diff --git a/.gitignore b/.gitignore index 7b99c26..4dd211f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ opencloud/Chart.lock -deployed_config.sh +deployed_config kind-logs \ No newline at end of file diff --git a/deployed_config b/deployed_config new file mode 100644 index 0000000..38ab762 --- /dev/null +++ b/deployed_config @@ -0,0 +1,19 @@ +apiVersion: v1 +clusters: +- cluster: + certificate-authority-data: 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 + server: https://127.0.0.1:40481 + name: kind-opencloud +contexts: +- context: + cluster: kind-opencloud + user: kind-opencloud + name: kind-opencloud +current-context: kind-opencloud +kind: Config +users: +- name: kind-opencloud + user: + client-certificate-data: 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 + client-key-data: 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 + diff --git a/import_datas.sh b/import_datas.sh deleted file mode 100755 index efcabf4..0000000 --- a/import_datas.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash -FILES=$(ls $1 | grep .json) -BRANCH=${2:-dev} - -export KUBECONFIG=$(realpath ./deployed_config) - -POD_NAME=$(kubectl get pods --all-namespaces -o=name | grep $BRANCH-mongodb-*) -for file in "${FILES[@]}"; do - echo "ADD file $file in collection ${file/.json/} : ${POD_NAME/pod\//}" - kubectl cp $file ${POD_NAME/pod\//}:/tmp/$file - kubectl exec ${POD_NAME/pod\//}: -- mongoimport --db DC_myDC --collection ${file/.json/} --file /tmp/$file --jsonArray -done diff --git a/oc-k8s.sh b/oc-k8s.sh index 21b0522..cfce1f3 100755 --- a/oc-k8s.sh +++ b/oc-k8s.sh 
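Review bot: The new `deployed_config` is a kubeconfig that carries `client-certificate-data` and `client-key-data` for the `kind-opencloud` cluster, and it is committed in the same change that adds `deployed_config` to `.gitignore`; an ignore rule does not untrack a file that is already staged, so the key stays in the repository history. The old rule ignored `deployed_config.sh`, which never matched the real filename, which is presumably how the file got staged in the first place. It should be dropped from the commit (`git rm --cached deployed_config`) and, if the repository has already been pushed anywhere shared, the kind cluster recreated so the client certificate is rotated. Nothing needs the file in version control: `oc-k8s.sh` regenerates it with `kind get kubeconfig --name opencloud > ./deployed_config` on every helm install.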
@@ -12,6 +12,70 @@ REPOS=( "oc-workflow" "oc-workspace" ) + + +main_replace_db() { + FILES=$(ls $1 | grep .json) + RELEASE=${2:-dev} + DB_NAME=${3:-opencloud} + + POD_NAME=$(kubectl get pods --all-namespaces -o=name | grep $RELEASE-mongodb-*) + main_delete_db + main_install_db +} + +main_delete_db() { + FILES=$(ls $1 | grep .json) + RELEASE=${2:-dev} + DB_NAME=${3:-opencloud} + + + POD_NAME=$(kubectl get pods --all-namespaces -o=name | grep $RELEASE-mongodb-*) + kubectl exec ${POD_NAME/pod\//}: -- mongosh --eval "db.getSiblingDB('$DB_NAME').dropDatabase()" +} + +main_install_db() { + FILES=$(ls $1 | grep .json) + RELEASE=${2:-dev} + DB_NAME=${3:-opencloud} + + + POD_NAME=$(kubectl get pods --all-namespaces -o=name | grep $RELEASE-mongodb-*) + + for file in "${FILES[@]}"; do + echo "ADD file $file in collection ${file/.json/} : ${POD_NAME/pod\//}" + kubectl cp $file ${POD_NAME/pod\//}:/tmp/$file + kubectl exec ${POD_NAME/pod\//}: -- mongoimport --db $DB_NAME --collection ${file/.json/} --file /tmp/$file --jsonArray + done +} + + +main_install() { + main_install_k3s + main_install_kind ${@:1} + main_install_helm +} + +main_install_k3s() { + sudo /usr/local/bin/k3s-uninstall.sh | true + sudo rm -rf /etc/rancher /var/lib/rancher ~/.kube | true + curl -sfL https://get.k3s.io | sh -s - --write-kubeconfig-mode 644 + sudo systemctl status k3s +} + +main_install_helm() { + curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash # install helm + helm version +} + +main_install_kind() { + ARCH=${1:-linux-amd64} # linux-amd64 linux-arm64 darwin-amd64 darwin-arm64 windows-amd64.exe + VERSION=${2:-v0.30.0} + if [[ "$ARCH" =~ *windows* ]]; then + ARCH=${ARCH}.exe + fi + curl -Lo kind-linux-amd64 https://kind.sigs.k8s.io/dl/${VERSION}/kind-${ARCH} +} # values template main_create_values() { set -euo pipefail @@ -32,7 +96,7 @@ main_create_values() { source "$ENV_FILE" set +a fi - + export RELEASE=$1 # Process the template awk ' { 
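Review bot: `main_install_k3s` and `main_install_helm` pipe unpinned remote installers straight into a shell (`curl -sfL https://get.k3s.io | sh -s -`, `get-helm-3` from the `main` branch `| bash`), so what runs depends on whatever those URLs serve on the day; both scripts honour a version variable (`curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=<pinned-k3s-version> sh -s -`, `DESIRED_VERSION=<pinned-helm-version> bash`), and `main_install_kind` already pins `VERSION=${2:-v0.30.0}`, so the same discipline fits here. In `main_install_kind`, `[[ "$ARCH" =~ *windows* ]]` is parsed as an extended regex, where a leading `*` is either rejected or taken literally, so it never matches `windows-amd64.exe`; the glob form `[[ "$ARCH" == *windows* ]]` is what was meant, and the download target `kind-linux-amd64` ignores `$ARCH`, so `-Lo kind-${ARCH}` keeps the two consistent. The three `main_*_db` functions build `FILES` as a scalar from `ls $1 | grep .json`, and `main_install_db` then iterates `"${FILES[@]}"`, which yields a single iteration whose `$file` is the whole newline-joined listing; `mapfile -t FILES < <(ls "$1" | grep '\.json$')` makes it a real array. `main_replace_db` also calls `main_delete_db` and `main_install_db` without forwarding its arguments, so both fall back to `dev`/`opencloud` and `ls $1` lists the current directory rather than the folder the caller passed.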
@@ -55,11 +119,20 @@ main_create_values() { # HELM SERVICE main_create_helm() { - main_delete_helm "${1:-dev}" | true RELEASE_NAME=${1:-dev} RELEASE_NAMESPACE=${1:-dev} + main_delete_helm "${1:-dev}" | true + helm dependency update + helm dependency build + kubectl delete sc longhorn-nor1 - helm install ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace -f opencloud/${RELEASE_NAME}-values.yaml + #kubectl apply -f ./opencloud/templates/sc-longhorn-nor1.yaml + #kubectl label storageclass longhorn-nor1 app.kubernetes.io/managed-by=Helm + #kubectl annotate storageclass longhorn-nor1 \ + # meta.helm.sh/release-name=${RELEASE_NAMESPACE} \ + # meta.helm.sh/release-namespace=${RELEASE_NAMESPACE} + ulimit -n 1000000 + helm install ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace -f ./opencloud/values/${RELEASE_NAME}-values.yaml --debug kind get kubeconfig --name opencloud > ./deployed_config @@ -70,7 +143,7 @@ main_upgrade_helm() { RELEASE_NAME=${1:-dev} RELEASE_NAMESPACE=${1:-dev} - helm upgrade ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace -f opencloud/${RELEASE_NAME}-values.yaml + helm upgrade ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace -f ./opencloud/values/${RELEASE_NAME}-values.yaml } main_delete_helm() { @@ -78,6 +151,7 @@ main_delete_helm() { RELEASE_NAMESPACE=${1:-dev} helm uninstall ${RELEASE_NAME} -n ${RELEASE_NAMESPACE} + kubectl delete namespace ${RELEASE_NAMESPACE} & export KUBECONFIG=$(realpath ~/.kube/config) } 
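Review bot: `helm install … --debug` makes Helm print the computed values and rendered manifest of the release, so if `./opencloud/values/${RELEASE_NAME}-values.yaml` carries MongoDB credentials or other secret data, they end up in the terminal and in whatever captures the install log; drop `--debug` from the default path or keep it behind an opt-in flag. `kind get kubeconfig --name opencloud > ./deployed_config` writes the cluster's client key into the working tree on every run, so that file must stay ignored and never be added. `kubectl delete sc longhorn-nor1` and `ulimit -n 1000000` have no error handling; if `main_create_values` (which runs `set -euo pipefail`) has executed in the same shell, a missing storage class or a ulimit above the hard limit aborts the function before `helm install` runs, which `kubectl delete sc longhorn-nor1 --ignore-not-found` and a guarded `ulimit -n 1000000 || true` avoid.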
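Review bot: `kubectl delete namespace ${RELEASE_NAMESPACE} &` is backgrounded and never waited for, so `main_delete_helm` returns while the namespace is still terminating; `main_create_helm` calls `main_delete_helm` first and then `helm install … --create-namespace` into the same name, which will fail or land in a namespace that is being torn down. Run the delete in the foreground with a bounded wait, `kubectl delete namespace "${RELEASE_NAMESPACE}" --ignore-not-found --wait=true --timeout=120s`, and keep `| true` only where the failure is genuinely acceptable.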
@@ -89,6 +163,14 @@ build_service() { local target=${3:-all} local repo_name=$(basename "$repo_url" .git) + server=$(grep 'server:' ~/.kube/config | awk '{print $2}') + + host=$(ip -4 addr show $(ip route | awk '/default/ {print $5}') | awk '/inet / {print $2}' | cut -d/ -f1) + port=6443 + ca=$(kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.certificate-authority-data}') + cert=$(kubectl config view --raw --minify -o jsonpath='{.users[0].user.client-certificate-data}') + key=$(kubectl config view --raw --minify -o jsonpath='{.users[0].user.client-key-data}') + echo "Processing repository: $repo_name" if [ ! -d "$1" ]; then @@ -103,7 +185,8 @@ build_service() { cd "$repo_name" && git checkout $branch && git pull echo "Running 'make $target' in $repo_name" - export HOST="${2:-http://beta.opencloud.com/}" && make "$target" + export HOST="${2:-http://beta.opencloud.com/}" && export KUBERNETES_SERVICE_HOST=$host && export KUBERNETES_SERVICE_PORT=$port \ + && export KUBE_CA=$ca && export KUBE_CERT=$cert && export KUBE_DATA=$key && make "$target" if [ $? -ne 0 ]; then echo "Error: make $target failed in $dir" exit 1 @@ -114,12 +197,12 @@ build_service() { main_build_services() { branch=${1:-main} target=${2:-all} + # docker system prune -af cd .. # Iterate through each repository in the list for repo in "${REPOS[@]}"; do build_service "$repo" "$branch" "$target" done - echo "All repositories processed successfully." } 
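Review bot: `server` is read from `~/.kube/config` but never used, while `host` is taken from the interface of the default route and `port=6443` is hard-coded, so the `KUBERNETES_SERVICE_HOST`/`KUBERNETES_SERVICE_PORT` exported to `make` in the next hunk need not point at the cluster the kubeconfig describes (the committed kind kubeconfig, for instance, has `server: https://127.0.0.1:40481`). Derive both from the same source as `ca`/`cert`/`key`: `server=$(kubectl config view --raw --minify -o jsonpath='{.clusters[0].cluster.server}')` and then split host and port out of `${server#https://}`. `grep 'server:' ~/.kube/config` also returns every cluster entry once the config has been merged, not just the active one. Separately, `ca`/`cert`/`key` are the admin client credentials from the kubeconfig and are exported into the build environment as `KUBE_CA`/`KUBE_CERT`/`KUBE_DATA`; if any `make` target bakes environment into an image layer or a build log, those credentials end up in the artifact, which is worth confirming in the service repos before relying on this. The rest of `build_service` lies outside the hunk.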
@@ -131,6 +214,7 @@ main_delete_cluster() { main_create_cluster() { main_delete_cluster | true + kubectl apply -f https://raw.githubusercontent.com/longhorn/longhorn/v1.9.0/deploy/longhorn.yaml cat < /tmp/kind-opencloud.kubeconfig - KUBECONFIG=~/.kube/config:/tmp/kind-opencloud.kubeconfig kubectl config view --flatten > ~/.kube/config # fusionnate clusters config. + # Merge the temporary kubeconfig with your existing one safely + KUBECONFIG=~/.kube/config:/tmp/kind-opencloud.kubeconfig kubectl config view --flatten --merge --minify > /tmp/merged-kubeconfig.yaml + + # Replace the original kubeconfig safely + mv /tmp/merged-kubeconfig.yaml ~/.kube/config + chmod 600 ~/.kube/config + + # Verify the contexts kubectl config get-contexts + # Switch to the new kind cluster context kubectl config use-context kind-opencloud } +main_help_k3s() { + echo " +Cluster commands: oc-k8s k3s + install - Install k3s + help - Show this help message + +Usage: + oc-k8s install k3s + oc-k8s help values +" +} + +main_help_kind() { + echo " +Cluster commands: oc-k8s kind + install - Install kind + help - Show this help message + +Usage: + oc-k8s install kind [arch] [version] + arch - Arch of OS (required) + kind_version - version of kind (required) + oc-k8s help values +" +} + main_help_values() { echo " Cluster commands: oc-k8s values 
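Review bot: `kubectl config view --flatten --merge --minify > /tmp/merged-kubeconfig.yaml` followed by `mv` over `~/.kube/config` is not a merge: `--minify` keeps only the cluster, user and context referenced by the current context, so every other entry in the existing `~/.kube/config` is discarded, and as far as kubectl's merge rules go the surviving current context is the one from the first file in `KUBECONFIG` (the old config), so the following `kubectl config use-context kind-opencloud` can fail because that context was just dropped. Drop `--minify` (and `--merge`, which is already the default) to get the full merged config; writing to a temp file and `chmod 600` before replacing is the right shape. The hunk text around `cat <` looks truncated in this rendering, so the lines that create the kind cluster may be missing from view; as shown, `kubectl apply -f …/longhorn/v1.9.0/deploy/longhorn.yaml` runs right after `main_delete_cluster`, against whatever context is current at that moment rather than the new cluster, which is worth confirming against the full file.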
@@ -184,6 +303,31 @@ Usage: " } +main_help_db() { + echo " +Cluster commands: oc-k8s cluster + create - Add datas in db + replace - Replace datas in db + delete - Delete datas in db + help - Show this help message + +Usage: + oc-k8s create db [file_path] [release] [db_name] + file_path - Datas folder files path (required) + release - Release values name (default: dev) + db_name - db name (default: opencloud) + oc-k8s replace db [file_path] [release] [db_name] + file_path - Datas folder files path (required) + release - Release values name (default: dev) + db_name - db name (default: opencloud) + oc-k8s delete db [file_path] [release] [db_name] + file_path - Datas folder files path (required) + release - Release values name (default: dev) + db_name - db name (default: opencloud) + oc-k8s help db +" +} + main_help_cluster() { echo " Cluster commands: oc-k8s cluster @@ -215,17 +359,19 @@ Usage: main_help_helm() { echo " Helm commands: oc-k8s helm + install - Install Helm create - Install a helm release for the given environment (default: dev) delete - Uninstall a helm release for the given environment (default: dev) help - Show this help message Usage: + oc-k8s install helm oc-k8s create helm [env] - dev - environnement selected (default: dev) + env - environnement selected (default: dev) oc-k8s upgrade helm [env] - dev - environnement selected (default: dev) + env - environnement selected (default: dev) oc-k8s delete helm [env] - dev - environnement selected (default: dev) + env - environnement selected (default: dev) oc-k8sh help helm " } 
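Review bot: `main_help_db` documents `oc-k8s create db …`, but the dispatcher at the bottom of the script resolves `main_${1}_${2}` and the function added for that verb is `main_install_db`, so `oc-k8s create db` finds nothing while `oc-k8s install db` works but is undocumented; either rename the function to `main_create_db` or change the help line to `install`. The header `Cluster commands: oc-k8s cluster` is copied from `main_help_cluster` and should read `DB commands: oc-k8s db`. `delete` is described as `Delete datas in db`, but `main_delete_db` runs `dropDatabase()` on `$DB_NAME`, so the help should say so plainly, e.g. `delete - Drop the whole database (irreversible)`, and `file_path` is listed as required for `delete` although that function never uses it.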
@@ -233,30 +379,43 @@ Usage: main_help_all() { echo " Main commands: oc-k8s + install - Install opencloud dependancies [arch] [version] start - Start opencloud k8s stop - Stop opencloud k8s Usage: - oc-k8s start [args] - oc-k8s stop [args] + oc-k8s install [arch] [version] + arch - Arch of OS (required) + kind_version - version of kind (required) + oc-k8s start [env] [branch] [target] + env - environnement selected (default: dev) + branch - Git branch to build (default: main) + target - make target (default: all) + oc-k8s stop " main_help_cluster main_help_services main_help_helm main_help_values + main_help_k3s + main_help_kind + main_help_db } main_start() { + sudo sysctl -w fs.inotify.max_user_instances=256 sudo /etc/init.d/apache2 stop sudo nginx -s stop - main_create_cluster "${@:1}" - main_build_services "${@:1}" - main_create_helm "${@:1}" + main_create_cluster + main_build_services "${@:2}" + cd ./oc-k8s + main_create_helm $1 } main_stop() { main_delete_helm "${@:1}" | true main_delete_cluster "${@:1}" | true } + if declare -f main_${1} > /dev/null; then main_${1} "${@:2}" elif declare -f main_${1}_${2} > /dev/null; then diff --git a/opencloud/charts/mongodb/.relok8s-images.yaml b/opencloud/charts/mongodb/.relok8s-images.yaml new file mode 100644 index 0000000..81233da --- /dev/null +++ b/opencloud/charts/mongodb/.relok8s-images.yaml 
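Review bot: `main_start` now runs `main_build_services`, which does `cd ..` and, as far as the visible hunks show, leaves the shell wherever `build_service`'s `cd "$repo_name"` put it, then does `cd ./oc-k8s` before `main_create_helm $1`, so the helm step works only when the checkout is literally named `oc-k8s` and is a sibling of the service repos. Capture the script directory once near the top of the file with `SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)` and use `cd "$SCRIPT_DIR"` here; running `build_service` in a subshell would avoid the stray `cd` altogether. `main_create_cluster` is now called without arguments while `main_stop` still forwards `"${@:1}"` to `main_delete_cluster`, which is inconsistent unless the create path genuinely takes none. The help in `main_help_all` lists `arch` and `kind_version` as `(required)` although `main_install_kind` defaults both (`linux-amd64`, `v0.30.0`), and `main_help_kind` in the earlier hunk has the same mismatch; `(default: linux-amd64)` and `(default: v0.30.0)` would match the code.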
@@ -0,0 +1,19 @@ +# relok8s image hints file +# This file makes this Helm Chart relocatable by relok8s +# More info here https://github.com/vmware-tanzu/asset-relocation-tool-for-kubernetes +# +# mongodb chart + +# mongodb image +- "{{.image.registry}}/{{.image.repository}}:{{.image.tag}}" +# kubectl image +- "{{.externalAccess.autoDiscovery.image.registry}}/{{.externalAccess.autoDiscovery.image.repository}}:{{.externalAccess.autoDiscovery.image.tag}}" +# mongodb-exporter image +- "{{.metrics.image.registry}}/{{.metrics.image.repository}}:{{.metrics.image.tag}}" +# nginx image +- "{{.tls.image.registry}}/{{.tls.image.repository}}:{{.tls.image.tag}}" +# os-shell image +- "{{.externalAccess.dnsCheck.image.registry}}/{{.externalAccess.dnsCheck.image.repository}}:{{.externalAccess.dnsCheck.image.tag}}" +# os-shell image +- "{{.volumePermissions.image.registry}}/{{.volumePermissions.image.repository}}:{{.volumePermissions.image.tag}}" + diff --git a/opencloud/charts/mongodb/Chart.lock b/opencloud/charts/mongodb/Chart.lock deleted file mode 100644 index d575a61..0000000 --- a/opencloud/charts/mongodb/Chart.lock +++ /dev/null @@ -1,6 +0,0 @@ -dependencies: -- name: common - repository: oci://registry-1.docker.io/bitnamicharts - version: 2.27.0 -digest: sha256:b711ab5874abf868a0c64353a790f17771758cee6f802acb9819be004c8460af -generated: "2024-11-14T11:36:35.060517594+01:00" diff --git a/opencloud/charts/mongodb/Chart.yaml b/opencloud/charts/mongodb/Chart.yaml index 1e1b9ab..d539b77 100644 --- a/opencloud/charts/mongodb/Chart.yaml +++ b/opencloud/charts/mongodb/Chart.yaml 
@@ -1,30 +1,34 @@ annotations: - category: Database + fips: "true" images: | - name: kubectl - image: docker.io/bitnami/kubectl:1.31.2-debian-12-r3 + version: 1.34.1 + image: registry-1.docker.io/bitnami/kubectl:latest - name: mongodb - image: docker.io/bitnami/mongodb:8.0.3-debian-12-r0 + version: 8.2.1 + image: registry-1.docker.io/bitnami/mongodb:latest - name: mongodb-exporter - image: docker.io/bitnami/mongodb-exporter:0.41.2-debian-12-r1 + version: 0.47.1 + image: registry-1.docker.io/bitnami/mongodb-exporter:latest - name: nginx - image: docker.io/bitnami/nginx:1.27.2-debian-12-r2 + version: 1.29.3 + image: registry-1.docker.io/bitnami/nginx:latest - name: os-shell - image: docker.io/bitnami/os-shell:12-debian-12-r32 + version: "5" + image: registry-1.docker.io/bitnami/os-shell:latest licenses: Apache-2.0 + tanzuCategory: service apiVersion: v2 -appVersion: 8.0.3 +appVersion: 8.2.1 dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts tags: - bitnami-common - version: 2.x.x -description: MongoDB(R) is a relational open source NoSQL database. Easy to use, it - stores data in JSON-like documents. Automated scalability and high-performance. - Ideal for developing cloud native applications. + version: 2.33.2 +description: "MongoDB(R) is a relational open source NoSQL database. Easy to use, it stores data in JSON-like documents. Automated scalability and high-performance. Ideal for developing cloud native applications." home: https://bitnami.com -icon: https://bitnami.com/assets/stacks/mongodb/img/mongodb-stack-220x234.png +icon: https://dyltqmyl993wv.cloudfront.net/assets/stacks/mongodb/img/mongodb-stack-220x234.png keywords: - mongodb - database 
@@ -33,9 +37,9 @@ keywords: - replicaset - replication maintainers: -- name: Broadcom, Inc. All Rights Reserved. +- name: "Broadcom, Inc. All Rights Reserved." url: https://github.com/bitnami/charts name: mongodb sources: - https://github.com/bitnami/charts/tree/main/bitnami/mongodb -version: 16.3.1 +version: 18.1.9 diff --git a/opencloud/charts/mongodb/README.md b/opencloud/charts/mongodb/README.md index b953035..f925378 100644 --- a/opencloud/charts/mongodb/README.md +++ b/opencloud/charts/mongodb/README.md 
@@ -1,27 +1,42 @@ -# MongoDB(R) packaged by Bitnami +# MongoDB® packaged by Bitnami -MongoDB(R) is a relational open source NoSQL database. Easy to use, it stores data in JSON-like documents. Automated scalability and high-performance. Ideal for developing cloud native applications. +MongoDB® is a relational open source NoSQL database. Easy to use, it stores data in JSON-like documents. Automated scalability and high-performance. Ideal for developing cloud native applications. [Overview of MongoDB®](http://www.mongodb.org) -Disclaimer: The respective trademarks mentioned in the offering are owned by the respective companies. We do not provide a commercial license for any of these products. This listing has an open-source license. MongoDB(R) is run and maintained by MongoDB, which is a completely separate project from Bitnami. +Disclaimer: The respective trademarks mentioned in the offering are owned by the respective companies. We do not provide a commercial license for any of these products. This listing has an open-source license. MongoDB® is run and maintained by MongoDB, which is a completely separate project from Bitnami. ## TL;DR ```console -helm install my-release oci://registry-1.docker.io/bitnamicharts/mongodb +helm install my-release oci://MY-OCI-REGISTRY/mongodb ``` -Looking to use MongoDBreg; in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. +> Tip: Did you know that this app is also available as a Kubernetes App on the Azure Marketplace? Kubernetes Apps are the easiest way to deploy Bitnami on AKS. Click [here](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/bitnami.mongodb-cnab) to see the listing on Azure Marketplace. + +## Why use Bitnami Secure Images? + +Those are hardened, minimal CVE images built and maintained by Bitnami. 
Bitnami Secure Images are based on the cloud-optimized, security-hardened enterprise [OS Photon Linux](https://vmware.github.io/photon/). Why choose BSI images? + +- Hardened secure images of popular open source software with Near-Zero Vulnerabilities +- Vulnerability Triage & Prioritization with VEX Statements, KEV and EPSS Scores +- Compliance focus with FIPS, STIG, and air-gap options, including secure bill of materials (SBOM) +- Software supply chain provenance attestation through in-toto +- First class support for the internet’s favorite Helm charts + +Each image comes with valuable security metadata. You can view the metadata in [our public catalog here](https://app-catalog.vmware.com/bitnami/apps). Note: Some data is only available with [commercial subscriptions to BSI](https://bitnami.com/). + +![Alt text](https://github.com/bitnami/containers/blob/main/BSI%20UI%201.png?raw=true "Application details") +![Alt text](https://github.com/bitnami/containers/blob/main/BSI%20UI%202.png?raw=true "Packaging report") + +If you are looking for our previous generation of images based on Debian Linux, please see the [Bitnami Legacy registry](https://hub.docker.com/u/bitnamilegacy). ## Introduction This chart bootstraps a [MongoDB(®)](https://github.com/bitnami/containers/tree/main/bitnami/mongodb) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. -Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. - ## Architecture This chart allows installing MongoDB(®) using two different architecture setups: `standalone` or `replicaset`. Use the `architecture` parameter to choose the one to use: 
@@ -121,7 +136,25 @@ The command deploys MongoDB(®) on the Kubernetes cluster in the default conf Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. -To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcesPreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### Prometheus metrics + +This chart can be integrated with Prometheus by setting `metrics.enabled` to `true`. This will deploy a sidecar container with [mongodb_exporter](https://github.com/percona/mongodb_exporter) in all pods and a `metrics` service, which can be configured under the `metrics.service` section. This `metrics` service will have the necessary annotations to be automatically scraped by Prometheus. 
+ +#### Prometheus requirements + +It is necessary to have a working installation of Prometheus or Prometheus Operator for the integration to work. Install the [Bitnami Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/prometheus) or the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) to easily have a working Prometheus in your cluster. + +#### Integration with Prometheus Operator + +The chart can deploy `ServiceMonitor` objects for integration with Prometheus Operator installations. To do so, set the value `metrics.serviceMonitor.enabled=true`. Ensure that the Prometheus Operator `CustomResourceDefinitions` are installed in the cluster or it will fail with the following error: + +```text +no matches for kind "ServiceMonitor" in version "monitoring.coreos.com/v1" +``` + +Install the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) for having the necessary CRDs and the Prometheus Operator. ### [Rolling vs Immutable tags](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html) @@ -318,7 +351,7 @@ passwordUpdateJob: In the following example we update the password via values.yaml in a MongoDB installation with replication and several usernames and databases (including metrics). ```yaml -architecture: "replication" +architecture: "replicaset" auth: usernames: @@ -363,7 +396,7 @@ passwordUpdateJob: You can add extra update commands using the `passwordUpdateJob.extraCommands` value. -### Backup and restore MongoDB(R) deployments +### Backup and restore Two different approaches are available to back up and restore Bitnami MongoDB® Helm chart deployments on Kubernetes: 
@@ -418,7 +451,7 @@ Custom Prometheus rules can be defined for the Prometheus Operator by using the summary: High request latency ``` -### Enable SSL/TLS +### Securing traffic using TLS This chart supports enabling SSL/TLS between nodes in the cluster, as well as between MongoDB(®) clients and nodes, by setting the `MONGODB_EXTRA_FLAGS` and `MONGODB_CLIENT_EXTRA_FLAGS` container environment variables, together with the correct `MONGODB_ADVERTISED_HOSTNAME`. To enable full TLS encryption, set the `tls.enabled` parameter to `true`. @@ -465,6 +498,12 @@ This chart allows you to set your custom affinity using the `XXX.affinity` param As an alternative, you can use the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. +### FIPS parameters + +The FIPS parameters only have effect if you are using images from the [Bitnami Secure Images catalog](https://go-vmware.broadcom.com/contact-us). + +For more information on this new support, please refer to the [FIPS Compliance section](https://techdocs.broadcom.com/us/en/vmware-tanzu/bitnami-secure-images/bitnami-secure-images/services/bsi-doc/security-frameworks-FIPS-compliance.html). + ## Persistence The [Bitnami MongoDB(®)](https://github.com/bitnami/containers/tree/main/bitnami/mongodb) image stores the MongoDB(®) data and configurations at the `/bitnami/mongodb` path of the container. 
@@ -477,14 +516,16 @@ If you encounter errors when working with persistent volumes, refer to our [trou ### Global parameters -| Name | Description | Value | -| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | -| `global.imageRegistry` | Global Docker image registry | `""` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | -| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` | -| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` | -| `global.namespaceOverride` | Override the namespace for resource deployed by the chart, but can itself be overridden by the local namespaceOverride | `""` | -| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` | +| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` | +| `global.namespaceOverride` | Override the namespace for resource deployed by the chart, but can itself be overridden by the local namespaceOverride | `""` | +| `global.defaultFips` | Default value for the FIPS configuration (allowed values: '', restricted, relaxed, off). Can be overriden by the 'fips' object | `restricted` | +| `global.security.allowInsecureImages` | Allows skipping image verification | `false` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | ### Common parameters 
@@ -501,6 +542,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou | `topologyKey` | Override common lib default topology key. If empty - "kubernetes.io/hostname" is used | `""` | | `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` | | `enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | +| `usePasswordFiles` | Mount credentials as files instead of using environment variables | `true` | | `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | | `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` | | `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` | @@ -549,6 +591,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou | `tls.mode` | Allows to set the tls mode which should be used when tls is enabled (options: `allowTLS`, `preferTLS`, `requireTLS`) | `requireTLS` | | `tls.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if tls.resources is set (tls.resources is recommended for production). | `nano` | | `tls.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `tls.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` | | `tls.securityContext` | Init container generate-tls-cert Security context | `{}` | | `automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `hostAliases` | Add deployment host aliases | `[]` | 
@@ -619,6 +662,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou | `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | | `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `small` | | `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` | | `containerPorts.mongodb` | MongoDB(®) container port | `27017` | | `livenessProbe.enabled` | Enable livenessProbe | `true` | | `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | 
@@ -667,9 +711,10 @@ If you encounter errors when working with persistent volumes, refer to our [trou | `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | | `service.annotations` | Provide any additional annotations that may be required | `{}` | | `service.externalTrafficPolicy` | service external traffic policy (only for standalone architecture) | `Local` | -| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | -| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin. Allowed values: `ClientIP` or `None` | `None` | +| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity. Ignored if `service.sessionAffinity` is `None` | `{}` | | `service.headless.annotations` | Annotations for the headless service. | `{}` | +| `service.publishNotReadyAddresses` | Indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready | `false` | | `externalAccess.enabled` | Enable Kubernetes external cluster access to MongoDB(®) nodes (only for replicaset architecture) | `false` | | `externalAccess.autoDiscovery.enabled` | Enable using an init container to auto-detect external IPs by querying the K8s API | `false` | | `externalAccess.autoDiscovery.image.registry` | Init container auto-discovery image registry | `REGISTRY_NAME` | 
@@ -679,6 +724,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou | `externalAccess.autoDiscovery.image.pullSecrets` | Init container auto-discovery image pull secrets | `[]` | | `externalAccess.autoDiscovery.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if externalAccess.autoDiscovery.resources is set (externalAccess.autoDiscovery.resources is recommended for production). | `nano` | | `externalAccess.autoDiscovery.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `externalAccess.autoDiscovery.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` | | `externalAccess.dnsCheck.image.registry` | Init container dns-check image registry | `REGISTRY_NAME` | | `externalAccess.dnsCheck.image.repository` | Init container dns-check image repository | `REPOSITORY_NAME/kubectl` | | `externalAccess.dnsCheck.image.digest` | Init container dns-check image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | 
@@ -686,6 +732,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
 | `externalAccess.dnsCheck.image.pullSecrets` | Init container dns-check image pull secrets | `[]` |
 | `externalAccess.dnsCheck.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if externalAccess.autoDiscovery.resources is set (externalAccess.autoDiscovery.resources is recommended for production). | `nano` |
 | `externalAccess.dnsCheck.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `externalAccess.dnsCheck.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
 | `externalAccess.externalMaster.enabled` | Use external master for bootstrapping | `false` |
 | `externalAccess.externalMaster.host` | External master host to bootstrap from | `""` |
 | `externalAccess.externalMaster.port` | Port for MongoDB(®) service external master host | `27017` |
@@ -703,8 +750,8 @@ If you encounter errors when working with persistent volumes, refer to our [trou
 | `externalAccess.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
 | `externalAccess.service.annotations` | Service annotations for external access. These annotations are common for all services created. | `{}` |
 | `externalAccess.service.annotationsList` | Service annotations for eache external service. This value contains a list allowing different annotations per each external service. | `[]` |
-| `externalAccess.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
-| `externalAccess.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `externalAccess.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin. Allowed values: `ClientIP` or `None` | `None` |
+| `externalAccess.service.sessionAffinityConfig` | Additional settings for the sessionAffinity. Ignored if `externalAccess.service.sessionAffinity` is `None` | `{}` |
 | `externalAccess.hidden.enabled` | Enable Kubernetes external cluster access to MongoDB(®) hidden nodes | `false` |
 | `externalAccess.hidden.service.type` | Kubernetes Service type for external access. Allowed values: NodePort or LoadBalancer | `LoadBalancer` |
 | `externalAccess.hidden.service.portName` | MongoDB(®) port name used for external access when service type is LoadBalancer | `mongodb` |
@@ -718,8 +765,8 @@ If you encounter errors when working with persistent volumes, refer to our [trou
 | `externalAccess.hidden.service.domain` | Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort | `""` |
 | `externalAccess.hidden.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` |
 | `externalAccess.hidden.service.annotations` | Service annotations for external access | `{}` |
-| `externalAccess.hidden.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` |
-| `externalAccess.hidden.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
+| `externalAccess.hidden.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin. Allowed values: `ClientIP` or `None` | `None` |
+| `externalAccess.hidden.service.sessionAffinityConfig` | Additional settings for the sessionAffinity. Ignored if `externalAccess.hidden.service.sessionAffinity` is `None` | `{}` |
 ### Password update job
@@ -755,6 +802,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
 | `passwordUpdateJob.initContainers` | Add additional init containers for the mysql Primary pod(s) | `[]` |
 | `passwordUpdateJob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if passwordUpdateJob.resources is set (passwordUpdateJob.resources is recommended for production). | `micro` |
 | `passwordUpdateJob.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `passwordUpdateJob.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
 | `passwordUpdateJob.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
 | `passwordUpdateJob.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
 | `passwordUpdateJob.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
@@ -810,6 +858,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
 | `backup.cronjob.ttlSecondsAfterFinished` | Set the cronjob parameter ttlSecondsAfterFinished | `""` |
 | `backup.cronjob.restartPolicy` | Set the cronjob parameter restartPolicy | `OnFailure` |
 | `backup.cronjob.backoffLimit` | Set the cronjob parameter backoffLimit | `6` |
+| `backup.cronjob.serviceAccount.name` | Set the cronjob parameter serviceAccountName. If you change from the default values make sure that the SA already exists. | `default` |
 | `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
 | `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
@@ -822,6 +871,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
 | `backup.cronjob.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
 | `backup.cronjob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `none` |
 | `backup.cronjob.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `backup.cronjob.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
 | `backup.cronjob.command` | Set backup container's command to run | `[]` |
 | `backup.cronjob.labels` | Set the cronjob labels | `{}` |
 | `backup.cronjob.annotations` | Set the cronjob annotations | `{}` |
@@ -862,6 +912,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
 | `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
 | `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` |
 | `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `volumePermissions.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
 | `volumePermissions.securityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `volumePermissions.securityContext.runAsUser` | User ID for the volumePermissions container | `0` |
@@ -917,6 +968,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
 | `arbiter.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
 | `arbiter.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if arbiter.resources is set (arbiter.resources is recommended for production). | `small` |
 | `arbiter.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `arbiter.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
 | `arbiter.containerPorts.mongodb` | MongoDB(®) arbiter container port | `27017` |
 | `arbiter.livenessProbe.enabled` | Enable livenessProbe | `true` |
 | `arbiter.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
@@ -1005,6 +1057,7 @@ If you encounter errors when working with persistent volumes, refer to our [trou
 | `hidden.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
 | `hidden.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if hidden.resources is set (hidden.resources is recommended for production). | `micro` |
 | `hidden.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `hidden.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
 | `hidden.containerPorts.mongodb` | MongoDB(®) hidden container port | `27017` |
 | `hidden.livenessProbe.enabled` | Enable livenessProbe | `true` |
 | `hidden.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` |
@@ -1080,6 +1133,8 @@ If you encounter errors when working with persistent volumes, refer to our [trou
 | `metrics.args` | Override default container args (useful when using custom images) | `[]` |
 | `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` |
 | `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
+| `metrics.fips.openssl` | Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `""` |
+| `metrics.fips.golang` | Configure Golang FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used | `relaxed` |
 | `metrics.containerPort` | Port of the Prometheus metrics container | `9216` |
 | `metrics.service.annotations` | Annotations for Prometheus Exporter pods. Evaluated as a template. | `{}` |
 | `metrics.service.type` | Type of the Prometheus metrics service | `ClusterIP` |
@@ -1151,6 +1206,10 @@ Find more information about how to deal with common errors related to Bitnami's
 ## Upgrading
+### To 16.4.0
+
+This version introduces image verification for security purposes. To disable it, set `global.security.allowInsecureImages` to `true`. More details at [GitHub issue](https://github.com/bitnami/charts/issues/30850).
+
 If authentication is enabled, it's necessary to set the `auth.rootPassword` (also `auth.replicaSetKey` when using a replicaset architecture) when upgrading for readiness/liveness probes to work properly. When you install this chart for the first time, some notes will be displayed providing the credentials you must use under the 'Credentials' section. Please note down the password, and run the command below to upgrade your chart:
 ```console
@@ -1288,7 +1347,7 @@ extraDeploy: ## License -Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. +Copyright © 2025 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -1300,4 +1359,4 @@ Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and -limitations under the License. \ No newline at end of file +limitations under the License. diff --git a/opencloud/charts/mongodb/charts/common/Chart.yaml b/opencloud/charts/mongodb/charts/common/Chart.yaml index 7205cfe..fb0a86e 100644 --- a/opencloud/charts/mongodb/charts/common/Chart.yaml +++ b/opencloud/charts/mongodb/charts/common/Chart.yaml @@ -1,12 +1,14 @@ annotations: - category: Infrastructure + fips: "true" + images: | + [] licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.27.0 +appVersion: 2.33.2 description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. home: https://bitnami.com -icon: https://bitnami.com/downloads/logos/bitnami-mark.png +icon: https://dyltqmyl993wv.cloudfront.net/downloads/logos/bitnami-mark.png keywords: - common - helper @@ -20,4 +22,4 @@ name: common sources: - https://github.com/bitnami/charts/tree/main/bitnami/common type: library -version: 2.27.0 +version: 2.33.2 diff --git a/opencloud/charts/mongodb/charts/common/README.md b/opencloud/charts/mongodb/charts/common/README.md index 3943ed0..90d377a 100644 --- a/opencloud/charts/mongodb/charts/common/README.md +++ b/opencloud/charts/mongodb/charts/common/README.md 
@@ -1,6 +1,12 @@ -# Bitnami Common Library Chart + -A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts. +# Common library for Bitnami packages + +A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. + +[Overview of Common](https://github.com/bitnami/charts/tree/main/bitnami/common) + +Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement. ## TL;DR @@ -8,7 +14,7 @@ A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for gro dependencies: - name: common version: 2.x.x - repository: oci://registry-1.docker.io/bitnamicharts + repository: oci://MY-OCI-REGISTRY ``` ```console 
@@ -24,14 +30,27 @@ data: myvalue: "Hello World" ``` -Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. +## Why use Bitnami Secure Images? + +Those are hardened, minimal CVE images built and maintained by Bitnami. Bitnami Secure Images are based on the cloud-optimized, security-hardened enterprise [OS Photon Linux](https://vmware.github.io/photon/). Why choose BSI images? + +- Hardened secure images of popular open source software with Near-Zero Vulnerabilities +- Vulnerability Triage & Prioritization with VEX Statements, KEV and EPSS Scores +- Compliance focus with FIPS, STIG, and air-gap options, including secure bill of materials (SBOM) +- Software supply chain provenance attestation through in-toto +- First class support for the internet’s favorite Helm charts + +Each image comes with valuable security metadata. You can view the metadata in [our public catalog here](https://app-catalog.vmware.com/bitnami/apps). Note: Some data is only available with [commercial subscriptions to BSI](https://bitnami.com/). + +![Alt text](https://github.com/bitnami/containers/blob/main/BSI%20UI%201.png?raw=true "Application details") +![Alt text](https://github.com/bitnami/containers/blob/main/BSI%20UI%202.png?raw=true "Packaging report") + +If you are looking for our previous generation of images based on Debian Linux, please see the [Bitnami Legacy registry](https://hub.docker.com/u/bitnamilegacy). ## Introduction This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. -Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. - ## Prerequisites - Kubernetes 1.23+ 
@@ -39,6 +58,162 @@ Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment ## Parameters +The following table lists the helpers available in the library which are scoped in different sections. + +### Affinities + +| Helper identifier | Description | Expected Input | +| ------------------------------- | ---------------------------------------------------- | ------------------------------------------------------------ | +| `common.affinities.nodes.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.nodes.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.nodes` | Return a nodeAffinity definition | `dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.topologyKey` | Return a topologyKey definition | `dict "topologyKey" "FOO"` | +| `common.affinities.pods.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | +| `common.affinities.pods.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | +| `common.affinities.pods` | Return a podAffinity/podAntiAffinity definition | `dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")` | + +### Capabilities + +| Helper identifier | Description | Expected Input | +| --------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | --------------------------------------- | +| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context | +| `common.capabilities.apiVersions.has` | Return true if the apiVersion is supported | `dict "version" "batch/v1" "context" $` | +| `common.capabilities.job.apiVersion` | Return the appropriate apiVersion for job. 
| `.` Chart context | +| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context | +| `common.capabilities.daemonset.apiVersion` | Return the appropriate apiVersion for daemonset. | `.` Chart context | +| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context | +| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context | +| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context | +| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context | +| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context | +| `common.capabilities.policy.apiVersion` | Return the appropriate apiVersion for podsecuritypolicy. | `.` Chart context | +| `common.capabilities.networkPolicy.apiVersion` | Return the appropriate apiVersion for networkpolicy. | `.` Chart context | +| `common.capabilities.apiService.apiVersion` | Return the appropriate apiVersion for APIService. | `.` Chart context | +| `common.capabilities.hpa.apiVersion` | Return the appropriate apiVersion for Horizontal Pod Autoscaler | `.` Chart context | +| `common.capabilities.vpa.apiVersion` | Return the appropriate apiVersion for Vertical Pod Autoscaler. | `.` Chart context | +| `common.capabilities.psp.supported` | Returns true if PodSecurityPolicy is supported | `.` Chart context | +| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context | +| `common.capabilities.admissionConfiguration.supported` | Returns true if AdmissionConfiguration is supported | `.` Chart context | +| `common.capabilities.admissionConfiguration.apiVersion` | Return the appropriate apiVersion for AdmissionConfiguration. 
| `.` Chart context | +| `common.capabilities.podSecurityConfiguration.apiVersion` | Return the appropriate apiVersion for PodSecurityConfiguration. | `.` Chart context | + +### Certificates + +| Helper identifier | Description | Expected Input | +| ------------------ | ---------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | +| `common.certs.sans`| Returns a space-separated list of Subject Alternative Names (SANs) to create a TLS certificate | `dict "namespace" "default" "clusterDomain" "cluster.local" "serviceName" "my-service" "headlessServiceName" "my-service-headless"` | + +### Compatibility + +| Helper identifier | Description | Expected Input | +| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- | +| `common.compatibility.isOpenshift` | Return true if the detected platform is Openshift | `.` Chart context | +| `common.compatibility.renderSecurityContext` | Render a compatible securityContext depending on the platform. By default it is maintained as it is. 
In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC | `dict "secContext" .Values.containerSecurityContext "context" $` | + +### Errors + +| Helper identifier | Description | Expected Input | +| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | +| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` | +| `common.errors.insecureImages` | Throw error when original container images are replaced. The error can be bypassed by setting the `global.security.allowInsecureImages` to true. | `dict "images" (list .Values.path.to.the.imageRoot) "context" $` | + +### Images + +| Helper identifier | Description | Expected Input | +| --------------------------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | +| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. 
| +| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` | +| `common.images.renderPullSecrets` | Return the proper Docker Image Registry Secret Names (evaluates values as templates) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $` | +| `common.images.version` | Return the proper image version | `dict "imageRoot" .Values.path.to.the.image "chart" .Chart` , see [ImageRoot](#imageroot) for the structure. | + +### Ingress + +| Helper identifier | Description | Expected Input | +| ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences | +| `common.ingress.certManagerRequest` | Prints "true" if required cert-manager annotations for TLS signed certificates are set in the Ingress annotations | `dict "annotations" .Values.path.to.the.ingress.annotations` | + +### Labels + +| Helper identifier | Description | Expected Input | +| --------------------------- | --------------------------------------------------------------------------- | ----------------- | +| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context | +| `common.labels.matchLabels` | Labels to use on `deploy.spec.selector.matchLabels` and `svc.spec.selector` | `.` Chart context | + +### Names + +| Helper 
identifier | Description | Expected Input | +| ---------------------------------- | --------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- | +| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context | +| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context | +| `common.names.namespace` | Allow the release namespace to be overridden | `.` Chart context | +| `common.names.fullname.namespace` | Create a fully qualified app name adding the installation's namespace | `.` Chart context | +| `common.names.chart` | Chart name plus version | `.` Chart context | +| `common.names.dependency.fullname` | Create a default fully qualified dependency name. | `dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $` | + +### Resources + +| Helper identifier | Description | Expected Input | +| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | +| `common.resources.preset` | Return a resource request/limit object based on a given preset. These presets are for basic testing and not meant to be used in production. | `dict "type" "nano"` | + +### Secrets + +| Helper identifier | Description | Expected Input | +| --------------------------------- | -------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `common.secrets.name` | Generate the name of the secret. 
| `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. | +| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. | +| `common.secrets.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "honorProvidedValues" false "context" $`, length, strong, honorProvidedValues and chartName fields are optional. | +| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` | +| `common.secrets.lookup` | Reuses the value from an existing secret, otherwise sets its value to a default value. | `dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $` | + +### Storage + +| Helper identifier | Description | Expected Input | +| ---------------------- | -------------------------------- | ------------------------------------------------------------------------------------------------------------------- | +| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. 
| + +### TplValues + +| Helper identifier | Description | Expected Input | +| ---------------------------------- | ------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` | +| `common.tplvalues.merge` | Merge a list of values that contains template after rendering them. | `dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $` | +| `common.tplvalues.merge-overwrite` | Merge a list of values that contains template after rendering them. | `dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $` | + +### Utils + +| Helper identifier | Description | Expected Input | +| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- | +| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` | +| `common.utils.secret.getvalue` | Print instructions to get a secret value. 
| `dict "secret" "secret-name" "field" "secret-value-field" "context" $` | +| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` | +| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` | +| `common.utils.checksumTemplate` | Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376) | `dict "path" "/configmap.yaml" "context" $` | + +### Validations + +| Helper identifier | Description | Expected Input | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) | +| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) | +| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. 
| `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. | + +### Warnings + +| Helper identifier | Description | Expected Input | +| -------------------------------- | ----------------------------------------------------------------- | ---------------------------------------------------------- | +| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | +| `common.warnings.modifiedImages` | Warning about replaced images from the original. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | +| `common.warnings.resources` | Warning about not setting the resource object in all deployments. | `dict "sections" (list "path1" "path2") context $` | + +### FIPS + +| Helper identifier | Description | Expected Input | +| -------------------- | ------------------- | ------------------------------------------------------------------------------- | +| `common.fips.enabled` | Enable FIPS mode | `.` Chart context | +| `common.fips.config` | Configure FIPS mode | `dict "tech" "openssl|java|golang" "fips" .Values.fips "global" .Values.global` | + ## Special input schemas ### ImageRoot @@ -220,7 +395,7 @@ helm install test mychart --set path.to.value00="",path.to.value01="" ## License -Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. +Copyright © 2025 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/opencloud/charts/mongodb/charts/common/templates/_affinities.tpl b/opencloud/charts/mongodb/charts/common/templates/_affinities.tpl index d387dbe..c6ccc62 100644 --- a/opencloud/charts/mongodb/charts/common/templates/_affinities.tpl 
+++ b/opencloud/charts/mongodb/charts/common/templates/_affinities.tpl @@ -82,7 +82,7 @@ preferredDuringSchedulingIgnoredDuringExecution: namespaces: - {{ .context.Release.Namespace }} {{- with $extraNamespaces }} - {{ include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }} + {{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }} {{- end }} {{- end }} topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} @@ -97,6 +97,13 @@ preferredDuringSchedulingIgnoredDuringExecution: {{- range $key, $value := .extraMatchLabels }} {{ $key }}: {{ $value | quote }} {{- end }} + {{- if .namespaces }} + namespaces: + - {{ $.context.Release.Namespace }} + {{- with .namespaces }} + {{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }} + {{- end }} + {{- end }} topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} weight: {{ .weight | default 1 -}} {{- end -}} @@ -121,13 +128,13 @@ requiredDuringSchedulingIgnoredDuringExecution: {{- range $key, $value := $extraMatchLabels }} {{ $key }}: {{ $value | quote }} {{- end }} - {{- if $extraNamespaces }} - namespaces: - - {{ .context.Release.Namespace }} - {{- with $extraNamespaces }} - {{ include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }} - {{- end }} + {{- if $extraNamespaces }} + namespaces: + - {{ .context.Release.Namespace }} + {{- with $extraNamespaces }} + {{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 6 }} {{- end }} + {{- end }} topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} {{- range $extraPodAffinityTerms }} - labelSelector: 
@@ -138,6 +145,13 @@ requiredDuringSchedulingIgnoredDuringExecution: {{- range $key, $value := .extraMatchLabels }} {{ $key }}: {{ $value | quote }} {{- end }} + {{- if .namespaces }} + namespaces: + - {{ $.context.Release.Namespace }} + {{- with .namespaces }} + {{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 6 }} + {{- end }} + {{- end }} topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} {{- end -}} {{- end -}} diff --git a/opencloud/charts/mongodb/charts/common/templates/_capabilities.tpl b/opencloud/charts/mongodb/charts/common/templates/_capabilities.tpl index 2fe81d3..58f58c1 100644 --- a/opencloud/charts/mongodb/charts/common/templates/_capabilities.tpl +++ b/opencloud/charts/mongodb/charts/common/templates/_capabilities.tpl 
@@ -12,159 +12,114 @@ Return the target Kubernetes version {{- default (default .Capabilities.KubeVersion.Version .Values.kubeVersion) ((.Values.global).kubeVersion) -}} {{- end -}} +{{/* +Return true if the apiVersion is supported +Usage: +{{ include "common.capabilities.apiVersions.has" (dict "version" "batch/v1" "context" $) }} +*/}} +{{- define "common.capabilities.apiVersions.has" -}} +{{- $providedAPIVersions := default .context.Values.apiVersions ((.context.Values.global).apiVersions) -}} +{{- if and (empty $providedAPIVersions) (.context.Capabilities.APIVersions.Has .version) -}} + {{- true -}} +{{- else if has .version $providedAPIVersions -}} + {{- true -}} +{{- end -}} +{{- end -}} + {{/* Return the appropriate apiVersion for poddisruptionbudget. */}} {{- define "common.capabilities.policy.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}} -{{- print "policy/v1beta1" -}} -{{- else -}} {{- print "policy/v1" -}} {{- end -}} -{{- end -}} {{/* Return the appropriate apiVersion for networkpolicy. */}} {{- define "common.capabilities.networkPolicy.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.7-0" $kubeVersion) -}} -{{- print "extensions/v1beta1" -}} -{{- else -}} {{- print "networking.k8s.io/v1" -}} {{- end -}} + +{{/* +Return the appropriate apiVersion for job. +*/}} +{{- define "common.capabilities.job.apiVersion" -}} +{{- print "batch/v1" -}} {{- end -}} {{/* Return the appropriate apiVersion for cronjob. */}} {{- define "common.capabilities.cronjob.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . 
-}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}} -{{- print "batch/v1beta1" -}} -{{- else -}} {{- print "batch/v1" -}} {{- end -}} -{{- end -}} {{/* Return the appropriate apiVersion for daemonset. */}} {{- define "common.capabilities.daemonset.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} -{{- print "extensions/v1beta1" -}} -{{- else -}} {{- print "apps/v1" -}} {{- end -}} -{{- end -}} {{/* Return the appropriate apiVersion for deployment. */}} {{- define "common.capabilities.deployment.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} -{{- print "extensions/v1beta1" -}} -{{- else -}} {{- print "apps/v1" -}} {{- end -}} -{{- end -}} {{/* Return the appropriate apiVersion for statefulset. */}} {{- define "common.capabilities.statefulset.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} -{{- print "apps/v1beta1" -}} -{{- else -}} {{- print "apps/v1" -}} {{- end -}} -{{- end -}} {{/* Return the appropriate apiVersion for ingress. */}} {{- define "common.capabilities.ingress.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if (.Values.ingress).apiVersion -}} -{{- .Values.ingress.apiVersion -}} -{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} -{{- print "extensions/v1beta1" -}} -{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}} -{{- print "networking.k8s.io/v1beta1" -}} -{{- else -}} {{- print "networking.k8s.io/v1" -}} -{{- end }} {{- end -}} {{/* Return the appropriate apiVersion for RBAC resources. 
*/}} {{- define "common.capabilities.rbac.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.17-0" $kubeVersion) -}} -{{- print "rbac.authorization.k8s.io/v1beta1" -}} -{{- else -}} {{- print "rbac.authorization.k8s.io/v1" -}} {{- end -}} -{{- end -}} {{/* Return the appropriate apiVersion for CRDs. */}} {{- define "common.capabilities.crd.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}} -{{- print "apiextensions.k8s.io/v1beta1" -}} -{{- else -}} {{- print "apiextensions.k8s.io/v1" -}} {{- end -}} -{{- end -}} {{/* Return the appropriate apiVersion for APIService. */}} {{- define "common.capabilities.apiService.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.10-0" $kubeVersion) -}} -{{- print "apiregistration.k8s.io/v1beta1" -}} -{{- else -}} {{- print "apiregistration.k8s.io/v1" -}} {{- end -}} -{{- end -}} {{/* Return the appropriate apiVersion for Horizontal Pod Autoscaler. */}} {{- define "common.capabilities.hpa.apiVersion" -}} {{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} -{{- if .beta2 -}} -{{- print "autoscaling/v2beta2" -}} -{{- else -}} -{{- print "autoscaling/v2beta1" -}} -{{- end -}} -{{- else -}} {{- print "autoscaling/v2" -}} {{- end -}} -{{- end -}} {{/* Return the appropriate apiVersion for Vertical Pod Autoscaler. 
*/}} {{- define "common.capabilities.vpa.apiVersion" -}} -{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} -{{- if .beta2 -}} -{{- print "autoscaling/v2beta2" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} +{{- print "autoscaling/v1beta2" -}} {{- else -}} -{{- print "autoscaling/v2beta1" -}} -{{- end -}} -{{- else -}} -{{- print "autoscaling/v2" -}} +{{- print "autoscaling/v1" -}} {{- end -}} {{- end -}} @@ -183,19 +138,15 @@ Returns true if AdmissionConfiguration is supported */}} {{- define "common.capabilities.admissionConfiguration.supported" -}} {{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if or (empty $kubeVersion) (not (semverCompare "<1.23-0" $kubeVersion)) -}} {{- true -}} {{- end -}} -{{- end -}} {{/* Return the appropriate apiVersion for AdmissionConfiguration. */}} {{- define "common.capabilities.admissionConfiguration.apiVersion" -}} {{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} -{{- print "apiserver.config.k8s.io/v1alpha1" -}} -{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} {{- print "apiserver.config.k8s.io/v1beta1" -}} {{- else -}} {{- print "apiserver.config.k8s.io/v1" -}} 
@@ -207,9 +158,7 @@ Return the appropriate apiVersion for PodSecurityConfiguration. */}} {{- define "common.capabilities.podSecurityConfiguration.apiVersion" -}} {{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} -{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} -{{- print "pod-security.admission.config.k8s.io/v1alpha1" -}} -{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} {{- print "pod-security.admission.config.k8s.io/v1beta1" -}} {{- else -}} {{- print "pod-security.admission.config.k8s.io/v1" -}} diff --git a/opencloud/charts/mongodb/charts/common/templates/_certs.tpl b/opencloud/charts/mongodb/charts/common/templates/_certs.tpl new file mode 100644 index 0000000..55efc51 --- /dev/null +++ b/opencloud/charts/mongodb/charts/common/templates/_certs.tpl 
@@ -0,0 +1,51 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Returns a space-separated list of Subject Alternative Names (SANs) to create a TLS certificate +Usage: +{{ include "common.certs.sans" (dict "namespace" "default" "clusterDomain" "cluster.local" "serviceName" "my-service" "headlessServiceName" "my-service-headless" "loopback" true "extraSANs" (list "custom.domain.com")) }} + +Params: + - namespace - String - Required - Namespace where the app which we are generating the certificate for is deployed. + - clusterDomain - String - Optional - Cluster domain. Default is "cluster.local". + - serviceName - String - Optional - App service name. If provided, the following SANs will be generated: + - serviceName.namespace.svc.clusterDomain + - serviceName.namespace.svc + - serviceName.namespace + - serviceName + - headlessServiceName - String - Optional - App headless service name. If provided, the following wildcard SANs will be generated: + - *.headlessServiceName.namespace.svc.clusterDomain + - *.headlessServiceName.namespace.svc + - *.headlessServiceName.namespace + - *.headlessServiceName + - extraSANs - List - Optional - Additional custom SANs to be added. + - loopback - Boolean - Optional - If true, "localhost" will be added to the SANs. 
+*/}}
+{{- define "common.certs.sans" -}}
+{{- $sans := list }}
+{{- if .serviceName -}}
+  {{- $sans = append $sans (printf "%s.%s.svc.%s" .serviceName .namespace (default "cluster.local" .clusterDomain)) -}}
+  {{- $sans = append $sans (printf "%s.%s.svc" .serviceName .namespace) -}}
+  {{- $sans = append $sans (printf "%s.%s" .serviceName .namespace) -}}
+  {{- $sans = append $sans .serviceName -}}
+{{- end -}}
+{{- if .headlessServiceName -}}
+  {{- /* Include wildcard SANs for headless service */ -}}
+  {{- $sans = append $sans (printf "*.%s.%s.svc.%s" .headlessServiceName .namespace (default "cluster.local" .clusterDomain)) -}}
+  {{- $sans = append $sans (printf "*.%s.%s.svc" .headlessServiceName .namespace) -}}
+  {{- $sans = append $sans (printf "*.%s.%s" .headlessServiceName .namespace) -}}
+  {{- $sans = append $sans (printf "*.%s" .headlessServiceName) -}}
+{{- end -}}
+{{- range .extraSANs }}
+  {{- $sans = append $sans . -}}
+{{- end -}}
+{{- if (default false .loopback) -}}
+  {{- $sans = append $sans "localhost" }}
+{{- end -}}
+{{- join " " $sans | trim -}}
+{{- end -}}
diff --git a/opencloud/charts/mongodb/charts/common/templates/_compatibility.tpl b/opencloud/charts/mongodb/charts/common/templates/_compatibility.tpl
index a61588d..19c26db 100644
--- a/opencloud/charts/mongodb/charts/common/templates/_compatibility.tpl
+++ b/opencloud/charts/mongodb/charts/common/templates/_compatibility.tpl
@@ -40,7 +40,7 @@ Usage:
 {{- end -}}
 {{/* Remove fields that are disregarded when running the container in privileged mode */}}
 {{- if $adaptedContext.privileged -}}
- {{- $adaptedContext = omit $adaptedContext "capabilities" "seLinuxOptions" -}}
+ {{- $adaptedContext = omit $adaptedContext "capabilities" -}}
 {{- end -}}
 {{- omit $adaptedContext "enabled" | toYaml -}}
 {{- end -}}
diff --git a/opencloud/charts/mongodb/charts/common/templates/_errors.tpl b/opencloud/charts/mongodb/charts/common/templates/_errors.tpl
index e965365..fb704c9 100644
--- a/opencloud/charts/mongodb/charts/common/templates/_errors.tpl +++ b/opencloud/charts/mongodb/charts/common/templates/_errors.tpl @@ -5,7 +5,7 @@ SPDX-License-Identifier: APACHE-2.0 {{/* vim: set filetype=mustache: */}} {{/* -Through error when upgrading using empty passwords values that must not be empty. +Throw error when upgrading using empty passwords values that must not be empty. Usage: {{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} 
@@ -26,3 +26,67 @@ Required password params:
 {{- printf $errorString $validationErrors | fail -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Throw error when original container images are replaced.
+The error can be bypassed by setting the "global.security.allowInsecureImages" to true. In this case,
+a warning message will be shown instead.
+
+Usage:
+{{ include "common.errors.insecureImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }}
+*/}}
+{{- define "common.errors.insecureImages" -}}
+{{- $relocatedImages := list -}}
+{{- $replacedImages := list -}}
+{{- $bitnamiLegacyImages := list -}}
+{{- $retaggedImages := list -}}
+{{- $globalRegistry := ((.context.Values.global).imageRegistry) -}}
+{{- $originalImages := .context.Chart.Annotations.images -}}
+{{- range .images -}}
+  {{- $registryName := default .registry $globalRegistry -}}
+  {{- $fullImageNameNoTag := printf "%s/%s" $registryName .repository -}}
+  {{- $fullImageName := printf "%s:%s" $fullImageNameNoTag .tag -}}
+  {{- if not (contains $fullImageNameNoTag $originalImages) -}}
+    {{- if not (contains $registryName $originalImages) -}}
+      {{- $relocatedImages = append $relocatedImages $fullImageName -}}
+    {{- else if not (contains .repository $originalImages) -}}
+      {{- $replacedImages = append $replacedImages $fullImageName -}}
+      {{- if contains "docker.io/bitnamilegacy/" $fullImageNameNoTag -}}
+        {{- $bitnamiLegacyImages = append $bitnamiLegacyImages $fullImageName -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if not (contains (printf "%s:%s" .repository .tag) $originalImages) -}}
+    {{- $retaggedImages = append $retaggedImages $fullImageName -}}
+  {{- end -}}
+{{- end -}}
+
+{{- if and (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) (((.context.Values.global).security).allowInsecureImages) -}}
+  {{- print "\n\n⚠ SECURITY WARNING: Verifying original container images was skipped. Please note this Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Bitnami Secure Images containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables.\n" -}}
+{{- else if (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) -}}
+  {{- $errorString := "Original containers have been substituted for unrecognized ones. Deploying this chart with non-standard containers is likely to cause degraded security and performance, broken chart features, and missing environment variables." -}}
+  {{- $errorString = print $errorString "\n\nUnrecognized images:" -}}
+  {{- range (concat $relocatedImages $replacedImages) -}}
+    {{- $errorString = print $errorString "\n - " . -}}
+  {{- end -}}
+  {{- if and (eq (len $relocatedImages) 0) (eq (len $replacedImages) (len $bitnamiLegacyImages)) -}}
+    {{- $errorString = print "\n\n⚠ WARNING: " $errorString -}}
+    {{- print $errorString -}}
+  {{- else if or (contains "docker.io/bitnami/" $originalImages) (contains "docker.io/bitnamiprem/" $originalImages) (contains "docker.io/bitnamisecure/" $originalImages) -}}
+    {{- $errorString = print "\n\n⚠ ERROR: " $errorString -}}
+    {{- $errorString = print $errorString "\n\nIf you are sure you want to proceed with non-standard containers, you can skip container image verification by setting the global parameter 'global.security.allowInsecureImages' to true." -}}
+    {{- $errorString = print $errorString "\nFurther information can be obtained at https://github.com/bitnami/charts/issues/30850" -}}
+    {{- print $errorString | fail -}}
+  {{- else if gt (len $replacedImages) 0 -}}
+    {{- $errorString = print "\n\n⚠ WARNING: " $errorString -}}
+    {{- print $errorString -}}
+  {{- end -}}
+{{- else if gt (len $retaggedImages) 0 -}}
+  {{- $warnString := "\n\n⚠ WARNING: Original containers have been retagged. Please note this Helm chart was tested, and validated on multiple platforms using a specific set of Bitnami and Bitnami Secure Images containers. Substituting original image tags could cause unexpected behavior." -}}
+  {{- $warnString = print $warnString "\n\nRetagged images:" -}}
+  {{- range $retaggedImages -}}
+    {{- $warnString = print $warnString "\n - " . -}}
+  {{- end -}}
+  {{- print $warnString -}}
+{{- end -}}
+{{- end -}}
diff --git a/opencloud/charts/mongodb/charts/common/templates/_fips.tpl b/opencloud/charts/mongodb/charts/common/templates/_fips.tpl
new file mode 100644
index 0000000..fd0d06a
--- /dev/null
+++ b/opencloud/charts/mongodb/charts/common/templates/_fips.tpl
@@ -0,0 +1,73 @@
+{{/*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Enable FIPS features
+{{ include "common.fips.enabled" . }}
+*/}}
+{{- define "common.fips.enabled" -}}
+  {{- $fips := .Chart.Annotations.fips -}}
+  {{- if eq "true" $fips -}}
+    {{- true -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Get FIPS environment variable value for the given tech
+{{ include "common.fips.config" (dict "tech" "openssl|java|golang" "fips" .Values.fips "global" .Values.global) }}
+*/}}
+{{- define "common.fips.config" -}}
+  {{- $availableTechs := list "openssl" "java" "golang" -}}
+  {{- if not (has .tech $availableTechs) -}}
+    {{- printf "The common.fips.config method can only provide configuration for: %s" $availableTechs | fail -}}
+  {{- end -}}
+  {{- $tech := get (.fips) .tech -}}
+  {{- $value := $tech | default (.global).defaultFips -}}
+  {{- if empty $value -}}
+    {{- printf "Please configure a value for 'fips.%s' or 'global.defaultFips'" .tech | fail -}}
+  {{- else -}}
+    {{- $method := printf "common.fips.%s" .tech -}}
+    {{- include $method (dict "value" $value) | trim | print -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Map OpenSSL values for FIPS configuration
+{{ include "common.fips.openssl" (dict "value" "restricted") }}
+*/}}
+{{- define "common.fips.openssl" -}}
+  {{- ternary "yes" "no" (eq .value "restricted") | print -}}
+{{- end -}}
+
+{{/*
+Map JAVA values for FIPS configuration
+{{ include "common.fips.java" (dict "value" "restricted") }}
+*/}}
+{{- define "common.fips.java" -}}
+  {{- $suffix := ternary "original" .value (eq .value "off") -}}
+  {{- $javaSecurityFile := printf "java.security.%s" $suffix -}}
+  {{/* The two equals signs mean the property file will completely override the master properties file */}}
+  {{- $javaSecurityOpt := printf "-Djava.security.properties==/opt/bitnami/java/conf/security/%s" $javaSecurityFile -}}
+  {{- $bcModulesFlag := "--module-path=/opt/bitnami/bc-fips/" -}}
+  {{- $restrictedFlags := printf "%s %s" $bcModulesFlag $javaSecurityOpt -}}
+
+  {{- ternary $restrictedFlags $javaSecurityOpt (eq .value "restricted") | print -}}
+{{- end -}}
+
+{{/*
+Map Golang values for FIPS configuration
+{{ include "common.fips.golang" (dict "value" "restricted") }}
+*/}}
+{{- define "common.fips.golang" -}}
+  {{- if eq .value "restricted" -}}
+    {{- print "fips140=only" -}}
+  {{- else if eq .value "relaxed" -}}
+    {{- print "fips140=on" -}}
+  {{- else -}}
+    {{- print "fips140=off" -}}
+  {{- end -}}
+{{- end -}}
diff --git a/opencloud/charts/mongodb/charts/common/templates/_ingress.tpl b/opencloud/charts/mongodb/charts/common/templates/_ingress.tpl
index 7d2b879..2d0dbf1 100644
--- a/opencloud/charts/mongodb/charts/common/templates/_ingress.tpl
+++ b/opencloud/charts/mongodb/charts/common/templates/_ingress.tpl
@@ -17,11 +17,6 @@ Params:
 - context - Dict - Required. The context for the template evaluation.
 */}}
 {{- define "common.ingress.backend" -}}
-{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}}
-{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}}
-serviceName: {{ .serviceName }}
-servicePort: {{ .servicePort }}
-{{- else -}}
 service:
 name: {{ .serviceName }}
 port:
@@ -31,33 +26,6 @@ service: number: {{ .servicePort | int }} {{- end }} {{- end -}} -{{- end -}} - -{{/* -Print "true" if the API pathType field is supported -Usage: -{{ include "common.ingress.supportsPathType" . }} -*/}} -{{- define "common.ingress.supportsPathType" -}} -{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} -{{- print "false" -}} -{{- else -}} -{{- print "true" -}} -{{- end -}} -{{- end -}} - -{{/* -Returns true if the ingressClassname field is supported -Usage: -{{ include "common.ingress.supportsIngressClassname" . }} -*/}} -{{- define "common.ingress.supportsIngressClassname" -}} -{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}} -{{- print "false" -}} -{{- else -}} -{{- print "true" -}} -{{- end -}} -{{- end -}} {{/* Return true if cert-manager required annotations for TLS signed diff --git a/opencloud/charts/mongodb/charts/common/templates/_labels.tpl b/opencloud/charts/mongodb/charts/common/templates/_labels.tpl index 0a0cc54..4c98597 100644 --- a/opencloud/charts/mongodb/charts/common/templates/_labels.tpl +++ b/opencloud/charts/mongodb/charts/common/templates/_labels.tpl @@ -22,7 +22,7 @@ helm.sh/chart: {{ include "common.names.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- with .Chart.AppVersion }} -app.kubernetes.io/version: {{ . | quote }} +app.kubernetes.io/version: {{ . | replace "+" "_" | quote }} {{- end -}} {{- end -}} {{- end -}} diff --git a/opencloud/charts/mongodb/charts/common/templates/_names.tpl b/opencloud/charts/mongodb/charts/common/templates/_names.tpl index ba83956..d5d0ae4 100644 --- a/opencloud/charts/mongodb/charts/common/templates/_names.tpl +++ b/opencloud/charts/mongodb/charts/common/templates/_names.tpl 
@@ -28,10 +28,11 @@ If release name contains chart name it will be used as a full name.
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
 {{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- $releaseName := regexReplaceAll "(-?[^a-z\\d\\-])+-?" (lower .Release.Name) "-" -}}
+{{- if contains $name $releaseName -}}
+{{- $releaseName | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-%s" $releaseName $name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
diff --git a/opencloud/charts/mongodb/charts/common/templates/_resources.tpl b/opencloud/charts/mongodb/charts/common/templates/_resources.tpl
index d8a43e1..4c73492 100644
--- a/opencloud/charts/mongodb/charts/common/templates/_resources.tpl
+++ b/opencloud/charts/mongodb/charts/common/templates/_resources.tpl
@@ -19,7 +19,7 @@ These presets are for basic testing and not meant to be used in production
 )
 "micro" (dict
 "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
- "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "2Gi")
+ "limits" (dict "cpu" "380m" "memory" "384Mi" "ephemeral-storage" "2Gi")
 )
 "small" (dict
 "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
diff --git a/opencloud/charts/mongodb/charts/common/templates/_secrets.tpl b/opencloud/charts/mongodb/charts/common/templates/_secrets.tpl
index bfef469..7868c00 100644
--- a/opencloud/charts/mongodb/charts/common/templates/_secrets.tpl
+++ b/opencloud/charts/mongodb/charts/common/templates/_secrets.tpl
@@ -110,12 +110,12 @@ The order in which this function returns a secret password: {{- end }} {{- if and $providedPasswordValue .honorProvidedValues }} - {{- $password = $providedPasswordValue | toString }} + {{- $password = tpl ($providedPasswordValue | toString) .context }} {{- end }} {{- if not $password }} {{- if $providedPasswordValue }} - {{- $password = $providedPasswordValue | toString }} + {{- $password = tpl ($providedPasswordValue | toString) .context }} {{- else }} {{- if .context.Values.enabled }} {{- $subchart = $chartName }} diff --git a/opencloud/charts/mongodb/templates/NOTES.txt b/opencloud/charts/mongodb/templates/NOTES.txt index a69eb9c..a3931c8 100644 --- a/opencloud/charts/mongodb/templates/NOTES.txt +++ b/opencloud/charts/mongodb/templates/NOTES.txt @@ -2,6 +2,10 @@ CHART NAME: {{ .Chart.Name }} CHART VERSION: {{ .Chart.Version }} APP VERSION: {{ .Chart.AppVersion }} +⚠ WARNING: Since August 28th, 2025, only a limited subset of images/charts are available for free. + Subscribe to Bitnami Secure Images to receive continued support and security updates. + More info at https://bitnami.com and https://github.com/bitnami/containers/issues/83267 + {{- if .Values.diagnosticMode.enabled }} The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with: 
@@ -168,4 +172,5 @@ Then, open the obtained URL in a browser.
 {{- include "common.warnings.rollingTag" .Values.tls.image }}
 {{- include "mongodb.validateValues" . }}
 {{- include "common.warnings.resources" (dict "sections" (list "arbiter" "externalAccess.autoDiscovery" "hidden" "metrics" "" "tls" "volumePermissions") "context" $) }}
-{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.tls.image .Values.externalAccess.autoDiscovery.image .Values.externalAccess.dnsCheck.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }}
\ No newline at end of file
+{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.tls.image .Values.externalAccess.autoDiscovery.image .Values.externalAccess.dnsCheck.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }}
+{{- include "common.errors.insecureImages" (dict "images" (list .Values.image .Values.tls.image .Values.externalAccess.autoDiscovery.image .Values.externalAccess.dnsCheck.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }}
diff --git a/opencloud/charts/mongodb/templates/_helpers.tpl b/opencloud/charts/mongodb/templates/_helpers.tpl
index 5d8cb29..dcecfdf 100644
--- a/opencloud/charts/mongodb/templates/_helpers.tpl
+++ b/opencloud/charts/mongodb/templates/_helpers.tpl
@@ -309,6 +309,11 @@ Init container definition to change/establish volume permissions.
 {{- else if ne .Values.volumePermissions.resourcesPreset "none" }}
 resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
 {{- end }}
+ {{- if include "common.fips.enabled" . }}
+ env:
+ - name: OPENSSL_FIPS
+ value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.volumePermissions.fips "global" .Values.global) | quote }}
+ {{- end }}
 volumeMounts:
 - name: empty-dir
 mountPath: /tmp
@@ -338,6 +343,11 @@ Init container definition to recover log dir. {{- else if ne .Values.resourcesPreset "none" }} resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} {{- end }} + {{- if include "common.fips.enabled" . }} + env: + - name: OPENSSL_FIPS + value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.fips "global" .Values.global) | quote }} + {{- end }} volumeMounts: - name: empty-dir mountPath: /opt/bitnami/mongodb/logs @@ -366,6 +376,11 @@ Init container definition to get external IP addresses. {{- else if ne .Values.externalAccess.autoDiscovery.resourcesPreset "none" }} resources: {{- include "common.resources.preset" (dict "type" .Values.externalAccess.autoDiscovery.resourcesPreset) | nindent 12 }} {{- end }} + {{- if include "common.fips.enabled" . }} + env: + - name: OPENSSL_FIPS + value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.externalAccess.autoDiscovery.fips "global" .Values.global) | quote }} + {{- end }} volumeMounts: - name: shared mountPath: /shared @@ -401,6 +416,11 @@ Init container definition to wait external DNS names. {{- else if ne .Values.externalAccess.dnsCheck.resourcesPreset "none" }} resources: {{- include "common.resources.preset" (dict "type" .Values.externalAccess.dnsCheck.resourcesPreset) | nindent 12 }} {{- end }} + {{- if include "common.fips.enabled" . }} + env: + - name: OPENSSL_FIPS + value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.externalAccess.dnsCheck.fips "global" .Values.global) | quote }} + {{- end }} {{- end -}} {{/* 
@@ -644,24 +664,13 @@ Validate values of MongoDB® exporter URI string - auth.enabled and/or tls.en {{- end -}} {{- if .Values.metrics.username -}} {{- $uriAuth := ternary "$(echo $MONGODB_METRICS_USERNAME | sed -r \"s/@/%40/g;s/:/%3A/g\"):$(echo $MONGODB_METRICS_PASSWORD | sed -r \"s/@/%40/g;s/:/%3A/g\")@" "" .Values.auth.enabled -}} - {{- printf "mongodb://%slocalhost:%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $tlsArgs -}} + {{- printf "mongodb://%s$(hostname -s):%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $tlsArgs -}} {{- else -}} {{- $uriAuth := ternary "$MONGODB_ROOT_USER:$(echo $MONGODB_ROOT_PASSWORD | sed -r \"s/@/%40/g;s/:/%3A/g\")@" "" .Values.auth.enabled -}} - {{- printf "mongodb://%slocalhost:%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $tlsArgs -}} + {{- printf "mongodb://%s$(hostname -s):%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $tlsArgs -}} {{- end -}} {{- end -}} -{{/* -Return the appropriate apiGroup for PodSecurityPolicy. -*/}} -{{- define "podSecurityPolicy.apiGroup" -}} -{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "policy" -}} -{{- else -}} -{{- print "extensions" -}} -{{- end -}} -{{- end -}} - {{/* Return true if a TLS secret object should be created */}} diff --git a/opencloud/charts/mongodb/templates/arbiter/statefulset.yaml b/opencloud/charts/mongodb/templates/arbiter/statefulset.yaml index 54ac01a..456cbc8 100644 --- a/opencloud/charts/mongodb/templates/arbiter/statefulset.yaml +++ b/opencloud/charts/mongodb/templates/arbiter/statefulset.yaml 
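Review bot: The switch from `localhost` to `$(hostname -s)` in both branches of `mongodb.mongodb_exporter.uri` is undocumented, and it only works because the rendered URI is later interpolated by a shell (the exporter `args: - |` blocks in the statefulset templates); any caller that renders this helper into a non-shell context gets the literal `$(hostname -s)` string. A one-line comment above the define, e.g. `{{/* $(hostname -s) is expanded by the container shell at start-up, so this helper must only be rendered into shell-evaluated args */}}`, would record that constraint, and the reason for preferring the pod's own name over localhost deserves a sentence too. If TLS is enabled on the exporter connection, the server certificate presumably has to cover the pod's short hostname now, which localhost did not require — confirm against the certificate generation script. The enclosing define starts outside the hunk.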
@@ -87,7 +87,7 @@ spec: {{- if .Values.arbiter.initContainers }} {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.initContainers "context" $) | nindent 8 }} {{- end }} - {{- if and .Values.externalAccess.enabled ( or .Values.externalAccess.service.publicNames .Values.externalAccess.service.domain ) }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.service.publicNames }} {{- include "mongodb.initContainers.dnsCheck" . | nindent 8 }} {{- end }} {{- if and .Values.tls.enabled .Values.arbiter.enabled }} @@ -107,6 +107,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + {{- if include "common.fips.enabled" . }} + - name: OPENSSL_FIPS + value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.tls.fips "global" .Values.global) | quote }} + {{- end }} volumeMounts: - name: empty-dir mountPath: /tmp @@ -126,6 +130,9 @@ spec: - /bitnami/scripts/generate-certs.sh args: - -s {{ include "mongodb.arbiter.service.nameOverride" . }} + {{- if .Values.tls.securityContext }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.tls.securityContext "context" $) | nindent 12 }} + {{- end }} {{- end }} containers: - name: mongodb-arbiter @@ -164,6 +171,10 @@ spec: value: {{ include "mongodb.initialPrimaryHost" . | quote }} - name: MONGODB_REPLICA_SET_NAME value: {{ .Values.replicaSetName | quote }} + {{- if include "common.fips.enabled" . }} + - name: OPENSSL_FIPS + value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.arbiter.fips "global" .Values.global) | quote }} + {{- end }} - name: MONGODB_ADVERTISED_HOSTNAME value: "$(MY_POD_NAME).{{ include "mongodb.arbiter.service.nameOverride" . }}.$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" - name: MONGODB_PORT_NUMBER 
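Review bot: The dnsCheck init container is now gated on `.Values.externalAccess.service.publicNames` alone, so a deployment that sets only `externalAccess.service.domain` silently stops waiting for its external DNS names before the arbiter starts; the same predicate change is made in the hidden and replicaset statefulsets (the -96 and -97 hunks further down). If `service.domain` has been removed from values.yaml as part of this change, a guard such as `{{- if .Values.externalAccess.service.domain }}{{- fail "externalAccess.service.domain is no longer supported; use externalAccess.service.publicNames" }}{{- end }}` would surface that to operators instead of changing behaviour quietly; if it is still supported, the original `or` condition looks like the right one. The arbiter pod spec continues outside the hunk.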
@@ -173,6 +184,12 @@ spec: {{- if .Values.auth.enabled }} - name: MONGODB_INITIAL_PRIMARY_ROOT_USER value: {{ .Values.auth.rootUser | quote }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-root-password" + - name: MONGODB_REPLICA_SET_KEY_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-replica-set-key" + {{- else }} - name: MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD valueFrom: secretKeyRef: @@ -184,6 +201,7 @@ spec: name: {{ include "mongodb.secretName" . }} key: mongodb-replica-set-key {{- end }} + {{- end }} - name: ALLOW_EMPTY_PASSWORD value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} {{- $extraFlags := .Values.arbiter.extraFlags | join " " -}} @@ -265,6 +283,10 @@ spec: - name: empty-dir mountPath: /bitnami/mongodb subPath: app-volume-dir + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + mountPath: /opt/bitnami/mongodb/secrets + {{- end }} {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap }} - name: config mountPath: /opt/bitnami/mongodb/conf/mongodb.conf @@ -283,11 +305,16 @@ spec: volumes: - name: empty-dir emptyDir: {} - {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap .Values.arbiter.extraVolumes .Values.tls.enabled }} + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + secret: + secretName: {{ include "mongodb.secretName" . }} + {{- end }} + {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap .Values.arbiter.extraVolumes .Values.tls.enabled }} - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} - defaultMode: 0o555 + defaultMode: 0555 {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap }} - name: config configMap: 
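Review bot: The new `mongodb-secrets` volume projects the root password and the replica-set key into the pod with Kubernetes' default secret file mode, which leaves them readable by any uid that ends up in the container rather than just the mongodb process; the same volume is declared in the backup cronjob, the hidden and replicaset statefulsets and the standalone template (the -181, -468, -472 and -419 hunks). A restrictive `defaultMode: 0440` under `secret:` next to `secretName` would narrow that, provided the container's uid or fsGroup owns the files — I cannot see the chart's security context from here, so verify before tightening to `0400`. The volume is only declared when `usePasswordFiles` and `auth.enabled` are both set, which matches the guards on the mount and on the `*_FILE` env entries in the earlier hunks. The volumes list continues outside the hunk.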
@@ -303,10 +330,10 @@ spec: items: - key: mongodb-ca-cert path: mongodb-ca-cert - mode: 0o600 + mode: 0600 - key: mongodb-ca-key path: mongodb-ca-key - mode: 0o600 + mode: 0600 {{- else }} - name: mongodb-certs-0 secret: diff --git a/opencloud/charts/mongodb/templates/backup/cronjob.yaml b/opencloud/charts/mongodb/templates/backup/cronjob.yaml index 4119d06..8672a70 100644 --- a/opencloud/charts/mongodb/templates/backup/cronjob.yaml +++ b/opencloud/charts/mongodb/templates/backup/cronjob.yaml @@ -28,8 +28,8 @@ metadata: {{- end }} spec: schedule: {{ quote .Values.backup.cronjob.schedule }} - {{- if .Values.backup.cronjob.timezone }} - timeZone: {{ .Values.backup.cronjob.timezone | quote }} + {{- if .Values.backup.cronjob.timeZone }} + timeZone: {{ .Values.backup.cronjob.timeZone | quote }} {{- end }} concurrencyPolicy: {{ .Values.backup.cronjob.concurrencyPolicy }} failedJobsHistoryLimit: {{ .Values.backup.cronjob.failedJobsHistoryLimit }} @@ -70,6 +70,7 @@ spec: securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 12 }} {{- end }} enableServiceLinks: {{ .Values.enableServiceLinks }} + serviceAccountName: {{ .Values.backup.cronjob.serviceAccount.name | quote }} {{- if .Values.tls.enabled }} initContainers: - name: generate-tls-certs @@ -84,6 +85,10 @@ spec: valueFrom: fieldRef: fieldPath: status.hostIP + {{- if include "common.fips.enabled" . }} + - name: OPENSSL_FIPS + value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.tls.fips "global" .Values.global) | quote }} + {{- end }} volumeMounts: - name: empty-dir mountPath: /tmp 
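Review bot: `mode: 0600` and the `defaultMode: 0555`/`0550`/`0755` rewrites depend on the YAML 1.1 rule that a leading zero means octal; a YAML 1.2 parser reads `0600` as decimal 600 (0o1130), which silently changes the file permissions, while the previous `0o600` spelling is a string to older 1.1 parsers, so neither form is portable across tooling. The go-yaml based decoders used by Helm and the Kubernetes API server accept the leading-zero form as octal as far as I know, so the rendered manifests should behave, but that assumption deserves one comment in the chart, e.g. `# leading-zero octal: relies on the YAML 1.1 semantics of the Kubernetes decoder` above the first occurrence. The same `0o…`→`0…` change appears in the arbiter volumes hunk above (-283) and in the cronjob (-181, -192), hidden (-468, -486, -500), replicaset (-472, -490, -504) and standalone (-419, -443) hunks below.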
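Review bot: Renaming the value from `backup.cronjob.timezone` to `backup.cronjob.timeZone` silently drops the setting for any existing values file that still uses the old key: the `if` evaluates to false and `timeZone` is simply omitted from the CronJob. A guard placed before the `if`, `{{- if .Values.backup.cronjob.timezone }}{{- fail "backup.cronjob.timezone has been renamed to backup.cronjob.timeZone" }}{{- end }}`, or a fallback `{{- $tz := default .Values.backup.cronjob.timezone .Values.backup.cronjob.timeZone }}`, would make the upgrade visible to operators. The CronJob spec continues outside the hunk.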
@@ -114,27 +119,39 @@ spec: {{- else if ne .Values.tls.resourcesPreset "none" }} resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 16 }} {{- end }} + {{- if .Values.tls.securityContext }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.tls.securityContext "context" $) | nindent 16 }} + {{- end }} {{- end }} containers: - name: {{ include "mongodb.fullname" . }}-mongodump image: {{ include "mongodb.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy | quote }} env: - {{- if .Values.auth.enabled }} + {{- if .Values.auth.enabled }} - name: MONGODB_ROOT_USER value: {{ .Values.auth.rootUser | quote }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_ROOT_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-root-password" + {{- else }} - name: MONGODB_ROOT_PASSWORD valueFrom: secretKeyRef: name: {{ include "mongodb.secretName" . }} key: mongodb-root-password - {{- end }} + {{- end }} + {{- end }} - name: MONGODB_SERVICE_NAME value: {{ include "mongodb.service.nameOverride" . }} - name: MONGODB_PORT_NUMBER value: {{ .Values.containerPorts.mongodb | quote }} - name: MONGODUMP_DIR value: {{ .Values.backup.cronjob.storage.mountPath }} + {{- if include "common.fips.enabled" . }} + - name: OPENSSL_FIPS + value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.backup.cronjob.fips "global" .Values.global) | quote }} + {{- end }} {{- if .Values.tls.enabled }} - name: MONGODB_CLIENT_EXTRA_FLAGS value: --ssl --sslPEMKeyFile=/certs/mongodb.pem --sslCAFile=/certs/mongodb-ca-cert 
@@ -143,9 +160,13 @@ spec: command: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.command "context" $) | nindent 14 }} {{- else }} command: - - /bin/sh + - /bin/bash - -c - - "mongodump {{- if .Values.auth.enabled }} --username=${MONGODB_ROOT_USER} --password=${MONGODB_ROOT_PASSWORD} --authenticationDatabase=admin {{- end }} --host=${MONGODB_SERVICE_NAME} --port=${MONGODB_PORT_NUMBER} ${MONGODB_CLIENT_EXTRA_FLAGS} {{- if (eq $.Values.architecture "replicaset") }}--oplog{{- end }} --gzip --archive=${MONGODUMP_DIR}/mongodump-$(date '+%Y-%m-%d-%H-%M').gz" + - | + {{- if and .Values.auth.enabled .Values.usePasswordFiles }} + export MONGODB_ROOT_PASSWORD="$(< $MONGODB_ROOT_PASSWORD_FILE)" + {{- end }} + mongodump {{- if .Values.auth.enabled }} --username=${MONGODB_ROOT_USER} --password=${MONGODB_ROOT_PASSWORD} --authenticationDatabase=admin {{- end }} --host=${MONGODB_SERVICE_NAME} --port=${MONGODB_PORT_NUMBER} ${MONGODB_CLIENT_EXTRA_FLAGS} {{- if (eq $.Values.architecture "replicaset") }}--oplog{{- end }} --gzip --archive=${MONGODUMP_DIR}/mongodump-$(date '+%Y-%m-%d-%H-%M').gz {{- end }} {{- if .Values.backup.cronjob.resources }} resources: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.resources "context" $) | nindent 14 }} @@ -156,6 +177,10 @@ spec: - name: empty-dir mountPath: /tmp subPath: tmp-dir + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + mountPath: /opt/bitnami/mongodb/secrets + {{- end }} {{- if .Values.tls.enabled }} - name: certs mountPath: /certs @@ -181,7 +206,12 @@ spec: - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} - defaultMode: 0o550 + defaultMode: 0550 + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + secret: + secretName: {{ include "mongodb.secretName" . }} + {{- end }} {{- if .Values.tls.enabled }} - name: certs emptyDir: {} 
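Review bot: After reading the secret from `MONGODB_ROOT_PASSWORD_FILE`, the new `- |` script still hands it to mongodump as `--password=${MONGODB_ROOT_PASSWORD}`, so the password is visible in the process's argv (`/proc/<pid>/cmdline`, `ps`) to anything else running in the pod for the duration of the dump; the file-based path removes it from the container env only to re-expose it on the command line. Recent Database Tools releases accept a `--config` file carrying `password:` or `uri:` for exactly this reason, so writing the value into a mode-0600 file under `/tmp` and passing `--config` instead of `--password=…` would keep it out of argv — check the image's mongodump version supports it. The same shape recurs in the exporter `args:` blocks of the hidden, replicaset and standalone templates (the -390, -397 and -344 hunks), where the password is embedded in the `--mongodb.uri` argument through `mongodb.mongodb_exporter.uri`. The `$(< file)` form is a bashism, which the `/bin/sh`→`/bin/bash` change in this hunk correctly accounts for. The container spec continues outside the hunk.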
@@ -192,10 +222,10 @@ spec: items: - key: mongodb-ca-cert path: mongodb-ca-cert - mode: 0o600 + mode: 0600 - key: mongodb-ca-key path: mongodb-ca-key - mode: 0o600 + mode: 0600 {{- else }} - name: mongodb-certs-0 secret: diff --git a/opencloud/charts/mongodb/templates/hidden/statefulset.yaml b/opencloud/charts/mongodb/templates/hidden/statefulset.yaml index 101ddff..bc7cae8 100644 --- a/opencloud/charts/mongodb/templates/hidden/statefulset.yaml +++ b/opencloud/charts/mongodb/templates/hidden/statefulset.yaml @@ -96,7 +96,7 @@ spec: {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} {{- include "mongodb.initContainers.autoDiscovery" . | indent 8 }} {{- end }} - {{- if and .Values.externalAccess.enabled ( or .Values.externalAccess.service.publicNames .Values.externalAccess.service.domain ) }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.service.publicNames }} {{- include "mongodb.initContainers.dnsCheck" . | indent 8 }} {{- end }} {{- include "mongodb.initContainer.prepareLogDir" . | nindent 8 }} @@ -117,6 +117,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + {{- if include "common.fips.enabled" . }} + - name: OPENSSL_FIPS + value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.tls.fips "global" .Values.global) | quote }} + {{- end }} volumeMounts: {{- if (include "mongodb.autoGenerateCerts" .) }} - name: certs-volume @@ -149,6 +153,9 @@ spec: {{- else if ne .Values.tls.resourcesPreset "none" }} resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 12 }} {{- end }} + {{- if .Values.tls.securityContext }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.tls.securityContext "context" $) | nindent 12 }} + {{- end }} {{- end }} containers: - name: mongodb 
@@ -196,6 +203,10 @@ spec: value: "hidden" - name: MONGODB_INITIAL_PRIMARY_HOST value: {{ include "mongodb.initialPrimaryHost" . | quote }} + {{- if include "common.fips.enabled" . }} + - name: OPENSSL_FIPS + value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.hidden.fips "global" .Values.global) | quote }} + {{- end }} - name: MONGODB_REPLICA_SET_NAME value: {{ .Values.replicaSetName | quote }} {{- if and .Values.replicaSetHostnames (not .Values.externalAccess.hidden.enabled) }} @@ -214,14 +225,25 @@ spec: {{- end }} {{- if .Values.auth.enabled }} {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_EXTRA_PASSWORDS_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-passwords" + {{- else }} - name: MONGODB_EXTRA_PASSWORDS valueFrom: secretKeyRef: name: {{ include "mongodb.secretName" . }} key: mongodb-passwords {{- end }} + {{- end }} - name: MONGODB_ROOT_USER value: {{ .Values.auth.rootUser | quote }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_ROOT_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-root-password" + - name: MONGODB_REPLICA_SET_KEY_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-replica-set-key" + {{- else }} - name: MONGODB_ROOT_PASSWORD valueFrom: secretKeyRef: @@ -233,10 +255,15 @@ spec: name: {{ include "mongodb.secretName" . }} key: mongodb-replica-set-key {{- end }} + {{- end }} {{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }} - name: MONGODB_METRICS_USERNAME value: {{ .Values.metrics.username | quote }} {{- if .Values.auth.enabled }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_METRICS_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-metrics-password" + {{- else }} - name: MONGODB_METRICS_PASSWORD valueFrom: secretKeyRef: 
@@ -244,6 +271,7 @@ spec: key: mongodb-metrics-password {{- end }} {{- end }} + {{- end }} - name: ALLOW_EMPTY_PASSWORD value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} - name: MONGODB_SYSTEM_LOG_VERBOSITY @@ -329,6 +357,10 @@ spec: subPath: {{ .Values.hidden.persistence.subPath }} - name: common-scripts mountPath: /bitnami/scripts + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + mountPath: /opt/bitnami/mongodb/secrets + {{- end }} {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} - name: custom-init-scripts mountPath: /docker-entrypoint-initdb.d @@ -390,6 +422,13 @@ spec: {{- else }} args: - | + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + {{- if .Values.metrics.username }} + export MONGODB_METRICS_PASSWORD="$(< $MONGODB_METRICS_PASSWORD_FILE)" + {{- else }} + export MONGODB_ROOT_PASSWORD="$(< $MONGODB_ROOT_PASSWORD_FILE)" + {{- end }} + {{- end }} /bin/mongodb_exporter {{ include "mongodb.exporterArgs" $ }} --mongodb.direct-connect --mongodb.global-conn-pool --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . }}" {{ .Values.metrics.extraFlags }} {{- end }} env: @@ -397,14 +436,23 @@ spec: {{- if not .Values.metrics.username }} - name: MONGODB_ROOT_USER value: {{ .Values.auth.rootUser | quote }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_ROOT_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-root-password" + {{- else }} - name: MONGODB_ROOT_PASSWORD valueFrom: secretKeyRef: name: {{ include "mongodb.secretName" . }} key: mongodb-root-password + {{- end }} {{- else }} - name: MONGODB_METRICS_USERNAME value: {{ .Values.metrics.username | quote }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_METRICS_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-metrics-password" + {{- else }} - name: MONGODB_METRICS_PASSWORD valueFrom: secretKeyRef: 
@@ -412,10 +460,21 @@ spec: key: mongodb-metrics-password {{- end }} {{- end }} + {{- end }} + {{- if include "common.fips.enabled" . }} + - name: OPENSSL_FIPS + value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.metrics.fips "global" .Values.global) | quote }} + - name: GODEBUG + value: {{ include "common.fips.config" (dict "tech" "golang" "fips" .Values.metrics.fips "global" .Values.global) | quote }} + {{- end }} volumeMounts: - name: empty-dir mountPath: /tmp subPath: tmp-dir + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + mountPath: /opt/bitnami/mongodb/secrets + {{- end }} {{- if .Values.tls.enabled }} - name: certs mountPath: /certs @@ -468,7 +527,12 @@ spec: - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} - defaultMode: 0o555 + defaultMode: 0555 + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + secret: + secretName: {{ include "mongodb.secretName" . }} + {{- end }} {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} - name: custom-init-scripts configMap: @@ -486,7 +550,7 @@ spec: - name: scripts configMap: name: {{ printf "%s-scripts" (include "mongodb.fullname" .) }} - defaultMode: 0o755 + defaultMode: 0755 {{- if .Values.hidden.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.hidden.extraVolumes "context" $) | nindent 8 }} {{- end }} @@ -500,10 +564,10 @@ spec: items: - key: mongodb-ca-cert path: mongodb-ca-cert - mode: 0o600 + mode: 0600 - key: mongodb-ca-key path: mongodb-ca-key - mode: 0o600 + mode: 0600 {{- else }} {{- range $index, $secret := .Values.tls.hidden.existingSecrets }} - name: mongodb-certs-{{ $index }} diff --git a/opencloud/charts/mongodb/templates/networkpolicy.yaml b/opencloud/charts/mongodb/templates/networkpolicy.yaml index 4e9f2f2..1cb492f 100644 --- a/opencloud/charts/mongodb/templates/networkpolicy.yaml 
+++ b/opencloud/charts/mongodb/templates/networkpolicy.yaml @@ -57,7 +57,7 @@ spec: {{- end }} {{- end }} {{- if .Values.networkPolicy.extraEgress }} - {{- include "common.tplvalues.render" ( dict "value" .Values.rts.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }} {{- end }} {{- end }} ingress: @@ -95,4 +95,4 @@ spec: {{- if $extraIngress }} {{- include "common.tplvalues.render" ( dict "value" $extraIngress "context" $ ) | nindent 4 }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/opencloud/charts/mongodb/templates/replicaset/scripts-configmap.yaml b/opencloud/charts/mongodb/templates/replicaset/scripts-configmap.yaml index ec70ecb..e0571ac 100644 --- a/opencloud/charts/mongodb/templates/replicaset/scripts-configmap.yaml +++ b/opencloud/charts/mongodb/templates/replicaset/scripts-configmap.yaml @@ -111,11 +111,12 @@ data: {{- $replicaCount := int .Values.replicaCount }} {{- $portNumber := int .Values.service.ports.mongodb }} {{- $fullname := include "mongodb.fullname" . }} + {{- $serviceName := include "mongodb.service.nameOverride" . }} {{- $releaseNamespace := include "mongodb.namespace" . }} {{- $clusterDomain := .Values.clusterDomain }} {{- $mongoList := list }} {{- range $e, $i := until $replicaCount }} - {{- $mongoList = append $mongoList (printf "%s-%d.%s-headless.%s.svc.%s:%d" $fullname $i $fullname $releaseNamespace $clusterDomain $portNumber) }} + {{- $mongoList = append $mongoList (printf "%s-%d.%s.%s.svc.%s:%d" $fullname $i $serviceName $releaseNamespace $clusterDomain $portNumber) }} {{- end }} {{- if .Values.externalAccess.externalMaster.enabled }} 
@@ -254,28 +255,34 @@ data: # read rs.conf again and store it. settings format is '"" : ,' currentRsConf=$(mongosh ${usernameAndPassword} --eval 'rs.conf()') - desiredEqualsactual=unknown + desiredEqualsActual=unknown settingsToConfigure="" for key in ${!desiredRsConf[@]}; do value=${desiredRsConf[$key]} - if ! $(echo "\"${currentRsConf}"\" | grep -q -e "${key}: ${value},"); then - if [[ $key =~ ^members\[[0-9]+\]\..+ ]]; then - memberIndex=$(echo $key | grep -o -E '[0-9]+') - nodeConfigKey=${key#*.} - settingsToConfigure="${settingsToConfigure}cfg.members[${memberIndex}].${nodeConfigKey} = ${value}; " + if [[ $key =~ ^members\[[0-9]+\]\..+ ]]; then + # Replica set member specific setting + if [[ "$(mongosh --eval "cfg=${currentRsConf}; cfg.${key}" 2>/dev/null)" != "${value}" ]]; then + desiredEqualsActual=false + logger "rs conf: ${key} needs to be updated to desired value: ${value}" + settingsToConfigure="${settingsToConfigure}cfg.${key} = ${value}; " else - # General rs settings - settingsToConfigure="${settingsToConfigure}cfg.settings.${key} = ${value}; " + logger "rs conf: ${key} is already at desired value: ${value}" fi - desiredEqualsactual=false else - logger "rs conf: ${key} is already at desired value: ${value}" + # General rs setting + if [[ "$(mongosh --eval "cfg=${currentRsConf}; cfg.settings.${key}" 2>/dev/null)" != "${value}" ]]; then + desiredEqualsActual=false + logger "rs conf: ${key} needs to be updated to desired value: ${value}" + settingsToConfigure="${settingsToConfigure}cfg.settings.${key} = ${value}; " + else + logger "rs conf: ${key} is already at desired value: ${value}" + fi fi done - if [[ "${desiredEqualsactual}" != "false" ]]; then + if [[ "${desiredEqualsActual}" != "false" ]]; then logger "replicaSetConfigurationSettings match the settings of the currently running rs" - desiredEqualsactual=true + desiredEqualsActual=true rs_conf_configured_ok=true logger "Current settings match desired settings (There have been 
${rsConfWriteAttempts} attempts to write to mongoDB rs configuration)" exit @@ -313,4 +320,3 @@ data: done {{- end }} {{- end }} - \ No newline at end of file diff --git a/opencloud/charts/mongodb/templates/replicaset/statefulset.yaml b/opencloud/charts/mongodb/templates/replicaset/statefulset.yaml index 8b64327..f457321 100644 --- a/opencloud/charts/mongodb/templates/replicaset/statefulset.yaml +++ b/opencloud/charts/mongodb/templates/replicaset/statefulset.yaml @@ -97,7 +97,7 @@ spec: {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} {{- include "mongodb.initContainers.autoDiscovery" . | nindent 8 }} {{- end }} - {{- if and .Values.externalAccess.enabled ( or .Values.externalAccess.service.publicNames .Values.externalAccess.service.domain ) }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.service.publicNames }} {{- include "mongodb.initContainers.dnsCheck" . | nindent 8 }} {{- end }} {{- include "mongodb.initContainer.prepareLogDir" . | nindent 8 }} @@ -118,6 +118,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + {{- if include "common.fips.enabled" . }} + - name: OPENSSL_FIPS + value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.tls.fips "global" .Values.global) | quote }} + {{- end }} volumeMounts: {{- if (include "mongodb.autoGenerateCerts" .) }} - name: certs-volume 
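Review bot: The new per-key comparison runs `mongosh --eval "cfg=${currentRsConf}; cfg.${key}"` with stderr discarded, so any failure of that eval — including a failed connection attempt, since no `--nodb` is passed and mongosh will try to reach localhost on the default port, or a `currentRsConf` that carries the mongosh connection banner because the capturing call above is made without `--quiet` — yields an empty substitution, every key compares unequal, and the script logs "needs to be updated" and rewrites the config on each pass. Capturing the exit status separates "differs" from "could not read", e.g. `actual=$(mongosh --nodb --quiet --eval "cfg=${currentRsConf}; cfg.${key}") || { logger "rs conf: could not evaluate ${key}"; continue; }` before the `!=` test, and the same applies to the `cfg.settings.${key}` branch. `${key}` and `${value}` are interpolated unescaped into JavaScript; they come from chart values rather than external input, but a comment stating that would help the next reader. The surrounding script starts and ends outside the hunk.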
@@ -200,6 +204,10 @@ spec: value: {{ include "mongodb.initialPrimaryHost" . | quote }} - name: MONGODB_REPLICA_SET_NAME value: {{ .Values.replicaSetName | quote }} + {{- if include "common.fips.enabled" . }} + - name: OPENSSL_FIPS + value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.fips "global" .Values.global) | quote }} + {{- end }} {{- if and .Values.replicaSetHostnames (not .Values.externalAccess.enabled) }} - name: MONGODB_ADVERTISED_HOSTNAME value: "$(MY_POD_NAME).{{ include "mongodb.service.nameOverride" . }}.$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" @@ -216,14 +224,25 @@ spec: {{- end }} {{- if .Values.auth.enabled }} {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_EXTRA_PASSWORDS_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-passwords" + {{- else }} - name: MONGODB_EXTRA_PASSWORDS valueFrom: secretKeyRef: name: {{ include "mongodb.secretName" . }} key: mongodb-passwords {{- end }} + {{- end }} - name: MONGODB_ROOT_USER value: {{ .Values.auth.rootUser | quote }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_ROOT_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-root-password" + - name: MONGODB_REPLICA_SET_KEY_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-replica-set-key" + {{- else }} - name: MONGODB_ROOT_PASSWORD valueFrom: secretKeyRef: @@ -235,10 +254,15 @@ spec: name: {{ include "mongodb.secretName" . }} key: mongodb-replica-set-key {{- end }} + {{- end }} {{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }} - name: MONGODB_METRICS_USERNAME value: {{ .Values.metrics.username | quote }} {{- if .Values.auth.enabled }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_METRICS_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-metrics-password" + {{- else }} - name: MONGODB_METRICS_PASSWORD valueFrom: secretKeyRef: 
@@ -246,6 +270,7 @@ spec: key: mongodb-metrics-password {{- end }} {{- end }} + {{- end }} - name: ALLOW_EMPTY_PASSWORD value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} - name: MONGODB_SYSTEM_LOG_VERBOSITY @@ -341,6 +366,10 @@ spec: - name: empty-dir mountPath: /.mongodb subPath: mongosh-home + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + mountPath: /opt/bitnami/mongodb/secrets + {{- end }} - name: {{ .Values.persistence.name | default "datadir" }} mountPath: {{ .Values.persistence.mountPath }} subPath: {{ .Values.persistence.subPath }} @@ -397,6 +426,13 @@ spec: {{- else }} args: - | + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + {{- if .Values.metrics.username }} + export MONGODB_METRICS_PASSWORD="$(< $MONGODB_METRICS_PASSWORD_FILE)" + {{- else }} + export MONGODB_ROOT_PASSWORD="$(< $MONGODB_ROOT_PASSWORD_FILE)" + {{- end }} + {{- end }} /bin/mongodb_exporter {{ include "mongodb.exporterArgs" $ }} --mongodb.direct-connect --mongodb.global-conn-pool --web.listen-address ":{{ .Values.metrics.containerPort }}" --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . }}" {{ .Values.metrics.extraFlags }} {{- end }} env: @@ -404,14 +440,23 @@ spec: {{- if not .Values.metrics.username }} - name: MONGODB_ROOT_USER value: {{ .Values.auth.rootUser | quote }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_ROOT_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-root-password" + {{- else }} - name: MONGODB_ROOT_PASSWORD valueFrom: secretKeyRef: name: {{ include "mongodb.secretName" . }} key: mongodb-root-password + {{- end }} {{- else }} - name: MONGODB_METRICS_USERNAME value: {{ .Values.metrics.username | quote }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_METRICS_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-metrics-password" + {{- else }} - name: MONGODB_METRICS_PASSWORD valueFrom: secretKeyRef: 
@@ -419,10 +464,21 @@ spec: key: mongodb-metrics-password {{- end }} {{- end }} + {{- end }} + {{- if include "common.fips.enabled" . }} + - name: OPENSSL_FIPS + value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.metrics.fips "global" .Values.global) | quote }} + - name: GODEBUG + value: {{ include "common.fips.config" (dict "tech" "golang" "fips" .Values.metrics.fips "global" .Values.global) | quote }} + {{- end }} volumeMounts: - name: empty-dir mountPath: /tmp subPath: tmp-dir + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + mountPath: /opt/bitnami/mongodb/secrets + {{- end }} {{- if .Values.tls.enabled }} - name: certs mountPath: /certs @@ -472,7 +528,12 @@ spec: - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} - defaultMode: 0o550 + defaultMode: 0550 + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + secret: + secretName: {{ include "mongodb.secretName" . }} + {{- end }} {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} - name: custom-init-scripts configMap: @@ -490,7 +551,7 @@ spec: - name: scripts configMap: name: {{ printf "%s-scripts" (include "mongodb.fullname" .) }} - defaultMode: 0o755 + defaultMode: 0755 {{- if .Values.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} {{- end }} @@ -504,10 +565,10 @@ spec: items: - key: mongodb-ca-cert path: mongodb-ca-cert - mode: 0o600 + mode: 0600 - key: mongodb-ca-key path: mongodb-ca-key - mode: 0o600 + mode: 0600 {{- else }} {{- range $index, $secret := .Values.tls.replicaset.existingSecrets }} - name: mongodb-certs-{{ $index }} 
@@ -532,9 +593,7 @@ spec: whenScaled: {{ .Values.persistentVolumeClaimRetentionPolicy.whenScaled }} {{- end }} volumeClaimTemplates: - - apiVersion: v1 - kind: PersistentVolumeClaim - metadata: + - metadata: name: datadir {{- if .Values.persistence.annotations }} annotations: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.annotations "context" $) | nindent 10 }} diff --git a/opencloud/charts/mongodb/templates/replicaset/svc.yaml b/opencloud/charts/mongodb/templates/replicaset/svc.yaml index 20b347f..7ada019 100644 --- a/opencloud/charts/mongodb/templates/replicaset/svc.yaml +++ b/opencloud/charts/mongodb/templates/replicaset/svc.yaml @@ -25,6 +25,7 @@ metadata: {{- end }} spec: type: ClusterIP + publishNotReadyAddresses: {{ $root.Values.service.publishNotReadyAddresses }} ports: - name: {{ $root.Values.service.portName | quote }} port: {{ $root.Values.service.ports.mongodb }} diff --git a/opencloud/charts/mongodb/templates/role.yaml b/opencloud/charts/mongodb/templates/role.yaml index 062e8f3..651b963 100644 --- a/opencloud/charts/mongodb/templates/role.yaml +++ b/opencloud/charts/mongodb/templates/role.yaml @@ -23,7 +23,7 @@ rules: {{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }} {{- end -}} {{- if and (include "common.capabilities.psp.supported" .) .Values.podSecurityPolicy.create }} - - apiGroups: ['{{ template "podSecurityPolicy.apiGroup" . }}'] + - apiGroups: ['policy'] resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: [{{ include "mongodb.fullname" . }}] diff --git a/opencloud/charts/mongodb/templates/standalone/dep-sts.yaml b/opencloud/charts/mongodb/templates/standalone/dep-sts.yaml index f49b745..c7548e2 100644 --- a/opencloud/charts/mongodb/templates/standalone/dep-sts.yaml +++ b/opencloud/charts/mongodb/templates/standalone/dep-sts.yaml 
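Review bot: `publishNotReadyAddresses: {{ $root.Values.service.publishNotReadyAddresses }}` in the replicaset svc.yaml hunk renders an empty value (YAML null) when the key is absent from values, which the API server tolerates for a bool but yamllint flags and a schema validator may reject; unless values.yaml already declares a default, `{{ $root.Values.service.publishNotReadyAddresses | default false }}` keeps the manifest explicit. The hard-coded `apiGroups: ['policy']` in role.yaml is consistent with the removal of the `podSecurityPolicy.apiGroup` helper in _helpers.tpl and with the `common.capabilities.psp.supported` guard above it. Both the Service spec and the Role rules continue outside their hunks.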
@@ -107,6 +107,10 @@ spec: valueFrom: fieldRef: fieldPath: status.hostIP + {{- if include "common.fips.enabled" . }} + - name: OPENSSL_FIPS + value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.tls.fips "global" .Values.global) | quote }} + {{- end }} volumeMounts: - name: empty-dir mountPath: /tmp @@ -176,24 +180,38 @@ spec: {{- end }} {{- if .Values.auth.enabled }} {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_EXTRA_PASSWORDS_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-passwords" + {{- else }} - name: MONGODB_EXTRA_PASSWORDS valueFrom: secretKeyRef: name: {{ include "mongodb.secretName" . }} key: mongodb-passwords {{- end }} + {{- end }} - name: MONGODB_ROOT_USER value: {{ .Values.auth.rootUser | quote }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_ROOT_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-root-password" + {{- else }} - name: MONGODB_ROOT_PASSWORD valueFrom: secretKeyRef: name: {{ include "mongodb.secretName" . }} key: mongodb-root-password {{- end }} + {{- end }} {{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }} - name: MONGODB_METRICS_USERNAME value: {{ .Values.metrics.username | quote }} {{- if .Values.auth.enabled }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_METRICS_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-metrics-password" + {{- else }} - name: MONGODB_METRICS_PASSWORD valueFrom: secretKeyRef: @@ -201,6 +219,11 @@ spec: key: mongodb-metrics-password {{- end }} {{- end }} + {{- end }} + {{- if include "common.fips.enabled" . }} + - name: OPENSSL_FIPS + value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.fips "global" .Values.global) | quote }} + {{- end }} - name: ALLOW_EMPTY_PASSWORD value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} - name: MONGODB_SYSTEM_LOG_VERBOSITY 
@@ -305,6 +328,10 @@ spec: subPath: {{ .Values.persistence.subPath }} - name: common-scripts mountPath: /bitnami/scripts + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + mountPath: /opt/bitnami/mongodb/secrets + {{- end }} {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} - name: custom-init-scripts mountPath: /docker-entrypoint-initdb.d @@ -344,6 +371,13 @@ spec: {{- else }} args: - | + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + {{- if .Values.metrics.username }} + export MONGODB_METRICS_PASSWORD="$(< $MONGODB_METRICS_PASSWORD_FILE)" + {{- else }} + export MONGODB_ROOT_PASSWORD="$(< $MONGODB_ROOT_PASSWORD_FILE)" + {{- end }} + {{- end }} /bin/mongodb_exporter {{ include "mongodb.exporterArgs" $ }} --mongodb.direct-connect --mongodb.global-conn-pool --web.listen-address ":{{ .Values.metrics.containerPort }}" --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . }}" {{ .Values.metrics.extraFlags }} {{- end }} env: @@ -351,14 +385,23 @@ spec: {{- if not .Values.metrics.username }} - name: MONGODB_ROOT_USER value: {{ .Values.auth.rootUser | quote }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_ROOT_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-root-password" + {{- else }} - name: MONGODB_ROOT_PASSWORD valueFrom: secretKeyRef: name: {{ include "mongodb.secretName" . }} key: mongodb-root-password + {{- end }} {{- else }} - name: MONGODB_METRICS_USERNAME value: {{ .Values.metrics.username | quote }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_METRICS_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-metrics-password" + {{- else }} - name: MONGODB_METRICS_PASSWORD valueFrom: secretKeyRef: 
@@ -366,10 +409,21 @@ spec: key: mongodb-metrics-password {{- end }} {{- end }} + {{- end }} + {{- if include "common.fips.enabled" . }} + - name: OPENSSL_FIPS + value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.metrics.fips "global" .Values.global) | quote }} + - name: GODEBUG + value: {{ include "common.fips.config" (dict "tech" "golang" "fips" .Values.metrics.fips "global" .Values.global) | quote }} + {{- end }} volumeMounts: - name: empty-dir mountPath: /tmp subPath: tmp-dir + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + mountPath: /opt/bitnami/mongodb/secrets + {{- end }} {{- if .Values.tls.enabled }} - name: certs mountPath: /certs @@ -419,7 +473,12 @@ spec: - name: common-scripts configMap: name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} - defaultMode: 0o550 + defaultMode: 0550 + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + secret: + secretName: {{ include "mongodb.secretName" . }} + {{- end }} {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} - name: custom-init-scripts configMap: @@ -443,10 +502,10 @@ spec: items: - key: mongodb-ca-cert path: mongodb-ca-cert - mode: 0o600 + mode: 0600 - key: mongodb-ca-key path: mongodb-ca-key - mode: 0o600 + mode: 0600 {{- else }} - name: mongodb-certs-0 secret: diff --git a/opencloud/charts/mongodb/templates/standalone/svc.yaml b/opencloud/charts/mongodb/templates/standalone/svc.yaml index c1ec6f7..84869a3 100644 --- a/opencloud/charts/mongodb/templates/standalone/svc.yaml +++ b/opencloud/charts/mongodb/templates/standalone/svc.yaml 
@@ -35,15 +35,16 @@ spec: {{- if (eq .Values.service.type "LoadBalancer") }} allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} {{- end }} - {{- if .Values.service.sessionAffinity }} + {{- if ne .Values.service.sessionAffinity "None" }} sessionAffinity: {{ .Values.service.sessionAffinity }} - {{- end }} {{- if .Values.service.sessionAffinityConfig }} sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }} {{- end }} + {{- end }} {{- if (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) }} externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} {{- end }} + publishNotReadyAddresses: {{ .Values.service.publishNotReadyAddresses }} ports: - name: {{ .Values.service.portName | quote }} port: {{ .Values.service.ports.mongodb }} diff --git a/opencloud/charts/mongodb/templates/update-password/job.yaml b/opencloud/charts/mongodb/templates/update-password/job.yaml index 6d763e9..56e0a49 100644 --- a/opencloud/charts/mongodb/templates/update-password/job.yaml +++ b/opencloud/charts/mongodb/templates/update-password/job.yaml @@ -122,14 +122,14 @@ spec: {{- if .Values.passwordUpdateJob.extraCommands }} info "Running extra commmands" - {{- include "common.tplValues.render" (dict "value" .Values.passwordUpdateJob.extraCommands "context" $) | nindent 14 }} + {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.extraCommands "context" $) | nindent 14 }} {{- end }} info "Password update job finished successfully" {{- end }} env: - name: BITNAMI_DEBUG value: {{ ternary "true" "false" .Values.image.debug | quote }} - {{- if not .Values.auth.usePasswordFiles }} + {{- if not .Values.usePasswordFiles }} - name: MONGODB_PREVIOUS_ROOT_PASSWORD valueFrom: secretKeyRef: 
@@ -141,12 +141,16 @@ spec: name: {{ template "mongodb.update-job.newSecretName" . }} key: mongodb-root-password {{- end }} + {{- if include "common.fips.enabled" . }} + - name: OPENSSL_FIPS + value: {{ include "common.fips.config" (dict "tech" "openssl" "fips" .Values.passwordUpdateJob.fips "global" .Values.global) | quote }} + {{- end }} {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} - name: MONGODB_EXTRA_USERNAMES value: {{ $customUsers | quote }} - name: MONGODB_EXTRA_DATABASES value: {{ $customDatabases | quote }} - {{- if not .Values.auth.usePasswordFiles }} + {{- if not .Values.usePasswordFiles }} - name: MONGODB_NEW_EXTRA_PASSWORDS valueFrom: secretKeyRef: @@ -157,7 +161,7 @@ spec: {{- if .Values.metrics.username }} - name: MONGODB_METRICS_USER value: {{ .Values.metrics.username | quote }} - {{- if not .Values.auth.usePasswordFiles }} + {{- if not .Values.usePasswordFiles }} - name: MONGODB_PREVIOUS_METRICS_PASSWORD valueFrom: secretKeyRef: @@ -217,7 +221,7 @@ spec: volumes: - name: empty-dir emptyDir: {} - {{- if and .Values.auth.usePasswordFiles }} + {{- if and .Values.usePasswordFiles }} - name: mongodb-previous-credentials secret: secretName: {{ template "mongodb.update-job.previousSecretName" . }} diff --git a/opencloud/charts/mongodb/values.yaml b/opencloud/charts/mongodb/values.yaml index 5694a47..f740ff7 100644 --- a/opencloud/charts/mongodb/values.yaml +++ b/opencloud/charts/mongodb/values.yaml @@ -12,6 +12,7 @@ ## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s) ## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead ## @param global.namespaceOverride Override the namespace for resource deployed by the chart, but can itself be overridden by the local namespaceOverride +## @param global.defaultFips Default value for the FIPS configuration (allowed values: '', restricted, relaxed, off). Can be overriden by the 'fips' object ## global: imageRegistry: "" 
@@ -22,6 +23,11 @@ global: imagePullSecrets: [] defaultStorageClass: "" storageClass: "" + ## Security parameters + ## + security: + ## @param global.security.allowInsecureImages Allows skipping image verification + allowInsecureImages: false namespaceOverride: "" ## Compatibility adaptations for Kubernetes platforms ## @@ -32,6 +38,9 @@ global: ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) ## adaptSecurityContext: auto + ## Configure FIPS mode: '', 'restricted', 'relaxed', 'off' + ## + defaultFips: restricted ## @section Common parameters ## @@ -101,6 +110,9 @@ serviceBindings: ## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`. ## enableServiceLinks: true +## @param usePasswordFiles Mount credentials as files instead of using environment variables +## +usePasswordFiles: true ## Enable diagnostic mode in the deployment ## diagnosticMode: @@ -129,9 +141,9 @@ diagnosticMode: ## @param image.debug Set to true if you would like to see extra information on logs ## image: - registry: docker.io + registry: registry-1.docker.io repository: bitnami/mongodb - tag: 8.0.3-debian-12-r0 + tag: latest digest: "" ## Specify a imagePullPolicy ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images 
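Review bot: The image block in the last hunk on this line swaps the pinned `tag: 8.0.3-debian-12-r0` for `tag: latest` while `digest` stays `""`, so each pull can resolve to a different, unverified build of `bitnami/mongodb` and a rollback cannot reproduce the deployment that was actually tested. The same unpinning is applied to `bitnami/nginx`, `bitnami/kubectl`, `bitnami/os-shell` (twice) and `bitnami/mongodb-exporter` further down this file. Keeping a version tag, or better a `digest: "sha256:<IMAGE_DIGEST_PLACEHOLDER>"` taken from the image that was validated, keeps the deployment reproducible and gives the `global.security.allowInsecureImages: false` added at the top of this line a consistent story. If this subchart is vendored from upstream, the pin belongs in the parent chart's `mongodb.image` values rather than in this file, which the next chart update will overwrite.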
@@ -255,9 +267,9 @@ tls: ## @param tls.extraDnsNames Add extra dns names to the CA, can solve x509 auth issue for pod clients ## image: - registry: docker.io + registry: registry-1.docker.io repository: bitnami/nginx - tag: 1.27.2-debian-12-r2 + tag: latest digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -298,6 +310,10 @@ tls: ## memory: 1024Mi ## resources: {} + ## @param tls.fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used + ## + fips: + openssl: "" ## Init Container securityContext ## ref: https://kubernetes.io/docs/concepts/security/pod-security-policy/ ## @param tls.securityContext Init container generate-tls-cert Security context @@ -614,6 +630,10 @@ resourcesPreset: "small" ## memory: 1024Mi ## resources: {} +## @param fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used +## +fips: + openssl: "" ## @param containerPorts.mongodb MongoDB(®) container port ## containerPorts: @@ -802,12 +822,11 @@ service: ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip ## externalTrafficPolicy: Local - ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin - ## Values: ClientIP or None + ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin. Allowed values: `ClientIP` or `None` ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ ## sessionAffinity: None - ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity + ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity. Ignored if `service.sessionAffinity` is `None` ## sessionAffinityConfig: ## clientIP: ## timeoutSeconds: 300 
@@ -819,6 +838,10 @@ service: ## @param service.headless.annotations Annotations for the headless service. ## annotations: {} + ## @param service.publishNotReadyAddresses Indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready + ## ref: https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/ + ## + publishNotReadyAddresses: false ## External Access to MongoDB(®) nodes configuration ## externalAccess: @@ -843,9 +866,9 @@ externalAccess: ## @param externalAccess.autoDiscovery.image.pullSecrets Init container auto-discovery image pull secrets ## image: - registry: docker.io + registry: registry-1.docker.io repository: bitnami/kubectl - tag: 1.31.2-debian-12-r3 + tag: latest digest: "" ## Specify a imagePullPolicy ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images @@ -879,6 +902,10 @@ externalAccess: ## memory: 1024Mi ## resources: {} + ## @param externalAccess.autoDiscovery.fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used + ## + fips: + openssl: "" ## Init container what mission is ensure public names can be resolved. ## dnsCheck: @@ -892,9 +919,9 @@ externalAccess: ## @param externalAccess.dnsCheck.image.pullSecrets Init container dns-check image pull secrets ## image: - registry: docker.io + registry: registry-1.docker.io repository: bitnami/os-shell - tag: 12-debian-12-r32 + tag: latest digest: "" ## Specify a imagePullPolicy ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images 
@@ -928,6 +955,10 @@ externalAccess: ## memory: 1024Mi ## resources: {} + ## @param externalAccess.dnsCheck.fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used + ## + fips: + openssl: "" ## Parameters to configure a set of Pods that connect to an existing MongoDB(®) deployment that lies outside of Kubernetes. ## @param externalAccess.externalMaster.enabled Use external master for bootstrapping ## @param externalAccess.externalMaster.host External master host to bootstrap from @@ -1005,12 +1036,11 @@ externalAccess: ## - external-dns.alpha.kubernetes.io/hostname: mongodb-1.example.com ## annotationsList: [] - ## @param externalAccess.service.sessionAffinity Control where client requests go, to the same pod or round-robin - ## Values: ClientIP or None + ## @param externalAccess.service.sessionAffinity Control where client requests go, to the same pod or round-robin. Allowed values: `ClientIP` or `None` ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ ## sessionAffinity: None - ## @param externalAccess.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## @param externalAccess.service.sessionAffinityConfig Additional settings for the sessionAffinity. Ignored if `externalAccess.service.sessionAffinity` is `None` ## sessionAffinityConfig: ## clientIP: ## timeoutSeconds: 300 
@@ -1080,12 +1110,11 @@ externalAccess: ## @param externalAccess.hidden.service.annotations Service annotations for external access ## annotations: {} - ## @param externalAccess.hidden.service.sessionAffinity Control where client requests go, to the same pod or round-robin - ## Values: ClientIP or None + ## @param externalAccess.hidden.service.sessionAffinity Control where client requests go, to the same pod or round-robin. Allowed values: `ClientIP` or `None` ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ ## sessionAffinity: None - ## @param externalAccess.hidden.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## @param externalAccess.hidden.service.sessionAffinityConfig Additional settings for the sessionAffinity. Ignored if `externalAccess.hidden.service.sessionAffinity` is `None` ## sessionAffinityConfig: ## clientIP: ## timeoutSeconds: 300 @@ -1193,6 +1222,10 @@ passwordUpdateJob: ## memory: 1024Mi ## resources: {} + ## @param passwordUpdateJob.fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used + ## + fips: + openssl: "" ## @param passwordUpdateJob.customLivenessProbe Custom livenessProbe that overrides the default one ## customLivenessProbe: {} @@ -1220,8 +1253,6 @@ passwordUpdateJob: ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ ## podAnnotations: {} - - ## @section Network policy parameters ## 
@@ -1405,6 +1436,9 @@ backup: restartPolicy: OnFailure ## @param backup.cronjob.backoffLimit Set the cronjob parameter backoffLimit backoffLimit: 6 + ## @param backup.cronjob.serviceAccount.name Set the cronjob parameter serviceAccountName. If you change from the default values make sure that the SA already exists. + serviceAccount: + name: "default" ## backup container's Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param backup.cronjob.containerSecurityContext.enabled Enabled containers' Security Context @@ -1452,6 +1486,10 @@ backup: ## memory: 1024Mi ## resources: {} + ## @param backup.cronjob.fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used + ## + fips: + openssl: "" ## @param backup.cronjob.command Set backup container's command to run ## command: [] @@ -1618,9 +1656,9 @@ volumePermissions: ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array ## image: - registry: docker.io + registry: registry-1.docker.io repository: bitnami/os-shell - tag: 12-debian-12-r32 + tag: latest digest: "" ## Specify a imagePullPolicy ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images @@ -1654,6 +1692,10 @@ volumePermissions: ## memory: 1024Mi ## resources: {} + ## @param volumePermissions.fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used + ## + fips: + openssl: "" ## Init container Security Context ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser ## and not the below volumePermissions.securityContext.runAsUser 
@@ -1872,6 +1914,10 @@ arbiter: ## memory: 1024Mi ## resources: {} + ## @param arbiter.fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used + ## + fips: + openssl: "" ## @param arbiter.containerPorts.mongodb MongoDB(®) arbiter container port ## containerPorts: @@ -2215,6 +2261,10 @@ hidden: ## memory: 1024Mi ## resources: {} + ## @param hidden.fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used + ## + fips: + openssl: "" ## @param hidden.containerPorts.mongodb MongoDB(®) hidden container port ## containerPorts: @@ -2418,9 +2468,9 @@ metrics: ## @param metrics.image.pullSecrets Specify docker-registry secret names as an array ## image: - registry: docker.io + registry: registry-1.docker.io repository: bitnami/mongodb-exporter - tag: 0.41.2-debian-12-r1 + tag: latest digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -2494,6 +2544,12 @@ metrics: ## memory: 1024Mi ## resources: {} + ## @param metrics.fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used + ## @param metrics.fips.golang Configure Golang FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used + ## + fips: + openssl: "" + golang: relaxed ## @param metrics.containerPort Port of the Prometheus metrics container ## containerPort: 9216 diff --git a/opencloud/templates/mongo.yaml b/opencloud/templates/mongo.yaml index 82ffd21..1c5e3d9 100644 --- a/opencloud/templates/mongo.yaml +++ b/opencloud/templates/mongo.yaml @@ -1,4 +1,4 @@ -{{- if .Values.mongodb.enabled }} +{{- if index .Values.mongodb.enabled }} apiVersion: v1 kind: PersistentVolumeClaim metadata: 
@@ -7,9 +7,9 @@ metadata: annotations: helm.sh/resource-policy: keep spec: - accessModes: {{ .Values.mongodb.persistence.accessModes }} + accessModes: {{ index .Values.mongodb.persistence.accessModes }} resources: requests: - storage: {{ index .Values.mongodb.persistence.size }} - storageClassName: {{ index .Values.mongodb.persistence.storageClass }} + storage: {{ .Values.mongodb.persistence.size }} + storageClassName: {{ .Values.mongodb.persistence.storageClass }} {{- end }} diff --git a/opencloud/templates/mongoExpress.yaml b/opencloud/templates/mongoExpress.yaml index 74107f7..7352f9a 100644 --- a/opencloud/templates/mongoExpress.yaml +++ b/opencloud/templates/mongoExpress.yaml @@ -12,7 +12,7 @@ spec: priority: 10 services: - kind: Service - name: {{ .Release.Name }}-mongo-express + name: {{ .Release.Name }}-mongo-express.{{ .Release.Namespace }} passHostHeader: true port: 8081 {{- end }} \ No newline at end of file diff --git a/opencloud/templates/nats.yaml b/opencloud/templates/nats.yaml new file mode 100644 index 0000000..adcc72c --- /dev/null +++ b/opencloud/templates/nats.yaml @@ -0,0 +1,13 @@ +{{- if index .Values.nats.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: nats-config +data: + nats.conf: | + port: 4222 + http_port: 8222 + + max_connections: 200000 # optional but recommended + max_subscriptions: 200000 +{{- end }} \ No newline at end of file diff --git a/opencloud/templates/oc-auth/deployment.yaml b/opencloud/templates/oc-auth/deployment.yaml index 1297a48..cc40cc0 100644 --- a/opencloud/templates/oc-auth/deployment.yaml +++ b/opencloud/templates/oc-auth/deployment.yaml @@ -53,8 +53,8 @@ spec: memory: "{{ .Values.ocAuth.resources.requests.memory }}" livenessProbe: httpGet: - path: /metrics - port: http + path: /oc/version + port: 8080 initialDelaySeconds: 10 periodSeconds: 30 {{- end }} \ No newline at end of file 
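Review bot: `storageClassName: {{ .Values.mongodb.persistence.storageClass }}` reads a key that this same commit removes from `values.yaml.template`, where `mongodb.persistence.storageClass: longhorn-nor1` becomes `storageClassName: ${OC_MONGO_STORAGE:-""}`; if the values file is generated from that template, the lookup renders empty and the PVC silently falls back to the cluster default StorageClass. Either read `{{ .Values.mongodb.persistence.storageClassName }}` here or keep the `storageClass` key in the template (as far as I recall the Bitnami subchart also reads `persistence.storageClass`, so the rename helps neither consumer). Wrapping a single value in `index`, as in `{{ index .Values.mongodb.persistence.accessModes }}` and the `enabled` check at the top of this file, appears to be a no-op since `index` with no keys returns its argument; the plain `.Values…` form the old lines used reads more clearly.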
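Review bot: `name: {{ .Release.Name }}-mongo-express.{{ .Release.Namespace }}` turns the Service reference into a dotted string, but a Traefik IngressRoute `services[].name` is a Kubernetes Service name looked up in the IngressRoute's namespace (or in the separate `namespace:` field), not a DNS name, so unless the Traefik version in use tolerates this the route points at a Service that does not exist. Since the Service is rendered into the same release namespace, the previous `name: {{ .Release.Name }}-mongo-express` is sufficient; if cross-namespace routing is the intent, add `namespace: {{ .Release.Namespace }}` as its own key. The new IngressRoute in `prometheus.yaml` below uses the same dotted form.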
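Review bot: The new `nats-config` ConfigMap ships a `nats.conf` with no `authorization` or `accounts` block, so any workload that can reach the Service can publish and subscribe, and `http_port: 8222` exposes the monitoring endpoint to the same audience; if a NetworkPolicy is what bounds that, a comment saying so would help the next reader, otherwise client credentials belong in a Secret referenced from the config. The ConfigMap name is hard-coded without a release prefix, unlike the other resources in this chart, so two releases in one namespace collide and the name may clash with whatever ConfigMap the NATS chart creates for its own configuration — `name: {{ .Release.Name }}-nats-config` avoids both.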
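Review bot: The liveness probe now targets a literal `port: 8080` instead of the named container port `http`; the number duplicates what is declared under `ports:` (`containerPort: 8080` sits next to the probe in oc-peer, oc-scheduler and oc-shared) and drifts silently if the container port changes, so where the port is named only `path: /oc/version` needed to move and `port: http` could stay. The same rewrite is applied in oc-catalog, oc-datacenter, oc-front, oc-peer, oc-scheduler, oc-shared, oc-workflow and oc-workspace; in oc-schedulerd the probe is deleted with nothing in its place, so a hung daemon is no longer restarted — if it has no HTTP endpoint, a `tcpSocket` or `exec` probe keeps that behaviour. The `periodSeconds: 30` lines change with no visible difference, presumably whitespace, and several of these files still carry `\ No newline at end of file`.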
diff --git a/opencloud/templates/oc-catalog/deployment.yaml b/opencloud/templates/oc-catalog/deployment.yaml index 1615825..647d8b8 100644 --- a/opencloud/templates/oc-catalog/deployment.yaml +++ b/opencloud/templates/oc-catalog/deployment.yaml @@ -36,4 +36,10 @@ spec: requests: cpu: "{{ .Values.ocCatalog.resources.requests.cpu }}" memory: "{{ .Values.ocCatalog.resources.requests.memory }}" + livenessProbe: + httpGet: + path: /oc/version + port: 8080 + initialDelaySeconds: 10 + periodSeconds: 30 {{- end }} \ No newline at end of file diff --git a/opencloud/templates/oc-datacenter/deployment.yaml b/opencloud/templates/oc-datacenter/deployment.yaml index 93134c0..c2ec0fc 100644 --- a/opencloud/templates/oc-datacenter/deployment.yaml +++ b/opencloud/templates/oc-datacenter/deployment.yaml @@ -31,10 +31,10 @@ spec: protocol: TCP livenessProbe: httpGet: - path: /metrics - port: http + path: /oc/version + port: 8080 initialDelaySeconds: 10 - periodSeconds: 30 + periodSeconds: 30 resources: limits: cpu: "{{ .Values.ocDatacenter.resources.limits.cpu }}" diff --git a/opencloud/templates/oc-front/deployment.yaml b/opencloud/templates/oc-front/deployment.yaml index 8f7615f..948fd23 100644 --- a/opencloud/templates/oc-front/deployment.yaml +++ b/opencloud/templates/oc-front/deployment.yaml @@ -32,10 +32,10 @@ spec: protocol: TCP livenessProbe: httpGet: - path: /metrics - port: http + path: / + port: 80 initialDelaySeconds: 10 - periodSeconds: 30 + periodSeconds: 30 resources: limits: cpu: "{{ .Values.ocFront.resources.limits.cpu }}" diff --git a/opencloud/templates/oc-peer/deployment.yaml b/opencloud/templates/oc-peer/deployment.yaml index 917fe6f..c7dd390 100644 --- a/opencloud/templates/oc-peer/deployment.yaml +++ b/opencloud/templates/oc-peer/deployment.yaml 
@@ -27,10 +27,10 @@ spec: name: opencloud-config livenessProbe: httpGet: - path: /metrics - port: http + path: /oc/version + port: 8080 initialDelaySeconds: 10 - periodSeconds: 30 + periodSeconds: 30 ports: - name: http containerPort: 8080 diff --git a/opencloud/templates/oc-scheduler/deployment.yaml b/opencloud/templates/oc-scheduler/deployment.yaml index 6eef542..2eb91ae 100644 --- a/opencloud/templates/oc-scheduler/deployment.yaml +++ b/opencloud/templates/oc-scheduler/deployment.yaml @@ -28,10 +28,10 @@ spec: name: opencloud-config livenessProbe: httpGet: - path: /metrics - port: http + path: /oc/version + port: 8080 initialDelaySeconds: 10 - periodSeconds: 30 + periodSeconds: 30 ports: - name: http containerPort: 8080 diff --git a/opencloud/templates/oc-schedulerd/deployment.yaml b/opencloud/templates/oc-schedulerd/deployment.yaml index c3b2929..c0e347b 100644 --- a/opencloud/templates/oc-schedulerd/deployment.yaml +++ b/opencloud/templates/oc-schedulerd/deployment.yaml @@ -25,12 +25,6 @@ spec: envFrom: - configMapRef: name: opencloud-config - livenessProbe: - httpGet: - path: /metrics - port: http - initialDelaySeconds: 10 - periodSeconds: 30 resources: limits: cpu: "{{ .Values.ocSchedulerd.resources.limits.cpu }}" diff --git a/opencloud/templates/oc-shared/deployment.yaml b/opencloud/templates/oc-shared/deployment.yaml index a898031..2ed533d 100644 --- a/opencloud/templates/oc-shared/deployment.yaml +++ b/opencloud/templates/oc-shared/deployment.yaml @@ -27,10 +27,10 @@ spec: name: opencloud-config livenessProbe: httpGet: - path: /metrics - port: http + path: /oc/version + port: 8080 initialDelaySeconds: 10 - periodSeconds: 30 + periodSeconds: 30 ports: - name: http containerPort: 8080 diff --git a/opencloud/templates/oc-workflow/deployment.yaml b/opencloud/templates/oc-workflow/deployment.yaml index 9fa1725..230f431 100644 --- a/opencloud/templates/oc-workflow/deployment.yaml +++ b/opencloud/templates/oc-workflow/deployment.yaml 
@@ -31,10 +31,10 @@ spec: protocol: TCP livenessProbe: httpGet: - path: /metrics - port: http + path: /oc/version + port: 8080 initialDelaySeconds: 10 - periodSeconds: 30 + periodSeconds: 30 resources: limits: cpu: "{{ .Values.ocWorkflow.resources.limits.cpu }}" diff --git a/opencloud/templates/oc-workspace/deployment.yaml b/opencloud/templates/oc-workspace/deployment.yaml index 527b2a8..f3a4d09 100644 --- a/opencloud/templates/oc-workspace/deployment.yaml +++ b/opencloud/templates/oc-workspace/deployment.yaml @@ -27,10 +27,10 @@ spec: protocol: TCP livenessProbe: httpGet: - path: /metrics - port: http + path: /oc/version + port: 8080 initialDelaySeconds: 10 - periodSeconds: 30 + periodSeconds: 30 resources: limits: cpu: "{{ .Values.ocWorkspace.resources.limits.cpu }}" diff --git a/opencloud/templates/openCloudConf.yaml b/opencloud/templates/openCloudConf.yaml index ab0a484..0a5963e 100644 --- a/opencloud/templates/openCloudConf.yaml +++ b/opencloud/templates/openCloudConf.yaml @@ -24,7 +24,6 @@ data: OC_LDAP_ROLE_BASEDN: "{{ index .Values.ocAuth.ldap.roleBaseDn }}" OC_MONGO_URL: "mongodb://{{ index .Values.mongodb.auth.rootUser }}:{{ index .Values.mongodb.auth.rootPassword }}@{{ .Release.Name }}-mongodb.{{ .Release.Namespace }}:27017/{{ index .Values.mongodb.auth.databases 0 }}" OC_MONGO_DATABASE: "{{ index .Values.mongodb.auth.databases 0 }}" - OC_NATS_URL: "nats://{{ .Release.Name }}-nats.{{ .Release.Namespace }}:4222" - OC_LOKI_URL: "http://{{ .Release.Name }}-loki.{{ .Release.Namespace }}:3100" - OC_LOKI_URL: "http://{{ .Release.Name }}-loki.{{ .Release.Namespace }}:3100" + OC_NATS_URL: "nats://{{ .Release.Name }}-nats.{{ .Release.Namespace }}.svc.cluster.local:4222" + OC_LOKI_URL: "http://loki-headless.{{ .Release.Namespace }}.svc.cluster.local:3100" OC_PROMETHEUS_URL: "http://{{ .Release.Name }}-monitor.{{ .Release.Namespace }}:9090" \ No newline at end of file 
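Review bot: The context line `OC_MONGO_URL` interpolates `mongodb.auth.rootPassword` into what appears to be a ConfigMap (the deployments consume `opencloud-config` via `configMapRef`), so the root credential is readable by anyone with `get configmaps` in the namespace and shows up in `kubectl describe` output and in backups; the commit touches this block without moving it. A Secret exposed through `secretRef`/`secretKeyRef`, or the `usePasswordFiles` mechanism the subchart now enables, is the appropriate home for that value. Separately, the new `OC_LOKI_URL` hard-codes `loki-headless` while `OC_NATS_URL` on the line above keeps the `{{ .Release.Name }}-` prefix — confirm the Loki chart's headless Service really is not release-prefixed, otherwise this breaks for any release not named `loki`. Dropping the duplicated `OC_LOKI_URL` key is a good fix.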
diff --git a/opencloud/templates/openldap.yaml b/opencloud/templates/openldap.yaml index 9e30f77..5daf178 100644 --- a/opencloud/templates/openldap.yaml +++ b/opencloud/templates/openldap.yaml @@ -1,4 +1,4 @@ -{{- if .Values.externalLDAP.enabled }} +{{- if .Values.openldap.externalLDAP.enabled }} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/opencloud/templates/prometheus.yaml b/opencloud/templates/prometheus.yaml index 65c9aed..93aa59f 100644 --- a/opencloud/templates/prometheus.yaml +++ b/opencloud/templates/prometheus.yaml @@ -1,15 +1,18 @@ -{{- if .Values.prometheus.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor +{{- if index .Values "prometheus" "enabled" }} +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute metadata: - name: {{ .Release.Name }}-monitor.{{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} + name: prometheus-ingress spec: - selector: - matchLabels: - app: monitor - endpoints: - - port: http - interval: 30s + entryPoints: + - web + routes: + - kind: Rule + match: Host(`{{ .Values.host }}`) && PathPrefix(`/monitor`) + priority: 10 + services: + - kind: Service + name: {{ .Release.Name }}-monitor.{{ .Release.Namespace }} + passHostHeader: true + port: 9090 {{- end }} \ No newline at end of file diff --git a/opencloud/templates/sc-longhorn-nor1.yaml b/opencloud/templates/sc-longhorn-nor1.yaml new file mode 100644 index 0000000..37e5c69 --- /dev/null +++ b/opencloud/templates/sc-longhorn-nor1.yaml @@ -0,0 +1,10 @@ +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: longhorn-nor1 +provisioner: driver.longhorn.io +parameters: + numberOfReplicas: "2" # set 1 for single-node testing +reclaimPolicy: Retain +allowVolumeExpansion: true +volumeBindingMode: Immediate diff --git a/opencloud/values.yaml.template b/opencloud/values.yaml.template index 4a47871..3de2b8a 100644 --- a/opencloud/values.yaml.template +++ b/opencloud/values.yaml.template 
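Review bot: The new IngressRoute publishes the Prometheus server at `Host(...) && PathPrefix(`/monitor`)` on the `web` (plain-HTTP) entryPoint with no `middlewares:` entry, so the query UI and `/api/v1` are reachable unauthenticated by anyone who can reach the host, and Prometheus itself ships no authentication. Attaching a Traefik auth middleware and the TLS entrypoint (the values template sets `scheme: https`), or keeping the route cluster-internal, closes that. Prometheus served under a path prefix also needs `--web.external-url`/`--web.route-prefix` set to `/monitor` or its UI links resolve to `/`; the `prometheus.server` values are not visible here, so that may already be handled. The service `name` carries the same dotted `<name>.<namespace>` form flagged on `mongoExpress.yaml`.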
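Review bot: The StorageClass is rendered unconditionally and is cluster-scoped, with `provisioner: driver.longhorn.io`, while the values template in this commit moves every `storageClass` default from `longhorn-nor1` to `${OC_*_STORAGE:-""}`; on a cluster without Longhorn (the k3s/kind bootstrap in `oc-k8s.sh`) the class is still created and any PVC pointed at it stays Pending with no hint why. Gating it on a chart value (e.g. a new `longhorn.createStorageClass` flag — name constructed) or moving it to a separate cluster-admin manifest keeps the chart installable by a namespace-scoped role. `reclaimPolicy: Retain` is a sensible default for data volumes but means `helm uninstall` leaves PVs behind; a one-line comment stating that intent is worth adding.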
@@ -1,11 +1,11 @@ -env: {{ .Release.Name }} # For storage class provisioning -host: ${HOST:-exemple.com} # For reverse proxy rule -registryHost: ${REGISTRY_HOST:-registry.exemple.com} # For reverse proxy rule +env: ${RELEASE:-prod} # For storage class provisioning +host: ${HOST:-beta.opencloud.com} # For reverse proxy rule +registryHost: ${REGISTRY_HOST:-oc} # For reverse proxy rule scheme: https # For reverse proxy rule mongo-express: enabled: ${OC_MONGOEXPRESS_ENABLED:-true} - mongodbServer: "{{ .Release.Name }}-mongodb.{{ .Release.Namespace }}" # TO LOOK AFTER + mongodbServer: "${RELEASE:-prod}-mongodb.${RELEASE:-prod}" # TO LOOK AFTER mongodbPort: 27017 mongodbEnableAdmin: true mongodbAdminUsername: ${OC_MONGO_ADMIN:-admin} @@ -19,26 +19,27 @@ mongo-express: mongodb: enabled: ${OC_MONGO_ENABLED:-true} global: - defaultStorageClass: longhorn-nor1 - storageClass: longhorn-nor1 + defaultStorageClass: ${OC_MONGO_STORAGE:-""} + storageClass: ${OC_MONGO_STORAGE:-""} architecture: standalone useStatefulSet: false auth: enabled: true - rootUser: ${OC_MONGO_ADMIN:-admin} - rootPassword: ${OC_MONGO_PWD:-admin} + rootUser: ${OC_MONGO_ADMIN_USERNAME:-admin} + rootPassword: ${OC_MONGO_ADMIN_PWD:-admin} databases: [ ${OC_MONGO_DATABASE:-opencloud} ] - usernames: [] - passwords: [] + usernames: [ ${OC_MONGO_USERNAME:-admin} ] + passwords: [ ${OC_MONGO_PWD:-admin} ] resourcesPreset: "small" replicaCount: 1 persistence: enabled: true - storageClass: longhorn-nor1 - existingClaim: mongo-pvc + create: false # do not auto-create + existingClaim: ${OC_MONGO_PVC:-mongo-pvc} + storageClassName: ${OC_MONGO_STORAGE:-""} accessModes: - - ReadWriteOnce - size: ${OC_MONGO_SIZE:-5000Mi} + - ReadWriteOnce + size: ${OC_MONGO_SIZE:-5000Mi} persistentVolumeClaimRetentionPolicy: enabled: true whenDeleted: Retain 
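Review bot: `mongodbServer: "${RELEASE:-prod}-mongodb.${RELEASE:-prod}"` uses the release name as the namespace, whereas the line it replaces used `.Release.Namespace`; the hydra `issuer` change further down makes the same assumption. Installing with `-n` into a namespace not named after the release then points mongo-express and hydra at a Service that does not exist. Since this file is rendered before Helm sees it, a separate variable such as `${OC_NAMESPACE:-prod}` (name constructed) for the namespace part keeps the two decoupled. `env: ${RELEASE:-prod}` also silently replaces the Helm-time `{{ .Release.Name }}`, so the rendered `env` value and the actual release can now disagree.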
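Review bot: `rootPassword` now reads `OC_MONGO_ADMIN_PWD` while `OC_MONGO_PWD`, which previously set the root password, becomes the password of the application user in `passwords:`, so an existing env file that only sets `OC_MONGO_PWD` silently ends up with a root password of `admin`. mongo-express in the hunk above still reads `OC_MONGO_ADMIN` for its admin username, so the two components can be configured with different credentials for the same server; aligning the variable names (or documenting the rename in the env template) avoids that. The new entries are unquoted inside flow sequences — `usernames: [ "${OC_MONGO_USERNAME:-admin}" ]` and `passwords: [ "${OC_MONGO_PWD:-admin}" ]` would be safer, since without quotes a password containing `,`, `]`, `#` or `: ` breaks the YAML and a purely numeric one is loaded as an integer. The `admin`/`admin` fallback itself is the weaker point: a template that fails to render when no password is supplied is safer than one that quietly deploys a default credential.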
@@ -52,11 +53,28 @@ mongodb: nats: enabled: ${OC_NATS_ENABLED:-true} - jetstream: - enabled: true - fileStore: - size: ${OC_NATS_SIZE:-20Mi} - storageClassName: longhorn-nor1 + extraEnv: + - name: NATS_MAX_FILE_DESCRIPTORS + value: "65536" + extraVolumeMounts: + - name: nats-config + mountPath: /etc/nats + config: + jetstream: + enabled: true + fileStore: + enabled: true + dir: /data/jetstream # mountPath used by template + # pvc block must live here + pvc: + enabled: true + # if you already created the claim, set existingClaim: + existingClaim: nats-pvc + # storageClassName: local-path or standard (use the SC in your cluster) + storageClassName: ${OC_NATS_STORAGE:-""} + size: ${OC_NATS_SIZE:-50Gi} + # name is the volume name used in volumeMounts; keep it simple + name: nats-jetstream openldap: enabled: ${OC_LDAP_ENABLED:-true} @@ -73,8 +91,8 @@ openldap: LDAP_ORGANISATION: ${OC_LDAP_ORGANISATION:-Opencloud} LDAP_DOMAIN: ${OC_LDAP_DOMAIN:-opencloud.com} LDAP_BACKEND: "mdb" - LDAP_TLS: ${OC_LDAP_TLS:-false} - LDAP_TLS_ENFORCE: ${OC_LDAP_TLS:-false} + LDAP_TLS: "${OC_LDAP_TLS:-false}" + LDAP_TLS_ENFORCE: "${OC_LDAP_TLS:-false}" LDAP_REMOVE_CONFIG_AFTER_SETUP: "true" adminPassword: ${OC_LDAP_ADMIN_PWD:-admin} configPassword: "${OC_LDAP_CONFIG_PWD:-config}" @@ -82,9 +100,11 @@ openldap: enabled: false persistence: enabled: true + create: false # do not auto-create + existingClaim: openldap-pvc accessMode: ReadWriteOnce size: ${OC_LDAP_SIZE:-10Mi} - storageClass: longhorn-nor1 + storageClassName: ${OC_LDAP_STORAGE:-""} replication: enabled: false externalLDAP: @@ -168,6 +188,7 @@ openldap: prometheus: enabled: ${OC_PROMETHEUS_ENABLED:-true} + enableTraefikProxyIntegration: true server: persistentVolume: enabled: true 
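Review bot: `existingClaim: nats-pvc` and `existingClaim: openldap-pvc` are hard-coded, unlike `${OC_MONGO_PVC:-mongo-pvc}` and `${OC_LOKI_PVC:-loki-pvc}` elsewhere in this file, and with `enabled: true`/`create: false` nothing visible in this commit creates either claim (only `mongo.yaml` renders a PVC), so both pods will sit Pending unless the claims are provisioned out of band; `existingClaim: ${OC_NATS_PVC:-nats-pvc}` (name constructed) plus a note on who creates it would match the rest of the template. `extraVolumeMounts` references a `nats-config` volume but no `extraVolumes` entry appears in this hunk — if the NATS chart does not define one, the mount has nothing to bind and the pod fails to start. Whether `create:` is a key the openldap chart actually honours is not verifiable from here; worth checking against its values schema.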
@@ -188,13 +209,13 @@ ldapUserManager: env: SERVER_HOSTNAME: ${OC_LDAP_MNGT_HOST:-ldap.exemple.com} LDAP_BASE_DN: ${OC_LDAP_MNGT_DN:-dc=example,dc=com} - LDAP_REQUIRE_STARTTLS: ${OC_LDAP_MNGT_REQUIRE_TLS:-false} + LDAP_REQUIRE_STARTTLS: "${OC_LDAP_MNGT_REQUIRE_TLS:-false}" LDAP_ADMINS_GROUP: ${OC_LDAP_MNGT_ADMIN_GROUP:-ldapadmin} LDAP_ADMIN_BIND_DN: ${OC_LDAP_MNGT_ADMIN_DN:-cn=admin,dc=example,dc=com} LDAP_ADMIN_BIND_PWD: ${OC_LDAP_MNGT_ADMIN_PWD:-admin} - LDAP_IGNORE_CERT_ERRORS: ${OC_LDAP_MNGT_IGNORE_CERTS_ERRORS:-true} - EMAIL_DOMAIN: ${OC_LDAP_MNGT_EMAIL_DOMAIN:- } - NO_HTTPS: ${OC_LDAP_MNGT_NO_HTTPS:-true} + LDAP_IGNORE_CERT_ERRORS: "${OC_LDAP_MNGT_IGNORE_CERTS_ERRORS:-true}" + EMAIL_DOMAIN: ${OC_LDAP_MNGT_EMAIL_DOMAIN:-""} + NO_HTTPS: "${OC_LDAP_MNGT_NO_HTTPS:-true}" SERVER_PATH: "/users" ORGANISATION_NAME: ${OC_LDAP_ORGANISATION:-Opencloud} LDAP_USER_OU: ${OC_LDAP_USERS_OU:-users} @@ -239,7 +260,7 @@ hydra: # consent: https://localhost-consent/consent/consent # logout: https://localhost-logout/authentication/logout self: - issuer: "http://{{ .Release.Name }}-hydra-public.{{ .Release.Namespace }}:4444/" + issuer: "http://${RELEASE:-prod}-hydra-public.${RELEASE:-prod}:4444/" keto: enabled: ${OC_KETO_ENABLED:-true} @@ -303,8 +324,9 @@ loki: enabled: false # Deactivate loki auto provisioning, rely on existing PVC accessMode: ReadWriteOnce size: ${OC_LOKI_SIZE:-1Gi} - storageClassName: longhorn-nor1 - claimName: loki-pvc + storageClassName: ${OC_LOKI_STORAGE:-""} + create: false + claimName: ${OC_LOKI_PVC:-loki-pvc} extraVolumeMounts: - name: loki-storage @@ -382,7 +404,7 @@ argo-workflows: ocAuth: enabled: ${OC_AUTH_ENABLED:-true} enableTraefikProxyIntegration: true - image: ${OC_AUTH_IMAGE:-registry-opencloud.pf.irt-saintexupery.com/oc-auth:0.0.1} + image: "${REGISTRY_HOST:-oc}/${OC_AUTH_IMAGE:-oc-auth:0.0.1}" authType: hydra keto: adminRole: admin 
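Review bot: The quoting fix is right, but the defaults in the rewritten lines — `LDAP_IGNORE_CERT_ERRORS: "${OC_LDAP_MNGT_IGNORE_CERTS_ERRORS:-true}"` and `NO_HTTPS: "${OC_LDAP_MNGT_NO_HTTPS:-true}"`, together with `LDAP_REQUIRE_STARTTLS` defaulting to `false` — mean an operator who sets nothing gets a user-management UI over plain HTTP that also skips LDAP certificate validation, in a template whose release name defaults to `prod`. Flipping the three defaults to the safe value, or documenting in a comment above `env:` that these are lab defaults that must be overridden, would make the intended posture explicit. `EMAIL_DOMAIN: ${OC_LDAP_MNGT_EMAIL_DOMAIN:-""}` appears to render as a bare `EMAIL_DOMAIN:` (compare the test-values hunk `@@ -188,13 +226,13 @@`), i.e. YAML null rather than an empty string, so it should probably be quoted like its neighbours if the renderer allows `"${OC_LDAP_MNGT_EMAIL_DOMAIN:-}"`.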
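Review bot: With `REGISTRY_HOST` unset, `image: "${REGISTRY_HOST:-oc}/${OC_AUTH_IMAGE:-oc-auth:0.0.1}"` renders to `oc/oc-auth:0.0.1`, which a container runtime resolves as `docker.io/oc/oc-auth:0.0.1` — a public Docker Hub namespace that nothing on this page shows the project controls, so a default render would pull whatever is published there under that name. The same pattern is in the ocFront through ocScheduler hunks on this line and the next two, and the already-rendered form `image: "oc/oc-auth:0.0.1"` lands in exemple-values and in the test-values hunks. Either default `REGISTRY_HOST` to a registry the project owns or make it mandatory (`${REGISTRY_HOST:?REGISTRY_HOST is required}`, if the renderer supports it), and consider pinning production renders by digest rather than the mutable `0.0.1` tag. Note also that the first hunk of this file reuses the same variable as `registryHost: ${REGISTRY_HOST:-oc} # For reverse proxy rule`, so one value now has to serve both as a proxy hostname and as an image-name prefix.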
@@ -410,7 +432,7 @@ ocAuth: ocFront: enabled: ${OC_FRONT_ENABLED:-true} enableTraefikProxyIntegration: true - image: ${OC_FRONT_IMAGE:-registry-opencloud.pf.irt-saintexupery.com/oc-front:0.0.1} + image: "${REGISTRY_HOST:-oc}/${OC_FRONT_IMAGE:-oc-front:0.0.1}" resources: limits: cpu: ${OC_FRONT_LIMITS_CPU:-128m} @@ -428,7 +450,7 @@ ocFront: ocWorkspace: enabled: ${OC_WORKSPACE_ENABLED:-true} enableTraefikProxyIntegration: true - image: ${OC_WORKSPACE_IMAGE:-registry-opencloud.pf.irt-saintexupery.com/oc-workspace:0.0.1} + image: "${REGISTRY_HOST:-oc}/${OC_WORKSPACE_IMAGE:-oc-workspace:0.0.1}" resources: limits: cpu: ${OC_WORKSPACE_LIMITS_CPU:-128m} @@ -447,7 +469,7 @@ ocWorkspace: ocShared: enabled: ${OC_SHARED_ENABLED:-true} enableTraefikProxyIntegration: true - image: ${OC_SHARED_IMAGE:-registry-opencloud.pf.irt-saintexupery.com/oc-shared:0.0.1} + image: "${REGISTRY_HOST:-oc}/${OC_SHARED_IMAGE:-oc-shared:0.0.1}" resources: limits: cpu: ${OC_SHARED_LIMITS_CPU:-128m} @@ -465,7 +487,7 @@ ocShared: ocWorkflow: enabled: ${OC_WORKFLOW_ENABLED:-true} enableTraefikProxyIntegration: true - image: ${OC_WORKFLOW_IMAGE:-registry-opencloud.pf.irt-saintexupery.com/oc-workflow:0.0.1} + image: "${REGISTRY_HOST:-oc}/${OC_WORKFLOW_IMAGE:-oc-workflow:0.0.1}" resources: limits: cpu: ${OC_WORKFLOW_LIMITS_CPU:-128m} @@ -483,7 +505,7 @@ ocWorkflow: ocCatalog: enabled: ${OC_CATALOG_ENABLED:-true} enableTraefikProxyIntegration: true - image: ${OC_CATALOG_IMAGE:-registry-opencloud.pf.irt-saintexupery.com/oc-catalog:0.0.1} + image: "${REGISTRY_HOST:-oc}/${OC_CATALOG_IMAGE:-oc-catalog:0.0.1}" resources: limits: cpu: ${OC_CATALOG_LIMITS_CPU:-128m} @@ -501,7 +523,7 @@ ocCatalog: ocPeer: enabled: ${OC_PEER_ENABLED:-true} enableTraefikProxyIntegration: true - image: ${OC_PEER_IMAGE:-registry-opencloud.pf.irt-saintexupery.com/oc-peer:0.0.1} + image: "${REGISTRY_HOST:-oc}/${OC_PEER_IMAGE:-oc-peer:0.0.1}" resources: limits: cpu: ${OC_PEER_LIMITS_CPU:-128m} 
@@ -519,7 +541,7 @@ ocPeer: ocDatacenter: enabled: ${OC_DATACENTER_ENABLED:-true} enableTraefikProxyIntegration: true - image: ${OC_DATACENTER_IMAGE:-registry-opencloud.pf.irt-saintexupery.com/oc-datacenter:0.0.1} + image: "${REGISTRY_HOST:-oc}/${OC_DATACENTER_IMAGE:-oc-datacenter:0.0.1}" resources: limits: cpu: ${OC_DATACENTER_LIMITS_CPU:-128m} @@ -537,7 +559,7 @@ ocDatacenter: ocSchedulerd: enabled: ${OC_SCHEDULERD_ENABLED:-true} enableTraefikProxyIntegration: true - image: ${OC_SCHEDULERD_IMAGE:-registry-opencloud.pf.irt-saintexupery.com/oc-schedulerd:0.0.1} + image: "${REGISTRY_HOST:-oc}/${OC_SCHEDULERD_IMAGE:-oc-schedulerd:0.0.1}" resources: limits: cpu: ${OC_SCHEDULERD_LIMITS_CPU:-128m} @@ -555,7 +577,7 @@ ocSchedulerd: ocScheduler: enabled: ${OC_SCHEDULER_ENABLED:-true} enableTraefikProxyIntegration: true - image: ${OC_SCHEDULER_IMAGE:-registry-opencloud.pf.irt-saintexupery.com/oc-scheduler:0.0.1} + image: "${REGISTRY_HOST:-oc}/${OC_SCHEDULER_IMAGE:-oc-scheduler:0.0.1}" resources: limits: cpu: ${OC_SCHEDULER_LIMITS_CPU:-128m} @@ -575,7 +597,7 @@ docker-registry-ui: ui: title: "opencloud docker registry" proxy: true - dockerRegistryUrl: "http://{{ .Release.Name }}-docker-registry-ui-registry-server.{{ .Release.Namespace }}.svc.cluster.local:5000" + dockerRegistryUrl: "http://${RELEASE:-prod}-docker-registry-ui-registry-server.${RELEASE:-prod}.svc.cluster.local:5000" registry: secretName: regcred enabled: true @@ -583,6 +605,8 @@ docker-registry-ui: persistentVolumeClaim: claimName: docker-registry-pvc persistence: + create: false + existingClaim: docker-registry-pvc accessMode: ReadWriteOnce - storage: 5000Mi - storageClassName: longhorn-nor1 + storage: ${OC_DOCKER_REGISTRY_SIZE:-5Gi} + storageClassName: ${OC_DOCKER_REGISTRY_STORAGE:-""} diff --git a/opencloud/values/dev-values.yaml b/opencloud/values/dev-values.yaml index 7abf096..eeaa0da 100644 --- a/opencloud/values/dev-values.yaml +++ b/opencloud/values/dev-values.yaml 
@@ -1,10 +1,10 @@ -env: {{ .Release.Name }} # For storage class provisioning +env: dev # For storage class provisioning host: beta.opencloud.com # For reverse proxy rule scheme: http # For reverse proxy rule mongo-express: enabled: true - mongodbServer: "{{ .Release.Name }}-mongodb.d{{ .Release.Namespace }}ev" + mongodbServer: "{{ .Release.Name }}-mongodb.{{ .Release.Namespace }}" mongodbPort: 27017 mongodbEnableAdmin: true mongodbAdminUsername: root diff --git a/opencloud/values/exemple-values.yaml b/opencloud/values/exemple-values.yaml new file mode 100644 index 0000000..85ebab2 --- /dev/null +++ b/opencloud/values/exemple-values.yaml 
@@ -0,0 +1,589 @@ +env: exemple # For storage class provisioning +host: truc # For reverse proxy rule +registryHost: oc # For reverse proxy rule +scheme: https # For reverse proxy rule + +mongo-express: + enabled: true + mongodbServer: "{{ .Release.Name }}-mongodb.{{ .Release.Namespace }}" # TO LOOK AFTER + mongodbPort: 27017 + mongodbEnableAdmin: true + mongodbAdminUsername: admin + mongodbAdminPassword: admin + siteBaseUrl: /mongoexpress + basicAuthUsername: admin + basicAuthPassword: admin + mongodb: + enabled: false + +mongodb: + enabled: true + global: + defaultStorageClass: longhorn-nor1 + storageClass: longhorn-nor1 + architecture: standalone + useStatefulSet: false + auth: + enabled: true + rootUser: admin + rootPassword: admin + databases: [ opencloud ] + usernames: [ admin ] + passwords: [ admin ] + resourcesPreset: "small" + replicaCount: 1 + persistence: + enabled: true + storageClass: longhorn-nor1 + existingClaim: mongo-pvc + accessModes: + - ReadWriteOnce + size: 5000Mi + persistentVolumeClaimRetentionPolicy: + enabled: true + whenDeleted: Retain + whenScaled: Retain + arbiter: + enabled: false + livenessProbe: + enabled: true + readinessProbe: + enabled: true + +nats: + enabled: true + jetstream: + enabled: true + fileStore: + size: 20Mi + storageClassName: longhorn-nor1 + +openldap: + enabled: true + test: + enabled: false + ltb-passwd: + enabled: false + replicaCount: 1 + image: + repository: osixia/openldap + tls: + enabled: false + env: + LDAP_ORGANISATION: Opencloud + LDAP_DOMAIN: opencloud.com + LDAP_BACKEND: "mdb" + LDAP_TLS: "false" + LDAP_TLS_ENFORCE: "false" + LDAP_REMOVE_CONFIG_AFTER_SETUP: "true" + adminPassword: admin + configPassword: "config" + phpldapadmin: + enabled: false + persistence: + enabled: true + accessMode: ReadWriteOnce + size: 10Mi + storageClass: longhorn-nor1 + replication: + enabled: false + externalLDAP: + enabled: false + url: ${OC_LDAP_EXTERNAL_ENDPOINT} + bindDN: cn=admin,dc=example,dc=com + bindPassword: admin + 
customLdifFiles: + 01-schema.ldif: |- + dn: ou=groups,dc=example,dc=com + objectClass: organizationalUnit + ou: groups + + dn: ou=users,dc=example,dc=com + objectClass: organizationalUnit + ou: users + + dn: cn=lastGID,dc=example,dc=com + objectClass: device + objectClass: top + description: Records the last GID used to create a Posix group. This prevents the re-use of a GID from a deleted group. + cn: lastGID + serialNumber: 2001 + + dn: cn=lastUID,dc=example,dc=com + objectClass: device + objectClass: top + serialNumber: 2001 + description: Records the last UID used to create a Posix account. This prevents the re-use of a UID from a deleted account. + cn: lastUID + + dn: cn=everybody,ou=groups,dc=example,dc=com + objectClass: top + objectClass: posixGroup + cn: everybody + memberUid: admin + gidNumber: 2003 + + 02-ldapadmin.ldif : |- + dn: cn=ldapadmin,ou=groups,dc=example,dc=com + objectClass: top + objectClass: posixGroup + cn: ldapadmin + memberUid: ldapadmin + gidNumber: 2001 + + dn: uid=ldapadmin,ou=users,dc=example,dc=com + givenName: ldap + sn: admin + uid: ldapadmin + cn: ldapadmin + mail: ldapadmin@example.com + objectClass: person + objectClass: inetOrgPerson + objectClass: posixAccount + userPassword: sai1yeiT + uidNumber: 2001 + gidNumber: 2001 + loginShell: /bin/bash + homeDirectory: /home/ldapadmin + + 03-opencloudadmin.ldif : |- + dn: uid=admin,ou=users,dc=example,dc=com + objectClass: inetOrgPerson + cn: Admin + sn: Istrator + uid: admin + userPassword: admin + mail: admin@example.com + ou: users + + dn: ou=AppRoles,dc=example,dc=com + objectClass: organizationalunit + ou: AppRoles + description: AppRoles + + dn: ou=App1,ou=AppRoles,dc=example,dc=com + objectClass: organizationalunit + ou: App1 + description: App1 + +prometheus: + enabled: true + enableTraefikProxyIntegration: true + server: + persistentVolume: + enabled: true + size: 5Gi + service: + type: ClusterIP + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 128m + 
memory: 256Mi + +# ldap user manager configuration +ldapUserManager: + enabled: true + env: + SERVER_HOSTNAME: ldap.exemple.com + LDAP_BASE_DN: dc=example,dc=com + LDAP_REQUIRE_STARTTLS: "false" + LDAP_ADMINS_GROUP: ldapadmin + LDAP_ADMIN_BIND_DN: cn=admin,dc=example,dc=com + LDAP_ADMIN_BIND_PWD: admin + LDAP_IGNORE_CERT_ERRORS: "true" + EMAIL_DOMAIN: + NO_HTTPS: "true" + SERVER_PATH: "/users" + ORGANISATION_NAME: Opencloud + LDAP_USER_OU: users + LDAP_GROUP_OU: groups + ACCEPT_WEAK_PASSWORDS: "true" + resources: + limits: + cpu: 128m + memory: 256Mi + requests: + cpu: 128m + memory: 256Mi + +traefik: + enabled: true + service: + type: NodePort + ingressRoute: + dashboard: + enabled: true + matchRule: Host(`localhost`) && PathPrefix(`/api`) || PathPrefix(`/dashboard`) + entryPoints: [web] + ports: + web: + nodePort: 30950 + +hydra: + enabled: true + maester: + enabled: true + secret: + enabled: false + nameOverride: hydra-secret + hashSumEnabled: false + hydra: + dev: true + existingSecret: hydra-secret + config: + dsn: memory + urls: + # login: https://localhost-login/authentication/login + # consent: https://localhost-consent/consent/consent + # logout: https://localhost-logout/authentication/logout + self: + issuer: "http://{{ .Release.Name }}-hydra-public.{{ .Release.Namespace }}:4444/" + +keto: + enabled: true + keto: + config: + serve: + read: + port: 4466 + write: + port: 4467 + metrics: + port: 4468 + namespaces: + - id: 0 + name: open-cloud + dsn: memory + + +loki: + enabled: true + loki: + auth_enabled: false + commonConfig: + replication_factor: 1 + storage: + type: filesystem + filesystem: + chunks_directory: /var/loki/chunks + rules_directory: /var/loki/rules + admin_api_directory: /var/loki/admin + storage_config: + boltdb_shipper: + active_index_directory: /var/loki/index + filesystem: + directory: /var/loki/chunks + limits_config: + allow_structured_metadata: false + schemaConfig: + configs: + - from: "2020-01-01" + store: boltdb-shipper + 
object_store: filesystem + schema: v11 + index: + prefix: index_ + period: 24h + ingester: + chunk_encoding: snappy + tracing: + enabled: true + querier: + max_concurrent: 2 + + deploymentMode: SingleBinary + singleBinary: + extraVolumes: + - name: loki-storage + persistentVolumeClaim: + claimName: loki-pvc + persistence: + enabled: false # Deactivate loki auto provisioning, rely on existing PVC + accessMode: ReadWriteOnce + size: 1Gi + storageClassName: longhorn-nor1 + claimName: loki-pvc + + extraVolumeMounts: + - name: loki-storage + mountPath: /var/loki + replicas: 1 + resources: + limits: + cpu: 3 + memory: 4Gi + requests: + cpu: 1 + memory: 0.5Gi + extraEnv: + - name: GOMEMLIMIT + value: 3750MiB + + chunksCache: + # default is 500MB, with limited memory keep this smaller + writebackSizeLimit: 10MB + + # Enable minio for storage + minio: + enabled: false + # Zero out replica counts of other deployment modes + backend: + replicas: 0 + read: + replicas: 0 + write: + replicas: 0 + ingester: + replicas: 0 + querier: + replicas: 0 + queryFrontend: + replicas: 0 + queryScheduler: + replicas: 0 + distributor: + replicas: 0 + compactor: + replicas: 0 + indexGateway: + replicas: 0 + bloomCompactor: + replicas: 0 + bloomGateway: + replicas: 0 + +grafana: + enabled: true + adminUser: admin + adminPassword: admin + persistence: + enabled: true + size: 1Gi + service: + type: ClusterIP + +argo-workflows: + enabled: false + workflow: + serviceAccount: + create: false + name: argo-workflow + rbac: + create: false # Manual provisioning + controller: + workflowNamespaces: [] #All of them + controller: + workflowDefaults: + spec: + serviceAccountName: argo-workflow + +ocAuth: + enabled: true + enableTraefikProxyIntegration: true + image: "oc/oc-auth:0.0.1" + authType: hydra + keto: + adminRole: admin + hydra: + openCloudOauth2ClientSecretName: oc-oauth2-client-secret + ldap: + bindDn: cn=admin,dc=example,dc=com + binPwd: admin + baseDn: dc=example,dc=com + roleBaseDn: 
ou=AppRoles,dc=example,dc=com + resources: + limits: + cpu: 128m + memory: 256Mi + requests: + cpu: 128m + memory: 256Mi + replicas: 1 + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +ocFront: + enabled: true + enableTraefikProxyIntegration: true + image: "oc/oc-front:0.0.1" + resources: + limits: + cpu: 128m + memory: 256Mi + requests: + cpu: 128m + memory: 256Mi + replicas: 1 + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +ocWorkspace: + enabled: true + enableTraefikProxyIntegration: true + image: "oc/oc-workspace:0.0.1" + resources: + limits: + cpu: 128m + memory: 256Mi + requests: + cpu: 128m + memory: 256Mi + replicas: 1 + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + + +ocShared: + enabled: true + enableTraefikProxyIntegration: true + image: "oc/oc-shared:0.0.1" + resources: + limits: + cpu: 128m + memory: 256Mi + requests: + cpu: 128m + memory: 256Mi + replicas: 1 + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +ocWorkflow: + enabled: true + enableTraefikProxyIntegration: true + image: "oc/oc-workflow:0.0.1" + resources: + limits: + cpu: 128m + memory: 256Mi + requests: + cpu: 128m + memory: 256Mi + replicas: 1 + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +ocCatalog: + enabled: true + enableTraefikProxyIntegration: true + image: "oc/oc-catalog:0.0.1" + resources: + limits: + cpu: 128m + memory: 256Mi + requests: + cpu: 128m + memory: 256Mi + replicas: 1 + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +ocPeer: + enabled: true + enableTraefikProxyIntegration: true + image: "oc/oc-peer:0.0.1" + resources: + limits: + cpu: 128m + memory: 256Mi + requests: + cpu: 128m + memory: 256Mi + replicas: 1 + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 5 + 
targetCPUUtilizationPercentage: 80 + +ocDatacenter: + enabled: true + enableTraefikProxyIntegration: true + image: "oc/oc-datacenter:0.0.1" + resources: + limits: + cpu: 128m + memory: 256Mi + requests: + cpu: 128m + memory: 256Mi + replicas: 1 + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +ocSchedulerd: + enabled: true + enableTraefikProxyIntegration: true + image: "oc/oc-schedulerd:0.0.1" + resources: + limits: + cpu: 128m + memory: 256Mi + requests: + cpu: 128m + memory: 256Mi + replicas: 1 + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +ocScheduler: + enabled: true + enableTraefikProxyIntegration: true + image: "oc/oc-scheduler:0.0.1" + resources: + limits: + cpu: 128m + memory: 256Mi + requests: + cpu: 128m + memory: 256Mi + replicas: 1 + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +docker-registry-ui: + enabled: true + ui: + title: "opencloud docker registry" + proxy: true + dockerRegistryUrl: "http://{{ .Release.Name }}-docker-registry-ui-registry-server.{{ .Release.Namespace }}.svc.cluster.local:5000" + registry: + secretName: regcred + enabled: true + dataVolume: + persistentVolumeClaim: + claimName: docker-registry-pvc + persistence: + accessMode: ReadWriteOnce + storage: 5000Mi + storageClassName: longhorn-nor1 diff --git a/opencloud/values/test-values.yaml b/opencloud/values/test-values.yaml index edf6bec..bc6df97 100644 --- a/opencloud/values/test-values.yaml +++ b/opencloud/values/test-values.yaml 
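Review bot: The Traefik dashboard `matchRule` combines Host(`localhost`) && PathPrefix(`/api`) || PathPrefix(`/dashboard`) on a NodePort service (30950), and since `&&` binds tighter than `||` in Traefik's rule syntax the `/dashboard` prefix is matched for any Host, not only localhost; wrapping the two PathPrefix matchers in parentheses so that the Host condition applies to both is the fix. The file also commits a literal credential for the `ldapadmin` account (`userPassword:` in `02-ldapadmin.ldif`) alongside `admin`/`admin` everywhere, `ACCEPT_WEAK_PASSWORDS: "true"` and `dev: true` on hydra; an example file is what people copy from, so a header comment stating that these are throwaway lab values would help. `url: ${OC_LDAP_EXTERNAL_ENDPOINT}` under `externalLDAP` is a leftover template placeholder in a file that is otherwise fully rendered.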
@@ -1,11 +1,11 @@ -env: {{ .Release.Name }} # For storage class provisioning -host: exemple.com # For reverse proxy rule -registryHost: registry.exemple.com # For reverse proxy rule +env: test # For storage class provisioning +host: beta.opencloud.com # For reverse proxy rule +registryHost: oc # For reverse proxy rule scheme: https # For reverse proxy rule mongo-express: enabled: true - mongodbServer: "{{ .Release.Name }}-mongodb.{{ .Release.Namespace }}" # TO LOOK AFTER + mongodbServer: "test-mongodb.test" # TO LOOK AFTER mongodbPort: 27017 mongodbEnableAdmin: true mongodbAdminUsername: admin @@ -19,8 +19,8 @@ mongo-express: mongodb: enabled: true global: - defaultStorageClass: longhorn-nor1 - storageClass: longhorn-nor1 + defaultStorageClass: + storageClass: architecture: standalone useStatefulSet: false auth: @@ -28,17 +28,18 @@ mongodb: rootUser: admin rootPassword: admin databases: [ opencloud ] - usernames: [] - passwords: [] + usernames: [ admin ] + passwords: [ admin ] resourcesPreset: "small" replicaCount: 1 persistence: enabled: true - storageClass: longhorn-nor1 + create: false # do not auto-create existingClaim: mongo-pvc + storageClassName: accessModes: - - ReadWriteOnce - size: 5000Mi + - ReadWriteOnce + size: 5000Mi persistentVolumeClaimRetentionPolicy: enabled: true whenDeleted: Retain 
@@ -52,11 +53,45 @@ mongodb: nats: enabled: true - jetstream: - enabled: true - fileStore: - size: 20Mi - storageClassName: longhorn-nor1 + extraEnv: + - name: NATS_MAX_FILE_DESCRIPTORS + value: "65536" + extraVolumeMounts: + - name: nats-config + mountPath: /etc/nats + config: + jetstream: + enabled: true + fileStore: + enabled: true + dir: /data/jetstream # mountPath used by template + # pvc block must live here + pvc: + enabled: true + # if you already created the claim, set existingClaim: + existingClaim: nats-pvc + # storageClassName: local-path or standard (use the SC in your cluster) + storageClassName: + size: 50Gi + # name is the volume name used in volumeMounts; keep it simple + name: nats-jetstream + +reloader: + enabled: false + image: "natsio/nats-server-config-reloader:0.16.0-debian" + # Override ENTRYPOINT so we can raise ulimit before starting the real binary + command: + - /bin/sh + - -c + args: + - -pid + - /var/run/nats/nats.pid + - -config + - /etc/nats-config/nats.conf + + # Required to allow ulimit raise + securityContext: + runAsUser: 0 openldap: enabled: true @@ -73,8 +108,8 @@ openldap: LDAP_ORGANISATION: Opencloud LDAP_DOMAIN: opencloud.com LDAP_BACKEND: "mdb" - LDAP_TLS: false - LDAP_TLS_ENFORCE: false + LDAP_TLS: "false" + LDAP_TLS_ENFORCE: "false" LDAP_REMOVE_CONFIG_AFTER_SETUP: "true" adminPassword: admin configPassword: "config" @@ -82,9 +117,11 @@ openldap: enabled: false persistence: enabled: true + create: false # do not auto-create + existingClaim: openldap-pvc accessMode: ReadWriteOnce size: 10Mi - storageClass: longhorn-nor1 + storageClassName: replication: enabled: false externalLDAP: @@ -154,7 +191,7 @@ openldap: uid: admin userPassword: admin mail: admin@example.com - ou: Users + ou: users dn: ou=AppRoles,dc=example,dc=com objectClass: organizationalunit @@ -168,6 +205,7 @@ openldap: prometheus: enabled: true + enableTraefikProxyIntegration: true server: persistentVolume: enabled: true 
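Review bot: The `reloader:` block with `image: "natsio/nats-server-config-reloader:0.16.0-debian"` and `securityContext: runAsUser: 0` exists only in this test-values hunk; the corresponding template hunk (`@@ -52,11 +53,28 @@` in the previous file) does not carry it, so the two have drifted and the next render from the template would drop it. Its nesting is not recoverable from the collapsed diff: if it sits at top level rather than under `nats:`, the key would presumably be ignored by the nats chart. It is `enabled: false`, but the root `runAsUser: 0` together with the overridden `command`/`args` deserves a comment explaining why the `NATS_MAX_FILE_DESCRIPTORS` env var added in the same hunk is not sufficient, or should be dropped if it is.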
@@ -188,13 +226,13 @@ ldapUserManager: env: SERVER_HOSTNAME: ldap.exemple.com LDAP_BASE_DN: dc=example,dc=com - LDAP_REQUIRE_STARTTLS: false + LDAP_REQUIRE_STARTTLS: "false" LDAP_ADMINS_GROUP: ldapadmin LDAP_ADMIN_BIND_DN: cn=admin,dc=example,dc=com LDAP_ADMIN_BIND_PWD: admin - LDAP_IGNORE_CERT_ERRORS: true + LDAP_IGNORE_CERT_ERRORS: "true" EMAIL_DOMAIN: - NO_HTTPS: true + NO_HTTPS: "true" SERVER_PATH: "/users" ORGANISATION_NAME: Opencloud LDAP_USER_OU: users @@ -239,7 +277,7 @@ hydra: # consent: https://localhost-consent/consent/consent # logout: https://localhost-logout/authentication/logout self: - issuer: "http://{{ .Release.Name }}-hydra-public.{{ .Release.Namespace }}:4444/" + issuer: "http://test-hydra-public.test:4444/" keto: enabled: true @@ -303,8 +341,9 @@ loki: enabled: false # Deactivate loki auto provisioning, rely on existing PVC accessMode: ReadWriteOnce size: 1Gi - storageClassName: longhorn-nor1 - claimName: loki-pvc + storageClassName: + create: false + claimName: loki-pvc extraVolumeMounts: - name: loki-storage @@ -382,7 +421,7 @@ argo-workflows: ocAuth: enabled: true enableTraefikProxyIntegration: true - image: registry-opencloud.pf.irt-saintexupery.com/oc-auth:0.0.1 + image: "oc/oc-auth:0.0.1" authType: hydra keto: adminRole: admin @@ -410,7 +449,7 @@ ocAuth: ocFront: enabled: true enableTraefikProxyIntegration: true - image: registry-opencloud.pf.irt-saintexupery.com/oc-front:0.0.1 + image: "oc/oc-front:0.0.1" resources: limits: cpu: 128m @@ -428,7 +467,7 @@ ocFront: ocWorkspace: enabled: true enableTraefikProxyIntegration: true - image: registry-opencloud.pf.irt-saintexupery.com/oc-workspace:0.0.1 + image: "oc/oc-workspace:0.0.1" resources: limits: cpu: 128m @@ -447,7 +486,7 @@ ocWorkspace: ocShared: enabled: true enableTraefikProxyIntegration: true - image: registry-opencloud.pf.irt-saintexupery.com/oc-shared:0.0.1 + image: "oc/oc-shared:0.0.1" resources: limits: cpu: 128m 
@@ -465,7 +504,7 @@ ocShared: ocWorkflow: enabled: true enableTraefikProxyIntegration: true - image: registry-opencloud.pf.irt-saintexupery.com/oc-workflow:0.0.1 + image: "oc/oc-workflow:0.0.1" resources: limits: cpu: 128m @@ -483,7 +522,7 @@ ocWorkflow: ocCatalog: enabled: true enableTraefikProxyIntegration: true - image: registry-opencloud.pf.irt-saintexupery.com/oc-catalog:0.0.1 + image: "oc/oc-catalog:0.0.1" resources: limits: cpu: 128m @@ -501,7 +540,7 @@ ocCatalog: ocPeer: enabled: true enableTraefikProxyIntegration: true - image: registry-opencloud.pf.irt-saintexupery.com/oc-peer:0.0.1 + image: "oc/oc-peer:0.0.1" resources: limits: cpu: 128m @@ -519,7 +558,7 @@ ocPeer: ocDatacenter: enabled: true enableTraefikProxyIntegration: true - image: registry-opencloud.pf.irt-saintexupery.com/oc-datacenter:0.0.1 + image: "oc/oc-datacenter:0.0.1" resources: limits: cpu: 128m @@ -537,7 +576,7 @@ ocDatacenter: ocSchedulerd: enabled: true enableTraefikProxyIntegration: true - image: registry-opencloud.pf.irt-saintexupery.com/oc-schedulerd:0.0.1 + image: "oc/oc-schedulerd:0.0.1" resources: limits: cpu: 128m @@ -555,7 +594,7 @@ ocSchedulerd: ocScheduler: enabled: true enableTraefikProxyIntegration: true - image: registry-opencloud.pf.irt-saintexupery.com/oc-scheduler:0.0.1 + image: "oc/oc-scheduler:0.0.1" resources: limits: cpu: 128m @@ -575,7 +614,7 @@ docker-registry-ui: ui: title: "opencloud docker registry" proxy: true - dockerRegistryUrl: "http://{{ .Release.Name }}-docker-registry-ui-registry-server.{{ .Release.Namespace }}.svc.cluster.local:5000" + dockerRegistryUrl: "http://test-docker-registry-ui-registry-server.test.svc.cluster.local:5000" registry: secretName: regcred enabled: true @@ -583,6 +622,8 @@ docker-registry-ui: persistentVolumeClaim: claimName: docker-registry-pvc persistence: + create: false + existingClaim: docker-registry-pvc accessMode: ReadWriteOnce - storage: 5000Mi - storageClassName: longhorn-nor1 + storage: 5Gi + storageClassName: