=$ZK_DATA_LOG_DIR" >> $LOG4J_PROPERTIES - echo "zookeeper.log.file=zookeeper.log" >> $LOG4J_PROPERTIES - echo "zookeeper.log.maxfilesize=256MB" >> $LOG4J_PROPERTIES - echo "zookeeper.log.maxbackupindex=10" >> $LOG4J_PROPERTIES - echo "zookeeper.tracelog.dir=$ZK_DATA_LOG_DIR" >> $LOG4J_PROPERTIES - echo "zookeeper.tracelog.file=zookeeper_trace.log" >> $LOG4J_PROPERTIES - echo "log4j.rootLogger=\${zookeeper.root.logger}" >> $LOG4J_PROPERTIES - echo "log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender" >> $LOG4J_PROPERTIES - echo "log4j.appender.CONSOLE.Threshold=\${zookeeper.console.threshold}" >> $LOG4J_PROPERTIES - echo "log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout" >> $LOG4J_PROPERTIES - echo "log4j.appender.CONSOLE.layout.ConversionPattern=%d{ISO8601} [myid:%X{myid}] - %-5p [%t:%C{1}@%L] - %m%n" >> $LOG4J_PROPERTIES - - if [ -n "$JMXDISABLE" ] - then - MAIN=org.apache.zookeeper.server.quorum.QuorumPeerMain - else - MAIN="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=$JMXPORT -Dcom.sun.management.jmxremote.authenticate=$JMXAUTH -Dcom.sun.management.jmxremote.ssl=$JMXSSL -Dzookeeper.jmx.log4j.disable=$JMXLOG4J org.apache.zookeeper.server.quorum.QuorumPeerMain" - fi - - set -x - exec java -cp "$CLASSPATH" $JVMFLAGS $MAIN $ZK_CONFIG_FILE diff --git a/stable/ckan/charts/solr/charts/zookeeper/templates/job-chroots.yaml b/stable/ckan/charts/solr/charts/zookeeper/templates/job-chroots.yaml deleted file mode 100644 index 3aa08c90..00000000 --- a/stable/ckan/charts/solr/charts/zookeeper/templates/job-chroots.yaml +++ /dev/null @@ -1,65 +0,0 @@ -{{- if .Values.jobs.chroots.enabled }} -{{- $root := . }} -{{- $job := .Values.jobs.chroots }} -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ template "zookeeper.chroots" . }} - annotations: - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-weight": "-5" - "helm.sh/hook-delete-policy": hook-succeeded - labels: - app: {{ template "zookeeper.name" . }} - chart: {{ template "zookeeper.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - component: jobs - job: chroots -spec: - activeDeadlineSeconds: {{ $job.activeDeadlineSeconds }} - backoffLimit: {{ $job.backoffLimit }} - completions: {{ $job.completions }} - parallelism: {{ $job.parallelism }} - template: - metadata: - labels: - app: {{ template "zookeeper.name" . }} - release: {{ .Release.Name }} - component: jobs - job: chroots - spec: - restartPolicy: {{ $job.restartPolicy }} -{{- if .Values.priorityClassName }} - priorityClassName: "{{ .Values.priorityClassName }}" -{{- end }} - containers: - - name: main - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - /bin/bash - - -o - - pipefail - - -euc - {{- $port := .Values.service.ports.client.port }} - - > - sleep 15; - export SERVER={{ template "zookeeper.fullname" $root }}:{{ $port }}; - {{- range $job.config.create }} - echo '==> {{ . }}'; - echo '====> Create chroot if does not exist.'; - zkCli.sh -server {{ template "zookeeper.fullname" $root }}:{{ $port }} get {{ . }} 2>&1 >/dev/null | grep 'cZxid' - || zkCli.sh -server {{ template "zookeeper.fullname" $root }}:{{ $port }} create {{ . }} ""; - echo '====> Confirm chroot exists.'; - zkCli.sh -server {{ template "zookeeper.fullname" $root }}:{{ $port }} get {{ . }} 2>&1 >/dev/null | grep 'cZxid'; - echo '====> Chroot exists.'; - {{- end }} - env: - {{- range $key, $value := $job.env }} - - name: {{ $key | upper | replace "." "_" }} - value: {{ $value | quote }} - {{- end }} - resources: -{{ toYaml $job.resources | indent 12 }} -{{- end -}} diff --git a/stable/ckan/charts/solr/charts/zookeeper/templates/poddisruptionbudget.yaml b/stable/ckan/charts/solr/charts/zookeeper/templates/poddisruptionbudget.yaml deleted file mode 100644 index 15ee0080..00000000 --- a/stable/ckan/charts/solr/charts/zookeeper/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: {{ template "zookeeper.fullname" . }} - labels: - app: {{ template "zookeeper.name" . }} - chart: {{ template "zookeeper.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - component: server -spec: - selector: - matchLabels: - app: {{ template "zookeeper.name" . }} - release: {{ .Release.Name }} - component: server -{{ toYaml .Values.podDisruptionBudget | indent 2 }} diff --git a/stable/ckan/charts/solr/charts/zookeeper/templates/service-headless.yaml b/stable/ckan/charts/solr/charts/zookeeper/templates/service-headless.yaml deleted file mode 100644 index 1c0ea3fb..00000000 --- a/stable/ckan/charts/solr/charts/zookeeper/templates/service-headless.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "zookeeper.headless" . }} - labels: - app: {{ template "zookeeper.name" . }} - chart: {{ template "zookeeper.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -{{- if .Values.headless.annotations }} - annotations: -{{ .Values.headless.annotations | toYaml | trimSuffix "\n" | indent 4 }} -{{- end }} -spec: - clusterIP: None - ports: -{{- range $key, $port := .Values.ports }} - - name: {{ $key }} - port: {{ $port.containerPort }} - targetPort: {{ $key }} - protocol: {{ $port.protocol }} -{{- end }} - selector: - app: {{ template "zookeeper.name" . }} - release: {{ .Release.Name }} diff --git a/stable/ckan/charts/solr/charts/zookeeper/templates/service.yaml b/stable/ckan/charts/solr/charts/zookeeper/templates/service.yaml deleted file mode 100644 index 09fc1dcf..00000000 --- a/stable/ckan/charts/solr/charts/zookeeper/templates/service.yaml +++ /dev/null @@ -1,41 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "zookeeper.fullname" . }} - labels: - app: {{ template "zookeeper.name" . }} - chart: {{ template "zookeeper.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -{{- if .Values.service.annotations }} - annotations: -{{- with .Values.service.annotations }} -{{ toYaml . | indent 4 }} -{{- end }} -{{- end }} -spec: - type: {{ .Values.service.type }} - ports: - {{- range $key, $value := .Values.service.ports }} - - name: {{ $key }} -{{ toYaml $value | indent 6 }} - {{- end }} -{{- if .Values.exporters.jmx.enabled }} - {{- range $key, $port := .Values.exporters.jmx.ports }} - - name: {{ $key }} - port: {{ $port.containerPort }} - targetPort: {{ $key }} - protocol: {{ $port.protocol }} - {{- end }} -{{- end}} -{{- if .Values.exporters.zookeeper.enabled }} - {{- range $key, $port := .Values.exporters.zookeeper.ports }} - - name: {{ $key }} - port: {{ $port.containerPort }} - targetPort: {{ $key }} - protocol: {{ $port.protocol }} - {{- end }} -{{- end}} - selector: - app: {{ template "zookeeper.name" . }} - release: {{ .Release.Name }} diff --git a/stable/ckan/charts/solr/charts/zookeeper/templates/servicemonitors.yaml b/stable/ckan/charts/solr/charts/zookeeper/templates/servicemonitors.yaml deleted file mode 100644 index 0a230a23..00000000 --- a/stable/ckan/charts/solr/charts/zookeeper/templates/servicemonitors.yaml +++ /dev/null @@ -1,56 +0,0 @@ -{{- if and .Values.exporters.jmx.enabled .Values.prometheus.serviceMonitor.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "zookeeper.fullname" . }} - {{- if .Values.prometheus.serviceMonitor.namespace }} - namespace: {{ .Values.prometheus.serviceMonitor.namespace }} - {{- end }} - labels: -{{ toYaml .Values.prometheus.serviceMonitor.selector | indent 4 }} -spec: - endpoints: - {{- range $key, $port := .Values.exporters.jmx.ports }} - - port: {{ $key }} - path: {{ $.Values.exporters.jmx.path }} - interval: {{ $.Values.exporters.jmx.serviceMonitor.interval }} - scrapeTimeout: {{ $.Values.exporters.jmx.serviceMonitor.scrapeTimeout }} - scheme: {{ $.Values.exporters.jmx.serviceMonitor.scheme }} - {{- end }} - selector: - matchLabels: - app: {{ include "zookeeper.name" . }} - release: {{ .Release.Name }} - namespaceSelector: - matchNames: - - {{ .Release.Namespace }} -{{- end }} ---- - -{{- if and .Values.exporters.zookeeper.enabled .Values.prometheus.serviceMonitor.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "zookeeper.fullname" . }}-exporter - {{- if .Values.prometheus.serviceMonitor.namespace }} - namespace: {{ .Values.prometheus.serviceMonitor.namespace }} - {{- end }} - labels: -{{ toYaml .Values.prometheus.serviceMonitor.selector | indent 4 }} -spec: - endpoints: - {{- range $key, $port := .Values.exporters.zookeeper.ports }} - - port: {{ $key }} - path: {{ $.Values.exporters.zookeeper.path }} - interval: {{ $.Values.exporters.zookeeper.serviceMonitor.interval }} - scrapeTimeout: {{ $.Values.exporters.zookeeper.serviceMonitor.scrapeTimeout }} - scheme: {{ $.Values.exporters.zookeeper.serviceMonitor.scheme }} - {{- end }} - selector: - matchLabels: - app: {{ include "zookeeper.name" . }} - release: {{ .Release.Name }} - namespaceSelector: - matchNames: - - {{ .Release.Namespace }} -{{- end }} \ No newline at end of file diff --git a/stable/ckan/charts/solr/charts/zookeeper/templates/statefulset.yaml b/stable/ckan/charts/solr/charts/zookeeper/templates/statefulset.yaml deleted file mode 100644 index 6d508a69..00000000 --- a/stable/ckan/charts/solr/charts/zookeeper/templates/statefulset.yaml +++ /dev/null @@ -1,226 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ template "zookeeper.fullname" . }} - labels: - app: {{ template "zookeeper.name" . }} - chart: {{ template "zookeeper.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - component: server -spec: - serviceName: {{ template "zookeeper.headless" . }} - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ template "zookeeper.name" . }} - release: {{ .Release.Name }} - component: server - updateStrategy: -{{ toYaml .Values.updateStrategy | indent 4 }} - template: - metadata: - labels: - app: {{ template "zookeeper.name" . }} - release: {{ .Release.Name }} - component: server - {{- if .Values.podLabels }} - ## Custom pod labels - {{- range $key, $value := .Values.podLabels }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- end }} -{{- if .Values.podAnnotations }} - annotations: - ## Custom pod annotations - {{- range $key, $value := .Values.podAnnotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} -{{- end }} - spec: - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} -{{- if .Values.schedulerName }} - schedulerName: "{{ .Values.schedulerName }}" -{{- end }} - securityContext: -{{ toYaml .Values.securityContext | indent 8 }} -{{- if .Values.priorityClassName }} - priorityClassName: "{{ .Values.priorityClassName }}" -{{- end }} - containers: - - - name: zookeeper - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- with .Values.command }} - command: {{ range . }} - - {{ . | quote }} - {{- end }} - {{- end }} - ports: -{{- range $key, $port := .Values.ports }} - - name: {{ $key }} -{{ toYaml $port | indent 14 }} -{{- end }} - livenessProbe: - exec: - command: - - sh - - /config-scripts/ok - initialDelaySeconds: 20 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 2 - successThreshold: 1 - readinessProbe: - exec: - command: - - sh - - /config-scripts/ready - initialDelaySeconds: 20 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 2 - successThreshold: 1 - env: - - name: ZK_REPLICAS - value: {{ .Values.replicaCount | quote }} - {{- range $key, $value := .Values.env }} - - name: {{ $key | upper | replace "." "_" }} - value: {{ $value | quote }} - {{- end }} - {{- range $secret := .Values.secrets }} - {{- range $key := $secret.keys }} - - name: {{ (print $secret.name "_" $key) | upper }} - valueFrom: - secretKeyRef: - name: {{ $secret.name }} - key: {{ $key }} - {{- end }} - {{- end }} - resources: -{{ toYaml .Values.resources | indent 12 }} - volumeMounts: - - name: data - mountPath: /data - {{- range $secret := .Values.secrets }} - {{- if $secret.mountPath }} - {{- range $key := $secret.keys }} - - name: {{ $.Release.Name }}-{{ $secret.name }} - mountPath: {{ $secret.mountPath }}/{{ $key }} - subPath: {{ $key }} - readOnly: true - {{- end }} - {{- end }} - {{- end }} - - name: config - mountPath: /config-scripts - - -{{- if .Values.exporters.jmx.enabled }} - - name: jmx-exporter - image: "{{ .Values.exporters.jmx.image.repository }}:{{ .Values.exporters.jmx.image.tag }}" - imagePullPolicy: {{ .Values.exporters.jmx.image.pullPolicy }} - ports: - {{- range $key, $port := .Values.exporters.jmx.ports }} - - name: {{ $key }} -{{ toYaml $port | indent 14 }} - {{- end }} - livenessProbe: -{{ toYaml .Values.exporters.jmx.livenessProbe | indent 12 }} - readinessProbe: -{{ toYaml .Values.exporters.jmx.readinessProbe | indent 12 }} - env: - - name: SERVICE_PORT - value: {{ .Values.exporters.jmx.ports.jmxxp.containerPort | quote }} - {{- with .Values.exporters.jmx.env }} - {{- range $key, $value := . }} - - name: {{ $key | upper | replace "." "_" }} - value: {{ $value | quote }} - {{- end }} - {{- end }} - resources: -{{ toYaml .Values.exporters.jmx.resources | indent 12 }} - volumeMounts: - - name: config-jmx-exporter - mountPath: /opt/jmx_exporter/config.yml - subPath: config.yml -{{- end }} - -{{- if .Values.exporters.zookeeper.enabled }} - - name: zookeeper-exporter - image: "{{ .Values.exporters.zookeeper.image.repository }}:{{ .Values.exporters.zookeeper.image.tag }}" - imagePullPolicy: {{ .Values.exporters.zookeeper.image.pullPolicy }} - args: - - -bind-addr=:{{ .Values.exporters.zookeeper.ports.zookeeperxp.containerPort }} - - -metrics-path={{ .Values.exporters.zookeeper.path }} - - -zookeeper=localhost:{{ .Values.ports.client.containerPort }} - - -log-level={{ .Values.exporters.zookeeper.config.logLevel }} - - -reset-on-scrape={{ .Values.exporters.zookeeper.config.resetOnScrape }} - ports: - {{- range $key, $port := .Values.exporters.zookeeper.ports }} - - name: {{ $key }} -{{ toYaml $port | indent 14 }} - {{- end }} - livenessProbe: -{{ toYaml .Values.exporters.zookeeper.livenessProbe | indent 12 }} - readinessProbe: -{{ toYaml .Values.exporters.zookeeper.readinessProbe | indent 12 }} - env: - {{- range $key, $value := .Values.exporters.zookeeper.env }} - - name: {{ $key | upper | replace "." "_" }} - value: {{ $value | quote }} - {{- end }} - resources: -{{ toYaml .Values.exporters.zookeeper.resources | indent 12 }} -{{- end }} - - {{- with .Values.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} - volumes: - - name: config - configMap: - name: {{ template "zookeeper.fullname" . }} - defaultMode: 0555 - {{- range .Values.secrets }} - - name: {{ $.Release.Name }}-{{ .name }} - secret: - secretName: {{ .name }} - {{- end }} - {{- if .Values.exporters.jmx.enabled }} - - name: config-jmx-exporter - configMap: - name: {{ .Release.Name }}-jmx-exporter - {{- end }} - {{- if not .Values.persistence.enabled }} - - name: data - emptyDir: {} - {{- end }} - {{- if .Values.persistence.enabled }} - volumeClaimTemplates: - - metadata: - name: data - spec: - accessModes: - - {{ .Values.persistence.accessMode | quote }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} - {{- if .Values.persistence.storageClass }} - {{- if (eq "-" .Values.persistence.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.persistence.storageClass }}" - {{- end }} - {{- end }} - {{- end }} diff --git a/stable/ckan/charts/solr/charts/zookeeper/values.yaml b/stable/ckan/charts/solr/charts/zookeeper/values.yaml deleted file mode 100644 index 2fa6286e..00000000 --- a/stable/ckan/charts/solr/charts/zookeeper/values.yaml +++ /dev/null @@ -1,295 +0,0 @@ -## As weighted quorums are not supported, it is imperative that an odd number of replicas -## be chosen. Moreover, the number of replicas should be either 1, 3, 5, or 7. -## -## ref: https://github.com/kubernetes/contrib/tree/master/statefulsets/zookeeper#stateful-set -replicaCount: 3 # Desired quantity of ZooKeeper pods. This should always be (1,3,5, or 7) - -podDisruptionBudget: - maxUnavailable: 1 # Limits how many Zokeeper pods may be unavailable due to voluntary disruptions. - -terminationGracePeriodSeconds: 1800 # Duration in seconds a Zokeeper pod needs to terminate gracefully. - -updateStrategy: - type: RollingUpdate - -## refs: -## - https://github.com/kubernetes/contrib/tree/master/statefulsets/zookeeper -## - https://github.com/kubernetes/contrib/blob/master/statefulsets/zookeeper/Makefile#L1 -image: - repository: zookeeper # Container image repository for zookeeper container. - tag: 3.5.5 # Container image tag for zookeeper container. - pullPolicy: IfNotPresent # Image pull criteria for zookeeper container. - -service: - type: ClusterIP # Exposes zookeeper on a cluster-internal IP. - annotations: {} # Arbitrary non-identifying metadata for zookeeper service. - ## AWS example for use with LoadBalancer service type. - # external-dns.alpha.kubernetes.io/hostname: zookeeper.cluster.local - # service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" - # service.beta.kubernetes.io/aws-load-balancer-internal: "true" - ports: - client: - port: 2181 # Service port number for client port. - targetPort: client # Service target port for client port. - protocol: TCP # Service port protocol for client port. - -## Headless service. -## -headless: - annotations: {} - -ports: - client: - containerPort: 2181 # Port number for zookeeper container client port. - protocol: TCP # Protocol for zookeeper container client port. - election: - containerPort: 3888 # Port number for zookeeper container election port. - protocol: TCP # Protocol for zookeeper container election port. - server: - containerPort: 2888 # Port number for zookeeper container server port. - protocol: TCP # Protocol for zookeeper container server port. - -resources: {} # Optionally specify how much CPU and memory (RAM) each zookeeper container needs. - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -priorityClassName: "" - -nodeSelector: {} # Node label-values required to run zookeeper pods. - -tolerations: [] # Node taint overrides for zookeeper pods. - -affinity: {} # Criteria by which pod label-values influence scheduling for zookeeper pods. - # podAntiAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # - topologyKey: "kubernetes.io/hostname" - # labelSelector: - # matchLabels: - # release: zookeeper - -podAnnotations: {} # Arbitrary non-identifying metadata for zookeeper pods. - # prometheus.io/scrape: "true" - # prometheus.io/path: "/metrics" - # prometheus.io/port: "9141" - -podLabels: {} # Key/value pairs that are attached to zookeeper pods. - # team: "developers" - # service: "zookeeper" - -securityContext: - fsGroup: 1000 - runAsUser: 1000 - -## Useful, if you want to use an alternate image. -command: - - /bin/bash - - -xec - - /config-scripts/run - -## Useful if using any custom authorizer. -## Pass any secrets to the kafka pods. Each secret will be passed as an -## environment variable by default. The secret can also be mounted to a -## specific path (in addition to environment variable) if required. Environment -## variable names are generated as: `_` (All upper case) -# secrets: -# - name: myKafkaSecret -# keys: -# - username -# - password -# # mountPath: /opt/kafka/secret -# - name: myZkSecret -# keys: -# - user -# - pass -# mountPath: /opt/zookeeper/secret - -persistence: - enabled: true - ## zookeeper data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - accessMode: ReadWriteOnce - size: 5Gi - -## Exporters query apps for metrics and make those metrics available for -## Prometheus to scrape. -exporters: - - jmx: - enabled: false - image: - repository: sscaling/jmx-prometheus-exporter - tag: 0.3.0 - pullPolicy: IfNotPresent - config: - lowercaseOutputName: false - ## ref: https://github.com/prometheus/jmx_exporter/blob/master/example_configs/zookeeper.yaml - rules: - - pattern: "org.apache.ZooKeeperService<>(\\w+)" - name: "zookeeper_$2" - - pattern: "org.apache.ZooKeeperService<>(\\w+)" - name: "zookeeper_$3" - labels: - replicaId: "$2" - - pattern: "org.apache.ZooKeeperService<>(\\w+)" - name: "zookeeper_$4" - labels: - replicaId: "$2" - memberType: "$3" - - pattern: "org.apache.ZooKeeperService<>(\\w+)" - name: "zookeeper_$4_$5" - labels: - replicaId: "$2" - memberType: "$3" - startDelaySeconds: 30 - env: {} - resources: {} - path: /metrics - ports: - jmxxp: - containerPort: 9404 - protocol: TCP - livenessProbe: - httpGet: - path: /metrics - port: jmxxp - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 60 - failureThreshold: 8 - successThreshold: 1 - readinessProbe: - httpGet: - path: /metrics - port: jmxxp - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 60 - failureThreshold: 8 - successThreshold: 1 - serviceMonitor: - interval: 30s - scrapeTimeout: 30s - scheme: http - - zookeeper: - ## refs: - ## - https://github.com/carlpett/zookeeper_exporter - ## - https://hub.docker.com/r/josdotso/zookeeper-exporter/ - ## - https://www.datadoghq.com/blog/monitoring-kafka-performance-metrics/#zookeeper-metrics - enabled: false - image: - repository: josdotso/zookeeper-exporter - tag: v1.1.2 - pullPolicy: IfNotPresent - config: - logLevel: info - resetOnScrape: "true" - env: {} - resources: {} - path: /metrics - ports: - zookeeperxp: - containerPort: 9141 - protocol: TCP - livenessProbe: - httpGet: - path: /metrics - port: zookeeperxp - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 60 - failureThreshold: 8 - successThreshold: 1 - readinessProbe: - httpGet: - path: /metrics - port: zookeeperxp - initialDelaySeconds: 30 - periodSeconds: 15 - timeoutSeconds: 60 - failureThreshold: 8 - successThreshold: 1 - serviceMonitor: - interval: 30s - scrapeTimeout: 30s - scheme: http - -## ServiceMonitor configuration in case you are using Prometheus Operator -prometheus: - serviceMonitor: - ## If true a ServiceMonitor for each enabled exporter will be installed - enabled: false - ## The namespace where the ServiceMonitor(s) will be installed - # namespace: monitoring - ## The selector the Prometheus instance is searching for - ## [Default Prometheus Operator selector] (https://github.com/helm/charts/blob/f5a751f174263971fafd21eee4e35416d6612a3d/stable/prometheus-operator/templates/prometheus/prometheus.yaml#L74) - selector: {} - -## Use an alternate scheduler, e.g. "stork". -## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ -## -# schedulerName: - -## ref: https://github.com/kubernetes/contrib/tree/master/statefulsets/zookeeper -env: - - ## Options related to JMX exporter. - ## ref: https://github.com/apache/zookeeper/blob/master/bin/zkServer.sh#L36 - JMXAUTH: "false" - JMXDISABLE: "false" - JMXPORT: 1099 - JMXSSL: "false" - - ## The port on which the server will accept client requests. - ZOO_PORT: 2181 - - ## The number of Ticks that an ensemble member is allowed to perform leader - ## election. - ZOO_INIT_LIMIT: 5 - - ZOO_TICK_TIME: 2000 - - ## The maximum number of concurrent client connections that - ## a server in the ensemble will accept. - ZOO_MAX_CLIENT_CNXNS: 60 - - ## The number of Tick by which a follower may lag behind the ensembles leader. - ZK_SYNC_LIMIT: 10 - - ## The number of wall clock ms that corresponds to a Tick for the ensembles - ## internal time. - ZK_TICK_TIME: 2000 - - ZOO_AUTOPURGE_PURGEINTERVAL: 0 - ZOO_AUTOPURGE_SNAPRETAINCOUNT: 3 - ZOO_STANDALONE_ENABLED: false - -jobs: - ## ref: http://zookeeper.apache.org/doc/r3.4.10/zookeeperProgrammers.html#ch_zkSessions - chroots: - enabled: false - activeDeadlineSeconds: 300 - backoffLimit: 5 - completions: 1 - config: - create: [] - # - /kafka - # - /ureplicator - env: [] - parallelism: 1 - resources: {} - restartPolicy: Never diff --git a/stable/ckan/charts/solr/templates/NOTES.txt b/stable/ckan/charts/solr/templates/NOTES.txt deleted file mode 100644 index c152a37c..00000000 --- a/stable/ckan/charts/solr/templates/NOTES.txt +++ /dev/null @@ -1,11 +0,0 @@ -Your Solr cluster has now been installed, and can be accessed in the following ways: - - * Internally, within the kubernetes cluster on: - -{{ template "solr.service-name" . }}.{{ .Release.Namespace }}:{{ .Values.port }} - - * External to the kubernetes cluster: - -export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "solr.name" . }},component=server,release={{ .Release.Name }}" -o jsonpath="{ .items[0].metadata.name }") -echo "Visit http://127.0.0.1:{{ .Values.port }} to access Solr" -kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME {{ .Values.port }}:{{ .Values.port }} diff --git a/stable/ckan/charts/solr/templates/_helpers.tpl b/stable/ckan/charts/solr/templates/_helpers.tpl deleted file mode 100644 index d6f80d6b..00000000 --- a/stable/ckan/charts/solr/templates/_helpers.tpl +++ /dev/null @@ -1,133 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "solr.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "solr.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Define the name of the headless service for solr -*/}} -{{- define "solr.headless-service-name" -}} -{{- printf "%s-%s" (include "solr.fullname" .) "headless" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Define the name of the client service for solr -*/}} -{{- define "solr.service-name" -}} -{{- printf "%s-%s" (include "solr.fullname" .) "svc" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Define the name of the solr exporter -*/}} -{{- define "solr.exporter-name" -}} -{{- printf "%s-%s" (include "solr.fullname" .) "exporter" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -The name of the zookeeper service -*/}} -{{- define "solr.zookeeper-name" -}} -{{- printf "%s-%s" .Release.Name "zookeeper" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -The name of the zookeeper headless service -*/}} -{{- define "solr.zookeeper-service-name" -}} -{{ printf "%s-%s" (include "solr.zookeeper-name" .) "headless" | trunc 63 | trimSuffix "-" }} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "solr.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* - Define the name of the solr PVC -*/}} -{{- define "solr.pvc-name" -}} -{{ printf "%s-%s" (include "solr.fullname" .) "pvc" | trunc 63 | trimSuffix "-" }} -{{- end -}} - -{{/* - Define the name of the solr.xml configmap -*/}} -{{- define "solr.configmap-name" -}} -{{- printf "%s-%s" (include "solr.fullname" .) "config-map" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* - Define the name of the custom script configmap -*/}} -{{- define "solr.custom-script.configmap-name" -}} -{{- printf "%s-%s" (include "solr.fullname" .) "custom-script-config-map" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* - Define the labels that should be applied to all resources in the chart -*/}} -{{- define "solr.common.labels" -}} -app.kubernetes.io/name: {{ include "solr.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -helm.sh/chart: {{ include "solr.chart" . }} -{{- end -}} - -{{/* -Return the proper Docker Image Registry Secret Names -*/}} -{{- define "solr.imagePullSecrets" -}} -{{/* -Helm 2.11 supports the assignment of a value to a variable defined in a different scope, -but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. -Also, we can not use a single if because lazy evaluation is not an option -*/}} -{{- if .Values.global }} -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- else if or .Values.image.pullSecrets .Values.exporter.image.pullSecrets }} -imagePullSecrets: -{{- range .Values.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- range .Values.exporter.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- end -}} -{{- else if or .Values.image.pullSecrets .Values.exporter.image.pullSecrets }} -imagePullSecrets: -{{- range .Values.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- range .Values.exporter.image.pullSecrets }} - - name: {{ . }} -{{- end }} -{{- end -}} -{{- end -}} \ No newline at end of file diff --git a/stable/ckan/charts/solr/templates/exporter-deployment.yaml b/stable/ckan/charts/solr/templates/exporter-deployment.yaml deleted file mode 100644 index d4508a9f..00000000 --- a/stable/ckan/charts/solr/templates/exporter-deployment.yaml +++ /dev/null @@ -1,104 +0,0 @@ -{{- if .Values.exporter.enabled }} ---- - -apiVersion: "v1" -kind: "Service" -metadata: - name: "{{ include "solr.exporter-name" . }}" - labels: -{{ include "solr.common.labels" . | indent 4 }} - app.kubernetes.io/component: "exporter" - annotations: -{{ toYaml .Values.exporter.service.annotations | indent 4}} -spec: - type: "{{ .Values.exporter.service.type }}" - ports: - - port: {{ .Values.exporter.port }} - name: "solr-client" - selector: - app.kubernetes.io/name: "{{ include "solr.name" . }}" - app.kubernetes.io/instance: "{{ .Release.Name }}" - app.kubernetes.io/component: "exporter" - - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "solr.exporter-name" . }} - labels: -{{ include "solr.common.labels" . | indent 4 }} - app.kubernetes.io/component: "exporter" -spec: - selector: - matchLabels: - app.kubernetes.io/name: "{{ include "solr.name" . }}" - app.kubernetes.io/instance: "{{ .Release.Name }}" - app.kubernetes.io/component: "exporter" - replicas: 1 - strategy: - {{ toYaml .Values.exporter.updateStrategy | indent 4}} - template: - metadata: - labels: -{{ include "solr.common.labels" . | indent 8 }} - app.kubernetes.io/component: "exporter" - annotations: -{{ toYaml .Values.exporter.podAnnotations | indent 8 }} - spec: -{{- include "solr.imagePullSecrets" . | indent 6 }} - affinity: -{{ tpl (toYaml .Values.affinity) . | indent 8 }} - containers: - - name: exporter - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - resources: -{{ toYaml .Values.exporter.resources | indent 12 }} - ports: - - containerPort: {{ .Values.port }} - name: solr-client - command: - - "/opt/solr/contrib/prometheus-exporter/bin/solr-exporter" - - "-p" - - "{{ .Values.exporter.port }}" - - "-z" - - "{{ include "solr.zookeeper-service-name" . }}:2181" - - "-n" - - "{{ .Values.exporter.threads }}" - - "-f" - - "{{ .Values.exporter.configFile }}" - livenessProbe: - initialDelaySeconds: {{ .Values.exporter.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.exporter.livenessProbe.periodSeconds }} - httpGet: - path: "/metrics" - port: {{ .Values.exporter.port }} - readinessProbe: - initialDelaySeconds: {{ .Values.exporter.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.exporter.readinessProbe.periodSeconds }} - httpGet: - path: "/metrics" - port: {{ .Values.exporter.port }} - initContainers: - - name: solr-init - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - 'sh' - - '-c' - - | - {{- if .Values.tls.enabled }} - PROTOCOL="https://" - {{ else }} - PROTOCOL="http://" - {{- end }} - COUNTER=0; - while [ $COUNTER -lt 30 ]; do - curl -k -s --connect-timeout 10 "${PROTOCOL}{{ include "solr.service-name" . }}:{{ .Values.port }}/solr/admin/info/system" && exit 0 - sleep 2 - done; - echo "Did NOT see a Running Solr instance after 60 secs!"; - exit 1; -{{ end }} diff --git a/stable/ckan/charts/solr/templates/poddisruptionbudget.yaml b/stable/ckan/charts/solr/templates/poddisruptionbudget.yaml deleted file mode 100644 index 677ded3e..00000000 --- a/stable/ckan/charts/solr/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: "policy/v1beta1" -kind: "PodDisruptionBudget" -metadata: - name: "{{ include "solr.fullname" . }}" - labels: -{{ include "solr.common.labels" . | indent 4 }} -spec: - selector: - matchLabels: - app.kubernetes.io/name: "{{ include "solr.name" . }}" - app.kubernetes.io/instance: "{{ .Release.Name }}" - app.kubernetes.io/component: "server" -{{ toYaml .Values.podDisruptionBudget | indent 2 }} diff --git a/stable/ckan/charts/solr/templates/service-headless.yaml b/stable/ckan/charts/solr/templates/service-headless.yaml deleted file mode 100644 index 9ff2aa23..00000000 --- a/stable/ckan/charts/solr/templates/service-headless.yaml +++ /dev/null @@ -1,17 +0,0 @@ ---- - -apiVersion: "v1" -kind: "Service" -metadata: - name: "{{ include "solr.headless-service-name" . }}" - labels: -{{ include "solr.common.labels" . | indent 4 }} -spec: - clusterIP: "None" - ports: - - port: {{ .Values.port }} - name: "solr-headless" - selector: - app.kubernetes.io/name: "{{ include "solr.name" . }}" - app.kubernetes.io/instance: "{{ .Release.Name }}" - app.kubernetes.io/component: "server" diff --git a/stable/ckan/charts/solr/templates/service.yaml b/stable/ckan/charts/solr/templates/service.yaml deleted file mode 100644 index d922bb4a..00000000 --- a/stable/ckan/charts/solr/templates/service.yaml +++ /dev/null @@ -1,19 +0,0 @@ ---- - -apiVersion: "v1" -kind: "Service" -metadata: - name: "{{ include "solr.service-name" . }}" - labels: -{{ include "solr.common.labels" . | indent 4 }} - annotations: -{{ toYaml .Values.service.annotations | indent 4}} -spec: - type: "{{ .Values.service.type }}" - ports: - - port: {{ .Values.port }} - name: "solr-client" - selector: - app.kubernetes.io/name: "{{ include "solr.name" . }}" - app.kubernetes.io/instance: "{{ .Release.Name }}" - app.kubernetes.io/component: "server" diff --git a/stable/ckan/charts/solr/templates/solr-custom-script.yaml b/stable/ckan/charts/solr/templates/solr-custom-script.yaml deleted file mode 100644 index 41c0e13e..00000000 --- a/stable/ckan/charts/solr/templates/solr-custom-script.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{ if not ( eq .Values.initScript "" ) }} ---- - -apiVersion: "v1" -kind: "ConfigMap" -metadata: - name: "{{ include "solr.custom-script.configmap-name" . }}" - labels: -{{ include "solr.common.labels" . | indent 4}} -data: - solr-init.sh: | -{{ .Files.Get .Values.initScript | indent 4}} -{{ end }} diff --git a/stable/ckan/charts/solr/templates/solr-xml-configmap.yaml b/stable/ckan/charts/solr/templates/solr-xml-configmap.yaml deleted file mode 100644 index 43cdb236..00000000 --- a/stable/ckan/charts/solr/templates/solr-xml-configmap.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- - -apiVersion: "v1" -kind: "ConfigMap" -metadata: - name: "{{ include "solr.configmap-name" . }}" - labels: -{{ include "solr.common.labels" . | indent 4}} -data: - solr.xml: | - - - - ${host:} - ${jetty.port:8983} - ${hostContext:solr} - ${genericCoreNodeNames:true} - ${zkClientTimeout:30000} - ${distribUpdateSoTimeout:600000} - ${distribUpdateConnTimeout:60000} - ${zkCredentialsProvider:org.apache.solr.common.cloud.DefaultZkCredentialsProvider} - ${zkACLProvider:org.apache.solr.common.cloud.DefaultZkACLProvider} - - - ${socketTimeout:600000} - ${connTimeout:60000} - - diff --git a/stable/ckan/charts/solr/templates/statefulset.yaml b/stable/ckan/charts/solr/templates/statefulset.yaml deleted file mode 100644 index 07c0dbef..00000000 --- a/stable/ckan/charts/solr/templates/statefulset.yaml +++ /dev/null @@ -1,234 +0,0 @@ ---- - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "solr.fullname" . }} - labels: -{{ include "solr.common.labels" . | indent 4 }} - app.kubernetes.io/component: server -spec: - selector: - matchLabels: - app.kubernetes.io/name: "{{ include "solr.name" . }}" - app.kubernetes.io/instance: "{{ .Release.Name }}" - app.kubernetes.io/component: "server" - serviceName: {{ include "solr.headless-service-name" . }} - replicas: {{ .Values.replicaCount }} - updateStrategy: - {{ toYaml .Values.updateStrategy | indent 4}} - template: - metadata: - labels: - app.kubernetes.io/name: "{{ include "solr.name" . }}" - app.kubernetes.io/instance: "{{ .Release.Name }}" - app.kubernetes.io/component: "server" - annotations: -{{ toYaml .Values.podAnnotations | indent 8 }} - spec: -{{- include "solr.imagePullSecrets" . | indent 6 }} - {{- if .Values.schedulerName }} - schedulerName: "{{ .Values.schedulerName }}" - {{- end }} - securityContext: - fsGroup: 8983 - runAsUser: 8983 - affinity: -{{ tpl (toYaml .Values.affinity) . | indent 8 }} - tolerations: -{{ tpl (toYaml .Values.tolerations) . | indent 8 }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - volumes: -{{- if .Values.tls.enabled }} - - name: keystore-volume - emptyDir: {} - - name: "tls-secret" - secret: - secretName: {{ .Values.tls.certSecret.name }} -{{- if not (eq .Values.tls.caSecret.name "") }} - - name: "tls-ca" - secret: - secretName: {{ .Values.tls.caSecret.name }} -{{- end }} -{{- end }} - - name: solr-xml - configMap: - name: {{ include "solr.configmap-name" . }} - items: - - key: solr.xml - path: solr.xml -{{- if not ( eq .Values.initScript "" ) }} - - name: solr-init-script - configMap: - name: {{ include "solr.custom-script.configmap-name" . }} - items: - - key: solr-init.sh - path: solr-init.sh -{{- end }} - initContainers: - - name: check-zk - image: busybox:latest - command: - - 'sh' - - '-c' - - | - COUNTER=0; - while [ $COUNTER -lt 120 ]; do - addr=$(nslookup -type=a {{ include "solr.zookeeper-service-name" . }} | grep "Address:" | awk 'NR>1 {print $2}') - if [ ! -z "$addr" ]; then - while read -r line; do - echo $line; - exit 0; - done < Date: Wed, 20 Nov 2024 13:52:38 -0500 Subject: [PATCH 3/8] deleted chart.lock for ckan --- stable/ckan/Chart.lock | 15 --------------- 1 file changed, 15 deletions(-) delete mode 100644 stable/ckan/Chart.lock diff --git a/stable/ckan/Chart.lock b/stable/ckan/Chart.lock deleted file mode 100644 index 4d7f58e5..00000000 --- a/stable/ckan/Chart.lock +++ /dev/null @@ -1,15 +0,0 @@ -dependencies: -- name: redis - repository: https://raw.githubusercontent.com/bitnami/charts/eb5f9a9513d987b519f0ecd732e7031241c50328/bitnami - version: 12.10.1 -- name: postgresql - repository: https://raw.githubusercontent.com/bitnami/charts/eb5f9a9513d987b519f0ecd732e7031241c50328/bitnami - version: 10.2.0 -- name: solr - repository: https://statcan.github.io/charts - version: 1.5.10 -- name: datapusher - repository: https://statcan.github.io/charts - version: 1.0.0 -digest: sha256:8e8bd24b9018ec981cef8147b7f01354a98b481e5be4110362c43fb7ec40d6f2 -generated: "2024-10-29T10:38:13.919340399-04:00" From 1b8dc69ff1efaeacba523cb180030a7b6c73bb9f Mon Sep 17 00:00:00 2001 From: Qian Date: Wed, 20 Nov 2024 14:00:40 -0500 Subject: [PATCH 4/8] removed the spaces --- stable/ckan/values.yaml | 2 +- stable/fdi-dotstatsuite/values.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/stable/ckan/values.yaml b/stable/ckan/values.yaml index 912e245e..6e720d48 100644 --- a/stable/ckan/values.yaml +++ b/stable/ckan/values.yaml @@ -56,7 +56,7 @@ ckan: organization_schemas: group_schemas: dataset_schemas: - presets: + presets: dataset_fallback: false resource_proxy_timeouts: 5 storagePath: "/var/lib/ckan/default" diff --git a/stable/fdi-dotstatsuite/values.yaml b/stable/fdi-dotstatsuite/values.yaml index d0fd7ea6..6ada0991 100644 --- a/stable/fdi-dotstatsuite/values.yaml +++ b/stable/fdi-dotstatsuite/values.yaml @@ -50,7 +50,7 @@ autoscaling: &autoscaling minReplicas: 1 maxReplicas: 10 targetCPUUtilizationPercentage: 80 - appversion: "autoscaling/v2" #prod uses autoscaling/v2beta1 + appversion: "autoscaling/v2" # Authz # https://gitlab.com/sis-cc/.stat-suite/dotstatsuite-kube-core-rp/-/blob/master/staging/authz.yaml @@ -593,7 +593,7 @@ transfer: log4net_root_level: INFO data_loading_on_server: enabled: false - path: + path: sdmx_logs: enabled: false logShareName: "sdmx-logs" From 3ffcd1c2993b94e02dffdd6d9eed8dd9f16dc242 Mon Sep 17 00:00:00 2001 From: Qian Date: Wed, 20 Nov 2024 14:05:49 -0500 Subject: [PATCH 5/8] removed the empty lines --- stable/fdi-dotstatsuite-sfs-solr/values.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/stable/fdi-dotstatsuite-sfs-solr/values.yaml b/stable/fdi-dotstatsuite-sfs-solr/values.yaml index 97369658..41e3446c 100644 --- a/stable/fdi-dotstatsuite-sfs-solr/values.yaml +++ b/stable/fdi-dotstatsuite-sfs-solr/values.yaml @@ -6,8 +6,6 @@ nameOverride: "fdi-dotstatsuite-sfs-solr" fullnameOverride: "fdi-dotstatsuite-sfs-solr" - - # sfs # https://gitlab.k8s.cloud.statcan.ca/analytics-platform/discovery/dotstatsuite-docker-compose sfs: @@ -246,7 +244,6 @@ mongo: podAnnotations: { sidecar.istio.io/inject: 'false' } - podSecurityContext: {} # fsGroup: 2000 @@ -310,9 +307,6 @@ mongo: tolerations: [] affinity: {} - - - # Destination Rule # https://gitlab.k8s.cloud.statcan.ca/analytics-platform/discovery/dotstatsuite-docker-compose destinationRule: From 68a42e3d5b9e770f85e914e297ddcfacfd6dd2be Mon Sep 17 00:00:00 2001 From: Qian Date: Wed, 20 Nov 2024 14:10:02 -0500 Subject: [PATCH 6/8] removed the spaces-1 --- stable/fdi-fmr-chart/values.yaml | 4 ++-- stable/fdi-hfed-scrapping-loading-portal/values.yaml | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/stable/fdi-fmr-chart/values.yaml b/stable/fdi-fmr-chart/values.yaml index 6ad8ef89..27394366 100644 --- a/stable/fdi-fmr-chart/values.yaml +++ b/stable/fdi-fmr-chart/values.yaml @@ -8,7 +8,7 @@ fullnameOverride: "" managed: tomcat: tomcat_password: "" - tomcat_username: "admin" + tomcat_username: "admin" registry: mssql_host: "172.23.224.96" mssql_port: 1433 @@ -128,7 +128,7 @@ fusionapps: fwb: - id: - name: + name: api: query: delete: diff --git a/stable/fdi-hfed-scrapping-loading-portal/values.yaml b/stable/fdi-hfed-scrapping-loading-portal/values.yaml index ab8f9ce9..a04b9884 100644 --- a/stable/fdi-hfed-scrapping-loading-portal/values.yaml +++ b/stable/fdi-hfed-scrapping-loading-portal/values.yaml @@ -39,7 +39,6 @@ hfed: mailTo: 'jianlong.qian@statcan.gc.ca' tls: "enabled" starttls: "true" - resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little From f11649b569ffacb6f6265b8a7866cf257384cf70 Mon Sep 17 00:00:00 2001 From: Qian Date: Wed, 20 Nov 2024 14:15:32 -0500 Subject: [PATCH 7/8] added the value for fmr security --- stable/fdi-fmr-chart/values.yaml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/stable/fdi-fmr-chart/values.yaml b/stable/fdi-fmr-chart/values.yaml index 27394366..18655050 100644 --- a/stable/fdi-fmr-chart/values.yaml +++ b/stable/fdi-fmr-chart/values.yaml @@ -23,16 +23,16 @@ managed: encrypt_salt: "" security_password: "" security_username: "" - # security: - # mssql_host: "172.23.224.96" - # mssql_port: 1433 - # db_dialect: org.hibernate.dialect.SQLServerDialect - # db_driver: com.microsoft.sqlserver.jdbc.SQLServerDriver - # db_jdbc_type: "sqlserver" - # db_username: "sa" - # #"fusion_securitor" - # db_password: "" - # db_name: "fusion_security" + security: + mssql_host: "172.23.224.96" + mssql_port: 1433 + db_dialect: org.hibernate.dialect.SQLServerDialect + db_driver: com.microsoft.sqlserver.jdbc.SQLServerDriver + db_jdbc_type: "sqlserver" + db_username: "sa" + #"fusion_securitor" + db_password: "" + db_name: "fusion_security" host: "" port: 8080 smtp: From b6a0718b0100685ec232e1c88140baddb8596bbb Mon Sep 17 00:00:00 2001 From: Qian Date: Wed, 20 Nov 2024 14:25:44 -0500 Subject: [PATCH 8/8] fixed the intentation --- stable/fdi-dotstatsuite-sfs-solr/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/fdi-dotstatsuite-sfs-solr/values.yaml b/stable/fdi-dotstatsuite-sfs-solr/values.yaml index 41e3446c..2490b343 100644 --- a/stable/fdi-dotstatsuite-sfs-solr/values.yaml +++ b/stable/fdi-dotstatsuite-sfs-solr/values.yaml @@ -242,7 +242,7 @@ mongo: name: "" podAnnotations: { - sidecar.istio.io/inject: 'false' + sidecar.istio.io/inject: 'false' } podSecurityContext: {} # fsGroup: 2000